Ansible agent role fails with Enterprise Edition

CMK version: 2.3.0p15
OS version: Ubuntu Jammy

Error message:

TASK [checkmk.general.agent : Linux: Download GENERIC CEE Agent.] **************
FAILED - RETRYING: [canary1.lib.princeton.edu]: Linux: Download GENERIC CEE Agent. (3 retries left).
FAILED - RETRYING: [canary1.lib.princeton.edu]: Linux: Download GENERIC CEE Agent. (2 retries left).
FAILED - RETRYING: [canary1.lib.princeton.edu]: Linux: Download GENERIC CEE Agent. (1 retries left).
fatal: [canary1.lib.princeton.edu]: FAILED! => {"attempts": 3, "changed": false, "connection": "close", "content_length": "87", "content_security_policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/verify; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:", "content_type": "application/problem+json", "date": "Mon, 27 Jan 2025 13:40:59 GMT", "elapsed": 0, "json": {"detail": "Wrong credentials (Bearer header)", "status": 401, "title": "Unauthorized"}, "msg": "Status code was 401 and not [200]: HTTP Error 401: UNAUTHORIZED", "path": "/tmp/check-mk-agent_2.3.0p15-generic.deb", "permissions_policy": "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), usb=()", "redirected": false, "referrer_policy": "origin-when-cross-origin", "server": "Apache", "status": 401, "url": "http://checkmk-host1.example.edu:80/pulmonitor/check_mk/api/1.0/domain-types/agent/actions/download_by_host/invoke?os_type=linux_deb&agent_type=generic", "x_content_type_options": "nosniff", "x_frame_options": "sameorigin", "x_permitted_cross_domain_policies": "none", "x_xss_protection": "1; mode=block"}

We are migrating from CheckMK Raw to CheckMK Enterprise. As best as we can tell (the bakery is new to us), the fact that the bakery adds a hash is the reason we can no longer run the playbook that has previously allowed us to automatically add a new host to checkmk.

If we manually add the host to checkmk the agent playbook runs through without a problem. It otherwise fails.

We are using the following variables:

---
# agent vars
checkmk_agent_edition: cee
checkmk_agent_server: checkmk-host-staging1.princeton.edu
checkmk_agent_version: "2.3.0p15"
# server vars
checkmk_server_edition: cee
checkmk_server_version: 2.3.0p15
checkmk_agent_server_protocol: http
checkmk_agent_server_validate_certs: "true"
checkmk_agent_server_port: 80
checkmk_server_download_user: "{{ vault_checkmk_download_user }}"
checkmk_server_download_pass: "{{ vault_checkmk_download_pass }}"
# the receiver_port var is not used in the collection role
# we added it in our copy of the checkmk_agent role:
checkmk_agent_receiver_port: 8000
checkmk_agent_site: sitename
checkmk_agent_registration_server: "{{ checkmk_agent_server }}"
checkmk_agent_registration_site: "{{ checkmk_agent_site }}"
# in theory, we can use secrets or passwords
# only passwords seem to work at the command line
checkmk_agent_user: troubleshooting
checkmk_agent_pass: "{{ vault_checkmk_pass }}"
checkmk_agent_auth: "{{ checkmk_agent_pass }}"
# - checkmk_agent_user: ansible
# - checkmk_agent_secret: "{{ vault_checkmk_secret }}"
# - checkmk_agent_auth: "{{ checkmk_agent_secret }}"
checkmk_agent_port: 6556
checkmk_agent_folder: "{{ checkmk_folder }}" # all lowercase, for example: /linux/rdss
checkmk_agent_discover: "true" # works with false
checkmk_agent_tls: "true"
checkmk_agent_configure_firewall: "false"
checkmk_agent_add_host: "true"
checkmk_agent_host_name: "{{ inventory_hostname }}"
checkmk_agent_auto_activate: "true" # set this to 'true' to run the handler
# requires setting a host to run the API calls from . . .
checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"
checkmk_agent_force_foreign_changes: "true"

checkmk_folder: /linux/sandboxes

checkmk_server_sites:
  - name: 'sitename'
    version: "{{ checkmk_server_version }}"
    update_conflict_resolution: 'abort'
    state: 'started'
    admin_pw: '{{ vault_checkmk_pass }}'
    omd_auto_restart: 'false'
    omd_config:
      - var: AUTOSTART
        value: 'on'

I do not think that the issue is edition-related. The agent role tries to find the most suitable package for the host and that usually works very reliably.

{"detail": "Wrong credentials (Bearer header)", "status": 401, "title": "Unauthorized"}

This is your error; you want to double-check the credentials you use.

Thanks Robin,

The interesting thing is if my workflow was:

  1. Log into the checkmk web UI.
  2. Add the host manually.
  3. Run the playbook (it will work).

That is to say, if I manually create this host, the unchanged playbook from raw to cee continues to work.

Are you using the latest version of the collection?
Did you try to authenticate against the API (e.g., using curl) with the very same credentials you provided the agent role with?
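
Added example (not part of any post in this thread, and not code from the Checkmk collection): one way to run the credential check suggested above against the same scheme, host, port and site as the failed task, by deriving the test URL from the task's own output. The `/version` endpoint and the `Bearer <user> <secret>` header are the Checkmk REST API's; the function names and `SAMPLE_RESULT` are constructed for illustration.

```python
"""Triage a 401 from the Checkmk REST API using the failed task's own result."""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Constructed sample: fields copied from the failed task output quoted in this thread.
SAMPLE_RESULT = {
    "status": 401,
    "json": {"detail": "Wrong credentials (Bearer header)", "status": 401},
    "url": "http://checkmk-host1.example.edu:80/pulmonitor/check_mk/api/1.0/"
           "domain-types/agent/actions/download_by_host/invoke"
           "?os_type=linux_deb&agent_type=generic",
}

def bearer_headers(user, secret):
    # Header format: "Bearer <username> <password or automation secret>"
    return {"Authorization": f"Bearer {user} {secret}", "Accept": "application/json"}

def version_url(failed_url):
    # Keep scheme, host, port and site of the failing request so the manual
    # check talks to exactly the API base the role talked to.
    parts = urlsplit(failed_url)
    base = parts.path.split("/api/1.0/")[0]
    return f"{parts.scheme}://{parts.netloc}{base}/api/1.0/version"

def triage(result):
    parts = urlsplit(result["url"])
    query = parse_qs(parts.query)
    findings = []
    if result.get("status") == 401 and "Bearer" in result.get("json", {}).get("detail", ""):
        findings.append("auth: server rejected the Bearer credentials sent by this task")
    if parts.scheme == "http":
        findings.append("transport: Bearer credentials sent in cleartext; validate_certs has no effect")
    if "agent_type" in query:
        findings.append("request: agent_type=" + query["agent_type"][0])
    return findings

def live_status(url, user, secret, timeout=10):
    # HTTP status of an authenticated GET; 200 means the pair is accepted.
    req = urllib.request.Request(url, headers=bearer_headers(user, secret))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_RESULT)))
    print("compare with:", version_url(SAMPLE_RESULT["url"]))
```

Call `live_status(version_url(url), user, secret)` with the exact values the role resolves from the vault; a 200 there alongside a 401 on the download URL points away from the credential pair and towards the specific request.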

Heya Robin,

Yes to both. The authentication worked with curl. When we have cycles for this we plan to submit a PR. For now we solved it by:

  1. Creating the host using this: ansible-collection-checkmk.general/plugins/modules/host.py at 30d883b0c690a182deadfde393437c12cad8dfe8 (Checkmk/ansible-collection-checkmk.general on GitHub),
  2. then vaulting the install binaries and copying them from the Ansible controller to the host,
  3. running a command to install CheckMK and then activating it.

It is hack-ish but it works.