Bug in proxmox special agent?

Troubleshooting
1

CMK version: Checkmk Enterprise Edition 2.2.0p22
OS version: Debian 12

Error message: [special_proxmox_ve] Agent exited with code 1: Could not connect to

Hi,

i think the special_proxmox_ve agent has an “bug”. It seems to ignore the IPv6 Address field.

In DNS
mypve.net.domain.at has an IPv4 address
mypve.mgt.domain.at has an IPv6 address.

This is our configuration, which works fine for the checkmk agent.

image
image691×395 20.1 KB

However the special agent seems to ignore the IPv6 field and only tries to connect via the Hostname.

Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)

[special_proxmox_ve] Agent exited with code 1: Could not connect to mypve .net. domain.at:8006 (HTTPSConnectionPool(host=‘mypve.net.domain.at’, port=8006): Max retries exceeded with url: /api2/json/access/ticket (Caused by ProxyError(‘Cannot connect to proxy.’, OSError(‘Tunnel connection failed: 403 Forbidden’))))(!!), [piggyback] Success (but no data found for this host), execution time 3.5 sec | execution_time=3.530 user_time=0.060 system_time=0.000 children_user_time=0.260 children_system_time=0.030 cmk_time_agent=3.170 cmk_time_ds=0.010

I even ran tcpdump to be sure, and it will only try to connect via the net fqdn instead of the mgt fqdn.

Can anyone confirm this behavior? Is this an bug?

Thanks

2

It depends :wink:
The special agent has no problem with your configuration. The problem is the part inside CMK that generates the command line for the special agent.

def agent_proxmox_ve_arguments(
    params: Mapping[str, Any], hostname: str, ipaddress: Optional[str]
) -> Sequence[Union[str, Tuple[str, str, str]]]:
    return [
        elem
        for chunk in (
            ("-u", params["username"]) if "username" in params else (),
            ("-p", passwordstore_get_cmdline("%s", params["password"]))
            if "password" in params
            else (),
            ("--port", params["port"]) if "port" in params else (),
            ("--no-cert-check",) if params.get("no-cert-check") else (),
            ("--timeout", params["timeout"]) if "timeout" in params else (),
            ("--log-cutoff-weeks", params["log-cutoff-weeks"])
            if "log-cutoff-weeks" in params
            else (),
            (hostname,),
        )
        for elem in chunk
    ]

You see that it only uses the hostname.
Beside that this code is a little bit strange the hostname line can look like this.

(ipaddress or hostname,),

The only reason to use only the hostname is also not valid here as you can disable the cert check inside the special agent config.
With such a modification you only need to pay attention. If IP field is specified it is used.

3

But we use the IP field, as you can see in my snippet butchered screenshot ;), with the IPv6 FQDN. Could it be that this check only takes the ipaddress but not an ipv6address field in consideration?

4

At the moment it only takes the host name. No IP.

5

Ok, now i understand the issue with the certificate part… makes sense.
Well, we will monitor it via the IPv4 way then.

Thanks for your help! :slight_smile: