[Check_mk (english)] Downloading Baked Agents via wget/curl

Archive checkmk-en
1

Is there an easy way to download baked agents from the check_mk server to client machines using wget or curl? It seems cumbersome to have to d/l the file using a browser and then try to scp/ftp it somewhere. I can see
the //check_mk/agents folder but those look like the generic agents not the specific baked ones.

Gavin

1 Like
Agent Bakery - Strange name on _GENERIC link
2

Hi Gavin,

Is there an easy way to download baked agents from the check_mk server
to client machines using wget or curl? It seems cumbersome to have to
d/l the file using a browser and then try to scp/ftp it somewhere. I
can see the /<site>/check_mk/agents folder but those look like the
generic agents not the specific baked ones.

Baked agents are only available for authenticated users for obvious
reasons (credentials inside the package being one reason).

The URL to download an agent from the bakery is like this:

$siteurl/check_mk/download_agent.py?hash=$hash&os=$arch&_username=$user&_secret=$pass

Where $hash is the hash value of the agent configuration and $arch
is one of linux_deb, linux_tgz, windows_msi, etc.

We have simplified our agent deployment with the following "trick":

When using the agent updater it is sufficient to install a generic agent
package that only contains the agent updater plugin. Because after the first
call to the agent the updater will install the correct package for the host.

These generic agent packages contain no secret info like credentials and therefor
can be downloaded without authentication. Do achieve this they can be symlinked
to the system webserver's DocumentRoot like this:

ln -s $OMDROOT/var/check_mk/agents/linux_deb/_GENERIC /var/www/html/check-mk-agent-generic.deb
ln -s $OMDROOT/var/check_mk/agents/windows_msi/_GENERIC /var/www/html/check-mk-agent-generic.msi

The URL to download would be https://$monitoringserver/check\-mk\-agent\-generic\.deb etc.

Regards

···

On 08.04.19 09:07, Gavin Hill wrote:
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Amtsgericht Berlin-Charlottenburg - HRB 93818 B
GeschĂ€ftsfĂŒhrer: Peer Heinlein - Sitz: Berlin

3

Superb advice, thanks Robert. However, I’m confused as to how to apply the updater plugin to the generic agent? I thought to do that I needed to create the signature keys, and add the parameters of the update server and then bake custom agents for that?

After I followed the docs on creating an auto-update agent I ended up with two agents, one for all my hosts with the “agentupdater” parameters and one marked “VANILLA”

Any further advice?

Gavin

···

–

Gavin Hill | Director

		m: +27 83 601 8181

		t: +27 10 020 5959

		  <img src="cid:hlSnOYIdSUOC5FZ5uX4vQHighpeak_email_jpg">[<img src="cid:Rm3awYu7EytpKYlCYlhzgHighpeak_linkedin_jpg">](https://www.linkedin.com/company/highpeak-pty-ltd/)<img src="cid:Q3misBQNVUWQnjarztJ3XwHighpeak_skype_jpg">[<img src="cid:znighqd1GUerssHJm3C6wwHighpeak_web_jpg">](https://www.highpeak.co.za/)

-----Original Message-----
From: checkmk-en checkmk-en-bounces@lists.mathias-kettner.de On Behalf Of Robert Sander
Sent: Monday, 08 April 2019 9:21 AM
To: checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] Downloading Baked Agents via wget/curl

Hi Gavin,

On 08.04.19 09:07, Gavin Hill wrote:

Is there an easy way to download baked agents from the check_mk server
to client machines using wget or curl? It seems cumbersome to have to
d/l the file using a browser and then try to scp/ftp it somewhere. I
can see the //check_mk/agents folder but those look like the
generic agents not the specific baked ones.

Baked agents are only available for authenticated users for obvious reasons (credentials inside the package being one reason).

The URL to download an agent from the bakery is like this:

$siteurl/check_mk/download_agent.py?hash=$hash&os=$arch&_username=$user&_secret=$pass

Where $hash is the hash value of the agent configuration and $arch is one of linux_deb, linux_tgz, windows_msi, etc.

We have simplified our agent deployment with the following “trick”:

When using the agent updater it is sufficient to install a generic agent package that only contains the agent updater plugin. Because after the first call to the agent the updater will install the correct package for the host.

These generic agent packages contain no secret info like credentials and therefor can be downloaded without authentication. Do achieve this they can be symlinked to the system webserver’s DocumentRoot like this:

ln -s $OMDROOT/var/check_mk/agents/linux_deb/_GENERIC /var/www/html/check-mk-agent-generic.deb
ln -s $OMDROOT/var/check_mk/agents/windows_msi/_GENERIC /var/www/html/check-mk-agent-generic.msi

The URL to download would be https://$monitoringserver/check-mk-agent-generic.deb etc.

Regards

Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

https://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Amtsgericht Berlin-Charlottenburg - HRB 93818 B
GeschĂ€ftsfĂŒhrer: Peer Heinlein - Sitz: Berlin

4

Hi Gavin,

···

On 08.04.19 11:22, Gavin Hill wrote:

After I followed the docs on creating an auto-update agent I ended up
with two agents, one for all my hosts with the "agentupdater" parameters
and one marked "VANILLA"

The one for your host should also have a "GENERIC" in the list of hosts.

The generic agent receives all the configuration from the rules without
any specific conditions.

Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Amtsgericht Berlin-Charlottenburg - HRB 93818 B
GeschĂ€ftsfĂŒhrer: Peer Heinlein - Sitz: Berlin

5

Got it, I missed it in the list of all the hosts.

OK, so I managed to install the generic package.

I run:
$ sudo cmk-update-agent register -vvv
Successfully read /etc/check_mk/cmk-update-agent.cfg.

···

±------------------------------------------------------------------+

Check_MK Agent Updater v1.5.0p13 - Registration |

Activation of automatic agent updates. Your first step is to |
register this host at your deployment server for agent updates. |
For this step you need an administration account on WATO for |
that server. |

±------------------------------------------------------------------+
Using previous settings from /etc/cmk-update-agent.state.
Password for user ‘xxxx’:

Going to register agent at deployment server
Updating the certificate store “/var/lib/check_mk_agent/cas/all_certs.pem”

Updated the certificate store “/var/lib/check_mk_agent/cas/all_certs.pem” with 1 certificate(s)
Authenticating at Check_MK Server (using requests): https://xxx.co.za/xxx/check_mk/login.py
Fetching content (using requests): https://xxx.co.za/xxx/check_mk/register_agent.py
Successfully registered agent for deployment.
Secret is .
Successfully read /etc/cmk-update-agent.state.
Saved deployment status to /etc/cmk-update-agent.state.
You can now update your agent by running ‘cmk-update-agent -v’
Saved your registration settings to /etc/cmk-update-agent.state.
Could not modify cache age: Cachefile not found.
Done.

When I run cmk-update-agent however:

$ sudo cmk-update-agent -vvv
Successfully read /etc/cmk-update-agent.state.
Successfully read /etc/check_mk/cmk-update-agent.cfg.

±------------------------------------------------------------------+

Check_MK Agent Updater v1.5.0p13 - Update |

±------------------------------------------------------------------+
Getting target agent configuration for host ‘xxx.co.za’ from deployment server
Updating the certificate store “/var/lib/check_mk_agent/cas/all_certs.pem”

Updated the certificate store “/var/lib/check_mk_agent/cas/all_certs.pem” with 1 certificate(s)
Fetching content (using requests): https://xxx.co.za/xxx/check_mk/deploy_agent.py
Response from deployment server:
AgentAvailable: False

Successfully read /etc/cmk-update-agent.state.
Saved deployment status to /etc/cmk-update-agent.state.
No agent available for us.
Could not find and update cachefile.
Done.

However, I have created a rule and baked an agent specifically for this host. The “Automatic Updates” screen in WATO also shows 0 “Registered agents” despite the above registration being successful.

Any ideas?

Regards
Gavin

Gavin Hill | Director

		m: +27 83 601 8181

		t: +27 10 020 5959

		  <img src="cid:hlSnOYIdSUOC5FZ5uX4vQHighpeak_email_jpg">[<img src="cid:Rm3awYu7EytpKYlCYlhzgHighpeak_linkedin_jpg">](https://www.linkedin.com/company/highpeak-pty-ltd/)<img src="cid:Q3misBQNVUWQnjarztJ3XwHighpeak_skype_jpg">[<img src="cid:znighqd1GUerssHJm3C6wwHighpeak_web_jpg">](https://www.highpeak.co.za/)

-----Original Message-----
From: checkmk-en checkmk-en-bounces@lists.mathias-kettner.de On Behalf Of Robert Sander
Sent: Monday, 08 April 2019 12:12 PM
To: checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] Downloading Baked Agents via wget/curl

Hi Gavin,

On 08.04.19 11:22, Gavin Hill wrote:

After I followed the docs on creating an auto-update agent I ended up
with two agents, one for all my hosts with the “agentupdater”
parameters and one marked “VANILLA”

The one for your host should also have a “GENERIC” in the list of hosts.

The generic agent receives all the configuration from the rules without any specific conditions.

Regards

Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

https://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Amtsgericht Berlin-Charlottenburg - HRB 93818 B
GeschĂ€ftsfĂŒhrer: Peer Heinlein - Sitz: Berlin