CheckMK CEE 1.6.0p20 docker - all host DOWN but they are UP - services working fine

Hi,
I use the docker image of CEE 1.6.0p20 (sind 1.6.0p14 arlready) but always after I updated to latest version all my hosts are shown as DOWN.
but they are not down, they are UP and all service checks work fine.
I use the docker image on my Synology NAS within the same network as the host.
i have no idea why all the hosts are shown as DOWN
pls help me to find a solution on this

kr
Mike

Is only the ping failing or also the check_mk services?

Hi Andreas,

thanks for your kind response:

in CheckMK is shows this:

and if I log into the docker image and try to ping I get:

OMD[cmk]:~$ ping 192.168.192.222
ping: socket: Operation not permitted

CheckMK service work fine
Bildschirmfoto 2021-02-02 um 10.46.01

This looks like that problem
Podman (non root) Checkmk check_icmp operation not permitted
Is it possible that your container is running without root?

1 Like

the link give me no help - I do not have podman

btw, what do you mean - …without root? the docker images is directly from checkMK
I did not remove anything

podman is nearly the same as what you do with your docker command.
Or what container environment do you use?
Many of the container problems are side effects from the used container environment.

I use Synology NAS with Synology Docker Version 18.09.0-0513

kr
Mike

Hi,

looks more a Linux issue. There are some hints that this behaviour belongs to a permission problem.
When you google “ping: socket: Operation not permitted” you will find a lot of hints.

Cheers,
Christian

Hi ChristianM,

thanks for your kind reply.

I understand that there is a ‘suid’ problem , B U T

this is a pure DOCKER IMANGE directly from CheckMK - so if there is a problem with this and all the last DOCKER IMAGES, who can I ask to investigate and find a solution?

because I have no idea where to search and find ‘ping’ or ‘check_icmp’ to whatever the reason is, and because I am not sure whether this is a bug or a wanted behavior, I intend to ask the checkMK community (with hope that a checkMK related person might also read it :slight_smile: ).

best regards
Mike

what could be the temp. fix?

The problem is not the image. The problem is your docker host. You need to setup the container in a way that the container is allowed to do what he want’s.

Inside the container you need root rights to access these sockets. Some container host platforms don’t allow this.

You can check with different capability settings on your host.
The command line switches are like “–set-cap=SYS_ADMIN” in the GUI you should find options like “Execute container using high privilege”.

Does these settings solve the problem?

hi,

I just tried 3 diff. ways…
1st i set the “Execute container using high privilege" within Synology Docker settings.
2nd I tried with “–cap-add=SYS_ADMIN”
and 3rd I tired with “–privileged”

but none of these give success
:frowning:

when I check the cmc.log.
tail -f /omd/sites/cmk/var/log/cmc.log

i see:
2021-02-03 20:21:52 [5] [icmpsender 1701] started, commandline: /omd/sites/cmk/lib/cmc/icmpsender 8 0 1000
2021-02-03 20:21:52 [4] [icmpsender 1701] Cannot create raw socket (missing SUID root?): Operation not permitted
2021-02-03 20:22:22 [4] [icmpsender 1701] Cannot send IP addresses to icmpsender: Broken pipe
2021-02-03 20:22:22 [3] [icmpsender 1701] exited with status 1
2021-02-03 20:22:22 [5] [icmpsender 1850] started, commandline: /omd/sites/cmk/lib/cmc/icmpsender 8 0 1000
2021-02-03 20:22:22 [4] [icmpsender 1850] Cannot send IP addresses to icmpsender: Broken pipe
2021-02-03 20:22:22 [3] [icmpsender 1850] exited with status 1
2021-02-03 20:22:22 [5] [icmpsender 1851] started, commandline: /omd/sites/cmk/lib/cmc/icmpsender 8 0 1000
2021-02-03 20:22:22 [4] [icmpsender 1851] Cannot create raw socket (missing SUID root?): Operation not permitted
2021-02-03 20:22:52 [4] [icmpsender 1851] Cannot send IP addresses to icmpsender: Broken pipe
2021-02-03 20:22:52 [3] [icmpsender 1851] exited with status 1
2021-02-03 20:22:52 [5] [icmpsender 2037] started, commandline: /omd/sites/cmk/lib/cmc/icmpsender 8 0 1000
2021-02-03 20:22:52 [4] [icmpsender 2037] Cannot send IP addresses to icmpsender: Broken pipe
2021-02-03 20:22:52 [3] [icmpsender 2037] exited with status 1

so i did:
chmod u+s ./opt/omd/sites/cmk/lib/cmc/icmpsender

but now the error is gone within the cmc.log - BUT still all hosts are down
:frowning:
:frowning:

best regards

For network things you can also test the capability CAP_NET_RAW

Hi

hmm I tried to setup but:
unable to set CAP_SETFCAP effective capability: Operation not permitted

then I tried with sudo, but:
bash: sudo: command not found

(all within the docker checkMK image)

kr
Mike

I think inside the container it will not work.
It is important how the docker runtime starts the container.
The following article shows the problem also with docker containers and capabilities.

Hmm I guess it is not possible with Synology (old) docker version - or I didn’t get it…

is there a recommendation for Synology docker from checkMK?
Did anyone manage it working?

help…

kr
Mike