Cmk-update plugin not able to pull the signed agents

Hi,

I have followed the CMK agent bakery video from YouTube and was able to successfully set up automatic agent updates. For testing purposes I have set Interval for update check to 5 min, expecting the plugin would make a call every 5 minutes. I have signed new agents on the cmk server. But still the cmk-update plugin is not able to automatically pull the baked agent. I have done the required changes in Global settings.

Hi,

Did you register the hosts successfully from the CLI?
Did you enable the bakery master switch?

What is the output of

Linux Host - cmk-update-agent -v
Windows Host - C:\ProgramData\checkmk\agent\plugins\cmk-update-agent.exe -v

You could also provide the config of the update plugin, but be sure to remove sensitive content:
C:\ProgramData\checkmk\agent\plugins\cmk-update-agent.exe show-config

Further documentation is here:

2 Likes

I have registered my Linux host using cmk-update-agent register -v.
Yes, the master switch is enabled.
The updates are pulled when I execute cmk-update-agent -v. But shouldn't the updates be automatically pulled after the defined interval, which in my case is 5 min?

output of cmk-update-agent -v:

+-------------------------------------------------------------------+
| |
| Check_MK Agent Updater v1.6.0p20 - Update |
| |
+-------------------------------------------------------------------+
Getting target agent configuration for host ‘<>’ from deployment server
Target state (from deployment server):
Agent Available: True
Signatures: 1
Target Hash: 93656dfec9c44788
Downloaded agent has size 9578867 bytes.
Signature check OK.
Invoking package manager: rpm -vU --oldpackage --replacepkgs /tmp/check-mk-agent-DP7poP
Output from rpm:
Preparing packages

check-mk-agent-1.6.0p20-93656dfec9c44788.noarch
Activating startscript of xinetd
Reloading xinetd

check-mk-agent-1.6.0p20-4a2dd407025333a9.noarch
Reloading xinetd


Warning/Error from rpm:
Note: Forwarding request to ‘systemctl enable xinetd.service’.
Redirecting to /bin/systemctl reload xinetd.service
Redirecting to /bin/systemctl reload xinetd.service

Successfully installed agent 93656dfec9c44788.

Output of cmk-update-agent.exe show-config

Showing current configuration


Configuration from config file (/etc/check_mk/cmk-update-agent.cfg):
signature_keys: [’-----BEGIN CERTIFICATE-----********-----END CERTIFICATE-----\n’]
protocol: http
interval: 300
site: <>
server: <>
proxy: None
certificates: []

Configuration from state file (/etc/cmk-update-agent.state):
installed_aghash: *****
last_error: The deployment server provides an agent but that is not signed.
host_name: <>
last_check: 1614881051.91
last_update: 1614881052.56
host_secret: ******
user: cmkadmin

Hi,

the last error message is :

The deployment server provides an agent but that is not signed.

It seems that you may have built new packages but did not sign them?
Every new package that is created after changes in the rulesets has to be signed. So after every bake you always have to sign afterwards.
In 2.0 there will be a new button “bake and sign” to make this easier (and fix error messages during the build process of built but not yet signed agents).

1 Like

But this looks as if the package was correctly installed?

Hi,

Even after signing the agents it didn’t reflect automatically.

Can you check if the cmk-update-plugin is in the following folder?

/usr/lib/check_mk_agent/plugins/300

1 Like

One information from my side - @anonymous19 I think you use a Redhat or CentOS system.
This is a known “bug” / problem of the rpm packages.
They make a clean install but return with the message

This is no real error and should be handled the correct way by the agent updater.
@moritz the question is: is this a known problem in your “database” of bugs?

1 Like

I took a look at all the other topics you opened. Are you sure that the plugins are installed in the correct place and are being called by the agent?

If you call check_mk_agent, is there an agent updater section?

1 Like

Could it be, that you are hitting this problem that is described in the documentation?

RPM installation fails on RedHat/CentOS

It has occasionally occurred — especially on RedHat/CentOS systems — that the call to rpm triggered by the automatic update repeatedly fails, while a manual call to cmk-update-agent processes successfully. The cause in these cases was a SELinux policy that prevented an error-free call if rpm was called by a child process of xinetd. You can solve the problem, i.e., get to the bottom of it by analysing the SELinux logs, and adjusting the policy accordingly using the audit2allow tool.

1 Like

Hi!
It looks to me like you are facing that exact problem mentioned above by @aeckstein.
More advice can maybe be found here: [Check_mk (deutsch)] CentOS 7 Agent Bakery Autoupdate Problem or here: [Check_mk (deutsch)] SELinux Modul für auto-update bundle im RPM

@andreas-doehler you are right. This “forwarding” message from systemd is no warning or error. This is fixed with Checkmk 2.0 (starting with 2.0.0i2, I think). Instead of “Warning/Error from rpm”, this message will begin with “Output from rpm:” now.
However, this never led to a failed update, and was displayed just for information.

2 Likes

Not completely right. The update was done, but inside CMK it was shown for an indefinite time as a failed update, and the only way to clean up this message is a manual run of cmk-update-agent on the CentOS system. Not so good with some hundreds of RedHat hosts :smiley:

1 Like

However, this never led to a failed update, and was displayed just for information.

Correct. Here, it is the missing SELinux rule to allow xinetd to execute RPM.
Adding the rule manually fixes the problem, but this really should be part of the built RPM file.

[Check_mk (deutsch)] SELinux Modul für auto-update bundle im RPM

For all who get the same error, here is how to compile and apply the SELinux rule:

  1. Install the policycoreutils-python-utils
  2. Save this content to checkmk-agent-autoupgrade.te:

     module checkmk-agent-autoupgrade 1.0;

     require {
             type inetd_child_t;
             type rpm_script_t;
             class process transition;
     }

     #============= inetd_child_t ==============

     allow inetd_child_t rpm_script_t:process transition;

  3. Compile and apply the rule (no reboot needed):

     checkmodule -M -m -o checkmk-agent-autoupgrade.mod checkmk-agent-autoupgrade.te
     semodule_package -o checkmk-agent-autoupgrade.pp -m checkmk-agent-autoupgrade.mod
     semodule -i checkmk-agent-autoupgrade.pp
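
The documentation quoted earlier in the thread recommends analysing the SELinux logs before adjusting the policy. The following is an added example, not part of the original thread or of Checkmk: shell functions that summarise AVC denials and test whether the exact transition allowed by the module above was denied. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1614881052.560:901): avc:  denied  { transition } for  pid=4211 comm="cmk-update-agen" path="/usr/bin/rpm" dev="dm-0" ino=1337 scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1614881060.100:902): avc:  denied  { read } for  pid=4300 comm="httpd" name="notes.txt" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1614881052.560:901): arch=c000003e syscall=59 success=no exit=-13
EOF
}

# Print one line per AVC denial: <source type> <target type> <class> <perms>
# Reads the files given as arguments, or stdin when none are given.
avc_denials() {
    awk '
    /type=AVC/ && /denied/ {
        src = tgt = cls = perms = ""
        # the denied permissions sit between the braces
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }' "$@"
}

# Exit 0 only if the input contains the denial that the module above allows:
# inetd_child_t -> rpm_script_t, class process, permission transition.
needs_autoupgrade_rule() {
    avc_denials "$@" | awk '
        $1 == "inetd_child_t" && $2 == "rpm_script_t" && $3 == "process" &&
        ("," $4 ",") ~ /,transition,/ { found = 1 }
        END { exit !found }'
}

# On a real host, feed it recent audit records, for example:
#   ausearch -m AVC -ts recent | needs_autoupgrade_rule && echo "rule needed"
```

If the check finds no matching denial, the failing automatic update has a different cause and the module should not be installed on that host.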
