Correct configuration of piggyback

elyvar · April 15, 2024, 8:25am

**CMK version:Checkmk Raw Edition 2.2.0p18
**OS version:Ubuntu 22.04

Hello everyone,

I’m contacting you because I’m having problems with the configuration of the piggyback mechanism in CheckMK. I am aware that there are already several threads and documentation on the subject, but I am still having problems.

I’m not sure if it’s just a matter of basic understanding, but let me briefly explain my setup:

I have Host-A which sends its data to the checkMK host as normal via agents
and Host-B behind NAT, whose information is to be transmitted to the checkMK host via Host-A

As I understand it, agent outputs from other hosts can be stored in the spool directory, whereby these must have a header with the host name:

<<<<Host-B Hostname>>>>
<<<check_mk>>>>
[Agent-Output]
<<<<>>>>

This works so far, but now to my actual problem. How do I query this information regularly? I have written a simple bash script which retrieves the agent on Host-B and writes the output to a file in the spool directory, I have thrown this script into the plugins folder in the hope that it will also be executed with every automatic check - but it will not.

When I run the agent manually, the plugins are executed.

Script:

#!/bin/bash
output_file="/var/lib/check_mk_agent/spool/staging-tomcat"

echo "<<<<Host-B>>>>" > "$output_file"
ssh -T Host-B '/usr/bin/check_mk_agent' >> "$output_file"
echo "<<<<>>>>" >> "$output_file"

Dirk · April 15, 2024, 8:37am

The code looks right to me. Notice that the agent is usually run as root so the ssh to Host-B is also done as root. Often it is forbidden to connect to other machines as root. Might that be the problem?

r.sander · April 15, 2024, 8:41am

If you can fetch host B’s agent data directly via SSH from an agent plugin there is no need for the spool file.

Just use this as agent plugin:

#!/bin/bash
echo "<<<<Host-B>>>>"
ssh -T Host-B '/usr/bin/check_mk_agent'
echo "<<<<>>>>"

elyvar · April 15, 2024, 9:16am

When I run the script manually, I get the agent output from Host-B as intended. I control access via policies that allow the agent to run as root.

elyvar · April 15, 2024, 9:20am

If I adjust the lines and work without a spool file, the host receives no information and the service ends up in stale mode.

I am afraid that my scripts will not be executed during the regular checks. In the plugins folder there are also other plugins from the plugin catalog from checkMK, these are also executed without any problems. There should also be no authorization problem, because my own scripts have exactly the same authorizations.

Dirk · April 15, 2024, 9:25am

As which user do you run the agent and/or the script? As “your” user or as root?
In other words: If you are root on your local machine, can you then do a ssh Host-B?

Does it make a difference if you drop the -T option from the ssh command, i.e. just

ssh Host-B '/usr/bin/check_mk_agent'

and let the ssh figure out if a terminal emulation is required or not?

elyvar · April 16, 2024, 6:47am

Sorry for the late reply.
It was indeed a problem with the permissions of the executing user.

Thanks!