CMK version: 2.0.0p17 (CFE) OS version: Windows (agent)
Error message: [ERROR:CRITICAL] Size of data is too big 33940800
I can not update the CVE-2021-44228-log4j scanner plugin to the latest scanner.
After doing so the check_mk_update plugin will leave the checkmk agent in an
inconsistent state. The mk_agent_update plugin is gone and also the log4j2-scan.exe plugin.
The only difference betwen the working and the new version is the size of the log4j2-scan.exe.
It gas grown from 13MB to 33MB.
In the logfile of the installer (C:\ProgramData\checkmk\agent\log\agent_msi.log) I have founf this messages:
2022-02-14 12:22:56.752 [srv 7176] [Trace] Processing file 'plugins/..\bin\log4j2-scan.exe'
2022-02-14 12:22:56.753 [srv 7176] [Trace] Processing 33940800 bytes of data
2022-02-14 12:22:56.753 [srv 7176] [ERROR:CRITICAL] Size of data is too big 33940800
2022-02-14 12:22:56.754 [srv 7176] [ERROR:CRITICAL] Invalid cap file, [name] plugins/..\bin\log4j2-scan.exe
2022-02-14 12:22:56.754 [srv 7176] [Err ] CAP file C:\Program Files (x86)\checkmk\service\install\plugins.cap looks as bad
The question is, is this by design, or is this an bug.
There are two problems with this
I can not update the plugin
More important: as the automatic update of the agent is no longer working after updating to this agent package, I can not automatically rollback to a working version.
Until the bug fix has been released, we recommend everyone to disable the Log4J MKP rollout through the agent bakery or at least to not attempt to update to the current version!
We are sorry for the inconvenience and a said a fix is expected shortly.
To sum up: This is a general problem only coincidentally triggered by the size of the scanner executable. @thl-cmk described the problem pretty good, if the cab file for the agent installation grow too big, the installation fails and leaves the agent in an inconsistent state, and it obviously has unexpected and severe repercussions. @thl-cmk: I assume your update has already been published, or are you still in testing?
Why 64 MB? Is there a special reason to make it not for 1024 MB for example, or even on limit?
64 MB as a limit is valid only for a server(monitoring sire). Server doesn’t allow embedding bigger file. If you really need something very big, then it is quite easy to patch this limit. Also, the final value of the limit is not written in stone: on requests from clients, we can change the value without hesitation. And there is no special reason to set a limit on 64 MB, just a soft recall, that Windows agent is not intended for mass deployment of third-party software.
Limit on client site 1024 MB, it is just a RAM protection.
Why not say: do not use the bakery as software deployment, If you need to deploy large files (executables) do it outside of CMK?
For me this is self-evident, and I did say this many times