the new stable release 2.2.0p15 of Checkmk is ready for download.
This stable release ships with 29 changes affecting all editions of Checkmk,
3 changes for the Enterprise editions, 0 Cloud Edition specific and
1 Managed Services Edition specific changes.
Changes in all Checkmk Editions:
Agent bakery
15309 FIX: mk_oracle: broken section due to missing redirect…
Checks & agents
15311 FIX: align quoting of synchronous and asynchronous MRPE… NOTE: Please refer to the migration notes!
14217 FIX: No longer sporadically report stale services which are based on piggyback data…
16216 FIX: Resolve Runas section in Checkmk Linux agent…
16294 FIX: ibm_imm_temp: Fix ValueError (could not convert string to float: ‘’)…
16297 FIX: juniper_trpz_cpu_util: fix TypeError (‘>=’ not supported between instances of ‘float’ and ‘NoneType’)…
15303 FIX: logwatch_ec: remove spool files after reading them…
15307 FIX: logwatch_ec: tcp remote forwarding: create one spool file per service…
In the CRE deb package for Ubuntu 22.04 (and probably others), there is a bug with active checks that depend on openssl, e.g. check_http, check_ftp, check_tcp etc. These checks go critical after the update, saying
(Return code of 127 is out of bounds - plugin may be missing)
Workaround:
Symlink the old libraries like so (you might need to adapt the paths to your environment):
cd /opt/omd/versions/2.2.0p15.cre/lib
ln -s /opt/omd/versions/2.2.0p14.cre/lib/libcrypto.so.1.1
ln -s /opt/omd/versions/2.2.0p14.cre/lib/libssl.so.1.1
is that the reason why you removed the latest tag from docker hub?
Could not do a head request for “checkmk/check-mk-raw:latest”, falling back to regular pull.
Reason: registry responded to head request with “404 Not Found”, auth: “not present”
Unable to update container “/checkmk”: Error response from daemon: manifest for checkmk/check-mk-raw:latest not found: manifest unknown: manifest unknown. Proceeding to next.
Update on our side on both circumstances and current status:
In 2.2.0p15, we updated OpenSSL from 1.x to 3.x - a sensible thing to do from a security perspective. Fundamental changes like this are rather uncommon to be done in a patch release, thus we built quite some specific tests to ensure this change would not cause major issues.
All our internally built components worked without issues, however the monitoring plug-ins are not build vs OpenSSL 3.x currently. The change thus broke these checks in environments where OpenSSL 1.x is not installed on OS level. This specific case was not covered in our tests unfortunately due to build caches (Disclaimer: I lack the specific knowledge to be 100% sure, but this is what I understood from the discussions our devs had).
All customer sites, which were updated in advance as part of release testing, had OpenSSL 1.x installed already, so the issue didn’t appear there as well.
As we believe the active checks from the monitoring plugins used in Checkmk (e.g. check_http, check_tcp, …) are quite a fundamental piece and this would break monitoring for quite some users, we retracted the release.
To eliminate such problems in the future, we have on the one hand already improved our testing cases, and on the other hand are currently rewriting the most important active checks ourselves (check_http and as a consequence a complete new check_cert).
Where are we now regarding the release?
Yesterday, during release testing of 2.2.0p16, we discovered that some certificate checks went to CRITICAL - Cannot make SSL connection, which happens for hosts with deprecated cipher suits (as OpenSSL 3.x is quite harsh in this regard). This now requires a much more intricate handling, thus we decided to go back to OpenSSL 1.x until we have come up with a way how to handle such SSL connections. This gives us time to implement a proper solution now for this specific issue, and we hope that we can ship p16 in the coming days.
