If you don’t use the bakery and want to manually configure the agent to run as non-root, you don’t need to modify any source code or recompile anything.
On systemd systems the dataflow is as follows:
- The systemd service cmk-agent-ctl-daemon.service listens on TCP port 6556 (by default).
- If that daemon decides to call the checkmk agent, it talks into the local unix domain socket /run/check-mk-agent.socket.
- That socket is controlled by the systemd socket unit check-mk-agent.socket.
- If something “happens” on that socket, systemd starts the service unit check-mk-agent@.service which then in turn runs the agent.
(See also this post for a picture.)
So in the end it is the unit check-mk-agent@.service that starts the agent, and by default it does so as user root.
See systemctl cat check-mk-agent@.service:
# /usr/lib/systemd/system/check-mk-agent@.service
[Unit]
Description=Checkmk agent
[Service]
# "-" path prefix makes systemd record the exit code,
# but the unit is not set to failed.
ExecStart=-/usr/bin/check_mk_agent
Environment='MK_RUN_ASYNC_PARTS=false'
Environment='MK_READ_REMOTE=true'
Type=simple
User=root
StandardInput=socket
If you want to change the user, do not edit that unit file. Instead, create a so-called override file or drop-in in the directory /etc/systemd/system/check-mk-agent@.service.d/, e.g.
/etc/systemd/system/check-mk-agent@.service.d/override.conf
with the following content:
# drop-in that changes the user that runs the checkmk agent to "some-user"
[Service]
User=some-user
Instead of creating the directory and file yourself you can also run
systemctl edit check-mk-agent@.service
This will create the directory and override file and open an editor for you.
Do the same for the asynchronous part of the agent:
systemctl edit check-mk-agent-async.service
When done, run
systemctl daemon-reload
systemctl restart check-mk-agent-async.service
The advantage of using a systemd drop-in (or override) file is that your changes won’t get undone by an update of the checkmk agent.
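
The steps above as a small shell helper, plus a check that the drop-in really took effect. This is an added example, not part of the original post or of checkmk; the function names and the DESTDIR variable (for dry runs into a scratch directory) are assumptions.

```shell
#!/bin/sh
# Added example. DESTDIR is an assumption: leave it unset on a real host,
# set it to a scratch directory to try the functions without touching /etc.

# write_dropin UNIT USER: create /etc/systemd/system/UNIT.d/override.conf
write_dropin() {
    dir="${DESTDIR:-}/etc/systemd/system/$1.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nUser=%s\n' "$2" > "$dir/override.conf"
}

# effective_user: read `systemctl cat UNIT` output on stdin (unit file first,
# drop-ins after it) and print the user the service will run as.
# The last User= inside a [Service] section wins; no assignment, or an
# empty one, means the systemd default for system services: root.
effective_user() {
    awk '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*User[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            user = $0
        }
        END { print (user == "" ? "root" : user) }
    '
}

# audit_units UNIT...: print the effective user of each unit and return
# non-zero if any of them still runs as root (or cannot be read at all).
audit_units() {
    rc=0
    for unit in "$@"; do
        user=$(systemctl cat "$unit" 2>/dev/null | effective_user)
        echo "$unit: $user"
        [ "$user" != "root" ] || rc=1
    done
    return $rc
}
```

After calling write_dropin for check-mk-agent@.service and check-mk-agent-async.service, run the daemon-reload and restart shown above, then `audit_units check-mk-agent@.service check-mk-agent-async.service`.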