debops-contrib.checkmk_agent default variables¶
Sections
Basic configuration options¶
-
checkmk_agent__base_packages
¶
List of base packages to install.
checkmk_agent__base_packages:
- 'check-mk-agent'
-
checkmk_agent__type
¶
List of Check_MK agent query protocols. Valid options are ssh and xinetd.
checkmk_agent__type: [ 'ssh' ]
-
checkmk_agent__allow
¶
List of IP addresses or network CIDR ranges allowed to connect to the Check_MK agent through the firewall. If list are empty, anyone can connect.
checkmk_agent__allow: []
-
checkmk_agent__deploy_state
¶
What is the desired state which this role should achieve? Possible options:
present
- Default. Ensure that the Check_MK agent is installed and configured as requested.
absent
- Ensure that the Check_MK agent is uninstalled and it's configuration is removed.
checkmk_agent__deploy_state: 'present'
Monitoring site integration¶
-
checkmk_agent__server_inventory_group
¶
Ansible inventory host group used to lookup the Check_MK server.
checkmk_agent__server_inventory_group: 'debops_service_checkmk_server'
-
checkmk_agent__server
¶
Ansible inventory name of Check_MK server. By default it will be autodetected
via checkmk_agent__server_inventory_group
host group configuration.
If the Check_MK server is not managed by Ansible, set this to False
.
checkmk_agent__server: '{{ groups[checkmk_agent__server_inventory_group][0]
if (checkmk_agent__server_inventory_group in groups) and
(groups[checkmk_agent__server_inventory_group] | length > 0)
else "" }}'
-
checkmk_agent__site
¶
Define Check_MK monitoring site name where the agent is registered. By default
it will be autodetected from the local facts stored under the checkmk_server
dictionary key. Fallback to site name debops
if checkmk_agent__server
is
undefined or the Ansible local facts for checkmk_agent__server
can't be
found. If the Check_MK server is managed manually this variable must be
defined accordingly in the Ansible inventory.
checkmk_agent__site: '{{ hostvars[checkmk_agent__server].ansible_local.checkmk_server.keys()[0]|d("debops")
if (checkmk_agent__server|d() and
(checkmk_agent__server in hostvars) and
("ansible_local" in hostvars[checkmk_agent__server]) and
("checkmk_server" in hostvars[checkmk_agent__server].ansible_local))
else "debops" }}'
-
checkmk_agent__autojoin
¶
Automatically add agent host to the Check_MK monitoring site. If the Check_MK
server is not managed by Ansible and you want automated agent registration to
work, manually define at least checkmk_agent__autojoin_url
,
checkmk_agent__autojoin_secret
and checkmk_agent__user_key
.
checkmk_agent__autojoin: '{{ True if checkmk_agent__autojoin_url else False }}'
-
checkmk_agent__autojoin_url
¶
Check_MK server WebAPI URL for agent registration. By default it will be
autodetected from the local facts stored under the checkmk_server
dictionary key. If the Check_MK server is managed manually this variable
must be defined accordingly in the Ansible inventory.
checkmk_agent__autojoin_url: '{{ hostvars[checkmk_agent__server].ansible_local.checkmk_server[checkmk_agent__site].webapi_url|d("")
if (checkmk_agent__server|d() and
(checkmk_agent__server in hostvars) and
("ansible_local" in hostvars[checkmk_agent__server]) and
("checkmk_server" in hostvars[checkmk_agent__server].ansible_local) and
(checkmk_agent__site in hostvars[checkmk_agent__server].ansible_local.checkmk_server))
else "" }}'
-
checkmk_agent__autojoin_user
¶
Account for agent registration via Check_MK WebAPI.
checkmk_agent__autojoin_user: 'ansible'
-
checkmk_agent__autojoin_secret
¶
Authentication secret for WebAPI registration. If the Check_MK server is managed manually the password path must be adjusted accordingly in the Ansible inventory.
checkmk_agent__autojoin_secret: '{{ lookup("password", secret + "/credentials/" + hostvars[checkmk_agent__server].ansible_fqdn + "/checkmk_server/" + checkmk_agent__site + "/" + checkmk_agent__autojoin_user + "/secret")|d("")
if checkmk_agent__server|d() and checkmk_agent__site|d() else "" }}'
-
checkmk_agent__fqdn
¶
FQDN of the agent host used for registration.
checkmk_agent__fqdn: '{{ ansible_local.core.fqdn
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.fqdn|d())
else ansible_fqdn }}'
-
checkmk_agent__host_attributes
¶
Check_MK attributes and WATO tags used for managing the host. For more details check checkmk_agent__host_attributes.
checkmk_agent__host_attributes:
tag_agent: '{{ "cmk-agent-ssh" if "ssh" in checkmk_agent__type|d(["ssh"]) else "cmk-agent" }}'
-
checkmk_agent__discovery_mode
¶
Service discovery mode. Possible values are new
(only find new services),
remove
(remove exceeding services), fixall
(remove exceeding and add
new services), refresh
(clean all autochecks and discover from scratch)
and False
(don't run service discovery).
checkmk_agent__discovery_mode: 'new'
Agent xinetd options¶
-
checkmk_agent__exec
¶
Check_MK agent executable path. If you query the agent from multiple
servers, you may want to set this to /usr/bin/check_mk_caching_agent
.
checkmk_agent__exec: '/usr/bin/check_mk_agent'
-
checkmk_agent__port
¶
Listen port for Check_MK agent.
checkmk_agent__port: '6556'
Agent SSH user options¶
-
checkmk_agent__ssh_user
¶
SSH user to query Check_MK agent.
checkmk_agent__ssh_user: 'checkmk'
-
checkmk_agent__ssh_group
¶
Primary group of SSH user querying Check_MK agent.
checkmk_agent__ssh_group: 'checkmk'
-
checkmk_agent__ssh_allow_group
¶
Group membership required to access the system by SSH. If the AllowGroups
sshd_config
option is not managed by debops.sshd this variable
might need to be defined accordingly in the Ansible inventory.
checkmk_agent__ssh_allow_group: '{{ "sshusers"
if ("sshd" in ansible_local) and
("allow_groups" in ansible_local.sshd) and
("sshusers" in ansible_local.sshd.allow_groups)
else "" }}'
-
checkmk_agent__user_home
¶
Home directory of the SSH user querying the Check_MK agent.
checkmk_agent__user_home: '/var/lib/check_mk_agent'
-
checkmk_agent__user_key
¶
Public key for user authentication when accessing the agent via SSH. By
default it will be autodetected from the local facts stored under the
checkmk_server
dictionary key. If the Check_MK server is managed manually
this variable must be defined accordingly in the Ansible inventory.
checkmk_agent__user_key: '{{ hostvars[checkmk_agent__server].ansible_local.checkmk_server[checkmk_agent__site].ssh_public_key|d("")
if (checkmk_agent__server|d() and
(checkmk_agent__server in hostvars) and
("ansible_local" in hostvars[checkmk_agent__server]) and
("checkmk_server" in hostvars[checkmk_agent__server].ansible_local) and
(checkmk_agent__site in hostvars[checkmk_agent__server].ansible_local.checkmk_server))
else "" }}'
Agent plugins¶
-
checkmk_agent__plugins
¶
List of upstream Check_MK agent plugins to always enable.
checkmk_agent__plugins: []
-
checkmk_agent__group_plugins
¶
"Host Group" list of upstream Check_MK agent plugins to always enable.
checkmk_agent__group_plugins: []
-
checkmk_agent__host_plugins
¶
"Host" list of upstream Check_MK agent plugins to always enable.
checkmk_agent__host_plugins: []
-
checkmk_agent__plugin_autodetect
¶
Try to install Check_MK agent plugins for hardware and applications auto detected via Ansible facts.
checkmk_agent__plugin_autodetect: True
-
checkmk_agent__autodetected_plugins
¶
Autodetected list of upstream Check_MK agent plugins to enable.
checkmk_agent__autodetected_plugins:
- '{{ ["smart"] if (ansible_virtualization_role in ["host"]) else [] }}'
-
checkmk_agent__facts_plugin_map
¶
Ansible local facts to Check_MK plugin mapping.
If the Ansible local fact is present and optional conditions defined in the
templates/etc/ansible/facts.d/checkmk_agent.fact.j2
file are met, the
Check_MK plugin will be enabled.
checkmk_agent__facts_plugin_map:
mariadb: 'mk_mysql'
mysql: 'mk_mysql'
nginx: 'nginx_status'
apache: 'apache_status'
-
checkmk_agent__combined_plugins
¶
Combined list of all plugins which are going to be installed.
Specified as Ansible local fact so that this variable is also valid in when
conditions evaluated in the context of other roles called from the same playbook as this role.
checkmk_agent__combined_plugins: '{{ ansible_local.checkmk_agent.plugins
if (ansible_local|d() and ansible_local.checkmk_agent|d() and
ansible_local.checkmk_agent.plugins|d())
else [] }}'
-
checkmk_agent__plugin_path
¶
Destination path to install the Check_MK agent plugins.
checkmk_agent__plugin_path: '/usr/lib/check_mk_agent/plugins'
MySQL/MariaDB monitoring plugins options¶
-
checkmk_agent__plugin_mysql
¶
Determines how to configure the mk_mysql
monitoring plugin. If this is
set to automatic
a database user which has read access to the database
server will be created. Set to manual
to configure it manually.
See https://mathias-kettner.de/checkmk_mysql.html
checkmk_agent__plugin_mysql: 'automatic'
-
checkmk_agent__plugin_mysql_user
¶
Database user account name to use for monitoring.
checkmk_agent__plugin_mysql_user: 'monitor'
-
checkmk_agent__plugin_mysql_password
¶
Database user password to use for monitoring.
checkmk_agent__plugin_mysql_password: '{{
lookup("password", secret + "/mariadb/" + (ansible_local.mariadb.delegate_to
if (ansible_local.mariadb|d() and ansible_local.mariadb.delegate_to|d()) else "") +
"/credentials/" + checkmk_agent__plugin_mysql_user + "/password length=48") }}'
-
checkmk_agent__plugin_mysql_priv
¶
Privileges of the database user used for monitoring.
checkmk_agent__plugin_mysql_priv: '*.*:SELECT,SHOW DATABASES'
nginx monitoring plugins options¶
-
checkmk_agent__plugin_nginx_servers
¶
This option allows you to configure the servers which the nginx_status
plugin should monitoring. This might be required when the auto detection of
the plugin fails for example because the default server does not allow
/nginx_status
. This can happen because the plugin tires to connect with
the IP address set as Host.
This is currently set manually to localhost
as workaround. See
https://github.com/debops-contrib/ansible-checkmk_agent/pull/3
Examples:
1 2 3 4 5 6 7 8 9 10 | checkmk_agent__plugin_nginx_servers:
- proto: 'http'
ipaddress: 'some-appliance.corp.com'
port: 80
- proto: 'http'
ipaddress: '[::1]'
port: 80
# Or:
checkmk_agent__plugin_nginx_servers: 'automatic'
|
checkmk_agent__plugin_nginx_servers:
- proto: 'http'
ipaddress: 'localhost'
port: 80
Agent plugins source options¶
-
checkmk_agent__git_dest_host
¶
The host to which the Check_MK agent source directory should be cloned.
Can be set to localhost
so that the repo is only cloned one time and not
once for each host.
checkmk_agent__git_dest_host: '{{ inventory_hostname }}'
-
checkmk_agent__git_repo
¶
Check_MK agent source repository.
checkmk_agent__git_repo: 'https://git.mathias-kettner.de/check_mk.git'
-
checkmk_agent__git_dest
¶
Check_MK agent source directory on the host.
checkmk_agent__git_dest: '{{ "/usr/local/src/check-mk/" + checkmk_agent__git_repo.split("://")[1] }}'
-
checkmk_agent__git_version_map
¶
Map from Check_MK release to git commit hash. This is done because Check_MK does not cryptographically signed their work and this role wants to comply with the DebOps Software Source Policy.
checkmk_agent__git_version_map:
'v1.2.6p12': 'cf2aaf2f7d60ca0445a239915bfc41aa6f3ee739'
'v1.2.6p20': '988e5d4e8fbcf9ac73365ffcfb2d12080c4ee052'
'v1.2.8p16': 'e5e216abca9a946a29eab94334be30cc146e7fec'
-
checkmk_agent__git_version_unsigned_fallback
¶
Defines the behavior when a requested version is not specified in
checkmk_agent__git_version_map
.
When this is set to True
and no mapping for the used release is found,
the role will fallback to using the unsigned git tag directly!
checkmk_agent__git_version_unsigned_fallback: False
-
checkmk_agent__git_version
¶
Check_MK agent git branch to deploy. Set auto
to set version to dpkg
package version.
checkmk_agent__git_version: 'auto'
Configuration for other Ansible roles¶
-
checkmk_agent__apt_preferences__dependent_list
¶
Configuration for the debops.apt_preferences role.
checkmk_agent__apt_preferences__dependent_list:
- package: 'check-mk-agent'
backports: [ 'jessie' ]
reason: 'Package not available in stable Debian Jessie'
by_role: 'debops-contrib.checkmk_agent'
state: '{{ "present"
if (checkmk_agent__deploy_state in ["present"])
else "absent" }}'
-
checkmk_agent__etc_services__dependent_list
¶
Configuration for the debops.etc_services role which registers port numbers for Check_MK agent.
checkmk_agent__etc_services__dependent_list:
- name: 'check-mk-agent'
port: '{{ checkmk_agent__port }}'
comment: 'Check_MK agent (via xinetd)'
state: '{{ "present"
if (("xinetd" in checkmk_agent__type) and
(checkmk_agent__deploy_state in ["present"]))
else "absent" }}'
-
checkmk_agent__ferm__dependent_rules
¶
Configuration for the debops.ferm role.
checkmk_agent__ferm__dependent_rules:
- type: 'accept'
dport: [ 'check-mk-agent' ]
saddr: '{{ checkmk_agent__allow }}'
accept_any: True
weight: '20'
by_role: 'debops-contrib.checkmk_agent'
rule_state: '{{ "present"
if (("xinetd" in checkmk_agent__type) and
(checkmk_agent__deploy_state in ["present"]))
else "absent" }}'
-
checkmk_agent__tcpwrappers__dependent_allow
¶
Configuration for the debops.tcpwrappers Ansible role.
checkmk_agent__tcpwrappers__dependent_allow:
- daemon: 'inetd'
comment: 'Ensure legacy tcpwrappers ACL is absent'
by_role: 'debops-contrib.checkmk_agent'
state: 'absent'
- daemon:
- 'check_mk_agent'
- 'check_mk_caching_agent'
## Not required:
# - 'inetd'
# - 'xinetd'
client: '{{ checkmk_agent__allow }}'
accept_any: False
weight: '50'
comment: 'Allow remote connections to the Check_MK agent'
by_role: 'debops-contrib.checkmk_agent'
state: '{{ "present"
if (("xinetd" in checkmk_agent__type) and
(checkmk_agent__deploy_state in ["present"]))
else "absent" }}'
Authorized key configuration for the debops.authorized_keys role.
checkmk_agent__authorized_keys__dependent_list:
- name: '{{ checkmk_agent__ssh_user }}'
group: '{{ checkmk_agent__ssh_group }}'
sshkeys:
- '{{ checkmk_agent__user_key }}'
options: '{{ authorized_keys__options_map.strict }}'
key_options: 'command="{{ "/usr/bin/sudo " if not checkmk_agent__ssh_user == "root" else "" }}{{ checkmk_agent__exec }}"'
state: '{{ "present"
if (("ssh" in checkmk_agent__type) and
(checkmk_agent__deploy_state in ["present"]))
else "absent" }}'
-
checkmk_agent__mariadb__dependent_users
¶
Database user definition for the debops.mariadb role.
checkmk_agent__mariadb__dependent_users:
- user: '{{ checkmk_agent__plugin_mysql_user }}'
password: '{{ checkmk_agent__plugin_mysql_password }}'
priv: '{{ checkmk_agent__plugin_mysql_priv }}'
priv_default: False
priv_aux: False
append_privs: False
owner: 'root'
# group: '{{ checkmk_agent__ssh_group }}'
creds_path: '/etc/check_mk/mysql.cfg'
state: '{{ "present" if (checkmk_agent__deploy_state in ["present"]) else "absent" }}'