Changelog¶
debops-contrib.checkmk_agent
This project adheres to Semantic Versioning and human-readable changelog.
The current role maintainer is ganto.
debops-contrib.checkmk_agent master - unreleased¶
Added¶
- New inventory variable
checkmk_agent__server_inventory_group
which can be used to define custom Ansible host group name for Check_MK server lookup. [ganto] - Support
checkmk_agent__deploy_state
. [ypid] - Automatically enable the
smart
Check_MK agent plugin on physical hosts to query Self-Monitoring, Analysis and Reporting data from disks. [ypid] - Add Ansible facts documentation. [ypid]
- Add
checkmk_agent__git_dest_host
which can be used to clone the Check_MK only once to the Ansible controller. [ypid]
Changed¶
- Raise HTTP timeout for discovery and activation WebAPI calls to 120s to avoid timeout issues on large hosts with many service checks. [ganto]
- If possible run WebAPI invocation for automated agent registration and host attribute updates on the Check_MK server to avoid possible firewall issues. [ganto]
- Rename
checkmk_agent__hostname
tocheckmk_agent__fqdn
. You might need to update your inventory. [ypid] - Rename
checkmk_agent__group_plugin_map
tocheckmk_agent__facts_plugin_map
. You might need to update your inventory. [ypid] - Increase Ansible min version to
2.1.5
. Everything below is deprecated anyway and has vulnerabilities so you don’t want to use that anymore. [ypid]
Removed¶
- Remove the
debops_checkmk_agent
Ansible inventory group. Make sure your hosts are indebops_service_checkmk_agent
. [ypid]
Fixed¶
- Correctly use Ansible changed and skipped task filters. [ganto]
- Let xinetd bind on
AF_INET6
to ensure IPv6 reachability of the agent. [ypid] - Fix TCP Wrappers support for xinetd. [ypid]
- Ensure the
/etc/check_mk
directory is present before running dependency roles. Fixes MariaDB credentials configuration. [ypid]
Security¶
- Enforce known good git commit hashes. As upstream does not cryptographically sign their work,
the known good hashes have to be pinned manually in
checkmk_agent__git_version_map
of the role. [ypid]
debops-contrib.checkmk_agent v0.1.1 - 2017-01-23¶
Changed¶
- Run the debops.ferm role also when xinetd is not listed in
checkmk_agent__type
to allow to migrate between different types. [ypid]
Fixed¶
- Fix xinetd support which is filtered by
tcpwrappers
and which is configured by debops.tcpwrappers to deny all connections by default (whitelisting). [ypid] - Fix lookup of non-default monitoring site specified as Ansible local fact by the debops-contrib.checkmk_server role. [ganto]
Security¶
- Change git clone URL used to install additional plugins from
http://
to https://git.mathias-kettner.de/check_mk.git to mitigate potential MITM attacks against the unauthenticatedhttp://
connection. That, together with using the latest git master branch by default could result in malicious code being executed on systems where the agent is installed. git pull will use the new URL from now on. Note that "GnuTLS recv error[s]" have been observed which might have to be fixed elsewhere. "GnuTLS recv error (-9): A TLS packet with unexpected length was received" [ypid]