Bootstrapping Automatic Check_MK Agent Updates



     One of the most powerful features of Check_MK Enterprise edition, and something we get asked about quite often, is the Agent Bakery and how to use it to automatically update your endpoint monitoring agents.

     In this article we will explain what the Agent Bakery is, and cover a simple strategy to deploy the Agent on your endpoints.

     Your infrastructure may be complicated, consisting of hundreds or thousands of hosts running with several different software stacks or network topologies. The Agent Bakery allows for conditional configuration and automatic deployments of your Agent packages based on pre-defined rule sets. 
Simply put, managing your monitoring configuration on a per-endpoint basis is a thing of the past. 

Getting Started With The Bakery

     When you first enter the Agent Bakery, you will see the default Agent package available for download.
This agent has no special configuration applied and acts as a generic agent. To properly use this agent as a template, we will want to enable automatic updates.

2018-01-25-184218_976x163_scrot.png

Setting Up Automatic Updates 

     From the Bakery mask, clicking the "Automatic Updates" button at the top brings us to a list of tasks we must accomplish in order to enable the update system.

2018-01-25-185151_877x292_scrot.png

1) Configure Signature Keys
Signature keys are a security measure and are used for verifying the authenticity of a package, much like your OS maintainer signing packages in the repository. 

To create a new key, click the edit icon. You will be prompted for a password. 
(Do NOT forget your password or you will not be able to deploy agents!)

This will create a cryptographic signing key. An agent package must be signed with this key for the endpoint to accept the update. We will need this later. 


2) Configure Agent Update Plugin
The automatic update feature is a plugin for the Agent.
We must configure it to be deployed with the package.

2018-01-25-193510_828x378_scrot.png

Here we see the parameters that the update plugin takes. The parameters selected are explained below. 

   1) Under "Activation", we will select that we want to deploy the update plugin. 

   2) We can optionally specify a time interval for the endpoint to check for an update. By default this is every hour.

   3) This will be the FQDN or the IP address of the Check_MK server. This is where the endpoint will check for updates.

   4) This is the name of the Check_MK site on which the endpoint is monitored.
        In my case I have one site called "mynewsite".

   5) We must specify which protocol to contact the Check_MK site with. 

   6) Finally, we select the key(s) that the endpoint will accept packages signed by. 
       In my case, my key is named "qwe".


There are no filters applied to this rule, as we wish to use this as a new base template for automatic deployments and would like this applied to every host on the system.


3) Bake Your First Agent
Now that we have configured an agent package that includes the automatic update plugin, we must "bake it" into an installable package. 

Back in the main Agent Bakery mask, there is a button labeled "Bake Agents".

2018-01-25-193800_1282x360_scrot.png

Once the Agent is "Baked" there will be a new entry in the list of available downloads.
As you can see this new Agent contains the configuration necessary to facilitate automatic updates. 
At this point, we will use this as our new standard Agent package.

4) Sign Baked Agents
It is important to remember that after new Agent packages have been baked, we must sign them with our key. 
There is a button at the top labeled "Sign All Agents". Upon pressing this, you will be prompted for the password of your key. 

5) Register Your Agent With The Check_MK Server
With the initial configuration complete, we can now start deploying our packages. 
This will be covered in the next section.

 

Deploying The Agent

     Since you cannot retrospectively update agents that do not have the plugin installed, it may be necessary to re-install if you are running an old or generic agent version.

     Download and install the new agent build that is applicable for your platform.
For automatic bootstrapping with utilities such as Ansible, the package can be stored on a configuration management system, or put into an HTTP accessible directory on the monitor such as <sitehome>/var/www/.

     After installation, the endpoint must be registered with the Check_MK site.

2018-01-26-131743_795x344_scrot.png

     For this demo, I have manually installed the Agent on my workstation. You can see the registration process in the screenshot above.

     Since most of the parameters required for registration were already specified when we baked the agent, we only need to specify two during installation.

   1) The endpoint name as it appears in WATO.
       My workstation is monitored on the Check_MK site with the host name of "cbass".
  
   2) An administrative user for WATO.
       In this case I am just using the default "cmkadmin" account.
       This account is used only once, for registration, and the credentials are not stored on the endpoint.

In order to perform the registration process within an automation script, you may simply run:
       /usr/bin/cmk-update-agent register -s <serveraddress> -i <sitename> -H <endpointname> -p http -U '<adminuser>' -P '<password>' -v
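
A wrapper for the registration command above, as an added example that is not part of the original article or of Check_MK itself: it validates the values, refuses a password file that other users can read, and only then runs the command with the same options. The function names, the CMK_UPDATE_BIN variable and the password file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article. Helper names, CMK_UPDATE_BIN and the
# password file are assumptions; the register options are the ones shown above.

# Reject empty values, values that start with "-" (would be parsed as an
# option) and anything outside letters, digits, ".", "_" and "-".
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The password file must be a regular file (no symlink) readable by its owner only.
check_secret_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: register_agent <server> <site> <endpoint> <http|https> <adminuser> <password-file>
# Returns 2 for a bad value, 3 for an unusable password file.
register_agent() {
    bin=${CMK_UPDATE_BIN:-/usr/bin/cmk-update-agent}
    for value in "$1" "$2" "$3" "$5"; do
        valid_name "$value" || { echo "invalid value: $value" >&2; return 2; }
    done
    # With http the admin password crosses the network unencrypted.
    case "$4" in
        http|https) ;;
        *) echo "protocol must be http or https" >&2; return 2 ;;
    esac
    check_secret_file "$6" || { echo "password file must be mode 600 or 400" >&2; return 3; }
    # Read the first line of the file; keeps the password out of the script
    # and the shell history. It is still visible in the process list while
    # the command runs, because -P takes it as an argument.
    IFS= read -r password < "$6" || [ -n "$password" ] || return 3
    "$bin" register -s "$1" -i "$2" -H "$3" -p "$4" -U "$5" -P "$password" -v
}
```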


The Master Switch
     Looking back at the Bakery, we can see that our endpoint is now registered and it is time to flip the master switch.

     For this, simply click the pencil icon next to "Master Switch".

2018-01-26-134544_694x205_scrot.png


     Now that automatic updates are configured for all hosts using this base agent package, it is a much simpler job to manage endpoint configuration. Any rules that you create, or modifications you make to your plugins, will be automatically applied.


Resources:
http://mathias-kettner.com/cms_wato_monitoringagents.html
http://mathias-kettner.com/cms_agent_deployment.html
