Checkmk / ansible-collection-checkmk.general

The official Checkmk Ansible collection - brought to you by the Checkmk company.
https://galaxy.ansible.com/checkmk/general
GNU General Public License v3.0

[BUG] Error in the Agent role, Firewall seems to be only installed if checkmk_agent_server is an ip address #593

Closed hasselk closed 5 months ago

hasselk commented 6 months ago

Describe the bug

It seems the firewall rules (RedHat and Debian) are only created if the checkmk_agent_server is an IP address and skipped when not, which seems a bit odd since you need an FQDN if you want to use https and check the cert.

Component Name

Component Name: roles/agent/tasks/Debian.yml and Redhat.yml

Ansible Version

ansible [core 2.14.5]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.8 (main, Feb 19 2024, 22:58:08) [GCC 12.2.1 20220924] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Checkmk Version and Edition

2.2.0p24 (CRE)

Collection Version

Collection                    Version
----------------------------- -------
amazon.aws                    5.4.0
ansible.netcommon             4.1.0
ansible.posix                 1.5.2
ansible.utils                 2.9.0
ansible.windows               1.13.0
arista.eos                    6.0.1
awx.awx                       21.14.0
azure.azcollection            1.15.0
check_point.mgmt              4.0.0
chocolatey.chocolatey         1.4.0
cisco.aci                     2.6.0
cisco.asa                     4.0.0
cisco.dnac                    6.7.1
cisco.intersight              1.0.27
cisco.ios                     4.5.0
cisco.iosxr                   4.1.0
cisco.ise                     2.5.12
cisco.meraki                  2.15.1
cisco.mso                     2.4.0
cisco.nso                     1.0.3
cisco.nxos                    4.3.0
cisco.ucs                     1.8.0
cloud.common                  2.1.3
cloudscale_ch.cloud           2.2.4
community.aws                 5.4.0
community.azure               2.0.0
community.ciscosmb            1.0.5
community.crypto              2.12.0
community.digitalocean        1.23.0
community.dns                 2.5.3
community.docker              3.4.3
community.fortios             1.0.0
community.general             6.6.0
community.google              1.0.0
community.grafana             1.5.4
community.hashi_vault         4.2.0
community.hrobot              1.8.0
community.libvirt             1.2.0
community.mongodb             1.5.2
community.mysql               3.6.0
community.network             5.0.0
community.okd                 2.3.0
community.postgresql          2.3.2
community.proxysql            1.5.1
community.rabbitmq            1.2.3
community.routeros            2.8.0
community.sap                 1.0.0
community.sap_libs            1.4.1
community.skydive             1.0.0
community.sops                1.6.1
community.vmware              3.5.0
community.windows             1.12.0
community.zabbix              1.9.3
containers.podman             1.10.1
cyberark.conjur               1.2.0
cyberark.pas                  1.0.17
dellemc.enterprise_sonic      2.0.0
dellemc.openmanage            6.3.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
dellemc.powerflex             1.6.0
dellemc.unity                 1.6.0
f5networks.f5_modules         1.23.0
fortinet.fortimanager         2.1.7
fortinet.fortios              2.2.3
frr.frr                       2.0.2
gluster.gluster               1.0.2
google.cloud                  1.1.3
grafana.grafana               1.1.1
hetzner.hcloud                1.11.0
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.11.0
infinidat.infinibox           1.3.12
infoblox.nios_modules         1.4.1
inspur.ispim                  1.3.0
inspur.sm                     2.3.0
junipernetworks.junos         4.1.0
kubernetes.core               2.4.0
lowlydba.sqlserver            1.3.1
mellanox.onyx                 1.0.0
microsoft.ad                  1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0
netapp.ontap                  22.5.0
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.4.0
netbox.netbox                 3.12.0
ngine_io.cloudstack           2.3.0
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.3
openstack.cloud               1.10.0
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   2.4.1
purestorage.flasharray        1.17.2
purestorage.flashblade        1.11.0
purestorage.fusion            1.4.2
sensu.sensu_go                1.13.2
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.32.2
theforeman.foreman            3.10.0
vmware.vmware_rest            2.3.1
vultr.cloud                   1.7.0
vyos.vyos                     4.0.2
wti.remote                    1.0.4

To Reproduce

Steps to reproduce the behavior: run a playbook that uses the agent role with an FQDN as the checkmk_agent_server and set checkmk_agent_configure_firewall: 'true'. The FW rule does not get generated.

Expected behavior

Convert the FQDN to an IP and use that as the checkmk_agent_server_ip.

Actual behavior

Currently the firewall rule generation gets completely skipped if checkmk_agent_server is not an IP.

Minimum reproduction example

- name: "Install and Register hosts Agents"
  hosts: cmk_clients
  collections:
    - checkmk.general
  vars:
    checkmk_agent_server: "test.example.com"
    checkmk_agent_site: monitoring
    checkmk_agent_user: XXXXX
    checkmk_agent_pass: XXXXX

    # client agent config
    checkmk_agent_edition: cre
    checkmk_agent_version: "2.2.0p24"
    checkmk_agent_discover: 'true'
    checkmk_agent_update: 'false'              #Register host for automatic updates
    checkmk_agent_configure_firewall: 'true'
    checkmk_agent_add_host: 'false'
    checkmk_agent_server_protocol: https
    checkmk_agent_tls: 'true'
  roles:
    - agent

Additional context

robin-checkmk commented 6 months ago

I have not tested this yet, but from a quick look at the code this issue seems valid.

Now there are different approaches in how to handle this. In general, we need to check first, whether the variable checkmk_agent_server is an IP. Based on that we can use the IP, or we need to look up the IP address. While this sounds trivial, there can be several caveats: Firstly, is the name resolvable? If so, is the resolved IP the correct one (thinking about NAT here). And there is probably more.

Of course one could go the less smart way and just add the internally-used variable checkmk_agent_server_ip to the defaults and set it explicitly. That would make things easier on the one hand, but more error-prone on the other.

I need to think about this and look at the available options from a technical perspective.
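The approach sketched in the comment above (check whether checkmk_agent_server is already an IP, otherwise look it up, and fall back to an explicit variable), written out as an added example play. This is not the collection's own code and not what #597 implemented; it assumes the ansible.utils collection for the ipaddr filter and community.general with dnspython on the controller for the dig lookup. The hostname and the name checkmk_agent_server_ip as a user-settable override are constructed for the example.

```yaml
# Added example, not the checkmk.general role's own tasks: derive
# checkmk_agent_server_ip from checkmk_agent_server so a firewall rule can
# be written whether the variable holds an IP address or an FQDN.
- name: "Derive the Checkmk server IP for the agent firewall rule"
  hosts: cmk_clients
  vars:
    checkmk_agent_server: "test.example.com"   # constructed sample value
    # Optional explicit override (assumed variable name). Useful when the
    # Checkmk server sits behind NAT and DNS returns an address that the
    # agent host cannot actually reach.
    checkmk_agent_server_ip: ""
  tasks:
    - name: "Use the server variable directly when it already is an IP address"
      ansible.builtin.set_fact:
        checkmk_agent_server_ip: "{{ checkmk_agent_server }}"
      when:
        - checkmk_agent_server_ip | length == 0
        - checkmk_agent_server | ansible.utils.ipaddr

    - name: "Otherwise resolve the FQDN on the controller (first A record)"
      ansible.builtin.set_fact:
        # dig returns ['NXDOMAIN'] for unresolvable names; the assert below
        # catches that instead of writing a bogus rule.
        checkmk_agent_server_ip: >-
          {{ lookup('community.general.dig', checkmk_agent_server, wantlist=True) | first }}
      when:
        - checkmk_agent_server_ip | length == 0
        - not (checkmk_agent_server | ansible.utils.ipaddr)

    - name: "Fail loudly instead of silently skipping the firewall rule"
      ansible.builtin.assert:
        that:
          - checkmk_agent_server_ip | ansible.utils.ipaddr
        fail_msg: >-
          Could not determine a usable IP address for
          {{ checkmk_agent_server }}. Set checkmk_agent_server_ip explicitly.

    - name: "Show the address the firewall rule would be built from"
      ansible.builtin.debug:
        msg: "Allowing agent port from {{ checkmk_agent_server_ip }}"
```

Resolving on the controller rather than on each managed host keeps the result consistent across the inventory, but it is also why the explicit override matters: the controller's view of DNS is not necessarily the NAT-translated address the agent hosts see, and a rule that opens the agent port to the wrong source is the outcome the assert is meant to prevent.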

robin-checkmk commented 6 months ago

Hey @hasselk! I implemented something in #597 that should help you solve your issue. Please let me know what you think. Maybe even leave a review. :)

robin-checkmk commented 5 months ago

As there was no feedback and 5.0.0 was released over the weekend, I consider this done.