ID: 14967
Title: Timesyncd check plugin: Include metrics for sync times, change check behavior when NTP server not reachable and future-proofing
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Since at least systemd v250 <tt>/var/lib/systemd/timesync/clock</tt> should no longer be used to determine the time since the last synchronisation, instead the modification time of <tt>/run/systemd/timesync/synchronized</tt> is now used.
To monitor the reliability of this time, this werk also introduces two new metrics:
LI: Time since last synchronisation: The modification time of <tt>/run/systemd/timesync/synchronized</tt> if available, otherwise <tt>/var/lib/systemd/timesync/clock</tt>.
LI: Time since last NTPMessage: When the last message from the NTP server was received.
To have these metrics available, the Checkmk linux agent needs to be updated, otherwise only the time since last synchronisation based on <tt>/var/lib/systemd/timesync/clock</tt> will be shown.
Since the modification time of <tt>/var/lib/systemd/timesync/clock</tt> can at times be unsuitable to monitor when synchronization occurred (due to limited error handling in earlier systemd version), the default threshold for the allowed duration since last synchronisation has been removed.
If you want to apply thresholds to the time since last synchronisation you now have to enable the rule manually.
The default thresholds for the allowed duration since last NTPMessage have been set to 1h (WARN) and 2h (CRIT).
Additionally, the behavior of the check was changed to go to CRIT when the NTP server could not be reached for synchronisation.
In the course of the werk the rendering of the jitter was also corrected to show a time span instead of a date.
ID: 13436
Title: Fix 500 errors on BI aggregation endpoints
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Deleting a aggregation returned 500 status code "permission mismatch"
Deleting a non existing aggregation returned 500 status code, now returns 404
ID: 13435
Title: Fix 500 errors on BI rule endpoints
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Deleting a rule which is a dependency of another rule returned a 500 status code, now returns 409
Deleting a rule returned a 500 status code "permission mismatch", now returns 204
Deleting a non existing rule returned a 500 status code, now returns 404
ID: 14652
Title: Real-time checks: Simplify encryption setup
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
This Werk is incompatible for users of the <i>real-time check (RTC)</i> feature.
We incompatibly change the way the encryption for RTC is configured.
Since we cannot guarantee a compatible migration in all cases, we play it safe:
All rulesets of the rule <i>"Real-time checks"<i> are extended by a randomly generated secret, used for (and enabling) encryption.
Users have to reconfigure the rules to get the old behavior (or deploy the agents to use the created password).
<b>In detail:</b>
The setup of the RTC encryption had become confusing over time.
We now radically simplify it.
The setup is exclusively done via a new configuration option <i>"Encryption"</i>, added to the ruleset <i>"Real-time checks"</i> (formally known as <i>"Send data for real-time checks"</i>).
LI: The Checkmk agent for Linux encrypts real-time data if and only if the parameter <tt>RTC_SECRET</tt> is set (not empty) in <tt>/etc/check_mk/real_time_checks.cfg</tt>.
LI: The Checkmk site expects encrypted data if and only if a pre-shared secret is configured via the ruleset <i>"Real-time checks"</i>.
LI: If the site expects encrypted data, unencrypted data is discarded (and vice versa).
For users of the Agent Bakery the configuration of the ruleset is sufficient.
The configuration of the agent is taken care of by the bakery.
However, even if you do not use the agent bakery, you still have to set up the rule, such that the site knows which secret to use for decryption.
All other encryption settings (distributed across the rules <i>"Encryption (Linux, Windows)"</i> and <i>"Enable handling of Real-Time Checks"</i>) have no effect on the RTC encryption anymore.
Unfortunately, we can't make this change compatible via automatic configuration update.
Since we do not want to make users send unencrypted data by accident, we populate the encryption setting for <b>all existing rules</b> with a random value.
To make the RTC work again either update the baked agents, or adapt the configured rules to reflect the behavior of the deployed agent.
ID: 14770
Title: mssql_instance: check shows UNKNOWN when the instance is not accessible
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check "mssql_instance" reported an UNKNOWN state when a specific MSSQL
instance had been discovered and added to the monitoring, but vanished later.
The check now reports a CRIT state and is consistent with other DB instance
services (e.g. Oracle).
ID: 14825
Title: Agent controller: Change in command line interface regarding verbosity flag
Component: agents
Level: 1
Class: New feature
Version: 2.2.0i1
The command line interface has been changed from
C+:
cmk-agent-ctl <sub-command> ... -vv ...
C-:
to
C+:
cmk-agent-ctl -vv <sub-command> ...
C-: