ID: 14608
Title: Agent Bakery: Stabilize bake & sign
Component: cmc
Level: 1
Class: Bug fix
Version: 2.2.0i1
In some situations, agent packages could end up signed with an invalid
signature after baking/signing with the "Bake and sign agents"
action.<br>
The cause for this was that the signature of pre-existing packages sometimes
wouldn't get updated if the package had to be repackaged for a bakery revision update.
This resulted in the agent updater being unable to update affected hosts
and exiting with the message <tt>signature #<i>n</i> is invalid</tt>, and the
matching <i>Check_MK</i> service showing a <i>WARN</i> state.
Signatures will be fixed and updates will continue to work after the first
bake & sign action after applying this Werk.
ID: 14721
Title: Crash using the cmk_site_statistics (core PIDs) filter
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
When using the cmk_site_statistics (core PIDs) filter with no monitoring data present, the
view would crash.
Note: This filter is not intended to be used in views and should only be used in host and service
problem graphs.
For compatibility reasons, however, the filter has not been removed from the view filters.
Now the view no longer crashes but displays a warning instead.
ID: 14361
Title: Windows agent uses retry_count correctly
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, the Windows agent used retry_count as the maximum allowed
count of a plugin's failures. If the count of failures exceeded the
limit set by retry_count, the plugin was excluded from
execution. Such behavior may break monitoring or updating in
some cases.
Since this release, retry_count is defined as the maximum
allowed count of attempts to call a plugin before clearing the
previously gathered data (also known as a cache). This approach
is fully compliant with the documentation, the help and the
functionality of the Linux agent.
The incompatibility in this werk is limited by definition: the
Windows agent will continue to call a plugin even if the number
of errors exceeds retry_count. This is the same behavior as when
retry_count is not set at all.
IMPORTANT: The Windows agent always ignores retry_count for synchronous
plugins. The Windows agent may decrease the value of retry_count if the
value is set too high.
ID: 14150
Title: Traceback in "Percentage of total service problems" dashlet with missing monitoring data
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
When using a "Percentage of total service problems" dashlet without the necessary monitoring data, the
dashlet would display a traceback of the error.
The error also occurred in the Main dashboard, which uses this dashlet by default.
Now the error message is displayed as a text message in the dashlet.
ID: 14482
Title: Use proper HMAC for cookie signing
Component: Setup
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk, the session cookies were signed by calculating a
SHA256 hash over username, session id, a serial plus a secret. This could in
theory lead to a "partial message collision".
Since we parse the data given in the cookie and test for validity, we are
confident that such an attack is not possible. But to be future-proof we switch
to proper HMAC for signing the cookie value. This will invalidate all session
cookies for a site. Therefore all users have to reauthenticate to retrieve new
valid cookies.
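An added example, not Checkmk's own code, contrasting a plain SHA256 over joined fields plus a secret with an HMAC over an unambiguous encoding, including the parse-and-validate step. The cookie layout, the field encoding, all function names and the secret are assumptions constructed for illustration; the Werk does not give the real format.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real site secret


def legacy_sign(username, session_id, serial, secret=SECRET):
    """Plain SHA256 over the joined fields plus the secret (assumed layout)."""
    data = (username + session_id + str(serial)).encode() + secret
    return hashlib.sha256(data).hexdigest()


def _encode(username, session_id, serial):
    """Length-prefix every field so a field boundary cannot shift unnoticed."""
    parts = [username.encode(), session_id.encode(), str(serial).encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def hmac_sign(username, session_id, serial, secret=SECRET):
    """HMAC-SHA256 keyed with the secret instead of hashing the secret as data."""
    msg = _encode(username, session_id, serial)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(username, session_id, serial, secret=SECRET):
    """Assumed cookie layout: username:session_id:serial:signature."""
    sig = hmac_sign(username, session_id, serial, secret)
    return ":".join([username, session_id, str(serial), sig])


def verify_cookie(value, secret=SECRET):
    """Return (username, session_id, serial) for a valid cookie, else None."""
    fields = value.split(":")
    if len(fields) != 4:
        return None  # fail closed on any unexpected shape
    username, session_id, serial_text, signature = fields
    if not username or not session_id or not serial_text.isdigit():
        return None
    # Sign the serial exactly as received so "03" never verifies as "3".
    expected = hmac_sign(username, session_id, serial_text, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    return username, session_id, int(serial_text)
```

With the assumed legacy layout, `("alice", "1abc")` and `("alice1", "abc")` hash to the same value because the field boundary is not part of the signed data; the length-prefixed HMAC input keeps them distinct.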
ID: 14360
Title: Controller communicates with Windows agent using mailslot
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Previously, the Windows agent controller used TCP-IP as a channel to
the local Windows agent, but this type of communication can lead to port
conflicts. Also, mailslots inherently provide a slightly better level
of local security.
If, for some reason, it is required to use TCP-IP as a channel,
you may set system.controller.agent_channel in the check_mk.user.yml
to any appropriate value, for example, "localhost:28250".
ID: 14658
Title: dcd config: fix save mechanism for checkbox based host attribute tags
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, the dcd failed during the host bulk discovery step if the
configuration contained a host attribute tag that was enabled via a checkbox.
This werk fixes this problem.