ID: 7182
Title: Improved GUI extension error handling
Component: Multisite
Level: 2
Class: New feature
Version: 1.6.0i1
When extending the standard GUI functionality, using either a manually
installed <tt>local/share/check_mk/web</tt> plugin or a Check_MK extension
package (MKP), exceptions may occur while loading the plugin.
In previous versions these exceptions caused the whole GUI to fail, making it
impossible to repair the problem using the GUI, for example via the extension
package manager of the CEE/CME.
The extension-related loading errors are now all caught and logged to
<tt>var/log/web.log</tt> instead of making the whole application fail. In
addition to this, an error message will be shown on the "Extension packages"
WATO page. We've also added a new Analyze configuration check "Broken GUI
extensions" which will report a CRIT state when broken GUI extensions are
found.
ID: 7178
Title: German translation is now available in all Check_MK Editions
Component: Multisite
Level: 2
Class: New feature
Version: 1.6.0i1
The German translation of the Check_MK user interface is now available to the users
of all Check_MK editions.
ID: 7089
Title: Docker container: Simplified update procedure
Component: Site Management
Level: 2
Class: New feature
Version: 1.6.0i1
The update procedure of the official Check_MK containers was a bit complicated
compared to the update procedure on other servers. The root cause for this was
that the update always required both the old and the new version, while the
containers are only allowed to have one version installed. This made it
necessary to create an intermediate container for the update.
Werk #7088 made it possible to perform an update without having access to
the old version. With this functionality it is now possible to replace
one container with another container. In case the version has changed, the
update is performed during startup of the new container.
ID: 7088
Title: omd update can now be performed without access to source version
Component: Site Management
Level: 2
Class: New feature
Version: 1.6.0i1
The "omd update" procedure, which is used to perform a version update for a
site, always needed access to the previous version, the new version and the
site.
Since this change it is now possible to perform an update without access
to the old version. This is possible because we copy the information that
is needed to the Check_MK site during site creation.
This new mechanism can only be used when updating FROM a site that already
implements this werk.
Technical detail:
<ul>
<li>The meta files are saved for the first time during "omd create"</li>
<li>The meta files are updated to the new version during each "omd update"</li>
<li>The files are copied to the site's <tt>.version_meta</tt> directory.</li>
<li>The directory <tt>/omd/versions/[version]/skel</tt> is copied.</li>
<li>The file <tt>/omd/versions/[version]/share/omd/skel.permissions</tt> is copied.</li>
<li>A file <tt>.version_meta/version</tt> is created.</li>
<li>When an update is performed, the meta files are used if they are available
and up-to-date. In case they don't meet these conditions, the previous version
files need to be available as before this werk.</li>
</ul>
ID: 7081
Title: Reworked "Distributed Monitoring" page
Component: WATO
Level: 2
Class: New feature
Version: 1.6.0i1
The "Distributed Monitoring" pages have been reworked to make it easier
to manage multiple Check_MK site connections.
The list page now shows fewer site configuration details. Instead of
these columns, status columns have been added to visualize whether or not
your site connections can currently be used.
One column shows the current status of the Livestatus connection, which
is needed by the GUI to gather the monitoring status from the site. In
case your Livestatus connection is not configured properly, you can
look at the status and hover over the icon for more information about
the reason.
One possible reason for a non-functional Livestatus connection may be
a TLS connection issue (if you use encrypted Livestatus). You can use
this page to inspect the remote site certificate and establish trust
in this certificate to allow the GUI to connect to that site.
The replication status column tells you whether or not the configuration
replication connection is working.
ID: 7017
Title: Livestatus via TCP can now be encrypted
Component: Livestatus
Level: 2
Class: New feature
Version: 1.6.0i1
Livestatus has been a plain text protocol since its invention. This is
normally OK for system local connections via unix socket or TCP connections
in secure networks.
Users always had the choice to secure the communication using TLS (e.g.
via stunnel), SSH, VPN or some other solution that encrypts the
communication in their local setup.
To improve the security for all users of Check_MK, we have now changed
the Livestatus TCP communication to be encrypted by default using TLS.
This is realized using an internal CA and internally generated
certificates.
Existing sites that already have Livestatus via TCP enabled before
updating to 1.6 still use the unencrypted communication for
compatibility. An "Analyze configuration" test will create a CRITICAL
message about the unencrypted Livestatus TCP configuration in this
situation.
Technical details:
<ul>
<li>For new sites Livestatus via TCP is encrypted by default. Existing sites
which already have Livestatus via TCP enabled during the update keep the
communication unencrypted for compatibility reasons. This is managed using
the new 'omd config' option LIVESTATUS_TCP_TLS. This setting can also
be managed through the "Global Settings > Site Management".</li>
<li>During update or site creation a site local CA certificate is created
to manage the site's local certificates.</li>
<li>The site local certificate is created automatically during update or
site creation.</li>
<li>The site's local CA and certificates are stored in 'etc/ssl'. The CA
certificate is always located at 'etc/ssl/ca.pem'.</li>
<li>The keys are 2048 bit RSA keys and the certificates are signed using
SHA512.</li>
<li>The CA certificate is valid for 10 years, the site certificates are
valid for 3 years.</li>
<li>Check_MK / OMD code may use 'omdlib.certs.SiteLocalCA(site_id)' to
use the local CA.</li>
<li>stunnel is introduced as a site internal daemon that serves the TLS
wrapped socket once it has been enabled through 'omd config'.</li>
</ul>
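A fleet-wide version of the check described above, as an added example (not Check_MK code): it flags sites whose Livestatus TCP port is still plain text after the update. The "KEY: value" input format and the option names LIVESTATUS_TCP and LIVESTATUS_TCP_PORT are assumptions not stated in this werk, and the sample captures are constructed.

```python
import re

# Constructed captures in the "KEY: value" style of `omd config show`
# (assumed format); site names and values are made up for this example.
SAMPLE_SITES = {
    "prod": "LIVESTATUS_TCP: on\nLIVESTATUS_TCP_PORT: 6557\nLIVESTATUS_TCP_TLS: on\n",
    "updated": "LIVESTATUS_TCP: on\nLIVESTATUS_TCP_PORT: 6558\nLIVESTATUS_TCP_TLS: off\n",
    "pre16": "LIVESTATUS_TCP: on\nLIVESTATUS_TCP_PORT: 6559\n",
    "local": "LIVESTATUS_TCP: off\nLIVESTATUS_TCP_TLS: on\n",
}

LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_omd_config(text):
    """Turn "KEY: value" lines into a dict, ignoring anything else."""
    config = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            config[match.group(1)] = match.group(2)
    return config


def livestatus_tcp_finding(config):
    """Return (state, reason) for one site's Livestatus TCP exposure."""
    if config.get("LIVESTATUS_TCP", "off") != "on":
        return "OK", "Livestatus is not offered via TCP"
    port = config.get("LIVESTATUS_TCP_PORT", "unknown")
    tls = config.get("LIVESTATUS_TCP_TLS")
    if tls == "on":
        return "OK", f"TCP port {port} is TLS wrapped"
    if tls is None:
        # Option absent: the site predates this werk, so TCP is plain text.
        return "CRIT", f"TCP port {port} is plain text (no LIVESTATUS_TCP_TLS option)"
    return "CRIT", f"TCP port {port} is plain text (LIVESTATUS_TCP_TLS is {tls})"


def audit(sites):
    """Map site name to finding for every captured configuration."""
    return {name: livestatus_tcp_finding(parse_omd_config(text))
            for name, text in sorted(sites.items())}


if __name__ == "__main__":
    for site, (state, reason) in audit(SAMPLE_SITES).items():
        print(f"{state:4} {site}: {reason}")
```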
ID: 7056
Title: Kubernetes monitoring
Component: Checks & agents
Level: 2
Class: New feature
Version: 1.6.0i1
A special agent and multiple checks to support the monitoring of
Kubernetes clusters have been added. For a detailed description of the
features and a setup guide please refer to the official Check_MK
guide:
https://mathias-kettner.de/cms_monitoring_kubernetes.html
ID: 6702
Title: Introduced various performance improvements for cmc config generation (e.g. multiprocessing)
Component: cmc
Level: 2
Class: New feature
Version: 1.6.0i1
Previous versions only used one CPU core for the config generation.
The time to generate the config highly depends on the number of hosts, services and especially rulesets.
Lots of the underlying computation code has been changed, caches and functions were optimized.
As a result Check_MK is now able to distribute the workload of the config generation over several CPUs.
This feature is activated by default. Unless configured otherwise, it uses up to 75% of the available
CPUs during the config generation, leaving some CPUs for running the monitoring core.
A new configuration option <tt>Generate monitoring configuration via multiprocessing</tt> has been introduced.
You can either switch off multiprocessing or configure the number of used CPUs manually.
Tests have shown that the performance can be increased by a factor of 5-10 on an 8 CPU core setup.
ID: 7018
Title: Livestatus can now be configured to connect via IPv6
Component: Multisite
Level: 2
Class: New feature
Version: 1.6.0i1
In previous versions it was not possible to connect the GUI to a remote site
via Livestatus using IPv6. This is now possible and can be configured from the
"Distributed Monitoring" configuration.
Technically, several smaller issues prevented this.
The internal Livestatus xinetd configuration now allows ::/0 besides 0.0.0.0 by
default. In case you have modified this setting and want to use IPv6, you may
have to add the IPv6 addresses of your choice to this option.
The site configuration GUI is now able to handle IPv6 addresses properly.
The internally used livestatus.py Livestatus client implementation supports
IPv6 now. Livestatus proxy can now connect to Livestatus via IPv6 and also the
cascading proxy feature, which is used to make the local unix socket of a site
available via the network, can now be used with IPv6 in addition to the already
existing IPv4 support.
ID: 6965
Title: Fixed socket timeout handling in check_mkevents active check
Component: Checks & agents
Level: 2
Class: Bug fix
Version: 1.6.0i1
The microseconds part of the socket timeout was not set, so a "Numerical
argument out of domain" error could happen randomly. This has been fixed.
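The failure mode described above, reproduced as an added example (not the check_mkevents code): the kernel rejects a socket timeout whose microseconds field lies outside 0..999999 with EDOM, which is reported as "Numerical argument out of domain". It assumes Linux, where struct timeval is two native longs; the candidate values stand in for whatever an unset field happens to contain.

```python
import errno
import socket
import struct

USEC_PER_SEC = 1_000_000

# Constructed stand-ins for the contents of a tv_usec that was never set.
LEFTOVER_VALUES = [0, 999_999, USEC_PER_SEC, 2_000_000_000, -1]


def set_recv_timeout(sock, tv_sec, tv_usec):
    """Apply SO_RCVTIMEO from raw timeval fields; return 0 or the errno."""
    # Assumption: Linux layout, struct timeval { long tv_sec; long tv_usec; }
    timeval = struct.pack("ll", tv_sec, tv_usec)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO, timeval)
    except OSError as exc:
        return exc.errno
    return 0


def probe(usec_values, tv_sec=10):
    """Map each candidate tv_usec to "OK" or the errno name the kernel returns."""
    results = {}
    # An unconnected local socket is enough: the timeval is validated
    # when the option is set, not when data is received.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        for usec in usec_values:
            err = set_recv_timeout(sock, tv_sec, usec)
            results[usec] = errno.errorcode[err] if err else "OK"
    return results


if __name__ == "__main__":
    for usec, outcome in probe(LEFTOVER_VALUES).items():
        print(f"tv_sec=10 tv_usec={usec:>13}: {outcome}")
```

Values that happen to fall inside the valid range are accepted, which is why the error only showed up occasionally; setting both fields explicitly removes the dependency on leftover memory.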