diff --git a/.bazelversion b/.bazelversion index f3b5af39e43..21c8c7b46b8 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -6.1.1 +7.1.1 diff --git a/.dir-locals.el b/.dir-locals.el deleted file mode 100644 index 15412afcd92..00000000000 --- a/.dir-locals.el +++ /dev/null @@ -1,37 +0,0 @@ -((nil . ( - (grep-find-ignored-files . ( - "*.min.js" "*.standalone.js" "*.map" "*.gz" ".#*" "*.o" "*~" "*.bin" - "*.lbin" "*.so" "*.a" "*.ln" "*.blg" "*.bbl" "*.elc" "*.lof" - "*.glo" "*.idx" "*.lot" "*.fmt" "*.tfm" "*.class" "*.fas" - "*.lib" "*.mem" "*.x86f" "*.sparcf" "*.dfsl" "*.pfsl" - "*.d64fsl" "*.p64fsl" "*.lx64fsl" "*.lx32fsl" "*.dx64fsl" - "*.dx32fsl" "*.fx64fsl" "*.fx32fsl" "*.sx64fsl" "*.sx32fsl" - "*.wx64fsl" "*.wx32fsl" "*.fasl" "*.ufsl" "*.fsl" "*.dxl" - "*.lo" "*.la" "*.gmo" "*.mo" "*.toc" "*.aux" "*.cp" "*.fn" - "*.ky" "*.pg" "*.tp" "*.vr" "*.cps" "*.fns" "*.kys" "*.pgs" - "*.tps" "*.vrs" "*.pyc" "*.pyo")) - (grep-find-ignored-directories . ( - ".git" ".venv" "node_modules" ".mypy_cache" ".pytest_cache" - "SCCS" "RCS" "CVS" "MCVS" ".src" ".svn" ".git" ".hg" ".bzr" "_MTN" "_darcs" "{arch}")) - )) - (c++-mode . ((flycheck-cppcheck-suppressions . ("passedByValue")))) - (python-mode . ((eval setq flycheck-python-mypy-executable - (concat (projectile-locate-dominating-file default-directory dir-locals-file) - "scripts/run-mypy")) - (eval setq flycheck-python-pylint-executable - (concat (projectile-locate-dominating-file default-directory dir-locals-file) - "scripts/run-pylint")) - (eval eval-after-load "yapfify" - '(defun yapfify-call-bin (input-buffer output-buffer start-line end-line) - "Call process yapf on INPUT-BUFFER saving the output to OUTPUT-BUFFER. - -Return the exit code. START-LINE and END-LINE specify region to -format." - (with-current-buffer input-buffer - (call-process-region (point-min) (point-max) - (concat (projectile-locate-dominating-file default-directory dir-locals-file) - "scripts/run-pipenv") - nil output-buffer nil - "run" "yapf" - "-l" (concat (number-to-string start-line) "-" (number-to-string end-line)))))))) - ) diff --git a/.eslintignore b/.eslintignore deleted file mode 100644 index 39ffe4ccb11..00000000000 --- a/.eslintignore +++ /dev/null @@ -1,21 +0,0 @@ -# These are just copied files and should be replaced -# with npm dependencies in the future -web/htdocs/js/modules/cbor_ext.*s -web/htdocs/js/modules/colorpicker.*s - - - -# These are generated files or included libraries - -web/htdocs/js/mobile_min.js -web/htdocs/js/side_min.js -web/htdocs/jquery/jquery.mobile-1.4.5.js -web/htdocs/jquery/jquery.mobile-1.4.5.min.js -web/htdocs/js/main_min.js - -web/htdocs/openapi/swagger-ui-3/swagger-ui-bundle.js -web/htdocs/openapi/swagger-ui-3/swagger-ui-es-bundle.js -web/htdocs/openapi/swagger-ui-3/swagger-ui.js -web/htdocs/openapi/swagger-ui-3/swagger-ui-standalone-preset.js -web/htdocs/openapi/swagger-ui-3/swagger-ui-es-bundle-core.js -web/htdocs/openapi/redoc.standalone.js diff --git a/.gitignore b/.gitignore index 95db89e0191..963be9dccc4 100644 --- a/.gitignore +++ b/.gitignore @@ -20,8 +20,8 @@ .testmondata .venv.lock /.venv/ -/.docker_workspace/ -/build_user_home/ +/container_shadow_workspace*/ +/shared_cargo_folder/ *.cookie *.gcno *.gcov @@ -61,6 +61,7 @@ GPATH GRTAGS GTAGS htmlcov/ +logback.log mk-livestatus-*.tar.gz node_modules/ omd/bazel-* @@ -76,7 +77,6 @@ tests/var/* tests/results/* tests/.hypothesis/ /results -/buildscripts/infrastructure/build-nodes/scripts/defines.make /buildscripts/docker_image_aliases/docker-image-alias-resolve-error.txt /bazel-* @@ -99,3 +99,7 @@ tests/.hypothesis/ .ionide # End of https://www.toptal.com/developers/gitignore/api/visualstudiocode + +# gui-e2e tests: playwright specific ignores +test-results/ +*.png diff --git a/.gitmodules b/.gitmodules index 79ef9bfd7d0..da9592bbf93 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,4 @@ [submodule "tests/qa-test-data"] path = tests/qa-test-data url = ../qa-test-data - branch = main + branch = master diff --git a/.groovylintrc.json b/.groovylintrc.json new file mode 100644 index 00000000000..a943fbed31c --- /dev/null +++ b/.groovylintrc.json @@ -0,0 +1,78 @@ +{ + "extends": "recommended", + "rules": + { + "basic.DeadCode": "error", + "convention.CompileStatic": "off", + "convention.FieldTypeRequired": "info", + "convention.IfStatementCouldBeTernary": "info", + "convention.MethodReturnTypeRequired": "off", + "convention.NoDef": "off", + "convention.TrailingComma": "warning", + "convention.VariableTypeRequired": "off", + "design.Instanceof": "off", + "dry.DuplicateListLiteral": "info", + "dry.DuplicateMapLiteral": "warning", + "dry.DuplicateStringLiteral": + { + "ignoreStrings": "nexus", + "severity": "info" + }, + "exceptions.ThrowException": "warning", + "exceptions.ThrowNullPointerException": "info", + "exceptions.ThrowRuntimeException": "info", + "exceptions.ThrowThrowable": "info", + "formatting.BracesForClass": "info", + "formatting.BracesForForLoop": "info", + "formatting.BracesForIfElse": "info", + "formatting.BracesForMethod": "info", + "formatting.BracesForTryCatchFinally": "info", + "formatting.ConsecutiveBlankLines": "warning", + "formatting.FileEndsWithoutNewline": "warning", + "formatting.Indentation": + { + "severity": "warning", + "spacesPerIndentLevel": 4 + }, + "formatting.LineLength": + { + "length": 140, + "severity": "warning" + }, + "formatting.SpaceAroundMapEntryColon": "off", + "groovyism.ExplicitCallToEqualsMethod": "info", + "logging.Println": "off", + "naming.FactoryMethodName": "off", + "naming.ParameterName": + { + "regex": "^[a-zA-Z0-9_]*$", + "severity": "info" + }, + "naming.VariableName": + { + "regex": "^[a-zA-Z0-9_]*$", + "severity": "info" + }, + "size.MethodSize": + { + "maxLines": 150, + "severity": "warning" + }, + "size.NestedBlockDepth": + { + "maxNestedBlockDepth": 8, + "severity": "warning" + }, + "unnecessary.UnnecessaryGString": "off", + "unnecessary.UnnecessaryParenthesesForMethodCallWithClosure": "off", + "unnecessary.UnnecessaryReturnKeyword": "off", + "unnecessary.UnnecessarySemicolon": "off", + "unused.UnusedArray": "error", + "unused.UnusedMethodParameter": "error", + "unused.UnusedObject": "error", + "unused.UnusedPrivateField": "error", + "unused.UnusedPrivateMethod": "error", + "unused.UnusedPrivateMethodParameter": "error", + "unused.UnusedVariable": "error" + } +} \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0fe32343a01..b9d90c90cec 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -34,11 +34,16 @@ repos: exclude: | (?x)^( ^agents/plugins/| - ^enterprise/agents/plugins/| + ^non-free/cmk-update-agent/| ^tests/agent-plugin-unit/ ) - repo: local hooks: + - id: check-cmk-namespace + name: Check cmk namespace package + language: script + entry: scripts/check-cmk-namespace + types: [file, python] - id: remove-stale-imports name: Remove stale imports language: script @@ -54,12 +59,25 @@ repos: entry: scripts/run-black language: script types: [file, python] + - id: bandit + name: Run bandit + # -l level low -ll = level medium -lll level high + entry: scripts/run-pipenv run bandit --config bandit.yaml -ll + language: script + types: [file, python] - id: omd-python-modules name: Check Python modules in OMD entry: scripts/check-omd-python-modules language: script files: omd/packages/python3?-modules types: [file] + - id: sphinx + name: Sphinx Documentation + entry: scripts/run-pipenv run make -C doc/documentation html + files: ^doc/documentation/.*(rst|puml)$ + pass_filenames: false + language: script + types: [file] - id: pylint name: Check pylint entry: scripts/check-pylint diff --git a/.prettierignore b/.prettierignore deleted file mode 100644 index 0c042f49056..00000000000 --- a/.prettierignore +++ /dev/null @@ -1,5 +0,0 @@ -web/htdocs/js/*_min.js* -# colorpicker.js is a 3rd party module, so do not format it -web/htdocs/js/modules/colorpicker.js - -web/htdocs/js/modules/figures/cmk_stats.ts diff --git a/.pylintrc b/.pylintrc index 1dec6c9af0a..7412c9487a6 100644 --- a/.pylintrc +++ b/.pylintrc @@ -48,11 +48,6 @@ disable= # programming practice. In some cases, they can even hide bugs. broad-except, #--------------------------------------------------------------------------- - # Enabling this would be nice, but not crucial. Nevertheless, this would - # improve readability and involve some cleanups in our class hierarchy, so - # we should do this some day. - protected-access, - #--------------------------------------------------------------------------- # Enabling this would be nice, but not crucial. At the moment, we have quite # a few violations, so we postpone fixing this. When we do it eventually, we # probably want to use "include-naming-hint=yes" in the BASIC section. @@ -99,9 +94,15 @@ disable= # Black doesn't split long strings, we'll have to this by ourselves, see # https://github.com/psf/black/issues/1331 line-too-long, - #--------------------------------------------------------------------------- - # We are light years away from enabling this... - missing-docstring, + # Since Black 24 black and pylint started to disagree on `def foo(): ...` + # https://github.com/psf/black/issues/4173 + # black is our formatter so the black way is the proper way... + multiple-statements, + #--------------------------------------------------------------------------- + # We are light years away from enabling these... + missing-module-docstring, + missing-class-docstring, + missing-function-docstring, #--------------------------------------------------------------------------- # Enabling the two spelling-related checks increases pylints runtime from # 11 min to 40 min, so we better keep those disabled for normal runs. diff --git a/.pylintrc-windows b/.pylintrc-windows index 3a95a7d3141..55a235f8bc6 100644 --- a/.pylintrc-windows +++ b/.pylintrc-windows @@ -96,8 +96,10 @@ disable= # https://github.com/psf/black/issues/1331 line-too-long, #--------------------------------------------------------------------------- - # We are light years away from enabling this... - missing-docstring, + # We are light years away from enabling these... + missing-module-docstring, + missing-class-docstring, + missing-function-docstring, #--------------------------------------------------------------------------- # Enabling the two spelling-related checks increases pylints runtime from # 11 min to 40 min, so we better keep those disabled for normal runs. diff --git a/.werks/14219 b/.werks/14219 new file mode 100644 index 00000000000..bdf73a0f84b --- /dev/null +++ b/.werks/14219 @@ -0,0 +1,9 @@ +Title: Setup: Improved speed of ineffective rule search +Class: feature +Compatible: compat +Component: wato +Date: 1702891112 +Edition: cre +Level: 1 +Version: 2.3.0b1 + diff --git a/.werks/14220.md b/.werks/14220.md new file mode 100644 index 00000000000..78aa979adf8 --- /dev/null +++ b/.werks/14220.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# BI: fixed exception in check if aggregation was in state PENDING + +key | value +---------- | --- +date | 2024-01-30T08:17:38+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | bi +level | 1 +compatible | yes + + diff --git a/.werks/14221.md b/.werks/14221.md new file mode 100644 index 00000000000..31b1a16ab09 --- /dev/null +++ b/.werks/14221.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Parent/Child topology: No longer ignoring additionally configured filters + +key | value +---------- | --- +date | 2024-01-30T14:11:43+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | multisite +level | 1 +compatible | yes + + diff --git a/.werks/14222.md b/.werks/14222.md new file mode 100644 index 00000000000..b09143cbedf --- /dev/null +++ b/.werks/14222.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# BI configuration: Changed element order of "restrict severity to at worst" + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-01-31T09:55:00+00:00 +level | 1 +class | feature +component | bi +edition | cre + +This werk only introduces a visual fix, so no functional changes. +The order of the dropdown choice elements did not reflect the severity of the states. +The correct severity order for the BI is OK->WARN->UNKNOWN->CRIT, which differs +from the order of the monitoring states OK->WARN->CRIT->UNKNOWN. \ No newline at end of file diff --git a/.werks/14223.md b/.werks/14223.md new file mode 100644 index 00000000000..d51998765e7 --- /dev/null +++ b/.werks/14223.md @@ -0,0 +1,47 @@ +[//]: # (werk v2) +# Introduced topology visualization + +key | value +---------- | --- +date | 2024-02-25T15:22:55+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | multisite +level | 2 +compatible | yes + + +The topology visualization is a new feature that allows the visualization of complex interconnected networks. +A simple example for this visualization is the parent/child topology. The new mechanism that comes with this werk allows the linking of external data with the data of the monitoring core. +When it comes to the display, you simply define some starting points via the filter form. +Based on these, the topology visualization then builds a mesh of incoming and outgoing connections. + +The type of external data might be +* Netstat, showing connections between the interfaces/ips/ports +* LLDP/CDP, showing the network neighbors + + +There is a common data format specification for all external data. +So you just can create your own data file which provides information about the relationships between hosts, services or generic objects which are not linked to the core. +If you drop this file into a specific folder, the visualization will handle the rest. There is no need to write python code. + +Right now you can configure +* Objects - either linked to an entity in the core or some standalone object +* Icons/emblems which should be added to the object +* Connections between objects +* Line style/color of specific connections + +Since this is a quite visualization heavy topic and hard to explain only via text, feel free to check out the +[thread](https://forum.checkmk.com/t/network-visualization-now-in-version-2-3/44467) in our checkmk forum + +We will also publish a blog article in the coming weeks + + +``` +Important: +The visualization only works if external data is provided in a special folder. +At the moment these are not created by Checkmk, but come from external MKP developments. +``` + + diff --git a/.werks/14224.md b/.werks/14224.md new file mode 100644 index 00000000000..7338e5f8580 --- /dev/null +++ b/.werks/14224.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Frozen BI: Frozen icon now also indicates if the non-frozen version differs from the frozen one + +key | value +---------- | --- +date | 2024-02-27T15:09:59+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | bi +level | 1 +compatible | yes + + diff --git a/.werks/14226.md b/.werks/14226.md new file mode 100644 index 00000000000..e3ca094b70d --- /dev/null +++ b/.werks/14226.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Fixed stuck activate changes on bulk discovery and when using the DCD + +key | value +---------- | --- +date | 2024-03-08T13:17:45+00:00 +version | 2.4.0b1 +class | fix +edition | cme +component | wato +level | 1 +compatible | yes + +Activate changes stopped working when initiating a bulk discovery or using the DCD with automatic service discovery. \ No newline at end of file diff --git a/.werks/14228.md b/.werks/14228.md new file mode 100644 index 00000000000..896df51cef6 --- /dev/null +++ b/.werks/14228.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Fixed broken csv bulk import for hosts + +key | value +---------- | --- +date | 2024-04-03T07:08:09+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + + diff --git a/.werks/14229.md b/.werks/14229.md new file mode 100644 index 00000000000..0ba1e137919 --- /dev/null +++ b/.werks/14229.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Valuespecs: Fixed confusion of values when ListOf contains another ListOf and all have the same magic + +key | value +---------- | --- +date | 2024-04-10T09:56:58+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +Normally, ListOf elements embedded in other ListOf elements should contain a different magic value, otherwise errors will occur when processing forms. +This werk here allows the use of identical magic values. diff --git a/.werks/14230.md b/.werks/14230.md new file mode 100644 index 00000000000..3de0f8c7620 --- /dev/null +++ b/.werks/14230.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# BI: Fixed incorrect aggregation of downtimes + +key | value +---------- | --- +date | 2024-04-10T12:05:48+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | bi +level | 1 +compatible | yes + +The configuration option Escalate downtimes based on aggregated WARN state did not correctly since version 1.5. +The behaviour is now fixed and works like its mentioned in our [official documentation](https://docs.checkmk.com/latest/en/bi.html#_tuning_options) diff --git a/.werks/14231.md b/.werks/14231.md new file mode 100644 index 00000000000..35f7ba17fb4 --- /dev/null +++ b/.werks/14231.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Aggregation visualization: Fixed displaying aggregations names containing special characters + +key | value +---------- | --- +date | 2024-04-27T14:22:44+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | bi +level | 1 +compatible | yes + + diff --git a/.werks/14573 b/.werks/14573 index cbcc7a872fb..4036af699b0 100644 --- a/.werks/14573 +++ b/.werks/14573 @@ -26,5 +26,5 @@ instance, assume your rule specifies and your host has the address 1.2.3.4. Then the new rule needs to specify C+: -https://1.2.3.4:9000/my_prefix/api/v1/status/buildinfo +1.2.3.4:9000/my_prefix/api/v1/status/buildinfo C-: diff --git a/.werks/14616.md b/.werks/14616.md new file mode 100644 index 00000000000..3b40bc838b6 --- /dev/null +++ b/.werks/14616.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# ucd_disk: fs_size, fs_used and fs_free have wrongly scaled values in performance graphs + +key | value +---------- | --- +date | 2024-01-15T13:22:37+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +For `ucd_disk` a performance value translation had been missing, fixed by this change. diff --git a/.werks/14617.md b/.werks/14617.md new file mode 100644 index 00000000000..a1fe1b88eac --- /dev/null +++ b/.werks/14617.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# check_uniserv: running the active check results in exception "TypeError: a bytes-like object is required, not 'str'" + +key | value +---------- | --- +date | 2024-01-17T15:06:16+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +`check_uniserv` implementation didn't encode the `close` command resulting in an exception +`TypeError: a bytes-like object is required, not 'str'` being raised. +This change adds the missing encoding among some general modernization. diff --git a/.werks/14618.md b/.werks/14618.md new file mode 100644 index 00000000000..30deda97368 --- /dev/null +++ b/.werks/14618.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# check_mail_loop: if configured to delete processed mails, check_mail_loop would delete all mails instead + +key | value +---------- | --- +date | 2024-01-23T06:59:04+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +As a result of a refactoring instead of deleting just pre-filtered mails, `check_mail_loop` would +delete all previously fetched mails. +This change brings back the former behavior. diff --git a/.werks/14620.md b/.werks/14620.md new file mode 100644 index 00000000000..1462425060b --- /dev/null +++ b/.werks/14620.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Sets deprecation age for mails sent by check_mail_loop from 24h to 2h + +key | value +---------- | --- +date | 2024-01-30T12:49:59+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Mails sent by `check_mail_loop` had been deprecated only after 24h, which potentially resulted +in thousands of mails in circumstances when sent mails could not be processed for whatever +reasons. +This change lowers this age to 2h resulting in 'only' 120 mails (for this active check being +executed every minute). diff --git a/.werks/14859.md b/.werks/14859.md new file mode 100644 index 00000000000..2203cc669ac --- /dev/null +++ b/.werks/14859.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Event Console: Fix The EC always activates the config written by the previous activation. + +key | value +---------- | --- +date | 2024-01-16T14:13:44+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | ec +level | 2 +compatible | yes + +The bug was introduced by the werk: [#16012](https://checkmk.com/werk/16012) in version 2.2.0p18. +A workaround would be: make a trivial change to the rules/rule packs (edit description) +and activate the changes. Or reload the EC manually after the initial reload to apply the correct config. diff --git a/.werks/14943.md b/.werks/14943.md new file mode 100644 index 00000000000..38f2401c828 --- /dev/null +++ b/.werks/14943.md @@ -0,0 +1,34 @@ +[//]: # (werk v2) +# Agent updater: allow automation user to login with password + +key | value +---------- | --- +date | 2024-01-02T16:50:40+00:00 +version | 2.3.0b1 +class | fix +edition | cee +component | agents +level | 1 +compatible | yes + +Up to now, when using the agent updater CLI, you would have to use the +`--password` (or `-P`) parameter to specify the password for a human +user and the `--secret` (or `-S`) parameter to specify the secret for +an automation user. + +This starts to be confusing with the interactive mode: in that case the +program assumes that you are using a human user and will fail if the +credentials that you enter are valid credentials for an automation user. +On top of that, the error message is completely misleading. + +With this commit, we are changing the behavior of the agent updater so +that an automation user credentials will work even if the secret is +specified with the `--password` (or `-P`) param. + +This way the end user don't have to care about which param name is the +right one to use: they can just specify the password, or the secret, +with the `--password` param and it will work. +This also allows the interactive mode to work with an automation user. + +This change is backward compatible, meaning that everything that used to +work up until now, will keep working even after this. diff --git a/.werks/15026.md b/.werks/15026.md new file mode 100644 index 00000000000..a0c340e171a --- /dev/null +++ b/.werks/15026.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission + +key | value +---------- | --- +date | 2024-03-15T10:37:41+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +Without the "add_or_modify_executables" permission users do not have the right +to change any executable run by checkmk, either on the site or via the agent. +The agent config options "python_plugins" and "lnx_remote_alert_handlers" have +not yet checked for that permission. + +In the UI "python_plugins" and "lnx_remote_alert_handlers are called +"Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively. diff --git a/.werks/15028.md b/.werks/15028.md new file mode 100644 index 00000000000..41f4ba5bea6 --- /dev/null +++ b/.werks/15028.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Fix crash on user page with SAML connector + +key | value +---------- | --- +date | 2024-04-29T12:01:22+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | wato +level | 1 +compatible | yes + +When viewing the users page with a user using a SAML connector a crash report +with "Internal error: locked" was shown. This is fixed now. diff --git a/.werks/15198.md b/.werks/15198.md new file mode 100644 index 00000000000..c0ddd39aa3c --- /dev/null +++ b/.werks/15198.md @@ -0,0 +1,39 @@ +[//]: # (werk v2) +# Brute-force protection ineffective for some login methods + +key | value +---------- | --- +date | 2024-04-09T12:24:12+00:00 +version | 2.4.0b1 +class | security +edition | cre +component | wato +level | 1 +compatible | yes + +Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. +Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. +As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. + +This Werk adds the same locking mechanism to login via the REST API and basic authentication _for human user accounts_. + +Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. +It is therefore important to use long, random automation secrets. + +This issue was found during internal review. + +**Affected Versions**: + +* 2.3.0 (beta) +* 2.2.0 +* 2.1.0 +* 2.0.0 (EOL) + +**Mitigations**: + +If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. + +**Vulnerability Management**: + +We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` +and assigned CVE `CVE-2024-28825`. diff --git a/.werks/15199.md b/.werks/15199.md new file mode 100644 index 00000000000..9b2a2038c91 --- /dev/null +++ b/.werks/15199.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# Update OpenSSL to version 3.0.13 + +key | value +---------- | --- +date | 2024-04-17T10:08:23+00:00 +version | 2.4.0b1 +class | security +edition | cre +component | omd +level | 1 +compatible | yes + +OpenSSL was updated to version 3.0.13. + +OpenSSL 3 uses requirements regarding allowed configurations, such as allowed ciphers, renegotiation, and so on. +In some scenarios, this can break monitoring for hosts with TLS configurations that are no longer considered secure. +We have published a blog post to help you mitigate these issues, should they affect you: https://checkmk.com/blog/how-monitor-servers-broken-tls-checkmk. + +To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). diff --git a/.werks/15292 b/.werks/15292 index 6389da148b9..5bca5affcca 100644 --- a/.werks/15292 +++ b/.werks/15292 @@ -22,3 +22,7 @@ https://checkmk.com/werks When updating to a new major version, the update process will check if there are unacknowledged werks and tell the user about this, as this list will no longer be available after the update. + +This check is omitted for remote sites in a distributed configuration +environment, as long as both the remote site and the central site are running +at least version 2.3.0 of Checkmk. diff --git a/.werks/15295 b/.werks/15295 new file mode 100644 index 00000000000..624db075b4c --- /dev/null +++ b/.werks/15295 @@ -0,0 +1,11 @@ +Title: snmp inline backend ignores no Access error +Class: fix +Compatible: compat +Component: core +Date: 1697714323 +Edition: cee +Level: 1 +Version: 2.3.0b1 + +Snmp walks that result in a "no Access" error are now be treated as if the walk +returned no data. A debug log entry informs the user about this. diff --git a/.werks/15297.md b/.werks/15297.md new file mode 100644 index 00000000000..37b76fa3c2d --- /dev/null +++ b/.werks/15297.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# mk_oracle.ps1: port changes made in werk 14839 to windows agent plugin + +key | value +---------- | --- +compatible | no +version | 2.3.0b1 +date | 2023-10-24T08:48:21+00:00 +level | 1 +class | fix +component | agents +edition | cre + +Changes made in Werk #14839 where +only applied to the linux agent plugin of mk_oracle. Now those changes are also +applied to mk_oracle.ps1 \ No newline at end of file diff --git a/.werks/15298.md b/.werks/15298.md new file mode 100644 index 00000000000..bd8f3d5e067 --- /dev/null +++ b/.werks/15298.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# mk_oracle: restore compatibility with oracle 12c + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2023-10-24T09:01:15+00:00 +level | 1 +class | fix +component | agents +edition | cre + +Werk #14839 added the function +listagg to one of our queries. + +Older versions of oracle database expect a WITHIN statement after the +listagg function. This was added to assure compatibility with older +databases. \ No newline at end of file diff --git a/.werks/15314 b/.werks/15314 new file mode 100644 index 00000000000..4ef7abdc671 --- /dev/null +++ b/.werks/15314 @@ -0,0 +1,20 @@ +Title: mssql_backup: fix 'no backup found' for case-insensitive databases +Class: fix +Compatible: compat +Component: checks +Date: 1702370026 +Edition: cre +Level: 1 +Version: 2.3.0b1 + +In certain circumstances it was possible that the `mssql.vbs` agent plugin +returned `no backup found` because it could not map the found backup to the +database. + +The reason for that was, that the comparison between the backups database name +and the database name was case sensitive, but its possible to configure mssql +in a way that backups database name and database name does not match case +sensitive. + +We now compare both names on the mssql server so the configured case +sensitivity is respected. diff --git a/.werks/15317.md b/.werks/15317.md new file mode 100644 index 00000000000..452d9a1480e --- /dev/null +++ b/.werks/15317.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# primekey_fan: rename service description to 'Primekey Fan' + +key | value +---------- | --- +date | 2023-12-20T09:43:06+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +You are affected by this change if you monitor a Primekey appliance and use +searches or rules that rely on the service description. + +In order to unify the primeky checks `primekey_fan` services description was +renamed from 'Fan Primekey' to 'Primekey Fan'. diff --git a/.werks/15318.md b/.werks/15318.md new file mode 100644 index 00000000000..025deddf054 --- /dev/null +++ b/.werks/15318.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# Fix logging statement + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-24T07:27:37+00:00 +level | 1 +class | fix +component | ec +edition | cre + +Prior to this change, you may have seen the following log output: + +``` +undefined action "{aname}, must be one of {", ".join(table.keys()}" +``` + +The variables are now interpolated correctly. \ No newline at end of file diff --git a/.werks/15319.md b/.werks/15319.md new file mode 100644 index 00000000000..3ef975aed75 --- /dev/null +++ b/.werks/15319.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# check_mail: create ec spool files in correct folder + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-24T09:50:01+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Previously the path was prefixed with a space, so the spool files where saved in: +/omd/sites/cmk220d/var/check_mk/core/ /omd/sites/cmk220d/var/mkeventd/spool \ No newline at end of file diff --git a/.werks/15320.md b/.werks/15320.md new file mode 100644 index 00000000000..e8d144d5fa7 --- /dev/null +++ b/.werks/15320.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# heartbeat_crm_resources: unmanaged stopped resources could not go critical + +key | value +---------- | --- +date | 2024-01-25T13:39:59+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + + +Stopped resources are marked `CRIT`. + +If a resources was stopped and unmanaged, it was not marked as `CRIT`. diff --git a/.werks/15321.md b/.werks/15321.md new file mode 100644 index 00000000000..6b5c4bea1bf --- /dev/null +++ b/.werks/15321.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service" + +key | value +---------- | --- +date | 2024-01-29T12:49:03+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Rule "Status of the Checkmk service" provides a setting called "State if +specific check plugins receive no monitoring data" where you can specify a +regular expression to match specific check plugins, and assign a status for +the "Check_MK" service if this check plugins receives no data. + +The feature did work correctly if you specified a Status worse than "WARN". + +But the "Check_MK" service went to "WARN" even if there was an rule to set the +status to "OK" if the specific section did not receive any data. This is fixed now. diff --git a/.werks/15322.md b/.werks/15322.md new file mode 100644 index 00000000000..4003c2df34e --- /dev/null +++ b/.werks/15322.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# BGP Peer State Mapping: add connect state + +key | value +---------- | --- +date | 2024-01-30T13:09:08+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +BGP Peer States can be in "connect". This state was missing in checkmk and thus +the service was in "UNKNOWN" state. diff --git a/.werks/15324.md b/.werks/15324.md new file mode 100644 index 00000000000..6deed429103 --- /dev/null +++ b/.werks/15324.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# agent_bakery: mk_postgres.py: restore required keys + +key | value +---------- | --- +date | 2024-02-01T06:19:27+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +[Werk #15645](https://checkmk.com/werk/15645) made the Inputs of "Instance +settings" of the Agent rule "PostgreSQL database and sessions (Linux, Windows)" +optional by accident. If you did not specify all keys, baking agents failed with +a `KeyError` on the automation call. diff --git a/.werks/15326.md b/.werks/15326.md new file mode 100644 index 00000000000..66773ef9f18 --- /dev/null +++ b/.werks/15326.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# oracle_instance: Fix ValidationError + +key | value +---------- | --- +date | 2024-02-05T07:35:36+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Both oracle instance and oracle uptime services vanished due to too strict +validation. Crash report showed a `ValidationError`. diff --git a/.werks/15327.md b/.werks/15327.md new file mode 100644 index 00000000000..8bdb17075c4 --- /dev/null +++ b/.werks/15327.md @@ -0,0 +1,62 @@ +[//]: # (werk v2) +# mk_oracle: Follow-up to privilege escalation fix + +key | value +---------- | --- +compatible | no +version | 2.4.0b1 +date | 2024-04-04T07:59:38+00:00 +level | 2 +class | fix +component | checks +edition | cre + +You might be affected by this Werk if you use mk_oracle on a unix +system. + +You might be affected by this Werk if you use oracle wallet to connect to your +database. + +You are definitively affected by this Werk if you use oracle wallet to connect to your +database and used the instructions of our official documentation to setup your +configuration. + +This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4. + + +Since Werk #16232 we switch to a +unprivileged user when executing oracle binaries. This causes problems when +using an oracle wallet as the unprivileged user might not be able to access +files defining the connection details and credentials. + +We introduced an additional permission check to the -t "Just check +the connection" option of mk_oracle. It should help you modifying +the permissions to continue using mk_oracle with oracle wallet. + +You can execute it with the following command: + +
+MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t
+
+ +The path to mk_oracle might be different if you execute it asynchronously. For a +60 second interval the path would be /usr/lib/check_mk_agent/plugins/60/mk_oracle + +The script will test permissions of the files needed to connect to the database. It boils down to the following: + +mk_oracle will switch to the owner of +$ORACLE_HOME/bin/sqlplus before executing sqlplus. So +this user has to have the following permissions: + + + +Beside that we also fixed some bash syntax errors we introduced with +Werk #16232. + +See Troubleshooting mk_oracle for Windows and Linux +for more information about troubleshooting this problem. \ No newline at end of file diff --git a/.werks/15328.md b/.werks/15328.md new file mode 100644 index 00000000000..1c93ba465bc --- /dev/null +++ b/.werks/15328.md @@ -0,0 +1,41 @@ +[//]: # (werk v2) +# mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora + +key | value +---------- | --- +compatible | no +version | 2.4.0b1 +date | 2024-04-05T09:38:28+00:00 +level | 1 +class | fix +component | checks +edition | cre + +You are affected by this Werk if you use mk_oracle agent plugin on unix. + +mk_oracle only works if it can find a sqlnet.ora in your +$TNS_ADMIN folder. In the past, mk_oracle executed all oracle +binaries as root, so sqlnet.ora was alwas readable. With Werk #16232 the oracle binaries are +executed with a low privileged user, so it might be the case, that +sqlnet.ora can not be read by this user. + +mk_oracle will exit early if it can not read sqlnet.ora. The +error message might look like: + + +/etc/check_mk/sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file. + + +The error message will also be visible in the oracle_instance check. + +If you use the agent bakery to roll out mk_oracle to unix servers using +.rpm, .deb or Solaris .pkg packages, you have to use +the 'sqlnet.ora permission group' bakery rule to adapt the group of the +sqlnet.ora file, otherwise your permission changes might be +overwritten by updating the agent. + +Otherwise it is sufficient to adapt the permissions. + +If you install the agent on Unix using the tgz package, you will have +to manually adjust the permissions of the sqlnet.ora file. \ No newline at end of file diff --git a/.werks/15329.md b/.werks/15329.md new file mode 100644 index 00000000000..6b5b7cb09a6 --- /dev/null +++ b/.werks/15329.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# mk_oracle: fix two parse errors + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-04-09T06:01:31+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Due to fixes introduced with +Werk #16232 new error messages +have been introduced to sections which previously had not to handle any errors. + +Now oracle_processes and oracle_recovery_area services can +handle the new error messages. \ No newline at end of file diff --git a/.werks/15330.md b/.werks/15330.md new file mode 100644 index 00000000000..ee423483b76 --- /dev/null +++ b/.werks/15330.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# mk_oracle: report failed login + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-04-10T08:38:00+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Due to fixes introduced with +Werk #16234 a failed login to the +oracle database was not reported as critical, but the services were going +stale. This is now fixed. \ No newline at end of file diff --git a/.werks/15331.md b/.werks/15331.md new file mode 100644 index 00000000000..711d4fd2b5f --- /dev/null +++ b/.werks/15331.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# postgres_stat_database_size: Don't discover 'access_to_shared_objects' + +key | value +---------- | --- +date | 2024-04-16T07:10:21+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +Checkmk discovered Services like "PostgreSQL DB MAIN/access_to_shared_objects +Size" but the Services only showed "Database size not available" and a WARN +status. + +Those Services are no longer discovered. diff --git a/.werks/15332.md b/.werks/15332.md new file mode 100644 index 00000000000..825fa9839af --- /dev/null +++ b/.werks/15332.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Inventory: Add Windows support for Hardware > System > Uuid + +key | value +---------- | --- +date | 2024-04-16T13:09:47+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | inv +level | 1 +compatible | yes + +This element is already available for Linux, now the windows agent also supports +reading this value. + +You have to update `mk_inventory.vbs` on the monitored host, to provide the +necessary data. diff --git a/.werks/15333.md b/.werks/15333.md new file mode 100644 index 00000000000..dcd3396b1d6 --- /dev/null +++ b/.werks/15333.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# Fix parsing of win_computersystemproduct + +key | value +---------- | --- +date | 2024-04-29T08:53:34+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | inv +level | 1 +compatible | yes + +On some windows system `Win32_ComputerSystemProduct` seems to return no data. +This call was introduced with [Werk #15332](https://checkmk.com/werk/15332) + +Now the parser of this data (`win_computersystemproduct`) can handle empty data. + +This change also reduces the data transported with the +`win_computersystemproduct` section, as we only use the UUID. diff --git a/.werks/15514.md b/.werks/15514.md new file mode 100644 index 00000000000..3d2f4de9bd9 --- /dev/null +++ b/.werks/15514.md @@ -0,0 +1,38 @@ +[//]: # (werk v2) +# check_httpv2: Introduce a reworked way to test web sites + +key | value +---------- | --- +date | 2024-03-08T10:06:58+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 2 +compatible | no + +The legacy http monitoring plugin caused quite some trouble over the last +years. This included lots of effort to add features or just simply fixing +bugs. + +With the new plugin, the functionality is moved to maintainable and +extendable code completely under control of Checkmk. This means also +breaking changes with the old plugin: + +* Some metrics are not available anymore as it has been known. We + discovered that these are simply not directly understandable. Instead we + will add metrics as needed in the future. Some metrics will already be + added in this first release +* Some functionality has been a workaround and is now implemented directly + into the new plugin. This makes it hard to migrate rules automatically. +* Users are now able to decide on their own which functionality should be + in an own service. This means, that it is now possible to test the + certificate validity and response times in one service, if needed. +* User are able to configure multiple http checks within one rule. You can + provide standard settings to be used for all endpoints, and overwrite + them per entry for each endpoint. Migrating manually makes absolute + sense here. + +Please note that we will not remove the old plugin for now. We understand +that you need some time to migrate your configurations. Nethertheless, we +will deprecate the old plugin and eventually remove it from Checkmk. diff --git a/.werks/15515.md b/.werks/15515.md new file mode 100644 index 00000000000..f5d87bd6b01 --- /dev/null +++ b/.werks/15515.md @@ -0,0 +1,27 @@ +[//]: # (werk v2) +# check_http: Soft deprecatation of old HTTP monitoring plug-in + +key | value +---------- | --- +date | 2024-04-03T13:15:48+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 2 +compatible | no + +The old plug-in is being deprecated in a soft way with this werk. Unlike +hard deprecation, the deprecated rule set "Check HTTP service" will remain +fully functional. However, new rules should only be created if absolutely +necessary, such as when experiencing issues with the new "Check HTTP web +service" implementation and needing to roll back to the old one. + +Please note that the rule set will be hard deprecated in version 2.4.0, +meaning that you will no longer be able to create new rules. However, the +plug-in itself will remain available as this is a component of the +monitoring-plugins collection that comes with Checkmk. + +Please let us know if you find any features that were present in the old +plug-in but are missing in the new one. + diff --git a/.werks/15516.md b/.werks/15516.md new file mode 100644 index 00000000000..b670f59b19c --- /dev/null +++ b/.werks/15516.md @@ -0,0 +1,33 @@ +[//]: # (werk v2) +# check_cert: New active check for advanced certificate monitoring + +key | value +---------- | --- +date | 2024-04-03T13:42:35+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 2 +compatible | yes + +The _check_http_ plug-in was previously the only method to monitor +certificates out-of-the-box with Checkmk. With the new plug-in Checkmk +provides an extensive functionality to monitor certificates. This includes +but is not limited to certificates provided by the HTTP protocol. + +With the new plug-in you can monitor all certificates provided through +a TCP connection to encrypt communication. This includes the monitoring +of + +* validity times (max and remaining) +* issuer fields +* subject fields +* encryption algorithm +* alternative names +* response times +* public key algorithm and size +* serial number + +As with the reworked plugin to monitor web services, you are able to +configure multiple services within a single rule. diff --git a/.werks/15584 b/.werks/15584 deleted file mode 100644 index f31042c0bed..00000000000 --- a/.werks/15584 +++ /dev/null @@ -1,13 +0,0 @@ -Title: mk_docker: Added podman support -Class: feature -Compatible: compat -Component: checks -Date: 1683627763 -Edition: cre -Knowledge: undoc -Level: 1 -Version: 2.3.0b1 - -Added podman support in mk_docker.py. -This way the plugin ends in case it is being executed on a non docker or podman host. - diff --git a/.werks/15619 b/.werks/15619 index ec202865e57..b2e731be379 100644 --- a/.werks/15619 +++ b/.werks/15619 @@ -1,4 +1,4 @@ -Title: mk_postgres.py: Allow Declaring PG_BINARY_NAME in postgres.cfg +Title: mk_postgres.py: Allow Declaring PG_BINARY_PATH in postgres.cfg Class: feature Compatible: compat Component: checks diff --git a/.werks/15648 b/.werks/15648 new file mode 100644 index 00000000000..8afecabaafc --- /dev/null +++ b/.werks/15648 @@ -0,0 +1,17 @@ +Title: KUBE: Addition of support for Kubernetes version 1.28 +Class: feature +Compatible: compat +Component: checks +Date: 1697615780 +Edition: cre +Level: 1 +Version: 2.3.0b1 + +With this release of Checkmk, we introduce support for version 1.28 of Kubernetes. In Checkmk 2.3, +support for Kubernetes version 1.23 is removed. The supported versions are listed below: + +Checkmk 2.2: 1.22, 1.23, 1.24, 1.25, 1.26, 1.27 +Checkmk 2.3: 1.24, 1.25, 1.26, 1.27, 1.28 + +The list of supported versions may not apply to future patch versions. For such cases, a +new werk will be released. diff --git a/.werks/15649 b/.werks/15649 new file mode 100644 index 00000000000..3ea37dbb570 --- /dev/null +++ b/.werks/15649 @@ -0,0 +1,25 @@ +Title: windows_tasks: Display Correct Scheduled Task State +Class: fix +Compatible: incomp +Component: checks +Date: 1705315505 +Edition: cre +Knowledge: doc +Level: 1 +Version: 2.3.0b1 + +Previously, the `Scheduled Task State` could be N\A, if the Action of a Windows +task contained a comma. Moreover, the plugin only supported German or English +localization settings for Windows. Finally, with German localization settings +disabled scheduled tasks would be discovered (despite what the checkman page +claimed). This worked correctly with English localization settings. With this +Werk, `windows_tasks` uses the new PowerShell API to obtain the data. This +fixes the aforementioned issues. + +Users, whom desire to discover disabled tasks need to configure the new service +discovery rule `Windows Tasks`. + +The changes in this Werk are only applicable, if the underlying Windows version +supports the PowerShell API. The Windows versions supported by Checkmk 2.2.0 and +later all support the required the PowerShell functions. Versions such as +Windows 7 does not support the PowerShell API. diff --git a/.werks/15650 b/.werks/15650 new file mode 100644 index 00000000000..fe24ff8b0a6 --- /dev/null +++ b/.werks/15650 @@ -0,0 +1,17 @@ +Title: mk_tsm: Fix export: =: is not an identifier +Class: fix +Compatible: compat +Component: checks +Date: 1705329209 +Edition: cre +Knowledge: doc +Level: 1 +Version: 2.3.0b1 + +Since Werk 16273 `eval` is no longer used to create the required environment. +In some setups, the following error occurs. +``` +export: =: is not an identifier +``` +With this Werk the error is fixed. +The error occured, if the ouput of `get_dsmserv_processes` consisted of a single linebreak. diff --git a/.werks/15694 b/.werks/15694 index 50c4521e90a..838d5db6323 100644 --- a/.werks/15694 +++ b/.werks/15694 @@ -11,5 +11,5 @@ Version: 2.3.0b1 With Checkmk 2.2, announced by Werk #14977, the usage of mod_auth_mellon was deprecated. This release now removes mod_auth_mellon. If you still have mod_auth_mellon in your apache config, the apache service will not be able to start. -Errors are logged to var/lib/apache2/error_log. +Errors are logged to var/log/apache2/error_log. If you want to continue to use SAML you can do it in the Enterprise Edition via Setup -> Users -> SAML connections. diff --git a/.werks/15717.md b/.werks/15717.md new file mode 100644 index 00000000000..afc4cbc8370 --- /dev/null +++ b/.werks/15717.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# NagVis: Updated to 1.9.40 + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-09T10:43:25+00:00 +level | 1 +class | fix +component | packages +edition | cre + diff --git a/.werks/15718.md b/.werks/15718.md new file mode 100644 index 00000000000..48bc0330b0d --- /dev/null +++ b/.werks/15718.md @@ -0,0 +1,30 @@ +[//]: # (werk v2) +# Improve main menu keyboard navigation + +key | value +---------- | --- +date | 2024-01-16T11:21:43+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | multisite +level | 2 +compatible | yes + +The main menu of the UI has now more extended support for keyboard navigation. + +You can open up the menus with the following key combinations: + +* Monitoring: `ALT + m` +* Setup: `ALT + s` +* Customize: `ALT + c` + +The search field is automatically focussed (as before), you can directly insert +your search term. By using `TAB` you can navigate the search results and confirm +your choice with `ENTER`. + +Pressing `ESC` for the first time clears the current search term. A second `ESC` +closes the open menu. + +Utilizing the workflow can make navigating to the desired pages in Checkmk much +faster. diff --git a/.werks/15719.md b/.werks/15719.md new file mode 100644 index 00000000000..698552e1a65 --- /dev/null +++ b/.werks/15719.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# mk_docker: Prevent "Missing monitoring data for plugins" warnings + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-18T06:57:22+00:00 +level | 1 +class | fix +component | checks +edition | cre + +In case a docker node section can not be computed by the mk_docker agent plugin, the "Docker node +info" service reports about the error in detail. Until this werk, the "Check_MK" service did also +raise an issue regarding the missing agent section, like: "Missing monitoring data for plugins: +docker_node_disk_usage". This duplicate information is now suppressed, reducing the number of +notification Checkmk produces in such situations. \ No newline at end of file diff --git a/.werks/15720.md b/.werks/15720.md new file mode 100644 index 00000000000..ae87729bef9 --- /dev/null +++ b/.werks/15720.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# docker_node_info: Display all errors reported by the agent plugin + +key | value +---------- | --- +date | 2024-01-18T13:15:53+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +The "Docker node info" service reports about failures of the mk_docker +agent plugin. In the past it always only reported one error per check +cycle, which now changed to displaying all reported issues. diff --git a/.werks/15721.md b/.werks/15721.md new file mode 100644 index 00000000000..6e372d21ed0 --- /dev/null +++ b/.werks/15721.md @@ -0,0 +1,25 @@ +[//]: # (werk v2) +# Fix wrong edition reported via livestatus in enterprise sites running the Nagios core + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-19T08:47:31+00:00 +level | 1 +class | fix +component | core +edition | cee + +This change fixes a bug in the Nagios Core edition detection logic which could occur when using the +Nagios core with another edition than the Raw Edition. This is a rare use case, but can happen +temporarily during the migration from the Raw Edition to an Enterprise Edition. + +The bug manifests itself by reporting the wrong edition via the livestatus interface. This can be +observed with the following query: + +``` +lq "GET status\nColumns: edition" +``` + +The edition column was introduced in 2.2.0. \ No newline at end of file diff --git a/.werks/15722.md b/.werks/15722.md new file mode 100644 index 00000000000..22e335abae0 --- /dev/null +++ b/.werks/15722.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# omd update: Fix setting world read permissions on etc and local files + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-19T18:46:45+00:00 +level | 1 +class | fix +component | omd +edition | cre + +Starting with 2.2.0 (see #15062), we use a umask of 0077 to prevent files and directories owned by +the site user from being world readable. However, when updating from the CRE to a non CRE edition, +some files and directories were still set to be world readable during 'omd update'. This is now in +line with the other files. \ No newline at end of file diff --git a/.werks/15723.md b/.werks/15723.md new file mode 100644 index 00000000000..17cb18d7695 --- /dev/null +++ b/.werks/15723.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# Ensure site is stopped when running cmk-update-config + +key | value +---------- | --- +date | 2024-01-23T11:58:49+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | core +level | 1 +compatible | yes + +The `cmk-update-config` command, which is usually executed as part of `omd +update` expects the site to be stopped during execution. This is always ensured +during `omd update`. + +However, the command can also be executed manually later on. In this situation +the site can be running. To prevent unexpected results, the command now protects +against an accidentally running site on invocation. diff --git a/.werks/15724.md b/.werks/15724.md new file mode 100644 index 00000000000..d7b6c06a6c1 --- /dev/null +++ b/.werks/15724.md @@ -0,0 +1,39 @@ +[//]: # (werk v2) +# Change API specification computation + +key | value +---------- | --- +date | 2024-02-17T13:24:38+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 2 +compatible | yes + +The specification of the REST API defines the structure of the API. It is +computed automatically from the implementation in Checkmk. + +Previously the specification was computed during runtime when something +requested access to the specification. This could be a user opening ReDoc or the +Swagger UI. The specification was then computed ad-hoc and cached in the memory of the +apache process. This caused several issues: + +* After spawning a new apache, the specification needed to be recomputed for + every process. This caused a delay in the first request hitting an + apache process asking for it. +* It was held in memory by every process consuming a few MB. +* The invalidation of the cache and computation of new specification could not + be triggered manually. + +With this change the specification is now stored in the site and made available +to all apache processes from there. + +With the dedicated command `cmk-compute-api-spec` the computation can now be +triggered in specific situations automatically or manually for debugging. + +The specification is now updated in these situations: + +* post-create hook: Create the initial spec after a site has been created +* post rename action: Update the spec after a site has been copied, restored or renamed +* update-config action: Update the spec after the site has been updated diff --git a/.werks/15725.md b/.werks/15725.md new file mode 100644 index 00000000000..8b94691c519 --- /dev/null +++ b/.werks/15725.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# Cleanup old Microcore config during update procedure + +key | value +---------- | --- +date | 2024-02-27T09:23:01+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | core +level | 1 +compatible | yes + +This change prevents a problem which might occur in case the `omd update` did +not finish successfully. In this situation, the Microcore might be started with +a configuration file from the previous version. This could lead to unexpected +behavior. + +Instead of keeping the old configuration, the update procedure now deletes the +file which makes the Microcore fail during startup with a more helpful error +message. diff --git a/.werks/15745.md b/.werks/15745.md new file mode 100644 index 00000000000..d8931d67f1c --- /dev/null +++ b/.werks/15745.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Checkmk now redacts site secrets during support diagnostics generation + +key | value +---------- | --- +date | 2024-01-18T07:51:01+00:00 +version | 2.3.0b1 +class | feature +edition | cee +component | multisite +level | 1 +compatible | yes + +Prior to this werk, generating a support diagnostic for deployments with distributed monitoring of multiple Checkmk instances would expose site secrets within the "etc/check_mk/multisite.d/sites.mk" file. + +All site secrets are now replaced with "redacted" during the generation process of support diagnostics (Setup > Maintenance > Support diagnostics) where Checkmk Configuration files have been selected with at least low sensitivity or the sites.mk file has been selected individually. diff --git a/.werks/15838.md b/.werks/15838.md new file mode 100644 index 00000000000..1e7f6a898ef --- /dev/null +++ b/.werks/15838.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Limit the service description length to 250 + +key | value +---------- | --- +date | 2024-01-08T11:56:11+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | wato +level | 1 +compatible | yes + +Since this release WATO prevents creation of a service with +too long service description. + diff --git a/.werks/15841.md b/.werks/15841.md new file mode 100644 index 00000000000..70810abc745 --- /dev/null +++ b/.werks/15841.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# The configuration is correctly loaded by RRD helper processes + +key | value +---------- | --- +date | 2024-03-26T10:03:03+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | core +level | 2 +compatible | yes + +This change ensures the reloading of the configuration by already +running RRD processes, thereby guaranteeing that those processes are +using the correct configuration. + +SUP-17787 +CMK-16318 diff --git a/.werks/15842.md b/.werks/15842.md new file mode 100644 index 00000000000..eb0ef97150a --- /dev/null +++ b/.werks/15842.md @@ -0,0 +1,38 @@ +[//]: # (werk v2) +# Enhanced MS SQL Server monitoring + +key | value +---------- | --- +date | 2024-04-03T07:47:56+00:00 +version | 2.3.0b4 +class | feature +edition | cre +component | checks +level | 2 +compatible | yes + +With this release MS SQL Server is monitored using new plugin and new GUI. + +The old plugin is still supported but are considered deprecated. + +Key Enhancements out-of-the-box: + +- Configuration flexibility: The plugin can be configured through a YAML config file for any edition and/or a graphical user interface (GUI) for enterprise edition or better. +- Cross platform: The plugin can be deployed on Linux and Windows. +- Enhanced monitoring capabilities: Supports monitoring of remote databases on both Linux and Windows hosts, in addition to local monitoring on Windows hosts. +- Customizable monitoring sections: Sections are now selectable and configurable +- Customizable SQL statements: you may change SQL statement either manually(place file in `mssql` sub directory in config dir) or using `Custom files` rule in GUI. +- Multi-instance support: Enables the selection of different instances for monitoring. Every instance can be configured separately +- Multi-host support: possible to monitor databases on various hosts using one deployed plugin. +- Security enhancements: Limited support for certificates is now available. +- Asynchronous operation: Any section with exception `instances` can be set up for asynchronous operation. +- Piggyback: It's possible to direct the output of a plugin to a different host, rather than to the host that retrieves the data. +- Other improvements: + - Automatic detection of instances is possible for any Windows host, local and remote, depending on SQL Server Setup. + - Full logging support including rotation and file limits + - Limit for maximal connection counts + - Cache time and timeout can be configured too + +With regard to the old plug-in, there are also a few restrictions at the moment: +- The database instances must be accessible via TCP/IP. +- If several databases are running on a system, each using their own IP addresses, these must be explicitly specified in the configuration of the agent plug-in, as the addresses and ports are currently not yet found automatically. \ No newline at end of file diff --git a/.werks/15844.md b/.werks/15844.md new file mode 100644 index 00000000000..f77b239830f --- /dev/null +++ b/.werks/15844.md @@ -0,0 +1,25 @@ +[//]: # (werk v2) +# Microsoft SQL Server (Windows) ruleset is deprecated + +key | value +---------- | --- +date | 2024-04-17T13:40:06+00:00 +version | 2.3.0b6 +class | feature +edition | cre +component | checks +level | 2 +compatible | no + +We've introduced a new `Microsoft SQL Server (Linux, Windows)` plug-in for MS SQL +database monitoring, see +[werk 15842: Enhanced MS SQL Server monitoring](https://checkmk.com/werk/15842). +The new plugin extends the functionality of `Microsoft SQL Server (Windows)` +by adding more options and features. + +We recommend that you upgrade to the `Microsoft SQL Server (Linux, Windows)` plug-in to monitor MS SQL databases. This new agent plugin can be deployed +alongside the Checkmk agent on your database systems, just like the previous +plugin. You can also use this plugin on any Windows or Linux +server to monitor remote MSSQL servers over the network. + +The previous `Microsoft SQL Server (Windows)` rule set is deprecated and renamed to `Microsoft SQL Server (deprecated)`. Please note that you may need to adjust settings on your databases or continue running the old plug-in for the time being, as the agent plug-in cannot connect to local database instances that are not available over a TCP/IP connection. \ No newline at end of file diff --git a/.werks/15845.md b/.werks/15845.md new file mode 100644 index 00000000000..9a54da0ebe6 --- /dev/null +++ b/.werks/15845.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# winperf_if check correctly discovers and processes interfaces with spaces + +key | value +---------- | --- +date | 2024-04-22T15:31:08+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | checks +level | 1 +compatible | no + +Previously, some Windows network interface names with additional spaces — +particularly before the hash symbol — were not recognized by the check engine. +This led to the absence of some services, especially Windows teaming network +interfaces. + +In this release, such interface names are handled correctly thus fixing the +problem. Still, you may need to rediscover services again. diff --git a/.werks/15976 b/.werks/15976 new file mode 100644 index 00000000000..23fbe597802 --- /dev/null +++ b/.werks/15976 @@ -0,0 +1,18 @@ +Title: mssql_backup: Correct timezone difference for last backup date +Class: fix +Compatible: compat +Component: checks +Date: 1696949130 +Edition: cre +Knowledge: doc +Level: 1 +Version: 2.4.0b1 + +This werk is relevant for users monitoring the age of the last backup time of mssql databases in different timezones. + +The date/time of the last backup of a mssql database is currently stored in local host time without the information about the host timezone. When this time is used to check the age of the last backup, it is interpreted in the Checkmk server timezone. +When using different timezones, this leads to incorrect values for "Age of last database backup" and if the age is negative, in newer Checkmk versions to the warning "Cannot reasonably calculate time since last backup (hosts time running ahead)". + +The mssql agent plugin will now store the time in UTC and the mssql_backup check will interpret the time accordingly. + +You will need to update the agent plugin mssql.vbs to receive the corrected times. diff --git a/.werks/16012 b/.werks/16012 new file mode 100644 index 00000000000..6950cc7dea6 --- /dev/null +++ b/.werks/16012 @@ -0,0 +1,9 @@ +Title: Event Console: Fix events on central site if these events are dedicated for remote sites +Class: fix +Compatible: compat +Component: ec +Date: 1702905058 +Edition: cre +Level: 1 +Version: 2.3.0b1 + diff --git a/.werks/16013.md b/.werks/16013.md new file mode 100644 index 00000000000..ba7e9e7650b --- /dev/null +++ b/.werks/16013.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Fix missing event console rules after site update + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-17T09:18:22+00:00 +level | 1 +class | fix +component | ec +edition | cee + +With werk 16012 the event console rules are filtered ond saved to the location +var/mkeventd/active_config during activate changes. +This werk fixes the missing procedure while updating to a new Checkmk version. \ No newline at end of file diff --git a/.werks/16015.md b/.werks/16015.md new file mode 100644 index 00000000000..ab6cb4e469a --- /dev/null +++ b/.werks/16015.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# ldap & saml: resolve error when connection config is edited or created + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2023-07-28T08:14:29+00:00 +level | 1 +class | fix +component | wato +edition | cme + +Prior to this werk, Checkmk raised an error in the following cases: + +* when the user attempted to create a LDAP connection with a config with the customer option set to "Global" +* when the user attempted to change a LDAP connection config with the customer option set to "Global" +* when the user attempted to create a SAML connection config +* when the user attempted to delete an existing SAML connection config + +This werk resolves these issues and Checkmk will not throw an error anymore. \ No newline at end of file diff --git a/.werks/16025 b/.werks/16025 new file mode 100644 index 00000000000..ab3ce4cda5f --- /dev/null +++ b/.werks/16025 @@ -0,0 +1,32 @@ +Title: Update PHP version in SLES15SP3 from 7 to 8 +Class: fix +Compatible: incomp +Component: rpm +Date: 1701254497 +Edition: cre +Level: 2 +Version: 2.3.0b1 + +Checkmk was shipped with a dependency to PHP7 for SLES15SP3. Since PHP7 is +part of the legacy module, this Werk updates the dependency from PHP7 to PHP8. + +As SLES only allows one version of PHP to be installed, the following steps +will uninstall PHP7 from the system and install the new version of Checkmk +with PHP8. Be aware that this procedure updates PHP from version 7 to 8 for the whole OS. In case you run additional PHP applications next to Checkmk, the update will also affect them. + +Run the following commands to perform the update to the new Checkmk version: + +* add SLES-15SP4 repo to get PHP8 with zypper addrepo https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/ sles15sp4 +* install the new Checkmk version with zypper install NEW_CHECKMK.rpm +* Zypper will now complain about a conflict with several PHP packages and asks you to select a solution. There, select solution 1 to confirm the deinstallation of the current Checkmk version, the PHP7 modules and to continue with the installation +* confirm the installation of the new Checkmk version and PHP8 with yes +* removing the existing Checkmk version will throw an error like `Site is still using this version! Removal of (@System) failed:`, proceed by choosing ignore which creates a inconsistent state for the old Checkmk version package, which we will resolve in a later step. +* PHP7 will be removed and PHP8 gets installed +* change to the site user with omd su SITE_NAME +* stop the site with omd stop +* perform the update to the new Checkmk version with omd update, select Update at the user prompt +* in case further prompts regarding wrong permissions of BUILD files appear, choose the default value with d +* start the site again with omd start +* exit from the site user +* list all installed Checkmk version with omd versions +* finally remove the old Checkmk installation with zypper remove OLD_CHECKMK diff --git a/.werks/16037.md b/.werks/16037.md new file mode 100644 index 00000000000..9be28ed75b3 --- /dev/null +++ b/.werks/16037.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# folder_config/host_config: No longer accept non-existent site + + +key | value +---------- | --- +date | 2023-12-22T08:11:28+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +You can no longer set a non-existent site on folders and hosts. + +When called with a non-existent site as an attribute the +endpoints now return the status code 400. diff --git a/.werks/16038.md b/.werks/16038.md new file mode 100644 index 00000000000..c7d3fef5eb5 --- /dev/null +++ b/.werks/16038.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# SLA tooltip missing UNKN state + +key | value +---------- | --- +date | 2024-01-04T08:28:52+00:00 +version | 2.3.0b1 +class | fix +edition | cee +component | multisite +level | 1 +compatible | yes + + +The SLA tooltip would always show UNKN (0%) even if the state was UNKN. +The corresponding value was aggregated as a PEND state. + +Now the UNKN state is displayed correctly. diff --git a/.werks/16039.md b/.werks/16039.md new file mode 100644 index 00000000000..af57e6c84d2 --- /dev/null +++ b/.werks/16039.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# host_config: add inherited labels to effective attributes + +key | value +---------- | --- +date | 2024-01-26T11:20:55+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +Previously, when using the effective attributes query parameter with the +``` +GET /objects/host_config/{host_name} +``` +endpoint, only the labels of the current host have been returned. + +Now all of the effective labels are aggregated and returned. diff --git a/.werks/16040.md b/.werks/16040.md new file mode 100644 index 00000000000..4a56e7a5d22 --- /dev/null +++ b/.werks/16040.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Add Top list dashlet + +key | value +---------- | --- +date | 2024-01-31T07:14:24+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | multisite +level | 1 +compatible | yes + +The Top list dashlet displays the top (or bottom) X values of a selected metric. + +The number of values can be selected, but is limited to 50 values. diff --git a/.werks/16047.md b/.werks/16047.md new file mode 100644 index 00000000000..717a881cf6c --- /dev/null +++ b/.werks/16047.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Changed host labels for Azure Resource Groups and Virtual Machine + +key | value +---------- | --- +date | 2024-01-26T12:20:23+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | no + +This werk affects users who use the tags of Azure Resource Groups or Virtual Machines (if monitored as hosts) as host labels in Checkmk. +The host labels are renamed from the original Azure format "{key}":"{value}" to "cmk/azure/tag/{key}":"{value}" in order to stay consistent with other host labels and to avoid overwriting existing Checkmk labels. +Additionally, label keys and values are now validated to 1) not hold empty values - empty values are replaced by "true" and 2) not contain colons (":") - colons are replaced by underscores ("_"). So a former label "label:key":"" will now be shown as "label_key":"true". +The old labels will be removed in version 2.4.0. diff --git a/.werks/16048.md b/.werks/16048.md new file mode 100644 index 00000000000..f8e3456fd86 --- /dev/null +++ b/.werks/16048.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Import Azure tags as service labels + +key | value +---------- | --- +date | 2024-01-29T07:26:41+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Azure resource tags are now imported as service labels as well. Each service that is discovered for an Azure resource now holds the resource's tags as service labels. +Also, you can now restrict the import of Azure tags via regex or disable the import altogether. This can be done in the rule "Microsoft Azure" via option "Import tags as host/service labels". +Note that tags are validated to 1) not hold empty values - empty values are replaced by "true" and 2) not contain colons (":") - colons are replaced by underscores ("_"). So an Azure resource tag "tag:key":"" will now be shown as "tag_key":"true". diff --git a/.werks/16049.md b/.werks/16049.md new file mode 100644 index 00000000000..c4d8543ffe0 --- /dev/null +++ b/.werks/16049.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# Render service graphs of host independent of historic metrics + +key | value +---------- | --- +date | 2024-02-19T07:41:52+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | multisite +level | 1 +compatible | yes + +The view "Service graphs of host" used to show the error message "No historic metrics recorded but performance data is available. Maybe performance data processing is disabled." even if the underlying single service graphs existed. +This occured especially when using a host check command. + +The behavior is fixed to always rendering the service graphs in the view "Service graphs of host", if their performance data is available. + +Note that this change does not affect the same error message shown for the "Host graph" row of the "Status of Host" view, as the available performance data belongs to the services and not to the host. + + diff --git a/.werks/16050.md b/.werks/16050.md new file mode 100644 index 00000000000..ac86cfbfacc --- /dev/null +++ b/.werks/16050.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Change default OS dashboards "Linux hosts" and "Windows hosts" + +key | value +---------- | --- +date | 2024-03-12T07:58:50+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | multisite +level | 1 +compatible | yes + +We change the default dashboards "Linux hosts" and "Windows hosts" (Monitor > Overview) to a new layout and partly to new dashboard elements. +This change shall improve user experience and provide the most relevant Linux/Windows host information on these boards. diff --git a/.werks/16067 b/.werks/16067 index b730256a6cf..f22567153a0 100644 --- a/.werks/16067 +++ b/.werks/16067 @@ -6,9 +6,8 @@ Date: 1698237843 Edition: cre Knowledge: doc Level: 1 -Version: 2.3.0i1 +Version: 2.3.0b1 Werk #15393 already solved this for most users but in rare cases, the formulars were still so big that an "Internal server error" occurred on saving. This change should fix that behaviour even for such cases. - diff --git a/.werks/16075 b/.werks/16075 new file mode 100644 index 00000000000..d31bbb62297 --- /dev/null +++ b/.werks/16075 @@ -0,0 +1,14 @@ +Title: Notification spooler: Fix possible wrong order of notification processing +Class: fix +Compatible: compat +Component: notifications +Date: 1700481159 +Edition: cee +Level: 1 +Version: 2.3.0b1 + +The notification spooler used the mtime of the spool files to determine the +order of execution. + +In rare cases, the mtime was too imprecise so we now use the mtime in +nanoseconds. diff --git a/.werks/16084.md b/.werks/16084.md new file mode 100644 index 00000000000..5ae17b6ed27 --- /dev/null +++ b/.werks/16084.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Show full agent hash in Check_MK Agent service and Agent update status + +key | value +---------- | --- +date | 2024-02-15T08:39:14+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | agents +level | 1 +compatible | yes + +As an addition to Werk #15424, the *Check_MK Agent* service and the +*Agent update status* page now also show the full 16-digit agent hash. diff --git a/.werks/16085.md b/.werks/16085.md new file mode 100644 index 00000000000..e6a87a5fde8 --- /dev/null +++ b/.werks/16085.md @@ -0,0 +1,24 @@ +[//]: # (werk v2) +# Agent Updater: Better detection of underlying platform + +key | value +---------- | --- +date | 2024-02-21T10:36:36+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | agents +level | 1 +compatible | yes + +Previously, the agent updater used to detect the underlying platform, +in terms of the combination of OS and package manager (e.g., Linux + RPM), +automatically by scanning for certrain directories. + +As multiple package managers may be available on one system, this sometimes +lead to unexpected behavior on agent updates when the update mechanism decided +to switch to a different platform. + +Now, the platform will be specified by a file that comes with the agent installation, +and the agent updater will rely on this static information instead of the dynamic detection. + diff --git a/.werks/16088.md b/.werks/16088.md new file mode 100644 index 00000000000..640098c33db --- /dev/null +++ b/.werks/16088.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Support Diagnostics: Also add the latest Crash Dumps to the SD Dump + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2023-09-27T16:54:11+00:00 +level | 1 +class | feature +component | setup +edition | cre + +For each category of crash dumps (base, check, ec, gui, rest_api, section), add the latest dump +to the Support Diagnostics dump. \ No newline at end of file diff --git a/.werks/16114 b/.werks/16114 index 2c753c5b54e..894ab178adc 100644 --- a/.werks/16114 +++ b/.werks/16114 @@ -8,5 +8,9 @@ Knowledge: doc Level: 1 Version: 2.3.0b1 -Previously, the folder name pattern for GET and DELETE endpoints were stricter than the CREATE, provoking that a new folder could not be retrieved nor deleted. This fix widens the folder name pattern on GET and DELETE endpoints to align with the CREATE one. +Prior to this Werk, the folder name pattern for GET and DELETE endpoints did not allow the use of unicode characters while they were supported by the CREATE endpoint, with the result that folders created with such characters could not be accessed or deleted from the REST API. + +For example, the user was able to create a folder named û亿Ï8Ĺ, which then could not be read or deleted from the API. + +This Werk widens the folder name pattern on GET and DELETE endpoints to align with the CREATE one and now all of them support unicode characters. diff --git a/.werks/16116.md b/.werks/16116.md new file mode 100644 index 00000000000..cd35a80687d --- /dev/null +++ b/.werks/16116.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Fixed association of contacts with hosts/services/contactgroups + +key | value +---------- | --- +date | 2024-04-05T13:48:37+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | livestatus +level | 3 +compatible | yes + +Checkmk 2.3 beta introduced a regression regarding contacts when +then Nagios core was used: The association of contacts with hosts, +services and contact groups was incorrect. A symptom of this bug +were e.g. missing hosts or services in the GUI. diff --git a/.werks/16147.md b/.werks/16147.md new file mode 100644 index 00000000000..9140cf20590 --- /dev/null +++ b/.werks/16147.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# Abort CMC on irrecoverable filesystem errors + +key | value +---------- | --- +date | 2024-01-03T15:27:33+00:00 +version | 2.3.0b1 +class | fix +edition | cee +component | cmc +level | 1 +compatible | yes + +The errors + + * too many files open (EMFILE) + * too many files open in system (ENFILE) + * no buffer space (ENOBUFS) + * not enough memory (ENOMEM) + +now exit the core. Correct monitoring cannot be +guaranteed when the server is in this state. diff --git a/.werks/16148.md b/.werks/16148.md new file mode 100644 index 00000000000..86539d0401c --- /dev/null +++ b/.werks/16148.md @@ -0,0 +1,28 @@ +[//]: # (werk v2) +# New livestatus column performance_data + +key | value +---------- | --- +date | 2024-01-12T06:35:01+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | livestatus +level | 1 +compatible | yes + +The hosts and services tables have a new column named +`performance_data` that returns a mapping where the keys +are the names of metrics and values are the numeric values +of the performance data. + +For example, +``` +OMD[heute]:~$ lq << EOF +> GET services +> Columns: description performance_data +> Filter: description = CPU load +> OutputFormat: python +> EOF +[["CPU load",{"load5":0.64,"load1":0.62,"load15":1.13}]] +``` diff --git a/.werks/16149.md b/.werks/16149.md new file mode 100644 index 00000000000..8c6f6fbe8c2 --- /dev/null +++ b/.werks/16149.md @@ -0,0 +1,56 @@ +[//]: # (werk v2) +# New OrderBy header in livestatus + +key | value +---------- | --- +date | 2024-01-29T10:12:24+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | livestatus +level | 1 +compatible | yes + +We provide a new header for livestatus that returns the rows in +sorted order. + +For example, to sort host names in descending order +``` +$ lq 'GET hosts\nColumns: name\nOrderBy: name desc' +zhost +yhost +xhost +... +``` +in ascending order +``` +$ lq 'GET hosts\nColumns: name\nOrderBy: name asc' +ahost +bhost +... +``` +or, alternatively without `asc`, +``` +$ lq 'GET hosts\nColumns: name\nOrderBy: name' +ahost +bhost +... +``` + +The `OrderBy` header can be combined with the `Limit` header to +limit the number of results as expected. +``` +$ lq 'GET hosts\nColumns: name\nOrderBy: name\nLimit: 1' +ahost +``` + +Furthermore, it is possible to sort on dictionary keys with the +following syntax +``` +$ lq << EOF +GET services +Columns: host_name description performance_data +OrderBy: performance_data.user_time +EOF +... +``` diff --git a/.werks/16163 b/.werks/16163 new file mode 100644 index 00000000000..694602f8ab4 --- /dev/null +++ b/.werks/16163 @@ -0,0 +1,46 @@ +Title: jar_signature: Prevent privilege escalation to root +Class: security +Compatible: incomp +Component: checks +Date: 1702395666 +Edition: cre +Level: 3 +Version: 2.3.0b1 + +jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule) +was vulnerable to privilege escalation to root by the oracle user. + +A malicious oracle user could replace the jarsigner binary with another script and put +it in the JAVA_HOME directory. The script would be executed by the root user. + +The jarsigner is now executed by the oracle user, preventing the privilege escalation. + +This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users +should deploy the new version of the plugin or disable it. + +This issue was found during internal review. + + +### Affected Versions + + * 2.2.0 + * 2.1.0 + * 2.0.0 (EOL) and older + + +### Mitigations + +If updating is not possible, disable the jar_signature plugin. + + +### Vulnerability Management + +We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: +`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` + +We have assigned `CVE-2023-6740`. + + +### Changes + +The jarsigner binary is now executed by the oracle user. \ No newline at end of file diff --git a/.werks/16164.md b/.werks/16164.md new file mode 100644 index 00000000000..a43be5f3f02 --- /dev/null +++ b/.werks/16164.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# veeam_cdp_jobs: Handle last sync time from the future + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2023-12-29T08:24:59+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Previously, the veeam_cdp_jobs would crash when receiving last +sync time from the future with a message: +``` +raise ValueError("Cannot render negative timespan") +``` + +Now, the affected service will be in state WARN and report the following message: +``` +"The timestamp of the file is in the future. Please investigate your host times" +``` \ No newline at end of file diff --git a/.werks/16165.md b/.werks/16165.md new file mode 100644 index 00000000000..a6af7ab0e8a --- /dev/null +++ b/.werks/16165.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# check_mk_agent: Set LC_ALL before running the agent + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-02T10:09:48+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Previously, Checkmk agents would be run with a preset LC_ALL +environment variable if neither C.UTF-8 or C.utf-8 locales were +installed. + +That led to invalid agent output and crashes in section parsing +in multiple checks for some of the locales. + +Linux, AIX, Solaris, FreeBSD and OpenWrt agents were affected. + +Now, LC_ALL variable is set to C for the described case. \ No newline at end of file diff --git a/.werks/16166.md b/.werks/16166.md new file mode 100644 index 00000000000..6676bcc7579 --- /dev/null +++ b/.werks/16166.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# ibm storwize: Fix missing data when monitoring nodes + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-03T09:05:20+00:00 +level | 1 +class | fix +component | checks +edition | cre + +lsnodestats command was used for monitoring nodes in IBM Storwize devices. +Storwize devices don't have the lsnodestats command which led to missing data +in ibm_svc_nodestats services. + +Now, the IBM SVC agent uses the lsnodestats if it's available and lsnodecanisterstats +otherwise. \ No newline at end of file diff --git a/.werks/16167.md b/.werks/16167.md new file mode 100644 index 00000000000..e86b842bc10 --- /dev/null +++ b/.werks/16167.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# pandacom_psu: New PSU types added + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-04T13:07:52+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Pandacom devices with PSU types 65025-65033 caused a crash during +section parsing. + +Now, Checkmk recognizes the new type codes and reports the correct +PSU type. \ No newline at end of file diff --git a/.werks/16168.md b/.werks/16168.md new file mode 100644 index 00000000000..e14d2994e87 --- /dev/null +++ b/.werks/16168.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# fortiauthenticator_auth_fail: Detect new FortiAuthenticator devices + +key | value +---------- | --- +date | 2024-01-05T13:30:46+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Additional FortiAuthenticator devices with SysObjectID starting with +".1.3.6.1.4.1.12356.113" are now detected. diff --git a/.werks/16169.md b/.werks/16169.md new file mode 100644 index 00000000000..12f0862128d --- /dev/null +++ b/.werks/16169.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# opsgenie: Fix notification acknowledgement if host or service are back to OK + +key | value +---------- | --- +date | 2024-01-05T14:04:50+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | notifications +level | 1 +compatible | yes + +Previously, Opsgenie notification wouldn't acknowledge notifications if +host or service state went back to OK in the meantime. diff --git a/.werks/16170.md b/.werks/16170.md new file mode 100644 index 00000000000..cbb70ec2884 --- /dev/null +++ b/.werks/16170.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# snmp: Store OID cache per context group + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-07T09:54:40+00:00 +level | 1 +class | fix +component | checks +edition | cre + +SNMP caching didn't take contexts in consideration when storing +OID data. This led to the same result being reported for the OID +in different sections even if sections use different contexts. + +Now, SNMP caching stores fetched OID data for every group of contexts +it was called with. \ No newline at end of file diff --git a/.werks/16171.md b/.werks/16171.md new file mode 100644 index 00000000000..05377c96bae --- /dev/null +++ b/.werks/16171.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# aws: Fix Cloudwatch alarms fetching + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-21T13:16:55+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Cloudwatch alarms weren't fetched properly for environments with a lot +of alarms. It resulted in missing alarms in the 'AWS/CloudWatch Alarms' service. \ No newline at end of file diff --git a/.werks/16172.md b/.werks/16172.md new file mode 100644 index 00000000000..e3d9c3a492a --- /dev/null +++ b/.werks/16172.md @@ -0,0 +1,31 @@ +[//]: # (werk v2) +# kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root + +key | value +---------- | --- +date | 2024-02-27T09:14:50+00:00 +version | 2.4.0b1 +class | security +edition | cre +component | checks +level | 1 +compatible | yes + +Kaspersky Anti-Virus plugin uses /opt/kaspersky/kav4fs/bin/kav4fs-control and +/opt/kaspersky/kesl/bin/kesl-control commands to monitor a Kaspersky Anti-Virus +installation. + +To prevent privilege escalation, the plugin (which is run by root user) must +not run executables which can be changed by less privileged users. + +In the default installation, kav4fs-control and kesl-control commands are owned +by root and root is the only user with write permissions, which prevents privilege +escalation attacks. + +With this Werk, the plugin checks if control commands are owned by root and root +is the only user with write permissions before running the command. If that's not +the case the commands won't be run. This prevents privilege escalation attacks if +the permissions of the control commands have been changed. + +We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). +This CVSS is primarily meant to please automatic scanners. diff --git a/.werks/16173.md b/.werks/16173.md new file mode 100644 index 00000000000..8b053277aac --- /dev/null +++ b/.werks/16173.md @@ -0,0 +1,31 @@ +[//]: # (werk v2) +# symantec_av: Don't run sav command if it isn't owned by root + +key | value +---------- | --- +date | 2024-02-28T08:58:09+00:00 +version | 2.4.0b1 +class | security +edition | cre +component | checks +level | 1 +compatible | yes + +Symantec Anti Virus plugin uses /opt/Symantec/symantec_antivirus/sav command +to monitor a Symantec Anti Virus installation. + +To prevent privilege escalation, the plugin (which is run by root user) must +not run executables which can be changed by less privileged users. + +In the default installation, sav command is owned by root and root is the only +user with write permissions, which prevents privilege escalation attacks. + +With this Werk, the plugin checks if sav command is owned by root and root +is the only user with write permissions before running the command. If that's not +the case the command won't be run. This prevents privilege escalation attacks if +the permissions of the sav command have been changed. + +We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). +This CVSS is primarily meant to please automatic scanners. + +CMK-15318 diff --git a/.werks/16174.md b/.werks/16174.md new file mode 100644 index 00000000000..69d9977fddb --- /dev/null +++ b/.werks/16174.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# mongodb_replica_set: Fix replication lag and last replication time + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-07T09:48:38+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Checkmk previously assumed that timestamps collected from MongoDB oplog +are provided in ms. This wasn't the case, which led to wrong values for +replication lag and last replication time being shown in +the 'MongoDB Replication Lag' service. \ No newline at end of file diff --git a/.werks/16175.md b/.werks/16175.md new file mode 100644 index 00000000000..ce3c99bb690 --- /dev/null +++ b/.werks/16175.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# apc_netbotz_sensors, apc_netbotz_other_sensors: Add monitoring for Netbotz 50 devices + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-08T10:39:25+00:00 +level | 1 +class | feature +component | checks +edition | cre + +apc_netbotz_sensors and apc_netbotz_other_sensors checks provided monitoring for APC Netbotz v2 devices. +Now, the checks can additionally monitor APC Netbotz 50 devices. \ No newline at end of file diff --git a/.werks/16176.md b/.werks/16176.md new file mode 100644 index 00000000000..4dec6b7a14c --- /dev/null +++ b/.werks/16176.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# postfix: Fix Postfix status monitoring for agents run in Docker + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-13T09:57:01+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Previously, Checkmk agent used the data from /proc to determine if Postfix instance is running. +Since docker containers don't have permissions to read /proc, the agent always reported +the Postfix instance as 'not running'. + +This resulted in CRIT 'Postfix status' service even if Postfix instance was running correctly. \ No newline at end of file diff --git a/.werks/16177.md b/.werks/16177.md new file mode 100644 index 00000000000..f891c77b4cc --- /dev/null +++ b/.werks/16177.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# bi_aggregation: Better visualization of aggregation errors + +key | value +---------- | --- +date | 2024-03-15T15:27:21+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Aggregation errors are shown in the details of 'Aggr' services. +Previously, all aggregation errors were shown in the same tree +independent of whether they influence the state of the service or not, +which lead to confusion. +Now, two trees are shown, 'Aggregation problems affecting the state' and +'Aggregation problems not affecting the state'. diff --git a/.werks/16178.md b/.werks/16178.md new file mode 100644 index 00000000000..1dab1cfc43e --- /dev/null +++ b/.werks/16178.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# dns: Reintroduce macro replacement in 'Expected DNS answers' config + +key | value +---------- | --- +date | 2024-03-20T08:49:31+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +With version 2.3.0b1, the macros in the 'Expected DNS answers' field of 'Check DNS service' +were no longer replaced. This change reintroduces macro replacement. diff --git a/.werks/16179.md b/.werks/16179.md new file mode 100644 index 00000000000..494fdf03bda --- /dev/null +++ b/.werks/16179.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# size_trend: Treat negative free space as 0 in all cases + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-20T10:04:09+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Before the version 2.2.0p21, 'Time left until full' was reported to be 0 in case of +devices reporting negative free space. +With werk 16330, we stopped reporting the metric in case of very small size changes +because it lead to infinite values. With this change the behavior was unintentionally +also changed for negative free space values. +This werk restores the same functionality in case of negative free space. \ No newline at end of file diff --git a/.werks/16180.md b/.werks/16180.md new file mode 100644 index 00000000000..83fe5080350 --- /dev/null +++ b/.werks/16180.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Ruleset API: Datamodel changes for Proxy FormSpec + +key | value +---------- | --- +date | 2024-03-28T13:45:23+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +This only affects plugin developers using the new API `cmk.rulesets.v1`. +The datamodel for the `Proxy`, `Levels`, `TimePeriod` and `Password` Formspecs is changed. +Use the `migrate_to_...` migration function to update your stored configurations to the newer datamodel. diff --git a/.werks/16194.md b/.werks/16194.md new file mode 100644 index 00000000000..caf32f50d20 --- /dev/null +++ b/.werks/16194.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Licensing: Allow UI to be used in trial and free state when CMC is not running + +key | value +---------- | --- +date | 2024-01-08T12:25:13+00:00 +version | 2.3.0b1 +class | fix +edition | cce +component | wato +level | 1 +compatible | yes + +When using a CCE in the trial phase or in the free license state, the UI was mostly unusable when the CMC was not running (with the pages showing the error "Cannot connect to 'unix:/omd/sites/monitoring_eval/tmp/run/live'....") + +Since the CMC is prohibited from starting if too many services are being monitored in the free license state, this meant that in order to get out of the free state, the license could only be applied via REST-API. + +This has now been fixed. diff --git a/.werks/16195.md b/.werks/16195.md new file mode 100644 index 00000000000..84fd75c794d --- /dev/null +++ b/.werks/16195.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Licensing: Improve process of applying a license for non-running CMC + +key | value +---------- | --- +date | 2024-01-11T13:14:15+00:00 +version | 2.3.0b1 +class | fix +edition | cce +component | wato +level | 1 +compatible | yes + +In werk #16194 an issue was fixed where the UI was not reachable to apply a license when the CMC is not running. +However, if the core was not running due to a license issue, a new core configuration would have to be generated in order to restart the core. +This has been improved so that the core can now be started without further interaction. diff --git a/.werks/16197.md b/.werks/16197.md new file mode 100644 index 00000000000..8487a488770 --- /dev/null +++ b/.werks/16197.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# quantum_libsmall_*: Improve SNMP detection + +key | value +---------- | --- +date | 2024-02-27T12:11:36+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Currently the SNMP detection for `quantum_libsmall_status` and `quantum_libsmall_door` checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product". diff --git a/.werks/16198.md b/.werks/16198.md new file mode 100644 index 00000000000..9f6fb231d62 --- /dev/null +++ b/.werks/16198.md @@ -0,0 +1,33 @@ +[//]: # (werk v2) +# mk_informix: Do not allow privilege escalation + +key | value +---------- | --- +date | 2024-03-08T14:57:50+00:00 +version | 2.4.0b1 +class | security +edition | cre +component | checks +level | 1 +compatible | yes + +The informix database monitoring plugin would previously `eval` statements parsed from `$INFORMIXDIR/bin/onstat`. Since the plugin is usually run as root, this could cause statements injected in `$INFORMIXDIR/bin/onstat` to be run as root as well. +By adding scripts named the same as other functionality found in `$PATH` to `$INFORMIXDIR/bin`, `$PATH` functionality could also be overshadowed and the custom executed as root. +Finally, `$INFORMIXDIR/bin/onstat` would be executed as root, allowing a substituted script to be run with elevated privileges. + +With this werk, the environment variables will be exported instead and `$PATH` will now be searched before `$INFORMIXDIR/bin`. +The plugin will now also check if `$INFORMIXDIR/bin/onstat` belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable. + + +This issue was found during internal review. + +*Affected Versions*: + +* 2.3.0 (beta) +* 2.2.0 +* 2.1.0 +* 2.0.0 (EOL) + +*Vulnerability Management*: + +We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` and assigned CVE `CVE-2024-28824`. diff --git a/.werks/16210.md b/.werks/16210.md new file mode 100644 index 00000000000..ee4c197232f --- /dev/null +++ b/.werks/16210.md @@ -0,0 +1,24 @@ +[//]: # (werk v2) +# folder_config: Prevent unintentional deletion of a non-empty folder + +key | value +---------- | --- +date | 2024-01-11T09:34:55+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | no + +Prior to this Werk, the REST API could delete non-empty folders without any further check. With this Werk, the endpoint now accepts the **delete_method** query parameter. The possible values are: +- **recursive**: Deletes the folder and all the elements it contains. +- **abort_on_nonempty**: Deletes the folder only if it is not empty + +If no delete_method is provided, **recursive** is asumed and the behaviour is the same as before this Werk. + +The enpoint will return a 409 status code when trying to delete a folder that contains hosts, rules, subfolders or is referenced by another object. + +Use example: +`curl -X 'DELETE' 'http://example.com/my_site/check_mk/api/1.0/objects/folder_config/my_folder?delete_metod=abort_on_nonempty' -H 'accept: */*` + diff --git a/.werks/16227 b/.werks/16227 new file mode 100644 index 00000000000..f84a1dcda1e --- /dev/null +++ b/.werks/16227 @@ -0,0 +1,32 @@ +Title: Disabled automation users could still authenticate +Class: security +Compatible: incomp +Component: wato +Date: 1702309789 +Edition: cre +Level: 1 +Version: 2.3.0b1 + +Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. +The information that a user was disabled was not checked for automation users. + +We found this vulnerability internally. + +Affected Versions: +LI: 2.2.0 +LI: 2.1.0 +LI: 2.0.0 +LI: 1.6.0 +LI: 1.5.0 (probably older versions as well) + +Mitigations: +If the need arises to block an automation user one can change the password or remove that user from the system. + +Vulnerability Management: +We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. +We assigned CVE-2023-31211 to this vulnerability. + +Changes: +This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled. + diff --git a/.werks/16232.md b/.werks/16232.md new file mode 100644 index 00000000000..ef26da4a921 --- /dev/null +++ b/.werks/16232.md @@ -0,0 +1,42 @@ +[//]: # (werk v2) +# mk_oracle(ps1): Prevent privilege esclation to root + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-01-17T08:20:43+00:00 +level | 3 +class | security +component | checks +edition | cre + +The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. + +A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put +it in the corresponding directory. The script would be executed by the root user. + +All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. +Affected binaries are: sqlplus, tnsping, crsctl. + +

Affected Versions

+ +* 2.3.0 (beta) +* 2.2.0 +* 2.1.0 +* 2.0.0 (EOL) and older + +

Mitigations

+ +If updating is not possible, disable the mk_oracle plugin. + +

Vulnerability Management

+ +We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: +CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + +We have assigned CVE-2024-0638. + +

Changes

+ +All called binaries are now executed in a safe way. \ No newline at end of file diff --git a/.werks/16233.md b/.werks/16233.md new file mode 100644 index 00000000000..ad02cbdc06d --- /dev/null +++ b/.werks/16233.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Cease to provide builds for Ubuntu 23.04 (Lunar Lobster) + +key | value +---------- | --- +date | 2024-01-23T13:20:36+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | no + + diff --git a/.werks/16234.md b/.werks/16234.md new file mode 100644 index 00000000000..dc55d8d275a --- /dev/null +++ b/.werks/16234.md @@ -0,0 +1,33 @@ +[//]: # (werk v2) +# Hide credentials in ps output for mk_oracle + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-20T18:39:35+00:00 +level | 1 +class | security +component | checks +edition | cre + +In the mk_oracle plugin sqlplus used to be called with the connection string as an argument. +This connection string could contain credentials necessary to authenticate against the database. +These arguments could be extracted by other users (e.g. with use of ps). + +This vulnerability was reported to us, we are not aware of any exploitations. + +Affected Versions: + +2.2.0 +2.1.0 +2.0.0 (probably older versions as well) + +Vulnerability Management: + +We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: +CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. +We assigned CVE-2024-1742 to this vulnerability. + +Changes: +With this Werk the connection string is now piped via stdin to sqlplus. \ No newline at end of file diff --git a/.werks/16235.md b/.werks/16235.md new file mode 100644 index 00000000000..6b5ed411111 --- /dev/null +++ b/.werks/16235.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# oracle_sql: don't crash on wrong keyword + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-20T19:17:54+00:00 +level | 1 +class | fix +component | checks +edition | cre + diff --git a/.werks/16236.md b/.werks/16236.md new file mode 100644 index 00000000000..e27de7ea277 --- /dev/null +++ b/.werks/16236.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Regression when obtaining mails from mailbox + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-21T13:17:42+00:00 +level | 1 +class | fix +component | checks +edition | cre + +This regression exists since 2.2.0b1. Monitoring mails in your in box may have not been possible. +This is fixed now. \ No newline at end of file diff --git a/.werks/16237.md b/.werks/16237.md new file mode 100644 index 00000000000..f3d970d737f --- /dev/null +++ b/.werks/16237.md @@ -0,0 +1,25 @@ +[//]: # (werk v2) +# Path to mysql.ini under Windows for mk_sql + +key | value +---------- | --- +date | 2024-02-23T11:26:08+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +If you've been using mysql and the corresponding agent plugin *mk_sql* +under Windows, the plugin may have crashed and the agent output would then +show the following error: +``` +<<>> +[[MySQL83]] +mysqladmin: File '\etc\check_mk\mysql.local.ini' not found (OS errno 2 - No such file or directory) +mysqladmin: [ERROR] Stopped processing the 'include' directive in file C:\ProgramData\checkmk\agent\config\mysql.ini at line 8. +``` +Under Windows, the plugin config path `C:\ProgramData\checkmk\agent\config` is now used. + +In contrast to the corresponding Linux plugin `mk_mysql`, the config path under Windows cannot be changed. diff --git a/.werks/16238.md b/.werks/16238.md new file mode 100644 index 00000000000..2a59e65282f --- /dev/null +++ b/.werks/16238.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Add m7i.large as aws resource type + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-27T12:50:29+00:00 +level | 1 +class | feature +component | checks +edition | cre + +You're affected if your aws_ec2_limits check reported "Unknown resource" and you're using "m7i.large". +The aws resource names are changing from time to time and we will need to find a more stable solution for that in the future. +But for now, this will be fixed by adding the resource name "m7i.large" to our internal list of aws resources. \ No newline at end of file diff --git a/.werks/16239.md b/.werks/16239.md new file mode 100644 index 00000000000..3763f049ea4 --- /dev/null +++ b/.werks/16239.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Extend devices found by apc_ats_status + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-28T12:37:31+00:00 +level | 1 +class | fix +component | checks +edition | cre + +This werk affects you, in case you try to monitor your APC Rack Automatic Transfer Switch with apc_ats_status. +Previously some devices were not discovered due to a too strict scan function. +Futher, we enable monitoring other power supplies available at such devices as for example 1V and 3.3V. +This was fixed now. \ No newline at end of file diff --git a/.werks/16240.md b/.werks/16240.md new file mode 100644 index 00000000000..ff8d2d325f4 --- /dev/null +++ b/.werks/16240.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# Crash on missing thread count on AIX + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-28T14:12:59+00:00 +level | 1 +class | fix +component | checks +edition | cre + +You're affected if you want to monitor your CPU and the cpu check crashes with something like: +``` + File "/omd/sites/YOURSITE/lib/python3/cmk/base/plugins/agent_based/cpu.py", line 48, in parse_cpu + count=int(row[3].split("/")[1]), +ValueError (invalid literal for int() with base 10: '') +``` + +We saw this happening on AIX system when the ps information cannot be obtained due to low memory. +The parsing is now more resilient against such missing data. \ No newline at end of file diff --git a/.werks/16241.md b/.werks/16241.md new file mode 100644 index 00000000000..cc2d8eeb281 --- /dev/null +++ b/.werks/16241.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# Crash during parsing of systemd unit when description is missing + +key | value +---------- | --- +date | 2024-02-29T10:20:38+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +You're affected if you're monitoring your systemd units with an old agent and +your unit is missing a descpription. + +Parsing may have failed with: +``` +> loaded_status, active_status, current_state, descr = remains.split(" ", 3) +E ValueError: not enough values to unpack (expected 4, got 3) +``` + +This is fixed now. diff --git a/.werks/16242.md b/.werks/16242.md new file mode 100644 index 00000000000..09812bcf45a --- /dev/null +++ b/.werks/16242.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Kill forked processes by mk_oracle under AIX + +key | value +---------- | --- +date | 2024-03-06T12:43:13+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +The agent plugin `mk_oracle` creates forked processes, e.g. from `sqlplus`. +In order to reliable clean up stale processes, we kill now the whole process chain under AIX +which corresponds to the stored `PID`. +We introduce this only for `AIX` now as we have customers which are affected under that OS. diff --git a/.werks/16259.md b/.werks/16259.md new file mode 100644 index 00000000000..1c73954487c --- /dev/null +++ b/.werks/16259.md @@ -0,0 +1,97 @@ +[//]: # (werk v2) +# New APIs for plugin development + +key | value +---------- | --- +date | 2024-02-26T21:27:58+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 2 +compatible | yes + + +Checkmk 2.3 features new APIs for plugin development. +There are three new APIs, and a new version of the agent based API (also known as "Check API"). +The replaced APIs will not be supported after 2.3 (details below). + +Plugin APIs in general provide means to write own code that interacts with the main application using well defined and stable code libraries. + +While Checkmk has always offered the possibility to add custom plugins, the APIs were often ad-hoc and undocumented. +In Checkmk 2.0 we started to address this with the introduction of the agent-based API. +With this werk, all important elements of creating your own monitoring plugins are covered by an API. + +With the APIs we introduce here we clarify what is meant to be used by plugin developers and what are internal modules, which can and likely will change over time and should not be used. +This is beneficial for all involved parties: + + * Checkmk developers can easily figure out what parts of the code can be changed without breaking plugins. + We can focus on providing stable APIs while gaining the freedom to rapidly refactor the backend code. + * Plugin developers know what features to use to prevent their plugin from unexpectedly breaking during an upgrade, without having to closely follow the changes we make to the code. + * Checkmk users can have reliable information on which of their extensions will continue to work after a major upgrade. + +As a result, the increased transparency leads to a better stability and hence a better user experience on all sides. + +While the APIs are also intended to be stable, the main focus now is on transparency. +All of the APIs have a limited scope, and we have tried to have them feature complete within these limits. +However, as the development of Checkmk progresses, we might have to add some features or redesign others. +The versioning of the APIs will allow us in these cases to maintain the old version (for a while) and provide documentation on how to migrate to the newer API version. + +**While we recommend testing the APIs and highly appreciate any feedback: Be aware that during the beta phase incompatible changes to the APIs might occur. +Start with a small subset of your plugins to check out the APIs capabilities and limitations. +Wait for the stable release before migrating a large amount of plugins to avoid having to make adjustments in all of them.** + +You can find a detailed technical documentation of the APIs in a running sites "Help" menu, under "Plugin API references". + + +## Compatibility + +For all affected plugins (see below) the following migration timeline is supported: + +For Checkmk 2.3 we tried our best to ensure all plugins will continue working as in 2.2. +Note that we can't guarantee all plugins will work for the above reasons. + +We strongly recommend users migrate to the new APIs during the lifetime of 2.3. + +With the update to 2.4 all measures to ensure that older plugins still work are dropped, effectively making it extremely unlikely that these plugins will continue to work. + +## General changes and common API properties + +The main changes of these APIs is to reduce side effects when importing the code (for better testablility) and allow for a better component oriented structure: + + * We move away from the "registry" approach we had in the past, to a discovery based approach. + Plugins are instances of specific classes that are created in a certain place with a certain naming scheme. + * All plugins (rulesets, check plugins, metrics, ...) of the same "plugin family" can now live in a common folder. + +A detailed description can be found in the technical documentation mentioned above. + +Plugins already migrated by us can be found in the [cmk/plugins](https://github.com/Checkmk/checkmk/tree/master/cmk/plugins) folder of the source code. + +## Rulesets API: `cmk.rulesets.v1` + +This is the new API for the creation of rulesets used by the users to configure their plugins. +The supported Ruleset types and input form elements can be found in the technical documentation. +These are the plugins formally known to sit in your sites `local/share/check_mk/web/plugins/wato`. +To be discovered by Checkmk they now have to be in `local/lib/python3/cmk_addons/plugins//rulesets`. + +## Graphing API: `cmk.graphing.v1` + +This is the new API for the creation of objects required for metric visualization, such as perfometers and graphs. +The supported metric objects can be found in the technical documentation. +These plugins previously where located at `local/share/check_mk/web/plugins/metrics`. +To be discovered by Checkmk they now have to be in `local/lib/python3/cmk_addons/plugins//graphing`. + +## Server side calls API: `cmk.server_side_calls.v1` + +This is the new API for plugins that convert a configured ruleset for a special agent or active check to the command line command that is used to run the special agent or active check. +Details on the exposed classes and their usage can be found in the technical documentation. +These plugins previously where located at `local/share/check_mk/checks`, and filled a `special_agent_info` or `active_check_info` dictionary. +To be discovered by Checkmk they now have to be in `local/lib/python3/cmk_addons/plugins//server_side_calls`. + +## New version of agent based API: `cmk.agent_based.v2` + +The new version of the agent based API was mostly added to increase consistency with the other three APIs (discovery mechanism, plugin location). +It also features a couple of less important improvements. Details can be found in the technical documentation. +These plugins previously where located at `local/lib/check_mk/base/plugins/agent_based`. +To be discovered by Checkmk they now have to be in `local/lib/python3/cmk_addons/plugins//agent_based`. + diff --git a/.werks/16261.md b/.werks/16261.md new file mode 100644 index 00000000000..84c860b2685 --- /dev/null +++ b/.werks/16261.md @@ -0,0 +1,24 @@ +[//]: # (werk v2) +# Split up rule "Mails in outgoing mail queue" + +key | value +---------- | --- +date | 2023-12-25T17:11:32+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +This affects all users that had rules for "Mails in outgoing mail queue" configured. + +To clean up inconsistencies that the new APIs no longer tolerate, we had to split the ruleset into two. + +We renamed "Mails in outgoing mail queue" to "Mails in outgoing mail queue (multiple queues)" and added a new ruleset "Mails in outgoing mail queue (single queue)". +The required new rules are created automatically during upgrade, but we advise users to check if they have rules that are not needed anymore. + +The plugins using the new ruleset are + * Barracuda SPAM Firewall: Active and Deferred Mail Queue Length (`barracuda_mailqueues`) + * Nullmailer: Mailqueue Length (`nullmailer_mailq`) + * qmail: Mailqueue Length (`qmail_stats`) diff --git a/.werks/16273 b/.werks/16273 new file mode 100644 index 00000000000..7e2a4ea0550 --- /dev/null +++ b/.werks/16273 @@ -0,0 +1,39 @@ +Title: Local privilege escalation in agent plugin 'mk_tsm' +Class: security +Compatible: incomp +Component: checks +Date: 1702411459 +Edition: cre +Level: 1 +Version: 2.3.0b1 + +By crafting a malicious command that then shows up in the output of `ps` users of monitored hosts could gain root privileges. +This was achieved by exploiting the insufficient quoting when using ksh's `eval` to create the required environment. + +This issue was found during internal review. + + +### Affected Versions + + * 2.2.0 + * 2.1.0 + * 2.0.0 (EOL) and older + + +### Mitigations + +If updating is not possible, disable the Tivoli Storage Manager plugin. + + +### Vulnerability Management + +We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector: +`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` + +We have assigned `CVE-2023-6735`. + + +### Changes + +With this change we no longer use `eval` and fixe the quoting. +This prevents variable exports being missinterpreted as commands to execute. diff --git a/.werks/16274.md b/.werks/16274.md index 5e13a6f5d18..18461bf21ca 100644 --- a/.werks/16274.md +++ b/.werks/16274.md @@ -16,15 +16,15 @@ This werk only affects you if you observe unknown "Logical device <ITEM>" In case you are affected please run a discovery on the affected hosts and fix the monitoring history as described below. -We observed some devices to send `""` (the null-byte) as their name (`OID .1.3.6.1.4.1.232.3.2.3.1.1.14`). +We observed some devices to send `"\x00"` (the null-byte) as their name (`OID .1.3.6.1.4.1.232.3.2.3.1.1.14`). Not all components delt well with it, leading to unacknowlegable downtimes, non matching rules and the like. -We now replace all null-bytes with `"\x00"` (the literal containing the four characters backslash, 'x', 'zero', 'zero'). +We now replace all null-bytes with `"\\x00"` (the literal containing the four characters backslash, 'x', 'zero', 'zero'). As of Checkmk 2.3, this should in fact no longer be necessary, but as we need a backportable solution, we change the item consistently in all versions. If this affects you, you might also want to fix the services in the monitoring history by running ``` -sed -i 's||\x00|' var/check_mk/core/history var/check_mk/core/archive/* +sed -i 's|\\x00|\\\\x00|' var/check_mk/core/history var/check_mk/core/archive/* ``` diff --git a/.werks/16276.md b/.werks/16276.md new file mode 100644 index 00000000000..8d52a9cf87a --- /dev/null +++ b/.werks/16276.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# "Cisco Devices: Temperature Sensors" used wrong lower device levels + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2023-12-18T11:39:31+00:00 +level | 1 +class | fix +component | checks +edition | cre + +The services picked the device levels meant for a "less than" comarison, +when in fact comparing "less or equal" (as Checkmk usually does). +They now pick the levels meant for "less or equal" comparison. \ No newline at end of file diff --git a/.werks/16277.md b/.werks/16277.md new file mode 100644 index 00000000000..93cb99c61ec --- /dev/null +++ b/.werks/16277.md @@ -0,0 +1,24 @@ +[//]: # (werk v2) +# Split up rule "Main memory usage of simple devices" + +key | value +---------- | --- +date | 2023-12-23T14:52:41+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +This affects all users that had rules for "Main memory usage of simple devices" configured. + +To clean up inconsistencies that the new APIs no longer tolerate, we had to split the ruleset into two. + +We renamed "Main memory usage of simple devices" to "Main memory usage of simple devices with multiple services" and added a new ruleset "Main memory usage of simple devices with single services". +The required new rules are created automatically during upgrade, but we advise users to check if they have rules that are not needed anymore. + +The plugins using the new ruleset are + * Check Point Firewalls: Memory Usage (`checkpoint_memory`) + * HPE Procurve Switches: Memory Usage (`hp_procurve_mem`) + * UCD SNMP Daemon: Memory Check (`ucd_mem`) diff --git a/.werks/16287.md b/.werks/16287.md new file mode 100644 index 00000000000..170d5a7b93b --- /dev/null +++ b/.werks/16287.md @@ -0,0 +1,50 @@ +[//]: # (werk v2) +# rule_notification: match_hosttag now accepts custom tag ids + +key | value +---------- | --- +date | 2024-01-12T16:30:38+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | no + +Previously, when creating or updating a notification rule, +the match_host_tag field would only allow for builtin tag ids. +With this werk we now accept any configured host tag id. +The schema has also changed in order to make this possible. +This means that instead of a field representing each tag, +you now have to pass a list of aux tag ids/tag group tag ids +along with an operator. This way we can determine if the +tag id should match or not. + +e.g. + +``` +{ + "match_host_tags": { + "state": "enabled", + "value": [ + { + "tag_type": "aux_tag", + "tag_id": "snmp", + "operator": "is_set", + }, + { + "tag_type": "tag_group", + "tag_group_id": "criticality", + "operator": "is", + "tag_id": "prod", + }, + { + "tag_type": "tag_group", + "tag_group_id": "networking", + "operator": "is_not", + "tag_id": "lan", + } + ], + }, +} +``` diff --git a/.werks/16289.md b/.werks/16289.md new file mode 100644 index 00000000000..521b58f2ccb --- /dev/null +++ b/.werks/16289.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# jolokia_jvm_memory: translate old heap and nonheap metrics + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2023-11-13T13:25:53+00:00 +level | 1 +class | fix +component | checks +edition | cre + diff --git a/.werks/16292.md b/.werks/16292.md new file mode 100644 index 00000000000..306963f1510 --- /dev/null +++ b/.werks/16292.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# user_config: add verification for contact groups and locked attributes + +key | value +---------- | --- +date | 2024-01-16T14:42:21+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +This werk introduces two changes: +* it now verifies for create & edit if the provided contact groups actually exist +* it verifies that for an edit request, locked attributes are not being modified diff --git a/.werks/16295 b/.werks/16295 index 810b672c626..2b997718fb3 100644 --- a/.werks/16295 +++ b/.werks/16295 @@ -1,6 +1,6 @@ Title: postfix_mailq_status: Rework discovery Class: fix -Compatible: incomp +Compatible: compat Component: checks Date: 1700560692 Edition: cre @@ -9,6 +9,3 @@ Version: 2.3.0b1 With this werk the postfix status service is not discovered if Postfix is not running. The default mail queue is now discovered as "Postfix Status default". - -In order to make the check plugin work you have to perform a re-discovery on the affected hosts. -Otherwise, the service "Postfix Status" (dicovered before this change) will stop working. diff --git a/.werks/16306.md b/.werks/16306.md new file mode 100644 index 00000000000..c94e6d530a4 --- /dev/null +++ b/.werks/16306.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Fix PDF export of host- and servicegroup views + +key | value +---------- | --- +date | 2024-01-02T09:35:31+00:00 +version | 2.3.0b1 +class | fix +edition | cee +component | reporting +level | 1 +compatible | yes + +If you exported a view with host- or servicegroup context, an error like "Error +while rendering element type" was shown because of missing context information. diff --git a/.werks/16307.md b/.werks/16307.md new file mode 100644 index 00000000000..9dfa9a6502f --- /dev/null +++ b/.werks/16307.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Validate empty settings for "Maximum long output size" + +key | value +---------- | --- +date | 2024-01-02T10:33:32+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +It was possible to unset the settings for the global option "Maximum long +output size" leading to an error on activating of changes. diff --git a/.werks/16308.md b/.werks/16308.md new file mode 100644 index 00000000000..20ea6a05ab8 --- /dev/null +++ b/.werks/16308.md @@ -0,0 +1,32 @@ +[//]: # (werk v2) +# New option to test notification rulesets + +key | value +---------- | --- +date | 2024-01-11T12:12:45+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | notifications +level | 2 +compatible | yes + +Previously, you could only test your notification rulesets using the "Analyze" +option against a limited set of notifications in the backlog or with the "Fake +check result" command. + +We now introduce the possibility to define a custom notification and test it +against your rulesets. The option can be found in "Setup" - "Notifications" - +"Test notifications". + +In the popup, select whether you want to test on a host or a service +notification. Select the host and service (if you want to test on a service +notification) and the type of simulation. Currently supported are 'Start of +downtime" and "Status change". Optionally, you can specify a custom plugin +output. + +A checkbox allows you to decide whether to test only (default) or to send a +real notification according to your notification rules. + +Within the 'Advanced condition simulation' options you can set a custom +notification date and time to test period matching and the notification number. diff --git a/.werks/16310.md b/.werks/16310.md new file mode 100644 index 00000000000..0dc4cc455bd --- /dev/null +++ b/.werks/16310.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Rework of "Automatically update service configuration" option + +key | value +---------- | --- +date | 2024-01-19T12:59:21+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | wato +level | 1 +compatible | yes + +This option is used in the service discovery rule "Periodic service discovery" +and the global option "Bulk discovery" and offers now the possibility to choose +between a refresh of all services and host labels or a custom configuration. If +you choose a custom one, you can select "Monitor undecided services", "Remove +vanished services" and/or "Update host labels". diff --git a/.werks/16312.md b/.werks/16312.md new file mode 100644 index 00000000000..d6990c6d5f1 --- /dev/null +++ b/.werks/16312.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Fix error on "Save & go to list" while editing dashboards + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-23T14:21:12+00:00 +level | 1 +class | fix +component | multisite +edition | cre + +If you used the "Properties" option within the "Dashboard" page menu in +dashboards and chose "Save & go to list" after editing the dashboard, you +have seen an error like "This page was not found. Sorry.". \ No newline at end of file diff --git a/.werks/16313.md b/.werks/16313.md new file mode 100644 index 00000000000..2238c210875 --- /dev/null +++ b/.werks/16313.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Fix tree of folders snapin filter for statistics dashlets + +key | value +---------- | --- +date | 2024-01-24T09:17:40+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | multisite +level | 1 +compatible | no + +If you used the "Tree of folders" snapin and the shown dashboard contained a +dashlet "Host statistics" or "Service statistics" the wato folder was not +filtered for that dashlet. diff --git a/.werks/16314.md b/.werks/16314.md new file mode 100644 index 00000000000..8b7f7953189 --- /dev/null +++ b/.werks/16314.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Fix error on edit of host or service statistics dashlet + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-24T14:06:42+00:00 +level | 1 +class | fix +component | multisite +edition | cre + +If you edited the builtin dashlets "Host statistics" or "Service statistics" on +the main dashboard (CRE) / problem dashboard (CEE) you got an error like +"Internal error: size" on saving. \ No newline at end of file diff --git a/.werks/16315.md b/.werks/16315.md new file mode 100644 index 00000000000..0a03945b997 --- /dev/null +++ b/.werks/16315.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Respect sort index for listed dashboards in page menu + +key | value +---------- | --- +date | 2024-02-05T13:05:04+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | multisite +level | 1 +compatible | yes + +The page menu "Dashboards" in dashboards listed all other available dashboards +in a random order. The defined sort index of each dashboard is now respected. + diff --git a/.werks/16316.md b/.werks/16316.md new file mode 100644 index 00000000000..7fe90c7b016 --- /dev/null +++ b/.werks/16316.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Respect timerange for all view elements in report + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-09T10:20:05+00:00 +level | 1 +class | fix +component | reporting +edition | cee + +If a report with more than one view element was created e.g. via the report +snapin, the defined timerange was only set from the second view element on. \ No newline at end of file diff --git a/.werks/16317.md b/.werks/16317.md new file mode 100644 index 00000000000..d32152a54ca --- /dev/null +++ b/.werks/16317.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# "Aggregation of Downtimes" BI option had no effect + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-15T07:48:10+00:00 +level | 1 +class | fix +component | bi +edition | cre + +The option should change the computation of downtimes from CRIT to WARN but did +not. This has been fixed. \ No newline at end of file diff --git a/.werks/16318.md b/.werks/16318.md new file mode 100644 index 00000000000..bba6401d8fc --- /dev/null +++ b/.werks/16318.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Connection test using SNMP credentials configured on host page + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-16T07:42:06+00:00 +level | 1 +class | fix +component | wato +edition | cre + +If you used "Save & run connection tests" on the host properties page with SNMP +credentials configured, the configured password was not used for the executed +tests. + +A workaround was to enter the password on the "Test connection" page again. \ No newline at end of file diff --git a/.werks/16319.md b/.werks/16319.md new file mode 100644 index 00000000000..0733acca41a --- /dev/null +++ b/.werks/16319.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# Reduce context/search filter for "Metrics graph of a single service" + +key | value +---------- | --- +compatible | no +version | 2.4.0b1 +date | 2024-02-27T09:10:58+00:00 +level | 1 +class | fix +component | reporting +edition | cee + +Since 2.2 the content element "Metrics graph of a single service" allowed to +configure multiple context/search filters. +This was wrong because this element is limited to e specific host and service. + +This change should have no effect on your configuration but we recommend to +check reports with such content elements. \ No newline at end of file diff --git a/.werks/16320.md b/.werks/16320.md new file mode 100644 index 00000000000..37c9a47b2c3 --- /dev/null +++ b/.werks/16320.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# Publish permission handling + +key | value +---------- | --- +compatible | no +version | 2.4.0b1 +date | 2024-03-05T12:32:34+00:00 +level | 1 +class | fix +component | multisite +edition | cre + +Werk 13498 introduced the possibility to set publish permissions independently +of each other. + +Still, the permission "Publish views" (e.g. for publishing views) was needed +to see the published views. + +This has been fixed. + +Note: Please check your publish configuration in views, dashboards, etc. \ No newline at end of file diff --git a/.werks/16321.md b/.werks/16321.md new file mode 100644 index 00000000000..212f9e0581e --- /dev/null +++ b/.werks/16321.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Fix metric history painter with inherit time range option + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-07T08:35:37+00:00 +level | 1 +class | fix +component | reporting +edition | cee + +If you used the option “Inherit from report time range” for the painter "Metric +history" in report content elements, an error was shown in the report. + +This affected all previous 2.2 versions. \ No newline at end of file diff --git a/.werks/16322.md b/.werks/16322.md new file mode 100644 index 00000000000..08d7ff8158f --- /dev/null +++ b/.werks/16322.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Show used filter of virtual host tree + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-08T13:45:32+00:00 +level | 1 +class | fix +component | multisite +edition | cre + +If you opened the "Filter" option of a view that was visited via a link from +the "Virtual host tree" snapin, all filters were empty. \ No newline at end of file diff --git a/.werks/16324.md b/.werks/16324.md new file mode 100644 index 00000000000..8e236ed2279 --- /dev/null +++ b/.werks/16324.md @@ -0,0 +1,49 @@ +[//]: # (werk v2) +# NetApp: addition of datasource program and check plugins for NetApp ONTAP + +key | value +---------- | --- +date | 2024-01-29T12:15:27+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Since NetApp has discontinued support for their old API this werk adds datasource program and check plugins for the new NetApp ONTAP REST API. + +However, the new API does not provide certain metrics that were available in the old API. As a result, the new check plugins have been modified accordingly. + +The plugins that have been migrated with this werk are the ones that monitor: + +- NetApp aggregates +- NetApp node's CPUs +- NetApp disks +- NetApp sensors of environment and shelves +- NetApp node's fans +- NetApp node's interfaces +- NetApp LUNs +- NetApp node's ports +- NetApp power supply units +- NetApp volumes (and snapshots) +- NetApp (SVMs) Storage Virtual Machine's (formerly called "vservers”) traffic and status + +These plugins and metrics are under development: +- NetApp snapvault +- NetApp qtree quota +- NetApp FCP +- NetApp (SVMs) Storage Virtual Machine's (formerly called "vservers”) + - Nfsv3_read_ios (read ops) + - Nfsv3_write_ios (write ops) + +Here is a list of missing metrics and plugins as the corresponding data cannot be found in the new NetApp API: +- NetApp Disk Summary + - Parity disks + - Total number of disks type data + - Total number of disks type parity +- Traffic SVM (formerly vServer) + - Nfsv4_read_ios (read ops) + - Nfsv4_write_ios (write ops) +- System time + - Missing service \ No newline at end of file diff --git a/.werks/16325.md b/.werks/16325.md new file mode 100644 index 00000000000..0bb0f26714b --- /dev/null +++ b/.werks/16325.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# netapp_ontap_psu: fix discovery ruleset + +key | value +---------- | --- +date | 2024-01-31T13:08:07+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +This problem affected users who wanted to discover the 'summary' mode of PSU service: it was not possible to configure the appropriate discovery rule. This werk fixes this behaviour. + +A rediscovery is required for the change to take effect. diff --git a/.werks/16327.md b/.werks/16327.md new file mode 100644 index 00000000000..ecde3ed7ad2 --- /dev/null +++ b/.werks/16327.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# netapp_ontap_environment: show unit of measurement in summary + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-01T13:34:16+00:00 +level | 1 +class | fix +component | checks +edition | cre + +The service summary now displays the units of measurement of the monitored value. \ No newline at end of file diff --git a/.werks/16329.md b/.werks/16329.md new file mode 100644 index 00000000000..007e0e46d69 --- /dev/null +++ b/.werks/16329.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# mk_redis: Use REDISCLI_AUTH instead of -a argument in order to hide password + +key | value +---------- | --- +date | 2024-01-24T09:23:40+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +mk_redis used to expose the password in the process name because of the '-a' argument. +This has been fixed using the environment variable REDISCLI_AUTH. diff --git a/.werks/16330.md b/.werks/16330.md new file mode 100644 index 00000000000..4b8461a22f7 --- /dev/null +++ b/.werks/16330.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# size_trend: avoid 'infinite to integer' crash + +key | value +---------- | --- +date | 2024-01-24T14:08:45+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +While calculating how much time is left until the resource is full, if the value of the mb in range was too low (e.g. 1e-320) the check used to crash with 'infinite to integer'. +This has now been fixed and if the value is too low and causes division with it to result in 'inf', the check will not be executed. diff --git a/.werks/16331.md b/.werks/16331.md new file mode 100644 index 00000000000..8e2421c7c24 --- /dev/null +++ b/.werks/16331.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# mcafee_webgateway: Services not being discovered + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-01-29T10:17:43+00:00 +level | 1 +class | fix +component | checks +edition | cre + +Some mcafee services were not discovered because of the detection criteria. +This has now been fixed by using the 'OBJECTID' for the detection. \ No newline at end of file diff --git a/.werks/16333.md b/.werks/16333.md new file mode 100644 index 00000000000..1245d5f739a --- /dev/null +++ b/.werks/16333.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# if_lancom: Switch port discovery does not work for Lancom routers when the router description is configured to be used for the Service Description + +key | value +---------- | --- +date | 2024-02-01T16:48:01+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +Sometimes the Lancom routers don't provide a name. During data parsing this caused the description to be left as an empty string. +As a result of that, when the router description was configured to be used for the Service Desciption, the discovery did not work properly. +This has now been fixed by having a fallback mechanism. If the router name is not present, the router description will be used. +Because of the change, the user is required to execute the service discovery again in order to discover any new services. +As well as get rid of any vanished services. diff --git a/.werks/16336.md b/.werks/16336.md new file mode 100644 index 00000000000..b5e9a159589 --- /dev/null +++ b/.werks/16336.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# lnx_video: Fix section parsing + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-08T17:22:52+00:00 +level | 1 +class | fix +component | checks +edition | cre + +The output of the 'lspci' command was not consistent. This caused the parsing of the lnx_video section to fail. +As a consequnce, the graphics cards were not shown in the HW/SW inventory. +This has now been fixed and the graphics cards will be shown. \ No newline at end of file diff --git a/.werks/16337.md b/.werks/16337.md new file mode 100644 index 00000000000..8814690ec0e --- /dev/null +++ b/.werks/16337.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# mk_inventory: Fix for lnx_video when multiple graphics cards are available + +key | value +---------- | --- +date | 2024-02-12T12:30:17+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | no + +When multiple graphics cards were present, the command 'lscpi -s: Invalid bus number'. +This left the section blank and no cards were detected in the HW/SW inventory. +This fix may cause new graphics cards to appear in the HW/SW inventory. +For the fix to take effect, the user will need to re-deploy the plugin. diff --git a/.werks/16338.md b/.werks/16338.md new file mode 100644 index 00000000000..7db6752d9c5 --- /dev/null +++ b/.werks/16338.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# mk_redis: Fix for Werk #16329 + +key | value +---------- | --- +date | 2024-02-21T10:40:17+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +With werk #16329 when a password was set, the plugin did not work. +This has now been fixed and configuring a password shouldn't cause any issues. diff --git a/.werks/16339.md b/.werks/16339.md new file mode 100644 index 00000000000..6c603f5687e --- /dev/null +++ b/.werks/16339.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# mtr: Fix section parsing error + +key | value +---------- | --- +date | 2024-02-25T22:30:51+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +When the mtr section contained a line that started with `**ERROR**`, the parsing of the section failed. +This has now been fixed. +The lines starting with `**ERROR**` will be ignored. diff --git a/.werks/16340.md b/.werks/16340.md new file mode 100644 index 00000000000..24d50e380ba --- /dev/null +++ b/.werks/16340.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# docker_node_images: KeyError: 'VirtualSize' + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-03-06T16:28:34+00:00 +level | 1 +class | fix +component | checks +edition | cre + +In newer versions of the Docker API the information about the 'VirtualSize' of a node image is not available, because it has been deprecated. +From now on the plugin will use 'VirtualSize' if available, and 'Size' if not. \ No newline at end of file diff --git a/.werks/16341.md b/.werks/16341.md new file mode 100644 index 00000000000..001db3b7c1e --- /dev/null +++ b/.werks/16341.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# rmk: Ignore RCC suites and RCC profile configuration if CORE mode is active + +key | value +---------- | --- +date | 2024-03-21T15:36:04+00:00 +version | 2.3.0b4 +class | fix +edition | cee +component | checks +level | 1 +compatible | yes + +When the Robotmk Core MKP is installed, RCC Suites configuration and RCC Profile configuration are not available as they are Enterprise features. +Previously, there were scenarios where RCC suites were running even though the Robotmk Core MKP was installed. +The Agent Bakery would use previously saved Enterprise configurations without first migrating them to their CoreMode counterparts. + +This has now been fixed and the licensing mode is checked when the agent is baked. This means the RCC Suites/RCC Profile configuration will be ignored during the bake process. +This prevents users from inadvertently relying on a paid feature when CoreMode is enabled. diff --git a/.werks/16342.md b/.werks/16342.md new file mode 100644 index 00000000000..46056489c11 --- /dev/null +++ b/.werks/16342.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# Rename service labels for Robotmk + +key | value +---------- | --- +date | 2024-03-25T12:28:56+00:00 +version | 2.3.0b4 +class | feature +edition | cee +component | multisite +level | 2 +compatible | yes + +This is a follow-up for werk #13872. +The service labels have been renamed to 'cmk/rmk/html_last_log:yes' and 'cmk/rmk/html_last_error_log:yes'. +The icons for the last log file and last error log file will have an icon based on the new labels as well as the old ones from werk #13872. diff --git a/.werks/16343.md b/.werks/16343.md new file mode 100644 index 00000000000..349c9df5059 --- /dev/null +++ b/.werks/16343.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# rmk: Remove 'Load environment variables from file' field in Robotmk Scheduler bakery rule + +key | value +---------- | --- +date | 2024-03-27T14:51:09+00:00 +version | 2.3.0b4 +class | feature +edition | cee +component | wato +level | 1 +compatible | no + +Users who have configured the 'Load environment variable from file' field in the Robotmk Scheduler rule are affected by this incompatible werk. Any rules that contain the value for this field will be automatically migrated during the update and the value will be removed from the rules. + +Originally, this field was designed to be fully compatible with Robots that could be used within Robocorp's cloud environment. + +However, as Robocorp shifted its focus from Robot Framework to Python developers, the need for the VS Code extensions provided by Robocorp became redundant. The language server for Robot Framework would no longer be maintained, and the "RobotCode" extension would no longer serve Robot Framework users. In addition, both extensions had a rather confusing interface and didn't work well together. Now the RobotCode extension is the only necessary extension for VS Code, and it works very well. + +The env.json file generated from this field was used exclusively by the Robocorp extension. This approach allowed local initiation and debugging of automations with the exact set of environment variables configured, mirroring those set later in the Cloud UI. + +For the above reasons, we decided to remove this field. diff --git a/.werks/16344.md b/.werks/16344.md new file mode 100644 index 00000000000..c606314f693 --- /dev/null +++ b/.werks/16344.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Pure Storage FlashArray: Devices with status 'not_installed' will now have an OK state + +key | value +---------- | --- +date | 2024-04-28T17:04:15+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Devices with a reported status of 'not_installed' previously caused the check state to be CRIT. +This behaviour has now been changed. These devices will now have an OK state. diff --git a/.werks/16349.md b/.werks/16349.md new file mode 100644 index 00000000000..e84a8d34d92 --- /dev/null +++ b/.werks/16349.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Support Diagnostics: UI improvements + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-17T07:36:58+00:00 +level | 1 +class | fix +component | wato +edition | cre + +This fix + +* renames "Crash Dumps" to "Crash Reports" and mark them as medium sensitive, +* renames "Local Files" to "Local Files and MKPs". That's somewhat redundant, but it helps to better understand what is packed. diff --git a/.werks/16350.md b/.werks/16350.md new file mode 100644 index 00000000000..6ed845fb4fd --- /dev/null +++ b/.werks/16350.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Support Diagnostics: The timeout for creating a dump is now configurable + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-04-12T11:07:00+00:00 +level | 1 +class | feature +component | wato +edition | cre + +Before this werk, the process of creating a Support Diagnostics Dump sometimes lead to a timeout exception. The hard-coded timeout was 110s. +Now, it's possible to configure the timeout in the user interface. \ No newline at end of file diff --git a/.werks/16355.md b/.werks/16355.md new file mode 100644 index 00000000000..08eecf2525e --- /dev/null +++ b/.werks/16355.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# Graph oject lists: Avoid strange help texts in list views (non-English only) + +key | value +---------- | --- +date | 2024-04-15T10:20:16+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | multisite +level | 1 +compatible | yes + +When using Checkmk in a language other than English, the list views for graph collections, graph +tunings, custom graphs and forecast graphs might have displayed strange help texts such as +"Project-Id-Version: Checkmk user interface translation 0.1 ...". + +This happened only for graph objects with empty descriptions and only if the inline help was +activated for the corresponding page. diff --git a/.werks/16356.md b/.werks/16356.md new file mode 100644 index 00000000000..b304bd1bc57 --- /dev/null +++ b/.werks/16356.md @@ -0,0 +1,25 @@ +[//]: # (werk v2) +# Synthetic Monitoring: Incompatible overhauls + +key | value +---------- | --- +date | 2024-04-17T11:05:50+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | checks +level | 1 +compatible | no + +This werk only affects users who have configured the rule *Robotmk scheduler (Windows)* during the +2.3.0 beta phase. The following incompatible changes have been made: + +* The plan naming convention introduced in [werk 16421](https://checkmk.com/werk/16421) has been adopted in more places, both internally and user-facing. +* The service items of the *RMK Plan* and *RMK Test* services have been reworked to include the name of the corresponding top-level Robot Framework suite. +* Previously, the scheduler terminated in case of permission issues for example with its working directory. As of this werk, the scheduler instead skips affected plans and forwards these issues to the Checkmk server, where they are reported to the user. + +After updating, the *RMK scheduler status* service will report UNKNOWN. The plan and test services +will go stale. Furthermore, the *Check_MK* service will report that there is monitoring data missing +for the plugins `robotmk_plan` and `robotmk_test`. To remedy these issues, users first have to re- +bake and then update the Checkmk agent on affected systems. After updating the agent, users have to +re-discover the services of affected Checkmk hosts. diff --git a/.werks/16357.md b/.werks/16357.md new file mode 100644 index 00000000000..d9de542f747 --- /dev/null +++ b/.werks/16357.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# Check certificates: Fix checking of common name of issuer + +key | value +---------- | --- +date | 2024-04-18T11:02:41+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +The active certificate check (configured via the ruleset *Check certificates*) did not check the +common name (CN) of the certificate issuer correctly: + +* If only the checking of the issuer CN was activated, the CN of the subject was checked instead. +* If both the checking of the issuer and the subject CN where activated, the active check crashed with\ +error: the argument '--subject-cn \' cannot be used multiple times. diff --git a/.werks/16359.md b/.werks/16359.md new file mode 100644 index 00000000000..08835b178a1 --- /dev/null +++ b/.werks/16359.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Remove deprecated windows plugins + +key | value +---------- | --- +date | 2024-01-16T11:18:30+00:00 +version | 2.3.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | no + +In previous versions some windows agent plugins were included in `share/check_mk/agents/windows/plugins/deprecated`. +As the name already suggested these were deprecated for a long time and are now removed. + +If you still require them you can use the plugins from former versions. diff --git a/.werks/16360.md b/.werks/16360.md new file mode 100644 index 00000000000..c29cba67d83 --- /dev/null +++ b/.werks/16360.md @@ -0,0 +1,27 @@ +[//]: # (werk v2) +# Dedicated security logging + +key | value +---------- | --- +date | 2024-02-16T09:38:25+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | omd +level | 1 +compatible | yes + +To make it easier to detect certain security relevant events a dedicated security log is introduced. You can find it in `var/log/security.log`. + +The format of each line is: +1. The date and time the logentry was created (local time) +2. The security domain and the process id. +3. The message as json with a `summary` and `details` key. The contents of the `details` vary by the domain. + +Currently the following domains exist: +* `application_errors`: e.g if a CSRF token could not be found/validated +* `auth`: e.g. successful / unsuccessful authentication attempts. (Successful authentication attempts without opening a session are currently not logged.) +* `service`: e.g. the start of a site +* `user_management`: e.g. change of a password + +Please note that this logfile is still subject to change. Additional events might be added and details may change with p-releases. diff --git a/.werks/16361.md b/.werks/16361.md new file mode 100644 index 00000000000..b4066ce3c4f --- /dev/null +++ b/.werks/16361.md @@ -0,0 +1,36 @@ +[//]: # (werk v2) +# Privilege escalation in Windows agent + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-26T14:44:18+00:00 +level | 1 +class | security +component | checks +edition | cre + +In order to execute some system commands Checkmk Windows agent writes cmd files to `C:\Windows\Temp\` and afterwards executes them. +The permissions of the files were set restrictive but existing files were not properly handled. +If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless. + +We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue. + +**Affected Versions**: +* 2.2.0 +* 2.1.0 +* 2.0.0 + +**Indicators of Compromise**: +The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in `C\Windows\Temp` with the filename `cmk_all_\d+_1.cmd`. +These file-creation events could be monitored. + +**Vulnerability Management**: +We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: +`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. +We assigned CVE-2024-0670 to this vulnerability. + +**Changes**: +This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created. +Also errors are handled better. \ No newline at end of file diff --git a/.werks/16364.md b/.werks/16364.md new file mode 100644 index 00000000000..edd96301f17 --- /dev/null +++ b/.werks/16364.md @@ -0,0 +1,43 @@ +[//]: # (werk v2) +# tag_group: change the identification field from 'ident' to 'id' + +key | value +---------- | --- +date | 2024-01-29T13:13:54+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | no + +Before this Werk, when creating a tag group, the **ident** field was used to provide its identification as well as that of the tags associated to the group, however the information was returned in the **id** field. This Werk unifies the names and now the **ident** fields are renamed to **id**. Users should adapt their scripts accordingly. + +For comptatibility reasons CheckMK 2.2.0 and 2.3.0 will support both **id** and **ident**, but **ident** will be removed on the next version. + +The following example shows the changes that need to be applied to the payload to use this endpoint: + + +Original payload: +```json +{ + "ident": "test_group", + "title": "Test group", + "help_text": "My test groupd", + "tags": [ + {"ident": "test", "title": "Test Tag"} + ] +} +``` + +Updated payload: +```json +{ + "id": "test_group", + "title": "Test group", + "help_text": "My test groupd", + "tags": [ + {"id": "test", "title": "Test Tag"} + ] +} +``` diff --git a/.werks/16365.md b/.werks/16365.md new file mode 100644 index 00000000000..a8a824246ff --- /dev/null +++ b/.werks/16365.md @@ -0,0 +1,22 @@ +[//]: # (werk v2) +# baked_agents: Fix version displayed on agent files + +key | value +---------- | --- +date | 2024-02-08T08:30:06+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | wato +level | 1 +compatible | yes + +Prior to this Werk, the running version of Checkmk was used to display +the version of the agents. This caused that after updating Checkmk to a +new version, the wrong version of the agents was displayed until they +were baked again. + +To fix this bug, the agent version is now displayed instead of the +Checkmk version. + +SUP-14846 diff --git a/.werks/16366.md b/.werks/16366.md new file mode 100644 index 00000000000..1a15ad2ec62 --- /dev/null +++ b/.werks/16366.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# rule: Fix crash on rule creation via REST API without conditions or properties + +key | value +---------- | --- +date | 2024-02-09T07:06:04+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +Before this Werk, an status code 500 Internal Server Error was returned when creating a +rule without conditions or properties. This Werk fixes it and now it is possible to create +a rule in such conditions. + diff --git a/.werks/16367.md b/.werks/16367.md new file mode 100644 index 00000000000..e77390fa591 --- /dev/null +++ b/.werks/16367.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# audit_log: Deprecate 'delete' method and replace it for 'archive' + +key | value +---------- | --- +date | 2024-02-09T13:24:13+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | no + +Since the DELETE method actually archives the audit_log entries, this endpoint is +replaced by domain-types/audit_log/actions/archive/invoke + +The DELETE endpoint is deprecated and will be removed on version 2.4.0. + +In order to update their scripts, users should replace +curl -x DELETE http://host/site/api/1.0/domain-types/audit_log/collections/all + +with +curl -x POST http://host/site/api/1.0/domain-types/audit_log/actions/archive/invoke diff --git a/.werks/16368.md b/.werks/16368.md new file mode 100644 index 00000000000..371c9b6aa3d --- /dev/null +++ b/.werks/16368.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# service_discovery: Fixed internal server error on service discovery when IP cannot be resolved + +key | value +---------- | --- +date | 2024-02-12T12:34:21+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +Prior to this Werk, when a service discovery was requested from a host whose IP could not be resolved, the endpoint returned a 500 error status (Internal Server Error). This Werk corrects this behavior and now returns error code 400. + diff --git a/.werks/16369.md b/.werks/16369.md new file mode 100644 index 00000000000..b149e1e8444 --- /dev/null +++ b/.werks/16369.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# downtimes: Added service_description field to services downtimes + +key | value +---------- | --- +date | 2024-02-20T14:52:12+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | rest-api +level | 1 +compatible | yes + +When querying downtimes through the "show all downtimes" endpoint, the service_description field for service downtimes was not included. This werk introduces this field, which is not present in the host downtimes. diff --git a/.werks/16370.md b/.werks/16370.md new file mode 100644 index 00000000000..8a8a3378826 --- /dev/null +++ b/.werks/16370.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# time_periods: Fix error when using time ranges shorter than a minute + +key | value +---------- | --- +date | 2024-02-22T10:48:51+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +Prior to this Werk, when trying to create a time period with a time range +shorter than 1 minute, an error code 500 was returned due to a validation +error. This Werk solves that problem, and time periods shorter than 1 minute +are validated correctly, so the endpoint now accepts them. diff --git a/.werks/16371.md b/.werks/16371.md new file mode 100644 index 00000000000..01a5de77918 --- /dev/null +++ b/.werks/16371.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# sla: range field for predefined_time_range parameter is mandatory + +key | value +---------- | --- +date | 2024-02-23T08:00:57+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | rest-api +level | 1 +compatible | yes + +Before this werk, when the sla was computed for a predefined time +range without specifying the range field, an error status 500 +Internal Server Error was returned. This werk solves the problem +by checking for the existence of the range field, and if it does +not exist, the endpoint returns an error status 400 - Bad Request. + diff --git a/.werks/16372.md b/.werks/16372.md new file mode 100644 index 00000000000..b20249693dc --- /dev/null +++ b/.werks/16372.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# swagger: Fix parameters not working in Swagger + +key | value +---------- | --- +date | 2024-03-01T09:27:29+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | rest-api +level | 1 +compatible | yes + +Since not all Python regexes are ECMA (JavaScript) compliant, several parameter fields did not work in Swagger. This werk solves the problem by adjusting the regexes to be compatible with JavaScript. diff --git a/.werks/16373.md b/.werks/16373.md new file mode 100644 index 00000000000..8a9059dd078 --- /dev/null +++ b/.werks/16373.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# metrics: allow dots in metric ids + +key | value +---------- | --- +date | 2024-02-28T08:35:14+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +Before this Werk, the REST API was not able to access metrics named after IP addresses. This Werk fixes that and allows user to access metrics containing dots on the id diff --git a/.werks/16374.md b/.werks/16374.md new file mode 100644 index 00000000000..c830f8c8ee4 --- /dev/null +++ b/.werks/16374.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# mem_win: Base prediction on original measurement + +key | value +---------- | --- +date | 2024-01-11T22:47:00+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +This only affects users that monitor the memory usage of Windows hosts using both averaging and predictive levels. + +The prediction is now based on the unaveraged original value, potentially leading to a slightly larger standard deviation. +The resulting levels are still applied to the averaged value, if averaging is configured. \ No newline at end of file diff --git a/.werks/16375.md b/.werks/16375.md new file mode 100644 index 00000000000..848dc04592e --- /dev/null +++ b/.werks/16375.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Rule "Check Email": Allow all makros + +key | value +---------- | --- +date | 2024-01-15T13:59:03+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +The ruleset "Check Email" recently featured stricter validation. +As a result, macros (like `$HOSTNAME$`) could not be used anymore. +This was partially compensated for in [#15203](https://checkmk.com/werk/15203), but this was still too restrictive. +Users can now configure validated host adresses or unvalidated strings containing macros. diff --git a/.werks/16376.md b/.werks/16376.md new file mode 100644 index 00000000000..b55007cda9d --- /dev/null +++ b/.werks/16376.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# DCD: Not respecting "Validity of missing data" setting + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-01-23T14:05:03+00:00 +level | 1 +class | fix +component | checks +edition | cre + +This fixes disappearing hosts in case of temporarily missing data around the time when +a cleanup background job is run (around midnight). + +In case a piggybacked host temporarily did not receive any data while the background +(cron) job cmk --cleanup-piggyback was executed, a subsequent run of the DCD would not +respect the "Validity of missing data" setting, wrongly removing the affected host +from the monitoring configuration. \ No newline at end of file diff --git a/.werks/16377.md b/.werks/16377.md new file mode 100644 index 00000000000..3c4d0e26790 --- /dev/null +++ b/.werks/16377.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# postfix_mailq: Rename "Postfix Queue" to "Postfix Queue default" + +key | value +---------- | --- +date | 2024-02-01T08:44:18+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +This affects users monitoring hosts that run one single postfix instance. + +For new installations, the service "Postfix Queue" will be renamed to "Postfix Queue default". + +In general, Checkmk is able to monitor multiple postfix instances running on the monitored host. +This will change the name in the common case where users are not running multiple postfix instances, but only the "default" one. +If you want to switch to the new service description after an upgrade, you can do so using the setting "Use new service descriptions". +Be aware that you will lose the historic data in case you do that. diff --git a/.werks/16378.md b/.werks/16378.md new file mode 100644 index 00000000000..a5a85bdef04 --- /dev/null +++ b/.werks/16378.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# Checkmk Linux agent: ignore \*.dpkg-tmp files in plugin folder + +key | value +---------- | --- +date | 2024-02-20T21:25:44+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +The Checkmk agents for Linux, Solaris, AIX, OpenWrt and FreeBSD now ignore \*.dpkg-tmp files in the plugins folder. + +They previously executed them inadvertedly as plugins. +This mostly fails silently (or even succeedes), but sometimes it is reported by the "Check_MK Agent" service. diff --git a/.werks/16380.md b/.werks/16380.md new file mode 100644 index 00000000000..d5874e316c6 --- /dev/null +++ b/.werks/16380.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Ruleset API: add option to configure the default levels type + +key | value +---------- | --- +date | 2024-03-11T13:21:51+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +For details refer to the developer documentation in your sites "Help" menu. diff --git a/.werks/16381.md b/.werks/16381.md new file mode 100644 index 00000000000..9465de9fbbc --- /dev/null +++ b/.werks/16381.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# HP-UX: Mirror State of LVM Logical Volumes: be more robust in state evaluation + +key | value +---------- | --- +date | 2024-03-11T13:39:19+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +The plugin previously only considered the status to be OK if the device reported a literal "available,syncd". +It now is OK for any combination of (some of) the words "available", "syncd", "snapshot" and "space_efficient". diff --git a/.werks/16382.md b/.werks/16382.md new file mode 100644 index 00000000000..e029b705ac4 --- /dev/null +++ b/.werks/16382.md @@ -0,0 +1,41 @@ +[//]: # (werk v2) +# Cleanup SNMP version and bulkwalk rulesets + +key | value +---------- | --- +date | 2024-03-13T06:09:17+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | no + +This werk is incompatible for users using the rule previously named "Disable bulk walks on SNMPv2c/v3" (see below for details). + +The ruleset for disabling bulkwalks has not been correctly applied to SNMPv3 hosts using the inline backend in the past. +In addition it has been interfering with the ruleset to enable SNMP version 2 (over version 1). + +## Change + +The following new ruleset _names_ are introduced: + + * "Disable bulkwalks" (formerly known as "Disable bulk walks on SNMPv2c/v3") + * "Enable SNMPv2c for hosts" (formerly known as "Enable SNMPv2c and bulk walk for hosts") + * "Enable SNMPv2c for management boards" (formerly known as "Enable SNMPv2c and bulk walk for management boards") + +With this change the following logic applies: + + * **bulkwalk**: + The "bulkwalk" query is used if and only if the ruleset "Disable bulkwalks" does not match the host and it is available in the used SNMP version (v1 does not have "bulkwalk"). + * **SNMP version**: + Checkmk will use SNMP v3 if and only if the host configuration contains SNMP v3 style credentials. + The remaining hosts will use SNMP v2c if and only if the ruleset "Enable SNMPv2c for hosts" matches, otherwise SNMPv1. + +This applies to both the "inline" and the "classic" backend. + +## Incompatibility + +Previously, in order to succesfully disable SNMP bulkwalks, users had to make sure the "Disable bulk walks on SNMPv2c/v3" matched the host, and the "Enable SNMPv2c and bulk walk for hosts" did not match the host. +This is no longer the case. +All hosts that are neither configured for SNMPv3 (see above) nor matched by the "Enable SNMPv2c" ruleset will use SNMPv1. diff --git a/.werks/16383.md b/.werks/16383.md new file mode 100644 index 00000000000..bd5cb9b3037 --- /dev/null +++ b/.werks/16383.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Handle empty operational status during interface inventory + +key | value +---------- | --- +date | 2024-03-14T13:48:35+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +`inv_if.py` crashed on empty oper_status. +This is fixed now as at least on some Cisco ASA/FirePower devices this value is empty. diff --git a/.werks/16384.md b/.werks/16384.md new file mode 100644 index 00000000000..3c0b4c9a377 --- /dev/null +++ b/.werks/16384.md @@ -0,0 +1,40 @@ +[//]: # (werk v2) +# notification rule: allow for non builtin service levels + +key | value +---------- | --- +date | 2024-01-17T11:19:06+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | no + + +When configuring a notification rule via the Rest API, you could not +set the value for "match_service_levels" to anything but the default +service levels. This werk addresses this issue by now allowing any +of the service levels configured to be used. This change mean that +there is a change to the request schema. Previously, we accepeted +the service level string value, whereas now we accept the integer +value. + +Previous schema +``` +{"match_service_levels": { + "state": "enabled", + "value": {"from_level": "silver", "to_level": "gold"} + } +} +``` + +New schema +``` +{"match_service_levels: { + "state": "enabled", + "value": {"from_level": 10, "to_level": 20} + } +} +``` + diff --git a/.werks/16385.md b/.werks/16385.md new file mode 100644 index 00000000000..f7c92c9b85b --- /dev/null +++ b/.werks/16385.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# revert_changes: internal changes can be reverted only if the user has the correct permission + +key | value +---------- | --- +date | 2024-01-17T11:41:59+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +Changes made by the checkmk internal user can now only be reverted when the +logged-in user has the permission "Discard foreign changes". diff --git a/.werks/16386.md b/.werks/16386.md new file mode 100644 index 00000000000..a90ca9b0f29 --- /dev/null +++ b/.werks/16386.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# notification rule: match service levels and match time period being saved with wrong key + +key | value +---------- | --- +date | 2024-01-19T11:43:30+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + + +Previously when creating or updating an notification rule via the rest-api, the +matching conditions for service levels and time periods were being saved to +file with an incorrect key. This werk addresses this issue by correcting the +keys being saved. + diff --git a/.werks/16387.md b/.werks/16387.md new file mode 100644 index 00000000000..3f6cdaa523d --- /dev/null +++ b/.werks/16387.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# notification_rules: custom plugins now created correctly when using the REST-API + +key | value +---------- | --- +date | 2024-01-22T08:18:31+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + + +Previous to this werk, when creating a notification rule with a custom +plugin via the rest-api, the parameters were not being shown in the UI +as expected. The reason being, an incorrect format being saved to file. + +This werk addresses this issue by correcting the format being saved to +file. \ No newline at end of file diff --git a/.werks/16388.md b/.werks/16388.md new file mode 100644 index 00000000000..220c371c6c7 --- /dev/null +++ b/.werks/16388.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# host: query on mk_inventory no longer causing crash + +key | value +---------- | --- +date | 2024-01-24T09:17:52+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + + +Previously, when you had a host that had no check running, +calling the following endpoint would cause a crash. + +GET /domain-type/host/collections/all?columns=mkinventory + +This werk addresses this issue by preventing the crash +and now returns an appropriate response. \ No newline at end of file diff --git a/.werks/16389.md b/.werks/16389.md new file mode 100644 index 00000000000..15aa10f866d --- /dev/null +++ b/.werks/16389.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# authentication: remove user profile dir when unknown user and failed to login + +key | value +---------- | --- +date | 2024-01-26T15:59:51+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + + +Previously, failed login attempts with an unknown user would create a +user profile directory. This is no longer the case. The profile +directory is now only created for valid users. + diff --git a/.werks/16390.md b/.werks/16390.md new file mode 100644 index 00000000000..f211bdfcb75 --- /dev/null +++ b/.werks/16390.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# notification_rule: cancel previous notifications now working with custom plugin scripts + +key | value +---------- | --- +date | 2024-01-31T15:15:29+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +When creating or updating notification rules, the option to "cancel_previous_notifications" +was previously not available when the plugin name selected was a custom plugin script. + +This werk addresses this issue and now allows for custom plugin scripts when setting the +option to cancel. diff --git a/.werks/16391.md b/.werks/16391.md new file mode 100644 index 00000000000..600cf484225 --- /dev/null +++ b/.werks/16391.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# ldap_connection: When you create/clone a new ldap connection, the ID will now be unique + +key | value +---------- | --- +date | 2024-02-09T15:54:09+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +Previously, when creating a new LDAP connection via the UI, you could provide +an ID that was already in use by another user connection. This is no longer +the case with this werk. Now, when you clone a connection, a new unique ID +will be generated from the cloned connection. If you create a new connection, +the ID must be unique or you will get an error. diff --git a/.werks/16392.md b/.werks/16392.md new file mode 100644 index 00000000000..e77852fc7f4 --- /dev/null +++ b/.werks/16392.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# global_settings: LSI MegaRAID: Logical Disks selected by default + +key | value +---------- | --- +date | 2024-02-13T15:13:19+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + + diff --git a/.werks/16393.md b/.werks/16393.md new file mode 100644 index 00000000000..d59e5b71a42 --- /dev/null +++ b/.werks/16393.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# notification_rule: allow custom plugin names when selecting cancel without a restart + +key | value +---------- | --- +date | 2024-02-14T13:46:22+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | rest-api +level | 1 +compatible | yes + +We recently made a change that would allow you to create a notification rule, +via the REST-API using a custom plugin but also setting the option +"cancel_previous_notifications". However, an apache restart was required +since we were verifying the custom plugin via the runtime generated +schema. This werk fixes this issue by removing this verification from the +schema and checking at the endpoint. diff --git a/.werks/16394.md b/.werks/16394.md new file mode 100644 index 00000000000..90d57907ca1 --- /dev/null +++ b/.werks/16394.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# check_mk_agent.aix: Fix Missing Plugin Details + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-17T16:15:00+00:00 +level | 1 +class | fix +component | checks +edition | cre + diff --git a/.werks/16395.md b/.werks/16395.md new file mode 100644 index 00000000000..0ecc4c23bb5 --- /dev/null +++ b/.werks/16395.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# "Cisco Devices: Temperature Sensors" Revert: used wrong lower device levels + +key | value +---------- | --- +date | 2024-01-18T09:22:17+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +In Werk [#16276](https://checkmk.com/werk/16276), we replaced the "less than" comparison by the +"less or equal" comparison. This is not consistent with how Checkmk handles lower levels, despite +what the Werk claims. This Werk restores the old behavior before Werk +[#16276](https://checkmk.com/werk/16276). Note, that Werk [#16276](https://checkmk.com/werk/16276) +also uncovered some Cisco devices, which report faulty thresholds for "less or equal". These +thresholds are now ignored again. diff --git a/.werks/16396.md b/.werks/16396.md new file mode 100644 index 00000000000..cddc7308619 --- /dev/null +++ b/.werks/16396.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# KUBE: Fixing Validation Error for ContainerWaitingState + +key | value +---------- | --- +date | 2024-01-22T13:57:03+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + + diff --git a/.werks/16397.md b/.werks/16397.md new file mode 100644 index 00000000000..d92bbc623f4 --- /dev/null +++ b/.werks/16397.md @@ -0,0 +1,20 @@ +[//]: # (werk v2) +# special_zerto: Error Message in Check_MK HW/SW Inventory + +key | value +---------- | --- +date | 2024-01-23T08:14:35+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Previously, the agent special_zerto would show the following error message in the Check_MK HW/SW +Inventory +``` +NOOPParser: Ignoring invalid data b'<<>>Initialized OK<<<>>> +``` +Moreover, the service `Zerto Agent Status` was not discoverable and some piggyback data would +incorrectly be mapped to the source host. This is now fixed. diff --git a/.werks/16398.md b/.werks/16398.md new file mode 100644 index 00000000000..67f03ea93e2 --- /dev/null +++ b/.werks/16398.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# mk_jolokia: Respect Timeout Settings + +key | value +---------- | --- +date | 2024-01-23T09:28:00+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Previously, passing a timeout parameter the agent plugin `mk_jolokia` had no effect. +This has been fixed. diff --git a/.werks/16400.md b/.werks/16400.md new file mode 100644 index 00000000000..9d205e0a4cb --- /dev/null +++ b/.werks/16400.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# omd restart: Exit Code is 2 on Failure + +key | value +---------- | --- +date | 2024-01-26T13:27:19+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +`omd restart` executes `omd start` and `omd stop`, both of which can terminate with exit code zero +or two. Previously, the exit code of these commands would be ignored. `omd restart` now reports the +worst exit code reported by the two commands. diff --git a/.werks/16401.md b/.werks/16401.md new file mode 100644 index 00000000000..23605df3723 --- /dev/null +++ b/.werks/16401.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# omd start mkeventd: Error Code of Event Daemon + +key | value +---------- | --- +date | 2024-02-02T12:32:48+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +The command `omd start mkeventd` starts the event daemon. Previously, any exit code produced +by this daemon would be ignored. Now, if the exit code is non-zero, then the message `Failed` is +shown and the command `omd start mkeventd` exits with error code 2. diff --git a/.werks/16402.md b/.werks/16402.md new file mode 100644 index 00000000000..f9a12af32b7 --- /dev/null +++ b/.werks/16402.md @@ -0,0 +1,16 @@ +[//]: # (werk v2) +# azure_vm_network_io: KeyError (total_Network_In_Total) + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-05T14:11:34+00:00 +level | 1 +class | fix +component | checks +edition | cre + +The Microsoft Azure API sometimes omits the metrics total_Network_In_Total and +total_Network_Out_Total. The check plugin azure_vm_network_io now omits computations based on these +metrics rather than crashing. \ No newline at end of file diff --git a/.werks/16403.md b/.werks/16403.md new file mode 100644 index 00000000000..9d340ae1780 --- /dev/null +++ b/.werks/16403.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# Fix assert self._rulespec.item_name is not None + +key | value +---------- | --- +date | 2024-02-13T10:08:20+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | wato +level | 1 +compatible | yes + +A `rulespec` may have an `item_spec` without a title. In +[Werk #13387](https://checkmk.com/werk/13387) changed it so that if this title is missing the +the following crash occurs. +``` +assert self._rulespec.item_name is not None +``` +The occured if one navigates to the parameters via `Parameters for this service` and clicks +`Parameters`. It is now fixed. diff --git a/.werks/16405.md b/.werks/16405.md new file mode 100644 index 00000000000..fffbe5051f6 --- /dev/null +++ b/.werks/16405.md @@ -0,0 +1,25 @@ +[//]: # (werk v2) +# cmk-update-config: Don't Read Characters Pressed before Prompt Appears + +key | value +---------- | --- +date | 2024-02-14T14:29:36+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +During `cmk-update-config` can prompt you with questions about how to continue the update. This +is an example. +``` +Exception while trying to load rulesets: + +You can abort the update process (A) and try to fix the incompatibilities or try to continue the update (c). +Abort update? [A/c] +``` +Previously, these prompts would read input, which was typed before the prompt was shown. Now, only +the input is read after the prompt is shown. + + diff --git a/.werks/16406.md b/.werks/16406.md new file mode 100644 index 00000000000..c022bda06a8 --- /dev/null +++ b/.werks/16406.md @@ -0,0 +1,19 @@ +[//]: # (werk v2) +# cmk-update-config: Don't Prompt User if Using Conflict Mode "install" or "keepold" + +key | value +---------- | --- +date | 2024-03-07T13:04:36+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 2 +compatible | yes + +While upgrading with `cmk-update-config`, the user can be prompted with questions about the next +update steps. This questioning can be disabled by using one of the conflict options `install`, +`keepold` or `abort`. Due to a regression in the 2.3.0b1 the options `install` and `keepold` do not +supress these questions. In particular, if there is a problem while `Verifying the Checkmk +configuration...`, then the update of Checkmk on Checkmk appliances will exit with a traceback. +Upgrading to the 2.3.0b1 is thus only possible here, if all problems are fixed beforehand. diff --git a/.werks/16407.md b/.werks/16407.md new file mode 100644 index 00000000000..81f9e5bd1a4 --- /dev/null +++ b/.werks/16407.md @@ -0,0 +1,21 @@ +[//]: # (werk v2) +# omd update: Don't Delete "config.pb" During Pre-Update + +key | value +---------- | --- +date | 2024-03-07T13:27:55+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | omd +level | 1 +compatible | yes + +The `omd update` command has the capability to undo the changes it has done up until `Verifying +Checkmk configuration...`. However, if any change after `Verifying Checkmk configuration...` is +persisted. Due to a regression caused by Werk #15725, the file `config.pb` is deleted during this +verification. If the update aborts during the verification, then users will see the following error: +``` +Starting cmc...Failed (Config /omd/sites/prod_dmz/var/check_mk/core/config.pb missing, run "cmk -U" and try again) +``` +With this Werk, `config.pb` will be deleting only while `Updating Checkmk configuration...`. diff --git a/.werks/16408.md b/.werks/16408.md new file mode 100644 index 00000000000..4b563a55f75 --- /dev/null +++ b/.werks/16408.md @@ -0,0 +1,24 @@ +[//]: # (werk v2) +# omd update: Allow Aborting Before "Completed verifying site configuration." + +key | value +---------- | --- +date | 2024-03-07T13:47:39+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 2 +compatible | yes + +Sites may have configuration, MKPs and other local files, which are incompatible with the version +targeted by `omd update`. If such a problem occurs, then aborting the update may be necessary. In +earlier versions, users were advised to perform a downgrade, which was not user-friendly and had +several pitfalls. Downgrading is not supported as it has many potential downsides. With this Werk, +`omd update` is better able to deal with these situations. `omd update` will show the message +``` +Completed verifying site configuration. Your site now has version {target version}. +``` +If the update is aborted before this message is shown, then the site is restored to it's previous +state. This includes selecting the `abort` option, unexpected internal errors, or aborting the +update using CTRL-C. diff --git a/.werks/16409.md b/.werks/16409.md new file mode 100644 index 00000000000..66f357a156e --- /dev/null +++ b/.werks/16409.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Prometheus & Alertmanager: Removal of 'IP Address' and 'Host name' options + +key | value +---------- | --- +date | 2024-03-07T17:16:21+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +In Werk #14573, the deprecation of the options 'IP Address' and 'Host name' of the rules Prometheus +and Alertmanager was announced and described. This Werk removes these options. diff --git a/.werks/16410.md b/.werks/16410.md new file mode 100644 index 00000000000..c71d741ef08 --- /dev/null +++ b/.werks/16410.md @@ -0,0 +1,27 @@ +[//]: # (werk v2) +# omd update: Fix Aborting in Docker Container + +key | value +---------- | --- +date | 2024-03-12T15:30:46+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +This bug affects users of the 2.3.0 beta. + +In Werk #16408 a mechanism was introduced to restore a site after an aborted update. If this +mechanism triggered inside a docker container, then the site may be in an inconsistent state. Any +further update will show the following error. +``` +FileNotFoundError: [Errno 2] No such file or directory: '/omd/versions/2.3.0b1.cee/share/omd/skel.permissions' +``` +You can check whether you are affected by this issue by comparing the output of `omd update` and +`cat "${OMD_ROOT}"/.version_meta/version`. If the versions do not match, then you are affected by +this issue. + +This Werk fixes the update procedure. In case you are affected, you can delete `.version_meta` and +upgrade to the version which is shown by `omd update`. diff --git a/.werks/16411.md b/.werks/16411.md new file mode 100644 index 00000000000..7b15199b004 --- /dev/null +++ b/.werks/16411.md @@ -0,0 +1,14 @@ +[//]: # (werk v2) +# Robotmk: Add Inventory + +key | value +---------- | --- +date | 2024-03-13T10:26:52+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | checks +level | 1 +compatible | yes + +This Werks adds a HW/SW inventory for Robotmk. The content is under active development. diff --git a/.werks/16412.md b/.werks/16412.md new file mode 100644 index 00000000000..83841293ff4 --- /dev/null +++ b/.werks/16412.md @@ -0,0 +1,35 @@ +[//]: # (werk v2) +# cmk-update-config: Correct Assigning Files to Extension Package + +key | value +---------- | --- +date | 2024-03-14T12:54:20+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +This Werk affects those who are testing the 2.3.0 beta. It affects users, whom have enabled MKPs and +then use either `omd update` or `cmk-update-config`. + +During the pre-update steps of Checkmk all rulesets are loaded, which are part of an MKP. +Previously, if an error occurs during this step, then the user is prompted with the following error. +``` + 02/05 UI extensions... +Error loading rulespecs: +[ValueError('cmk.plugins.redfish.rulesets.datasource: boom')] +Incompatible local file 'cmk/plugins/redfish/rulesets/datasource.py'. +Error: cmk.plugins.redfish.rulesets.datasource: boom + +You can abort the update process (A) and try to fix the incompatibilities or continue the update (c). +Abort the update process? [A/c] +``` +Thus, eventhough the file belongs to an MKP, if that file is part of the ruleset API v1, then +Checkmk does not correctly recognize that the file belongs to an MKP during the update. Now, Checkmk +offers to disable the MKP instead, i.e., +``` +You can abort the update process (A) or disable the extension package (d) and continue the update process. +Abort the update process? [A/d] +``` diff --git a/.werks/16414.md b/.werks/16414.md new file mode 100644 index 00000000000..31d930828f4 --- /dev/null +++ b/.werks/16414.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# Migrate Old Configuration Format For 'Disable notifications' + +key | value +---------- | --- +date | 2024-03-18T13:59:16+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | notifications +level | 1 +compatible | yes + +In Werk #6417, we announced that some changes to `etc/check_mk/conf.d/wato/contacts.mk` are +necessary before updating. In case a user did not migrate his configuration, they would encounter +the following crash in 2.2.0, but not in 2.1.0: +``` + File "/omd/sites/edding/lib/python3/cmk/base/notify.py", line 968, in rbn_rule_contacts + if disable_notifications_opts.get("disable", False): + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +AttributeError: 'bool' object has no attribute 'get' +``` +With this Werk, the configuration is migrated automatically. diff --git a/.werks/16415.md b/.werks/16415.md new file mode 100644 index 00000000000..b968aed3c2e --- /dev/null +++ b/.werks/16415.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# Prometheus & Alertmanager: Allow $HOSTNAME$ and $HOSTADDRESS$ in 'URL server address' + +key | value +---------- | --- +date | 2024-03-27T14:58:45+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + diff --git a/.werks/16416.md b/.werks/16416.md new file mode 100644 index 00000000000..7a3f54bee19 --- /dev/null +++ b/.werks/16416.md @@ -0,0 +1,18 @@ +[//]: # (werk v2) +# Make scp command work as site userr on SLES 15 + +key | value +---------- | --- +date | 2024-03-28T08:38:12+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +On SUSE Linux Enterprise Server 15 systems, the `scp` command could crash with +``` +/usr/bin/ssh: symbol lookup error: /usr/bin/ssh: undefined symbol: EVP_KDF_CTX_free, version OPENSSL_1_1_1d lost connection +``` +when executed as a site user. diff --git a/.werks/16420.md b/.werks/16420.md new file mode 100644 index 00000000000..5ec0f265e6b --- /dev/null +++ b/.werks/16420.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# jolokia_info: Support Version 2.0 + +key | value +---------- | --- +date | 2024-04-08T09:28:55+00:00 +version | 2.4.0b1 +class | feature +edition | cre +component | checks +level | 1 +compatible | yes + +Jolokia 2.0 was released 2023-12-19. With the release some changes to the Jolokia Protocol have been +introduced. If a user installed this version of Jolokia, the check plugin `jolokia_info` showed +`unknown` instead of the product information. After updating the agent plugin `mk_jolokia.py`, the +correct information will be shown again. diff --git a/.werks/16421.md b/.werks/16421.md new file mode 100644 index 00000000000..42cd87269c8 --- /dev/null +++ b/.werks/16421.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# Synthetic Monitoring: Adopt 'Plan' Naming Convention + +key | value +---------- | --- +date | 2024-04-09T11:39:57+00:00 +version | 2.4.0b1 +class | fix +edition | cee +component | checks +level | 1 +compatible | no + +This Werk affects users, who have configured the rule `Robotmk Scheduler (Windows)` during the 2.3.0 +beta. The naming conventions of the check plugin `robotmk_suite` have been reworked. + +* Plugin was renamed from `robotmk_suite` to `robotmk_plan`. +* Service label value changed from `cmk/rmk/type:suite` to `cmk/rmk/type:plan`. +* The service item has changed it's suffix from `Suite` to `Plan`. +* The metric was renamed from `robotmk_suite_runtime` to `robotmk_peak_attempt_runtime` +* The metric was renamed from `robotmk_runtime_timeout_ratio` to `robotmk_runtime_limit_ratio` + +Users affected by this change must run re-discovery. diff --git a/.werks/16423.md b/.werks/16423.md new file mode 100644 index 00000000000..57c49152bcd --- /dev/null +++ b/.werks/16423.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# mk_postgres.py: Add 'PG_BINARY_PATH' to Bakery Rule + +key | value +---------- | --- +date | 2024-04-16T15:15:06+00:00 +version | 2.4.0b1 +class | feature +edition | cee +component | agents +level | 1 +compatible | yes + +[Werk #15619](https://checkmk.com/werk/15619) added support for reading `PG_BINARY_PATH` from +`postgres.cfg`. This Werk allows setting this value with the agent bakery. diff --git a/.werks/16424.md b/.werks/16424.md new file mode 100644 index 00000000000..691ddfc8067 --- /dev/null +++ b/.werks/16424.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# omd start redis: Don't Start If Process Already Running + +key | value +---------- | --- +date | 2024-04-18T16:06:48+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +With this Werk, `omd start` will no longer create a new redis process if redis is already started. +This aligns the behaviour with the other services of a site. diff --git a/.werks/16425.md b/.werks/16425.md new file mode 100644 index 00000000000..418c3b39dfa --- /dev/null +++ b/.werks/16425.md @@ -0,0 +1,23 @@ +[//]: # (werk v2) +# APACHE_TCP_ADDR now allows IPv6 address + +key | value +---------- | --- +date | 2024-04-22T11:05:16+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | omd +level | 1 +compatible | yes + +Previously, using the command `omd config set APACHE_TCP_ADDR` with a IPv6 address would fail. For +example, the command +``` +$ omd config set APACHE_TCP_ADDR "[::]" +``` +resulted in `Invalid value for '[::]'. Does not match allowed pattern.` + +With this Werk, it `omd` only checks that a `Listen` directive for Apache can be constructed from the +`APACHE_TCP_ADDR`. In particular, this a IPv6 address can be configured. Such an address must be +surrounded by square brackets. diff --git a/.werks/16426.md b/.werks/16426.md new file mode 100644 index 00000000000..32af1fe3323 --- /dev/null +++ b/.werks/16426.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# NetApp Snapshot Reserve: Don't Restrict 'Levels for used configured reserve' + +key | value +---------- | --- +date | 2024-05-02T07:01:49+00:00 +version | 2.4.0b1 +class | fix +edition | cre +component | checks +level | 1 +compatible | yes + +Previously, the option `Levels for used configured reserve` of the rule `NetApp Snapshot Reserve` did not allow percent values beyond 101.0 %. +Now any non-negative value can be set. diff --git a/.werks/16444.md b/.werks/16444.md new file mode 100644 index 00000000000..b0802012ef9 --- /dev/null +++ b/.werks/16444.md @@ -0,0 +1,17 @@ +[//]: # (werk v2) +# EC: Fix missing configuration files + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-22T09:32:56+00:00 +level | 1 +class | fix +component | ec +edition | cee + +With werk 16012 the event console rules are filtered and saved to the location +var/mkeventd/active_config during activate changes. +Unfortunatelly other configuration files like global.mk are missing which are +now copied recursively, too. \ No newline at end of file diff --git a/.werks/16445.md b/.werks/16445.md new file mode 100644 index 00000000000..621731911d2 --- /dev/null +++ b/.werks/16445.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# HW/SW Inventory: Improve displaying retention information + +key | value +---------- | --- +date | 2024-01-24T11:35:45+00:00 +version | 2.3.0b1 +class | fix +edition | cre +component | inv +level | 1 +compatible | yes + +Fix missing retention information in views with HW/SW inventory columns. Do not +display retention icon if retention information is valid but not outdated. diff --git a/.werks/16446.md b/.werks/16446.md new file mode 100644 index 00000000000..77de2cec5fa --- /dev/null +++ b/.werks/16446.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Event console: Fix missing customer if configured within rule packs + +key | value +---------- | --- +compatible | yes +version | 2.3.0b1 +date | 2024-01-25T09:19:59+00:00 +level | 1 +class | fix +component | wato +edition | cme + +If the customer field of a rule pack is configured then - after "save" - it's +gone. This bug was introduced with Checkmk 2.2.0 and has been fixed now. diff --git a/.werks/16447.md b/.werks/16447.md new file mode 100644 index 00000000000..da5e89f8625 --- /dev/null +++ b/.werks/16447.md @@ -0,0 +1,13 @@ +[//]: # (werk v2) +# Fix inventory sync of subsequent hosts if a previous one has invalid data + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-05T11:32:34+00:00 +level | 1 +class | fix +component | liveproxy +edition | cee + diff --git a/.werks/16448.md b/.werks/16448.md new file mode 100644 index 00000000000..9471e957461 --- /dev/null +++ b/.werks/16448.md @@ -0,0 +1,15 @@ +[//]: # (werk v2) +# Fix inventory sync of hosts if remote data is updated at the time when liveproxyd sync starts or ends + +key | value +---------- | --- +compatible | yes +version | 2.4.0b1 +date | 2024-02-05T11:36:15+00:00 +level | 1 +class | fix +component | liveproxy +edition | cee + +When the liveproxyd starts or ends at a particular time TS and remote inventory +data is written between TS and \