Agent updater as non-root
Today it's possible to have the agent bakery create an agent that is not running as root. However, this does not allow the agent to update itself.
It would be useful if the newly implemented agent-controller could handle the agent update process (and not cmk-update-agent) by creating a separate process.
There are also annoying permissions issues where a lot of files and directories are owned by root when they should be owned by the user who runs the agent.
Comments: 3
-
02 Jun, '24
Martin Hirschvogel Admin
Hello,
Thank you for your idea. After thorough internal discussion, we’ve decided to plan its implementation for one of the next releases of our software.
We look forward to keeping you updated on progress.
At Checkmk we work on ideas based on business needs, customer demand, and resource availability. For strategic reasons, we reserve the right to re-evaluate the priority and/or scope of this feature as new information becomes available. We therefore ask for your understanding that we do not guarantee its implementation.
Warm regards,
Your Checkmk team
-
29 Mar, '25
Andy
In 2.4 it seems this feature might be removed as the rule now states "This feature will be deprecated in a future version of Checkmk."
-
01 Apr, '25
Martin Hirschvogel Admin
We deprecated the rules: "Installation directory for agent files" and "Run agent as non-root user" because a new ruleset unifies both: "Customize agent package". See screenshot.
The Checkmk agent so far has been located in common UNIX installation paths (/var/, /usr/, …). You can now configure with the new ruleset ‘Customize agent package’ one directory in which all agent files are installed. Static package files for installation are separated from runtime files now. This is the foundation for the ‘non-root’ agent mode.
With ‘Customize agent package’ you can now also configure a user to own the runtime files and execute the agent script. We rely on sudo as a mechanism.
The non-root mode is currently limited to the agent script. Running plug-ins, incl. the updater, as non-root will still require customizations by you. We plan to tackle these elements this year, however. Running the updater non-root with the current convenience is not something easy, but we will take that challenge.