From e0be299a2c07299e37bbf5079cd14c73864b1007 Mon Sep 17 00:00:00 2001 From: Robin Gierse Date: Tue, 8 Apr 2025 12:11:37 +0200 Subject: [PATCH 1/5] WIP: Rework firewall management. --- roles/agent/README.md | 15 ++++-------- roles/agent/defaults/main.yml | 2 -- roles/agent/meta/argument_specs.yml | 6 ----- roles/agent/molecule/2.2.0/group_vars/all.yml | 5 ---- roles/agent/molecule/2.3.0/group_vars/all.yml | 5 ---- roles/agent/molecule/2.4.0/group_vars/all.yml | 5 ---- roles/agent/tasks/Debian.yml | 24 ++++++------------- roles/agent/tasks/RedHat.yml | 24 ++++++------------- roles/agent/tasks/Suse.yml | 9 +++++++ 9 files changed, 27 insertions(+), 68 deletions(-) diff --git a/roles/agent/README.md b/roles/agent/README.md index b22cdb35d..18fdfa649 100644 --- a/roles/agent/README.md +++ b/roles/agent/README.md @@ -131,17 +131,10 @@ See [this link](https://docs.checkmk.com/latest/en/agent_linux.html#registration checkmk_agent_configure_firewall: 'true' -Automatically configure the firewall (*currently only on RedHat and Debian derivatives*) to allow access to the Checkmk agent. - - checkmk_agent_configure_firewall_zone: 'public' - -When checkmk_agent_configure_firewall is set to `true` then configure the firewall zone on RedHat derivatives. Defaults to 'public'. - - checkmk_agent_server_ips: [] - -A list of IP addresses, that will be whitelisted in the firewall for agent access on `checkmk_agent_port`. -The `checkmk_agent_server` will automatically be added, but only if it is an IP address. -This parameter also does **not** take care of any agent-side whitelisting! +Automatically configure the firewall to allow access to the Checkmk agent. +**This is a very rudamentary configration!** +It only opens port 6556. Everything else uses defaults of the respective platform. +If you need more elaborate configuration, use your own firewall management! checkmk_agent_force_install: 'false' 
diff --git a/roles/agent/defaults/main.yml b/roles/agent/defaults/main.yml index 9a75f3931..a731b30fd 100644 --- a/roles/agent/defaults/main.yml +++ b/roles/agent/defaults/main.yml @@ -24,8 +24,6 @@ checkmk_agent_force_foreign_changes: 'false' checkmk_agent_update: 'false' checkmk_agent_tls: 'false' checkmk_agent_configure_firewall: 'true' -checkmk_agent_configure_firewall_zone: 'public' -checkmk_agent_server_ips: [] checkmk_agent_force_install: 'false' checkmk_agent_prep_legacy: 'false' checkmk_agent_delegate_api_calls: 'localhost' diff --git a/roles/agent/meta/argument_specs.yml b/roles/agent/meta/argument_specs.yml index 75612107d..c88fbb932 100644 --- a/roles/agent/meta/argument_specs.yml +++ b/roles/agent/meta/argument_specs.yml @@ -145,12 +145,6 @@ argument_specs: description: - Refer to the README for details. - checkmk_agent_server_ips: - type: "list" - elements: "str" - description: - - Refer to the README for details. - checkmk_agent_force_install: type: "bool" default: false diff --git a/roles/agent/molecule/2.2.0/group_vars/all.yml b/roles/agent/molecule/2.2.0/group_vars/all.yml index 106fe07ed..0745b7d06 100644 --- a/roles/agent/molecule/2.2.0/group_vars/all.yml +++ b/roles/agent/molecule/2.2.0/group_vars/all.yml @@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2 checkmk_agent_update: 'false' checkmk_agent_tls: 'true' checkmk_agent_configure_firewall: 'true' -checkmk_agent_configure_firewall_zone: 'public' -checkmk_agent_server_ips: - - 10.10.10.10 - - 172.16.16.16 - - 192.168.1.1 checkmk_agent_force_install: 'false' checkmk_agent_prep_legacy: 'false' checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}" diff --git a/roles/agent/molecule/2.3.0/group_vars/all.yml b/roles/agent/molecule/2.3.0/group_vars/all.yml index 2dae40521..907b39209 100644 --- a/roles/agent/molecule/2.3.0/group_vars/all.yml +++ b/roles/agent/molecule/2.3.0/group_vars/all.yml 
@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2 checkmk_agent_update: 'false' checkmk_agent_tls: 'true' checkmk_agent_configure_firewall: 'true' -checkmk_agent_configure_firewall_zone: 'public' -checkmk_agent_server_ips: - - 10.10.10.10 - - 172.16.16.16 - - 192.168.1.1 checkmk_agent_force_install: 'false' checkmk_agent_prep_legacy: 'false' checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}" diff --git a/roles/agent/molecule/2.4.0/group_vars/all.yml b/roles/agent/molecule/2.4.0/group_vars/all.yml index 2dda0eadb..acd6f4cf4 100644 --- a/roles/agent/molecule/2.4.0/group_vars/all.yml +++ b/roles/agent/molecule/2.4.0/group_vars/all.yml @@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2 checkmk_agent_update: 'false' checkmk_agent_tls: 'true' checkmk_agent_configure_firewall: 'true' -checkmk_agent_configure_firewall_zone: 'public' -checkmk_agent_server_ips: - - 10.10.10.10 - - 172.16.16.16 - - 192.168.1.1 checkmk_agent_force_install: 'false' checkmk_agent_prep_legacy: 'false' checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}" diff --git a/roles/agent/tasks/Debian.yml b/roles/agent/tasks/Debian.yml index 6b3509c61..cdc488263 100644 --- a/roles/agent/tasks/Debian.yml +++ b/roles/agent/tasks/Debian.yml 
@@ -44,21 +44,11 @@ tags: - install-package -- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent." +- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." when: checkmk_agent_configure_firewall | bool and "ufw.service" in ansible_facts.services - block: - - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address." - when: checkmk_agent_server | ansible.utils.ipaddr() - ansible.builtin.set_fact: - checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}" - - - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." - when: checkmk_agent_server_ips is defined - community.general.ufw: - rule: allow - proto: tcp - src: "{{ item }}" - port: '6556' - comment: Allow Checkmk - loop: "{{ checkmk_agent_server_ips }}" - become: true + community.general.ufw: + rule: allow + proto: tcp + port: '6556' + comment: "Allow Checkmk Agent access from anywhere." + become: true diff --git a/roles/agent/tasks/RedHat.yml b/roles/agent/tasks/RedHat.yml index 11033009e..2fcfa113b 100644 --- a/roles/agent/tasks/RedHat.yml +++ b/roles/agent/tasks/RedHat.yml 
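Review bot: The rewritten ufw rule has no `src`, so it admits `6556/tcp` from any address, whereas the removed block limited it to `checkmk_agent_server_ips`; the task name `Allow Checkmk services access to the agent.` still describes the narrower rule. The `comment` field already says `Allow Checkmk Agent access from anywhere.`; give the task name the same wording, e.g. `- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent from any source."`, so play output shows what was actually opened. The RedHat.yml hunk in this commit drops the source address and zone in the same way and the new Suse.yml task carries the same name, so both would benefit from the same wording. The README hunk documents the simplification as deliberate, so this is about making the task self-describing, not about restoring the whitelist.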
@@ -44,21 +44,11 @@ tags: - install-package -- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent." +- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services - block: - - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address." - when: checkmk_agent_server | ansible.utils.ipaddr() - ansible.builtin.set_fact: - checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}" - - - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." - when: checkmk_agent_server_ips is defined - ansible.posix.firewalld: - permanent: 'yes' - immediate: 'yes' - state: enabled - rich_rule: 'rule family="ipv4" source address={{ item }} port port="{{ checkmk_agent_port }}" protocol="tcp" accept' - zone: "{{ checkmk_agent_configure_firewall_zone | default('public') }}" - loop: "{{ checkmk_agent_server_ips }}" - become: true + ansible.posix.firewalld: + permanent: true + immediate: true + port: 6556/tcp + state: "enabled" + become: true diff --git a/roles/agent/tasks/Suse.yml b/roles/agent/tasks/Suse.yml index fe654141d..0b8bfbccb 100644 --- a/roles/agent/tasks/Suse.yml +++ b/roles/agent/tasks/Suse.yml @@ -46,3 +46,12 @@ when: checkmk_agent_edition | lower == "cre" tags: - install-package + +- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." + when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services + ansible.posix.firewalld: + permanent: true + immediate: true + port: 6556/tcp + state: "enabled" + become: true From 766b6bd4aacdb5dba32c9c2f94e5a4aa85c4f231 Mon Sep 17 00:00:00 2001 
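Review bot: The new Suse.yml task gates on `"firewalld.service" in ansible_facts.services`, which is true whenever the unit is installed regardless of whether it is running, yet `immediate: true` asks firewalld to apply the rule to the live daemon; on a host where firewalld is installed but stopped, `ansible.posix.firewalld` appears to fail rather than skip. Consider checking the reported state as well, e.g. `when: checkmk_agent_configure_firewall | bool and ansible_facts.services['firewalld.service'].state | default('') == 'running'`, or ensure the service is started in a preceding task. The agent RedHat.yml hunk in this commit uses the same condition, and the server RedHat.yml change in patch 3 removes the task that previously started firewalld, so the same check is needed there.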
From: Robin Gierse Date: Tue, 27 May 2025 13:11:02 +0200 Subject: [PATCH 2/5] Finalize firewall management for the agent. --- changelogs/fragments/firewall-agent.yml | 5 +++++ roles/agent/README.md | 6 +++--- roles/agent/tasks/Debian.yml | 4 ++-- roles/agent/tasks/RedHat.yml | 4 ++-- roles/agent/tasks/Suse.yml | 4 ++-- 5 files changed, 14 insertions(+), 9 deletions(-) create mode 100644 changelogs/fragments/firewall-agent.yml diff --git a/changelogs/fragments/firewall-agent.yml b/changelogs/fragments/firewall-agent.yml new file mode 100644 index 000000000..dbc604c54 --- /dev/null +++ b/changelogs/fragments/firewall-agent.yml @@ -0,0 +1,5 @@ +breaking_changes: + - Agent role - Remove advanced firewall configuration options and revert to basic firewall management. + If you used the `checkmk_agent_server_ips` or `checkmk_agent_configure_firewall_zone` option, you need to take action. + Refer to the README for details. + If you need elaborate firewall management, use a dedicated role! diff --git a/roles/agent/README.md b/roles/agent/README.md index 18fdfa649..3940b948c 100644 --- a/roles/agent/README.md +++ b/roles/agent/README.md @@ -131,10 +131,10 @@ See [this link](https://docs.checkmk.com/latest/en/agent_linux.html#registration checkmk_agent_configure_firewall: 'true' -Automatically configure the firewall to allow access to the Checkmk agent. +Automatically configure the firewall to allow access to the Checkmk agent on the `checkmk_agent_port`. **This is a very rudamentary configration!** -It only opens port 6556. Everything else uses defaults of the respective platform. -If you need more elaborate configuration, use your own firewall management! +It only opens port 6556/tcp by default. Everything else uses defaults of the respective platform. +If you need more elaborate configuration, use your own firewall management and set this to `false`! checkmk_agent_force_install: 'false' 
diff --git a/roles/agent/tasks/Debian.yml b/roles/agent/tasks/Debian.yml index cdc488263..81a3e38a3 100644 --- a/roles/agent/tasks/Debian.yml +++ b/roles/agent/tasks/Debian.yml @@ -44,11 +44,11 @@ tags: - install-package -- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." +- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp." when: checkmk_agent_configure_firewall | bool and "ufw.service" in ansible_facts.services community.general.ufw: rule: allow proto: tcp - port: '6556' + port: "{{ checkmk_agent_port }}" comment: "Allow Checkmk Agent access from anywhere." become: true diff --git a/roles/agent/tasks/RedHat.yml b/roles/agent/tasks/RedHat.yml index 2fcfa113b..5641c76c1 100644 --- a/roles/agent/tasks/RedHat.yml +++ b/roles/agent/tasks/RedHat.yml @@ -44,11 +44,11 @@ tags: - install-package -- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." +- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp." when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services ansible.posix.firewalld: permanent: true immediate: true - port: 6556/tcp + port: "{{ checkmk_agent_port }}/tcp" state: "enabled" become: true diff --git a/roles/agent/tasks/Suse.yml b/roles/agent/tasks/Suse.yml index 0b8bfbccb..75040f2e7 100644 --- a/roles/agent/tasks/Suse.yml +++ b/roles/agent/tasks/Suse.yml 
@@ -47,11 +47,11 @@ tags: - install-package -- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent." +- name: "{{ ansible_os_family }} Derivatives: Allow access to the Checkmk agent on port {{ checkmk_agent_port }}/tcp." when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services ansible.posix.firewalld: permanent: true immediate: true - port: 6556/tcp + port: "{{ checkmk_agent_port }}/tcp" state: "enabled" become: true From bb15071fdcc134c47c90fb6b82604d49fc5b53d4 Mon Sep 17 00:00:00 2001 From: Robin Gierse Date: Tue, 27 May 2025 13:29:08 +0200 Subject: [PATCH 3/5] Harmonize firewall management for server role. --- changelogs/fragments/firewall-server.yml | 3 +++ roles/server/README.md | 13 +++++++++++-- roles/server/defaults/main.yml | 5 +++++ roles/server/tasks/Debian.yml | 10 ++++++++++ roles/server/tasks/RedHat.yml | 20 ++++++-------------- roles/server/vars/RedHat.yml | 5 ----- 6 files changed, 35 insertions(+), 21 deletions(-) create mode 100644 changelogs/fragments/firewall-server.yml diff --git a/changelogs/fragments/firewall-server.yml b/changelogs/fragments/firewall-server.yml new file mode 100644 index 000000000..bf73cfccc --- /dev/null +++ b/changelogs/fragments/firewall-server.yml @@ -0,0 +1,3 @@ +minor_changes: + - Server role - Harmonize firewall management accross distributions and simplify configuration. + Refer to the README for details! diff --git a/roles/server/README.md b/roles/server/README.md index b219b2b50..276c2bc37 100644 --- a/roles/server/README.md +++ b/roles/server/README.md 
@@ -64,8 +64,17 @@ Uninstall unused Checkmk versions on the server. checkmk_server_configure_firewall: 'true' -Automatically open the necessary ports on the Checkmk server for the -web interface to be accessible. +Automatically open necessary ports on the Checkmk server. +This setting only has effect on systems, which are running `ufw` or `firewalld`. +For elaborate firewall configuration, use your own firewall management! +This setting only enables very basic firewall configuration. + + checkmk_server_ports: + - 80/tcp + - 443/tcp + - 8000/tcp + +The ports to open automatically. Adapt this to the specific requirements of your site. checkmk_server_allow_downgrades: 'false' diff --git a/roles/server/defaults/main.yml b/roles/server/defaults/main.yml index 61a2d64bb..bf66a54ed 100644 --- a/roles/server/defaults/main.yml +++ b/roles/server/defaults/main.yml @@ -56,6 +56,11 @@ checkmk_server_sites: [] checkmk_server_configure_firewall: 'true' +checkmk_server_ports: + - 80/tcp + - 443/tcp + - 8000/tcp + checkmk_server_backup_on_update: 'true' # Not recommended to disable this option checkmk_server_backup_dir: '/tmp' checkmk_server_backup_opts: '--no-past' diff --git a/roles/server/tasks/Debian.yml b/roles/server/tasks/Debian.yml index 4da75543d..3f53a810f 100644 --- a/roles/server/tasks/Debian.yml +++ b/roles/server/tasks/Debian.yml @@ -9,3 +9,13 @@ notify: Start Apache tags: - install-package + +- name: "{{ ansible_os_family }} Derivatives: Open Firewall Ports for the Checkmk Server." + when: checkmk_server_configure_firewall | bool and "ufw.service" in ansible_facts.services + community.general.ufw: + rule: allow + proto: tcp + port: "{{ item }}" + state: "enabled" + become: true + loop: "{{ checkmk_server_ports }}" diff --git a/roles/server/tasks/RedHat.yml b/roles/server/tasks/RedHat.yml index db6c505e8..64ed0ccc3 100644 --- a/roles/server/tasks/RedHat.yml +++ b/roles/server/tasks/RedHat.yml 
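Review bot: `state: "enabled"` in the new server Debian.yml ufw task is not part of the rule definition: as far as I read `community.general.ufw`, `state` is processed as its own command that enables the firewall and turns it on at boot, so this task also activates ufw on any host where the unit exists but was inactive, which is a larger change than opening three ports and can close every port not listed in `checkmk_server_ports`. The agent role's Debian.yml task in this series omits `state` and only adds rules; drop the line here for the same behaviour, or move enabling into its own clearly named task so the step is visible in play output and in the README. If enabling is intended, the README text `Automatically open necessary ports on the Checkmk server.` should say that the firewall is switched on as well.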
@@ -97,20 +97,12 @@ tags: - set-selinux-boolean -- name: "Make sure firewalld is started and enabled" - become: true - ansible.builtin.systemd: - name: firewalld - state: started - enabled: true - when: checkmk_server_configure_firewall | bool - -- name: "Open firewall ports." - become: true +- name: "{{ ansible_os_family }} Derivatives: Open Firewall Ports for the Checkmk Server." + when: checkmk_server_configure_firewall | bool and "firewalld.service" in ansible_facts.services ansible.posix.firewalld: - port: "{{ item }}" permanent: true immediate: true - state: enabled - loop: "{{ __checkmk_server_ports }}" - when: checkmk_server_configure_firewall | bool + port: "{{ item }}/tcp" + state: "enabled" + become: true + loop: "{{ checkmk_server_ports }}" diff --git a/roles/server/vars/RedHat.yml b/roles/server/vars/RedHat.yml index d28da0c70..860c4cda8 100644 --- a/roles/server/vars/RedHat.yml +++ b/roles/server/vars/RedHat.yml @@ -3,11 +3,6 @@ __checkmk_server_setup_file: |- check-mk-{{ __checkmk_server_edition_mapping[checkmk_server_edition | lower] }}-{{ checkmk_server_version }}-el{{ ansible_distribution_major_version }}-38.x86_64.rpm -__checkmk_server_ports: - - 80/tcp - - 443/tcp - - 8000/tcp - __checkmk_server_prerequisites_per_distro: RedHat: - firewalld From 8a551195e8f3404b0b92f7a89ec203a0f6c84c98 Mon Sep 17 00:00:00 2001 From: Robin Gierse Date: Tue, 27 May 2025 13:30:59 +0200 Subject: [PATCH 4/5] Update README. --- roles/agent/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/agent/README.md b/roles/agent/README.md index 3940b948c..86f1a8997 100644 --- a/roles/agent/README.md +++ b/roles/agent/README.md 
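Review bot: The removed `Make sure firewalld is started and enabled` task has no replacement: the new `when` only checks that `firewalld.service` appears in `ansible_facts.services`, which also holds for an installed-but-stopped unit, while `immediate: true` requires a running daemon. On such a host the previous version started firewalld and then opened the ports; the new one will most likely fail at this task, and if the condition is later tightened to skip instead, the host is left without the firewall the role used to guarantee. Either keep a start/enable task ahead of this one, gated on the same condition, or add `and ansible_facts.services['firewalld.service'].state | default('') == 'running'` and state in the README that the role no longer starts firewalld. The agent role's RedHat.yml and Suse.yml tasks use the same presence-only condition.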
@@ -132,9 +132,9 @@ See [this link](https://docs.checkmk.com/latest/en/agent_linux.html#registration checkmk_agent_configure_firewall: 'true' Automatically configure the firewall to allow access to the Checkmk agent on the `checkmk_agent_port`. -**This is a very rudamentary configration!** -It only opens port 6556/tcp by default. Everything else uses defaults of the respective platform. -If you need more elaborate configuration, use your own firewall management and set this to `false`! +This setting only has effect on systems, which are running `ufw` or `firewalld`. +For elaborate firewall configuration, use your own firewall management! +This setting only enables very basic firewall configuration. checkmk_agent_force_install: 'false' From a7c3dfcc0e6548ce56d0d8bfbdad750807c286ce Mon Sep 17 00:00:00 2001 From: Robin Gierse Date: Tue, 27 May 2025 15:29:28 +0200 Subject: [PATCH 5/5] Fix ports. --- roles/server/README.md | 6 +++--- roles/server/defaults/main.yml | 7 ++++--- roles/server/tasks/main.yml | 6 +++++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/roles/server/README.md b/roles/server/README.md index 276c2bc37..2a13ee687 100644 --- a/roles/server/README.md +++ b/roles/server/README.md @@ -70,9 +70,9 @@ For elaborate firewall configuration, use your own firewall management! This setting only enables very basic firewall configuration. checkmk_server_ports: - - 80/tcp - - 443/tcp - - 8000/tcp + - 80 + - 443 + - 8000 The ports to open automatically. Adapt this to the specific requirements of your site. diff --git a/roles/server/defaults/main.yml b/roles/server/defaults/main.yml index bf66a54ed..a6ce5340b 100644 --- a/roles/server/defaults/main.yml +++ b/roles/server/defaults/main.yml 
@@ -57,9 +57,10 @@ checkmk_server_sites: [] checkmk_server_configure_firewall: 'true' checkmk_server_ports: - - 80/tcp - - 443/tcp - - 8000/tcp + - 22 + - 80 + - 443 + - 8000 checkmk_server_backup_on_update: 'true' # Not recommended to disable this option checkmk_server_backup_dir: '/tmp' diff --git a/roles/server/tasks/main.yml b/roles/server/tasks/main.yml index 2c945482f..f80d49074 100644 --- a/roles/server/tasks/main.yml +++ b/roles/server/tasks/main.yml @@ -17,8 +17,12 @@ - include-os-family-vars - install-package -- name: "Get installed Packages." +- name: "{{ ansible_system }}: Get RPM or APT package facts." ansible.builtin.package_facts: + manager: "auto" + +- name: "{{ ansible_system }}: Populate service facts." + ansible.builtin.service_facts: - name: "Update APT Cache." become: true
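Review bot: `- 22` is added to `checkmk_server_ports` here, but the README hunk in the same commit documents the default as `80`, `443` and `8000` only, and SSH is not a port the Checkmk server itself serves. If the intent is to keep management access working when the Debian task switches ufw on, that belongs to the firewall-enabling step rather than to the server's port list, since a user who overrides `checkmk_server_ports` with only the web ports would silently lose it. Either remove `22` and keep the list to Checkmk ports, or add it to the README list with a sentence stating why the role opens it by default.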