Hi, I am new to check_mk and not very good at Linux server configuration at all, so thanks for your patience.
I installed check_mk under Debian via gdebi (systemd, not xinetd, and used the default configuration so far) and also deployed several agents already. That worked well on most machines, but on machines where IPv6 is deactivated for security reasons, it does not work. (https://security.stackexchange.com/questions/181949/how-would-disabling-ipv6-make-a-server-any-more-secure seems to be not the worst idea)
Checking netstat -npa | grep 6556 showed me it's tcp6 listening.
tcp6 0 0 :::6556 :::* LISTEN 1/init
When I check telnet localhost 6556 I get the agent output (the same when I run check_mk_agent).
And check_mk dashboard tells me it can ping that server. So it is there.
What are my chances to fix that problem without activating ipv6?
Thanks :)
On Linux, the v6 sockets are dual stack by default, but this is platform specific behavior. Of course applications can still do AF_INET sockets, and would have to if v6 is not in the kernel. Beware, without v6 some apps may no longer work in their default configurations.
Do not disable IPv6 completely on a host. You already broke a thing, and pretending it does not exist is not secure. Avoid adding to technical debt.
Instead, leave IPv6 enabled on hosts and manage your network. Just to name some basics, RA guard and other first hop security, firewall rules, and manage A or AAAA records in DNS. An IPv6 implementation is not required, but actually securing a network requires knowledge of both.
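The dual-stack behaviour described in the answer above, as an added example that is not part of the original post: a Python sketch (the function name `dual_stack_peer` is hypothetical) that opens an AF_INET6 wildcard listener like the `:::6556` one in the question, connects to it over IPv4 loopback, and reports what the listener sees. It assumes a Linux host where AF_INET6 sockets can still be created.

```python
import socket


def dual_stack_peer(v6only: bool):
    """Listen on [::]:<ephemeral port> and connect over IPv4 loopback.

    Returns the peer address seen by the listener, or None if the IPv4
    connection was refused. Raises OSError if AF_INET6 is unavailable.
    """
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        # IPV6_V6ONLY=0 is dual stack. When an application does not set
        # it, Linux takes the default from /proc/sys/net/ipv6/bindv6only.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]

        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        try:
            cli.connect(("127.0.0.1", port))
        except OSError:
            return None  # listener is not reachable over IPv4
        else:
            conn, peer = srv.accept()
            conn.close()
            return peer[0]  # IPv4 client shows up as an IPv4-mapped address
        finally:
            cli.close()
    finally:
        srv.close()


if __name__ == "__main__":
    try:
        print("dual stack:", dual_stack_peer(v6only=False))
        print("v6 only   :", dual_stack_peer(v6only=True))
    except OSError as exc:
        print("AF_INET6 not usable on this host:", exc)
```

A `tcp6` line in netstat therefore does not by itself tell you whether IPv4 clients can reach the port; the socket's `IPV6_V6ONLY` setting and the host firewall decide that.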
I was now able to switch to IPv4.
I followed the instructions in the manual installation here:
https://docs.checkmk.com/latest/de/agent_linux.html (2.5) - which was not obvious to me, as the gdebi installation worked without any errors.
Then I configured xinetd to change the checkmk socket to listen on IPv4 in the config file /etc/xinetd.d/check-mk-agent.