Merge branch 'Checkmk:master' into master

.werks/15517.md

@@ -0,0 +1,20 @@
+[//]: # (werk v2)
+# check_cert: Fixed metrics in output
+
+key        | value
+---------- | ---
+date       | 2024-09-23T14:48:43+00:00
+version    | 2.4.0b1
+class      | fix
+edition    | cre
+component  | checks
+level      | 2
+compatible | yes
+
+The active check for monitoring certificates produces two metrics by now.
+These metrics have been written in a broken format and therefore never
+been created. This is now fixed and both metrics are now available.
+
+The affected metrics are
+* certificate_remaining_validity (is also used for Perf-O-Meter)
+* overall_execution_time

.werks/16218.md

@@ -22,4 +22,4 @@ This issue was found during internal review.
 
 *Vulnerability Management*:
 
-We have rated the issue with a CVSS Score of 9.2 High (`CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`) and assigned `CVE-2024-8606`.
+We have rated the issue with a CVSS Score of 9.2 Critical (`CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`) and assigned `CVE-2024-8606`.

.werks/17036.md

@@ -0,0 +1,17 @@
+[//]: # (werk v2)
+# heartbeat_crm: Handle cases when pacemaker service is not running
+
+key        | value
+---------- | ---
+date       | 2024-09-16T21:35:09+00:00
+version    | 2.4.0b1
+class      | fix
+edition    | cre
+component  | checks
+level      | 1
+compatible | yes
+
+The creation of the agent section depended on the pacemaker service being running. If this was not the case, the section was left empty, causing the services to become stale.
+From now on, if the pacemaker service is not running, the service will go into CRIT state and the summary will indicate that the connection was not possible/refused.
+
+Also, the agent now checks for the existence of 'crm_mon' on the system, as this is a prerequisite for further command execution.

.werks/17134.md

@@ -11,4 +11,6 @@ component  | inv
 level      | 1
 compatible | yes
 
-
+Empty nodes, ie. nodes with no attributes or table rows, may be created via inventory plugins or
+update actions by means of retention interval configurations. In this case the seemingly changed
+trees are not allowed to be saved or archived.

.werks/17145.md

@@ -0,0 +1,30 @@
+[//]: # (werk v2)
+# Information leak in mknotifyd
+
+key        | value
+---------- | ---
+date       | 2024-07-15T11:23:40+00:00
+version    | 2.4.0b1
+class      | security
+edition    | cee
+component  | notifications
+level      | 1
+compatible | yes
+
+When a notification context is sent to mknotifyd a "result message" is generated by mknotifyd and sent back so the original site so it can show if there were problems handling that notification.
+This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords/secrets.
+
+These secrets were not processed by the remote site but a rough site would have been able to retrieve these.
+
+This issue was found during internal review.
+
+*Affected Versions*:
+
+* 2.3.0
+* 2.2.0
+* 2.1.0
+* 2.0.0 (EOL)
+
+*Vulnerability Management*:
+
+We have rated the issue with a CVSS Score of 5.3 Medium (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`) and assigned `CVE-2024-6747`.

.werks/17285.md

@@ -0,0 +1,17 @@
+[//]: # (werk v2)
+# bonding: Configurable number of expected interfaces
+
+key        | value
+---------- | ---
+date       | 2024-09-16T08:45:31+00:00
+version    | 2.4.0b1
+class      | feature
+edition    | cre
+component  | checks
+level      | 1
+compatible | yes
+
+
+The number of expected interfaces for the bonding checks can now be configured. You can configure the lower limit of expected interfaces and the state if the actual number is lower than the expected number.
+
+

.werks/17292.md

@@ -0,0 +1,25 @@
+[//]: # (werk v2)
+# check_httpv2: Body checking: Fixes for inverted regular expressions
+
+key        | value
+---------- | ---
+date       | 2024-09-18T06:26:40+00:00
+version    | 2.4.0b1
+class      | fix
+edition    | cre
+component  | checks
+level      | 1
+compatible | yes
+
+The [new active check for HTTP endpoints](https://checkmk.com/werk/15514) offers the option to
+search the response body for strings. This search can be configured to either use a fixed string or
+a regular expression. In the latter case, there is the additional option to invert the matching:
+Report WARNING if the expression matches and OK if not. This werk fixes two issues related to this
+option:
+
+1. In the user interface, the inversion option was incorrectly labelled with "CRITICAL" instead of
+"WARNING" in case the expression matches.
+
+2. In the service output, if inversion was activated, a not-matched expression was labelled with
+"matched" and a matched expression with "not matched". Note that the actual service state (WARNING
+if matched, OK otherwise) was correct.

.werks/17310.md

@@ -0,0 +1,23 @@
+[//]: # (werk v2)
+# licensing: Changes in license compatibility
+
+key        | value
+---------- | ---
+date       | 2024-09-24T06:19:35+00:00
+version    | 2.4.0b1
+class      | feature
+edition    | cme
+component  | wato
+level      | 1
+compatible | no
+
+Previously, a Checkmk MSP site was usable with a Checkmk Cloud license, but not the other way around.
+Since the Checkmk Cloud is now included in the Checkmk MSP, this changes to the following compatibility:
+
+* Usable with a Checkmk Enterprise license: Checkmk Raw, Checkmk Enterprise
+* Usable with a Checkmk Cloud license: Checkmk Raw, Checkmk Enterprise, Checkmk Cloud
+* Usable with a Checkmk MSP license: Checkmk Raw, Checkmk Enterprise, Checkmk Cloud, Checkmk MSP
+
+Note that this only refers to the compatibility when applying a license to a site, not whether sites of different editions can exist together in a distributed setup/monitoring.
+
+If you plan to upgrade from Checkmk Enterprise to Checkmk Cloud or Enterprise Checkmk Cloud to Checkmk MSP, please upgrade your subscription first.

.werks/first_free

@@ -1 +1 @@
-17310
+17320

agents/.f12

@@ -14,6 +14,7 @@
 
 # don't delete *.deb and *.rpm files as those are part of the distribution and can not be found in the source directory
 rsync --verbose --recursive --links --devices --specials --one-file-system --delete \
+    --include='cee/robotmk/*' \
     --exclude=.f12* \
     --exclude=__init__.py* \
     --exclude cmk-agent-ctl \

agents/check_mk_agent.linux

@@ -1043,9 +1043,15 @@ section_drbd() {
 }
 
 section_heartbeat() {
-    if [ -S /var/run/heartbeat/crm/cib_ro ] || [ -S /var/run/crm/cib_ro ] || pgrep "^(crmd|pacemaker-contr)$" >/dev/null 2>&1; then
-        echo '<<<heartbeat_crm>>>'
-        TZ=UTC crm_mon -1 -r | grep -v ^$ | sed 's/^ //; /^\sResource Group:/,$ s/^\s//; s/^\s/_/g'
+    if command -v crm_mon >/dev/null 2>&1 || [ -S /var/run/heartbeat/crm/cib_ro ] || [ -S /var/run/crm/cib_ro ] || pgrep "^(crmd|pacemaker-contr)$" >/dev/null 2>&1; then
+        crm_output=$(TZ=UTC crm_mon -1 -r | grep -v ^$ | sed 's/^ //; /^\sResource Group:/,$ s/^\s//; s/^\s/_/g')
+        if [ -n "$crm_output" ]; then
+            echo '<<<heartbeat_crm>>>'
+            echo "$crm_output"
+        else
+            echo '<<<heartbeat_crm>>>'
+            crm_mon -1 -r 2>&1
+        fi
     fi
 
     if inpath cl_status; then

agents/modules/windows/build_python.cmd

@@ -11,8 +11,9 @@ cd %build_msi% 2> nul  || powershell Write-Host "cannot find a python sources" -
 powershell Write-Host "Starting build" -foreground Green
 set GIT=c:\Program Files\git\cmd\git.exe
 if not exist "%GIT%" powershell Write-Host "You should install Git as %GIT%" -Foreground Red && exit /b 3
-set HOST_PYTHON=c:\python310\python.exe
-if not exist "%HOST_PYTHON%" powershell Write-Host "You should install Python as %HOST_PYTHON%" -Foreground Red && exit /b 4
+for /f %%i in ('where python') do set HOST_PYTHON=%%i
+if "%HOST_PYTHON%" == "" powershell Write-Host "Python not found" -Foreground Red && exit /b 4
+powershell Write-Host "Using python %HOST_PYTHON%" -Foreground Green
 set
 @echo call buildrelease.bat  -o %build_dir% -b -x86 --skip-nuget --skip-pgo --skip-zip
 

buildscripts/scripts/update-architecture-documentation.groovy

@@ -8,19 +8,14 @@ def main() {
             inside_container() {
                 sh("make -C doc/documentation htmlhelp");
             }
-            stage("Stash") {
-                stash(
-                    name: "htmlhelp",
-                    includes: "doc/documentation/_build/htmlhelp/**"
-                );
-            }
         }
 
-        // The pages produced by the job are served by the web server on our CI
-        // master node. Extract the results there to make it available to the
-        // web server.
-        node("Master_DoNotUse") {
-            unstash("htmlhelp");
+        stage("Deploy") {
+            withCredentials([file(credentialsId: 'Release_Key', variable: 'RELEASE_KEY')]) {    // groovylint-disable DuplicateMapLiteral
+                sh("""
+                    scp -rs -o StrictHostKeyChecking=accept-new -i ${RELEASE_KEY} doc/documentation/_build/htmlhelp ${DEV_DOCS_URL}/devdoc
+                """);
+            }
         }
     }
 }

cmk/base/automations/check_mk.py

@@ -1558,11 +1558,11 @@ def _get_service_info_from_autochecks(
             [
                 service
                 for node in config_cache.nodes(host_name)
-                for service in config_cache.get_autochecks_of(node)
+                for service in config_cache.get_discovered_services(node)
                 if host_name == config_cache.effective_host(node, service.description)
             ]
             if host_name in config_cache.hosts_config.clusters
-            else config_cache.get_autochecks_of(host_name)
+            else config_cache.get_discovered_services(host_name)
         )
 
         for service in services:

cmk/base/config.py

@@ -99,7 +99,12 @@
 from cmk.fetchers.config import make_persisted_section_dir
 from cmk.fetchers.filecache import MaxAge
 
-from cmk.checkengine.checking import CheckPluginName, ConfiguredService, ServiceID
+from cmk.checkengine.checking import (
+    CheckPluginName,
+    ConfiguredService,
+    ServiceConfigurer,
+    ServiceID,
+)
 from cmk.checkengine.discovery import (
     AutochecksManager,
     CheckPreviewEntry,
@@ -245,14 +250,20 @@ def _aggregate_check_table_services(
         skip_ignored=skip_ignored,
     )
 
+    is_cluster = host_name in config_cache.hosts_config.clusters
+
     # process all entries that are specific to the host
     # in search (single host) or that might match the host.
     if not config_cache.is_ping_host(host_name):
-        yield from (s for s in config_cache.get_autochecks_of(host_name) if sfilter.keep(s))
-
-    # Now add checks a cluster might receive from its nodes
-    if host_name in config_cache.hosts_config.clusters:
-        yield from (s for s in _get_clustered_services(config_cache, host_name) if sfilter.keep(s))
+        if is_cluster:
+            # Add checks a cluster might receive from its nodes
+            yield from (
+                s for s in _get_clustered_services(config_cache, host_name) if sfilter.keep(s)
+            )
+        else:
+            yield from (
+                s for s in config_cache.get_discovered_services(host_name) if sfilter.keep(s)
+            )
 
     yield from (
         svc
@@ -349,15 +360,28 @@ def _get_clustered_services(
     config_cache: ConfigCache,
     cluster_name: HostName,
 ) -> Iterable[ConfiguredService]:
-    for node in config_cache.nodes(cluster_name):
-        node_checks: list[ConfiguredService] = []
-        if not config_cache.is_ping_host(cluster_name):
-            node_checks += config_cache.get_autochecks_of(node)
-        node_checks.extend(svc for _, svc in config_cache.enforced_services_table(node).values())
+    nodes = config_cache.nodes(cluster_name)
 
+    nodes_discovered_services = (
+        {}
+        if config_cache.is_ping_host(cluster_name)
+        else {node: config_cache.get_discovered_services(node) for node in nodes}
+    )
+
+    nodes_enforced_services = {node: config_cache.enforced_services_table(node) for node in nodes}
+
+    # Note: the way we return the services here means that for a service that is enforced on some
+    # nodes and discovered on others, the parameters of the service on the cluster will depend
+    # on the order of the nodes in the cluster.
+    for node in nodes:
+        yield from (
+            service
+            for service in nodes_discovered_services[node]
+            if config_cache.effective_host(node, service.description) == cluster_name
+        )
         yield from (
             service
-            for service in node_checks
+            for _ruleset_name, service in nodes_enforced_services[node].values()
             if config_cache.effective_host(node, service.description) == cluster_name
         )
 
@@ -1924,7 +1948,6 @@ def initialize(self) -> ConfigCache:
         self._discovered_labels_cache = DiscoveredLabelsCache(
             self._autochecks_manager.get_autochecks
         )
-
         self._clusters_of_cache: dict[HostName, list[HostName]] = {}
         self._nodes_cache: dict[HostName, list[HostName]] = {}
         self._effective_host_cache: dict[tuple[HostName, ServiceName, tuple | None], HostName] = {}
@@ -1959,6 +1982,11 @@ def initialize(self) -> ConfigCache:
                 if self.is_active(hn) and self.is_online(hn)
             }
         )
+        self._service_configurer = ServiceConfigurer(
+            functools.partial(compute_check_parameters, self.ruleset_matcher),
+            functools.partial(service_description, self.ruleset_matcher),
+            self.effective_host,
+        )
 
         return self
 
@@ -2257,7 +2285,7 @@ def enforced_services_table(
                             configured_parameters=TimespecificParameters((params,)),
                         ),
                         discovered_parameters={},
-                        service_labels={},
+                        discovered_labels={},
                         is_enforced=True,
                     ),
                 )
@@ -3472,12 +3500,9 @@ def get_explicit_service_custom_variables(
         except KeyError:
             return {}
 
-    def get_autochecks_of(self, hostname: HostName) -> Sequence[ConfiguredService]:
-        return self._autochecks_manager.get_configured_services(
-            hostname,
-            functools.partial(compute_check_parameters, self.ruleset_matcher),
-            functools.partial(service_description, self.ruleset_matcher),
-            self.effective_host,
+    def get_discovered_services(self, hostname: HostName) -> Sequence[ConfiguredService]:
+        return self._service_configurer.configure_autochecks(
+            hostname, self._autochecks_manager.get_autochecks(hostname)
         )
 
     def section_name_of(self, section: str) -> str:

cmk/base/core_nagios/_create_config.py

@@ -464,8 +464,9 @@ def get_dependencies(hostname: HostName, servicedesc: ServiceName) -> str:
         )
 
         service_labels[service.description] = {
-            label.name: label.value for label in service.service_labels.values()
-        } | dict(get_labels_from_attributes(list(passive_service_attributes.items())))
+            **service.discovered_labels,
+            **get_labels_from_attributes(list(passive_service_attributes.items())),
+        }
 
         service_spec.update(passive_service_attributes)