back to website

Werk #18271: Linux non-root agent deployment: Fix issues with agent updater

Component Agent bakery
Title Linux non-root agent deployment: Fix issues with agent updater
Date Jul 10, 2025
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.5.0b1
Not yet released 		Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p8 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

As it's mentioned in Werk #17900, it's possible to migrate to the new single-directory deployment using the agent updater.
That said, when combining this with the non-root deployment from Werk #17901, you will encounter some rough edges and issues.

This Werk addresses the following issues, making the agent updater usable in non-root agent deployment:

  • During the update the agent updater did complain that it can't find its state file. This happened because, while the state file had been migrated to the new location, it still was the old agent updater that was trying to write to it, and that only knew the old location.
    The agent updater now stops writing to the state file after succeeded update, and leaves that task to the new agent updater instance.
    Note: Parts of this fix were already active in Checkmk 2.4.0p6, and lead to the regression in the Windows agent updater, that will be addressed by Werk #18270. Sorry for that.
  • When operating the agent updater in a non-root deployment, it soon failed to access its state file, and created a new one instead. However, this came with a loss of data. The reason for this is that the agent updater runs in two different modes: The update mode, that runs under the agent user as a plugin, and the install mode, that runs under root. Due to the way the state file is handled, the root part of the agent updater left the state file with root ownership. Since it's located at the agent user's runtime directory, the update part of the agent updater could replace it, but with a loss of data.
    The agent updater will now ensure that the state file is owned by the agent user also when running as root.
  • In a new agent installation, the root part of the agent updater may run for the first time before the agent user part. In this case, the cmk-update-agent.log was created wih root ownership, which even made the agent user part crash, making automatic agent updates impossible.
    Just like with the state file, the root part now ensures that the log file is created with agent user ownership.

To the list of all Werks