Checkmk on Ubuntu 24.04 on Azure User Guide
Overview
Checkmk is a leading open source IT monitoring system. From an ordinary browser your team can watch the health and performance of hosts, services, networks and applications, discover services automatically, evaluate thresholds, raise notifications, and build dashboards and views on top of a rich library of built in checks. The cloudimg image ships the Checkmk Raw edition (the free, 100 percent open source edition, licensed under the GNU GPL version 2) as a single self contained monitoring site on a hardened, fully patched Ubuntu 24.04 LTS base. The site is created with Checkmk's Open Monitoring Distribution (OMD) framework and runs behind the system Apache web server, which terminates HTTPS on port 443 with a certificate generated uniquely on the first boot of every VM. A unique administrator password is generated on first boot as well, so no known or default login ships in the image. Backed by 24/7 cloudimg support.
cloudimg is not affiliated with, endorsed by, or sponsored by Checkmk GmbH. Checkmk is a trademark of Checkmk GmbH, used here only to identify the open source software packaged in this image.
What is included:
- Checkmk Raw edition (GPL-2.0), the free and open source edition built on the Nagios core with the full Checkmk web interface
- A single monitoring site named
cmk, created and started for you, ready to add your first host - The system Apache reverse proxy terminating HTTPS on port 443 with a per VM self signed certificate
- A per VM administrator password for the
cmkadminaccount, generated on first boot and recorded in a root only file - No default login: the site creation password is discarded and rotated to a unique per VM secret, and
cmkadminis kept a normal interactive user so the web login works - Port 80 serving an unauthenticated
/healthzendpoint for Azure Load Balancer probes and redirecting everything else to HTTPS apache2.serviceand Checkmk's ownomd.serviceas enabled systemd units, so the site starts on every boot- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for more monitored hosts, more services or longer history retention. NSG inbound: allow 22/tcp from your management network and 443/tcp for the web interface. Port 80 is only used for health probes and to redirect browsers to HTTPS. The web interface is served over HTTPS with a self signed certificate that is regenerated per VM, so your browser will show a certificate warning on the first visit; for production, place your own certificate or a load balancer with a managed certificate in front of the appliance.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Checkmk by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTPS (443). Then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name checkmk \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 443 to the web interface:
az vm open-port --resource-group <your-rg> --name checkmk --port 443
Step 3 - Confirm the services are running
SSH in as azureuser and confirm the system Apache and the Checkmk site are active. Checkmk's own omd.service starts the site on every boot, so a single command reports both Apache and the site as active. The site's own processes (its Nagios core, RRD cache, site Apache and more) run under the cmk site user and are proxied by the system Apache on ports 80 and 443.
systemctl is-active apache2 omd
sudo omd status cmk | grep -iE 'Overall|nagios|apache|rrdcached'
sudo ss -tlnp | grep -E ':80 |:443 '

Step 4 - Retrieve the per VM administrator password
The administrator password is generated uniquely on the first boot of every VM and written to a root only file. Read it over SSH:
sudo cat /root/checkmk-credentials.txt
The file records the site URL, the cmkadmin user name and the per VM password. Keep it somewhere safe.

Step 5 - Sign in to the Checkmk web interface
Open https://<your-vm-public-ip>/cmk/ in a browser. Because the certificate is self signed and unique to your VM, your browser will warn on the first visit; accept the warning to continue. Sign in as cmkadmin with the password from the previous step.

After signing in you land on the main monitoring dashboard, with panels for host and service statistics and for current and recent problems. On a fresh appliance these read zero until you add your first host.

Step 6 - Add your first host
Go to Setup then Hosts and choose Add host to the monitoring. Give the host a name and its IP address or resolvable host name, then save and run a service discovery so Checkmk finds what to monitor. Most hosts are monitored with the Checkmk agent (installed on the target), with SNMP, or through one of the built in API integrations. After you add a host, activate your pending changes to put it into monitoring.

Step 7 - Monitor your hosts and services
Under Monitor the All hosts view lists every monitored host with its current state, and the service views break out each check. From here you can acknowledge problems, schedule downtimes and filter by any attribute. On a fresh appliance the list is empty until you complete Step 6.

Step 8 - The secured default account (no default login)
Creating a Checkmk site normally generates a cmkadmin account with a password printed once at creation time. In the cloudimg image that creation time password is discarded and never shipped. On the first boot of every VM the cmkadmin password is rotated to a unique per VM secret, written to the root only credentials file from Step 4. The account is kept a normal interactive administrator (not an automation user), so the web login works while no known or blank credential is ever exposed. You can prove the round trip on the VM: the per VM password signs in and establishes a session, and a wrong password is rejected.
sudo bash /usr/local/sbin/checkmk-cred-roundtrip.sh

Step 9 - Confirm the edition, version and HTTPS
This image ships the Checkmk Raw edition, which is the free and open source edition licensed under the GNU GPL version 2. You can confirm the edition and version, the HTTPS login page and the health endpoint directly on the VM:
omd version
curl -ksI https://127.0.0.1/cmk/check_mk/login.py | head -1
curl -sI http://127.0.0.1/healthz | head -1

Where your data lives
The monitoring site and everything in it - your host and service configuration, the collected metrics and RRD databases, the site logs and the web configuration - live under /omd/sites/cmk on the OS disk, which is captured into the image and re provisioned on every VM. Back up that directory (or use Checkmk's own backup under Setup then Backup) to protect your configuration and history. The per VM administrator credentials are in /root/checkmk-credentials.txt (root only).
Licence
Checkmk Raw edition is free and open source software licensed under the GNU General Public License, version 2 (GPL-2.0). The commercial Checkmk editions (Pro, Ultimate and Cloud) are not included in this image. cloudimg is not affiliated with, endorsed by, or sponsored by Checkmk GmbH; Checkmk is a trademark of Checkmk GmbH, used here only to identify the open source software packaged in this image.
Support
This image is provided by cloudimg with 24/7 support. If you have any questions about deploying or operating Checkmk on Azure, contact us at support@cloudimg.co.uk.