Using the SNMP Plugin for Ksplice Uptrack

The SNMP plugin for Ksplice works with Oracle Enterprise Manager to monitor the status of Ksplice on systems. It also works with any monitoring solution that's compatible with SNMP.

Installing and Configuring the SNMP Plugin

Verify the system meets all prerequisites:

• The net-snmp package must be installed.

• The net-snmp-utils package must be installed to test the configuration using the snmpwalk command.

• The snmpd service must be configured to start automatically.

• SELinux must either be disabled or set to permissive mode on the system.

This procedure describes how to install the SNMP plugin on the system that you want to monitor.

Note:

This procedure uses the dnf command to describe many package management actions. On releases earlier than Oracle Linux 8, substitute the commands with the appropriate yum commands.

1. Subscribe the system to the appropriate Ksplice channels on ULN.

   Subscribe the system to the appropriate Ksplice channel for the installed Oracle Linux distribution and system architecture, for example, ol9_x86_64_ksplice for Oracle Linux 9 on x86_64.

2. Install the ksplice-snmp-plugin package on the system.

   sudo dnf -y install ksplice-snmp-plugin

3. (Optional) If you plan to test the configuration by using the snmpwalk command, install the net-snmp-utils package.

   sudo dnf -y install net-snmp-utils

4. Configure the system to use the SNMP plugin by editing the /etc/snmp/snmpd.conf file.

   The following example shows how the entries in this file might look on an Oracle Linux 9 system:

   # Setting up permissions
   # ======================
   com2sec local localhost public
   com2sec mynet source public
   
   group local v1 local
   group local v2c local
   group local usm local
   group mynet v1  mynet
   group mynet v2c mynet
   group mynet usm mynet
   
   view all included .1 80
   
   access mynet "" any noauth exact all none none
   access local "" any noauth exact all all none
   
   syslocation Oracle Linux 9
   syscontact sysadmin <root@localhost>
   
   # Load the plugin
   # ===============
   dlmod kspliceUptrack /usr/lib/ksplice-snmp/kspliceUptrack.so

   1. In the com2sec mynet community entry, replace source with the IP address or resolvable host name of the server that hosts the SNMP monitoring software, or with a subnet address represented as IP_address / netmask, for example, com2sec mynet 192.168.10.0/24 private.

      For IPv6 configuration, specify an IPv6 address and netmask to a com2sec6 mynet community entry, for example, com2sec6 mynet fec0::/64 private.

   2. In the syslocation entry, replace the argument for the identifier of the system being monitored.

   3. In the dlmod entry that loads the kspliceUptrack.so plugin, replace the lib path element with lib on a 32-bit system and lib64 on a 64-bit system.

   This sample configuration file is suitable for the purposes of testing.

5. Restart the SNMP service.

   sudo systemctl restart snmpd

For information about configuring SNMP, see the documentation at https://www.net-snmp.org/docs/readmefiles.html. See also the snmpd(8) and snmpd.conf(5) manual pages.

Testing the SNMP Plugin

You can use the snmpwalk command to check information and test the SNMP plugin.

1. Check the installed version of Ksplice.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceVersion

   Sample output:

   KSPLICE-UPTRACK-MIB::kspliceVersion.0 = STRING: 1.2.80

2. Check if available updates for a kernel have been installed.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus

   Sample output (which shows the kernel is out of date):

   KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: outofdate

3. Compare the installed kernel with the Ksplice effective version.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceBaseKernel
   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel

   Sample output (which shows the base kernel and effective kernel are the same, implying no updates have been applied):

   KSPLICE-UPTRACK-MIB::kspliceBaseKernel.0 = STRING: 5.15.0-304.171.4.1.el9uek
   KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel.0 = STRING: 5.15.0-304.171.4.1.el9uek

4. Show a list of all the updates that have been applied to the kernel.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable

   In this example, we receive no output, meaning no updates have been applied. This confirms why the base and effective kernel versions are the identical and why the kernel is out of date.

5. Show a list of updates that can be installed.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable

   Sample output:

   KSPLICE-UPTRACK-MIB::kspliceavailIndex.0 = INTEGER: 0
   KSPLICE-UPTRACK-MIB::kspliceavailIndex.1 = INTEGER: 1
   KSPLICE-UPTRACK-MIB::kspliceavailIndex.2 = INTEGER: 2
   ...
   KSPLICE-UPTRACK-MIB::kspliceavailDesc.23 = STRING: CVE-2011-4325: Denial of service in NFS direct-io.
   KSPLICE-UPTRACK-MIB::kspliceavailDesc.24 = STRING: CVE-2011-4348: Socking locking race in SCTP.
   KSPLICE-UPTRACK-MIB::kspliceavailDesc.25 = STRING: CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.

6. After fully upgrading the kernel by using Ksplice Uptrack, you can run the following snmpwalk commands to verify that the kernel is updated.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus

   Sample output:

   KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: uptodate

7. Check that no updates are available for installation, and also that the patches that have been applied.

   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable
   snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable

   Output similar to the following is displayed:

   KSPLICE-UPTRACK-MIB::ksplicepatchIndex.0 = INTEGER: 0
   KSPLICE-UPTRACK-MIB::ksplicepatchIndex.1 = INTEGER: 1
   KSPLICE-UPTRACK-MIB::ksplicepatchIndex.2 = INTEGER: 2
   ...