Professional Documents
Culture Documents
E39380-05
May 2013
Oracle® Linux: Ksplice User's Guide
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are
trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or
registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected
by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce,
translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them
to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the
following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition
Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs,
including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license
terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for
use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware
in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous
applications.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle
Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products,
and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of
third-party content, products, or services.
Abstract
This manual provides information about using Ksplice Uptrack to update a running Linux kernel without needing to
reboot the system.
iii
iv
Preface
The Oracle Linux Ksplice User's Guide provides information about how to configure Ksplice Uptrack to
update a running system kernel and how to use the Ksplice Uptrack API.
Audience
This document is intended for administrators who need to configure Ksplice Uptrack for Oracle Linux 5 and
Oracle Linux 6 systems. It is assumed that readers are familiar with web technologies and have a general
understanding of Linux system administration.
Document Organization
The document is organized as follows:
• Chapter 1, Ksplice Uptrack describes how to configure Ksplice Uptrack to update a running system
kernel.
• Chapter 2, Ksplice Uptrack API describes how to use the Ksplice Uptrack API.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website
at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers have access to electronic support through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?
ctx=acc&id=trs if you are hearing impaired.
Related Documents
The documentation for this product is available at:
http://www.oracle.com/technetwork/server-storage/linux/documentation/index.html.
Conventions
The following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associated with an
action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for which
you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, code in
examples, text that appears on the screen, or text that you enter.
v
vi
Chapter 1. Ksplice Uptrack
Table of Contents
1.1. About Oracle Ksplice ................................................................................................................... 1
1.2. About Ksplice Uptrack ................................................................................................................. 2
1.2.1. Supported Kernels ............................................................................................................ 2
1.3. Registering to Use Oracle Ksplice ................................................................................................ 3
1.4. Installing Ksplice Uptrack ............................................................................................................. 3
1.5. Configuring Ksplice Uptrack ......................................................................................................... 4
1.6. Managing Ksplice Updates ........................................................................................................... 5
1.7. Patching and Updating Your System ............................................................................................ 6
1.8. Removing the Ksplice Uptrack software ........................................................................................ 6
1.9. About Ksplice Offline Client .......................................................................................................... 6
1.9.1. Configuring an Oracle Linux 5 System to Use yum with ULN ............................................... 7
1.9.2. Creating a Local Yum Server to Act as a Ksplice Mirror ...................................................... 7
1.9.3. Updating a Local Yum Server .......................................................................................... 10
1.9.4. Configuring Ksplice Offline Clients ................................................................................... 10
1.10. For More Information About Ksplice Uptrack ............................................................................. 11
This chapter describes how to configure Ksplice Uptrack to update the kernel on a running system.
Oracle Ksplice allows you to keep your systems secure and highly available by allowing you to update your
systems with the latest kernel security errata and other critical updates. Oracle Ksplice updates the running
kernel image without requiring a reboot. Your systems remain up to date with their OS vulnerability patches
and downtime is minimized. A Ksplice update takes effect immediately it is applied. It is not an on-disk
change that only takes effect after a subsequent reboot.
Oracle creates each Ksplice update from a kernel update that originates either from Oracle or from the
Linux kernel community.
Figure 1.1, “Life Cycle of a Ksplice Update” illustrates the life cycle of a Ksplice update.
1
About Ksplice Uptrack
Ksplice Uptrack is freely available for Oracle Linux customers that subscribe to Oracle Linux Premier
Support. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your
sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.
• All Oracle Unbreakable Enterprise Kernel versions for Oracle Linux 5 and Oracle Linux 6 starting with
2.6.32-100.28.9 (released March 16, 2011).
• All Oracle Linux 5 Red Hat Compatible Kernels starting with Oracle Linux 5.4 (2.6.18-164.el5, released
September 9, 2009).
2
Registering to Use Oracle Ksplice
• All Oracle Linux 5 Red Hat Compatible Kernels with bug fixes added by Oracle starting with Oracle Linux
5.6 (2.6.18-238.0.0.0.1.el5, released January 22, 2011).
To confirm whether a particular kernel is supported, install the Uptrack client on a system that is running
the kernel.
For information about registering with ULN, see the Oracle Linux Unbreakable Linux Network User's Guide.
If you already have an account on ULN, you can register your system to use Ksplice Uptrack at http://
linux.oracle.com.
1. From your browser, log in to ULN with your existing user name and password. If your subscription
grants you access to Ksplice, the ULN home page displays the Ksplice Uptrack Registration button.
2. Click Ksplice Uptrack Registration. The screen displays all valid Customer Support Identifiers (CSIs)
for your account.
3. Select the CSI that you want to use and click Register. The screen displays an acknowledgment that a
Ksplice account has been created and that an e-mail containing the Ksplice access key, a temporary
password for Ksplice, and a URL for confirming your registration has been sent to your e-mail account.
4. When you receive the e-mail, open the URL that it contains.
After registering to use Ksplice Uptrack, you can log in at https://uptrack.ksplice.com using your e-mail
address as your user name, and the temporary password. You must change your password when you first
log in. You can view the status of your registered systems, the patches that have been applied, and the
patches that are available. You can also create access control groups for your registered systems.
The system on which you want to install Ksplice Uptrack must meet the following criteria:
• The operating system must be Oracle Linux 5 or Oracle Linux 6 with a supported version of either the
Unbreakable Enterprise Kernel or the Red Hat Compatible Kernel installed. You can verify the kernel
version by using the uname -a command. See Section 1.2.1, “Supported Kernels”.
• The kernel that is running currently is assumed to be the one that you want to update. Ksplice Uptrack
applies updates only to the running kernel.
3
Configuring Ksplice Uptrack
2. If you use an Internet proxy, configure the HTTP and HTTPS settings for the proxy in the shell.
• For the sh, ksh, or bash shells, use commands such as the following:
# http_proxy=http://proxy_URL:http_port
# https_proxy=http://proxy_URL:https_port
# export http_proxy https_proxy
3. Using a browser, log in at http://linux.oracle.com with the ULN user name and password that you used
to register the system, and perform the following steps:
a. On the Systems tab, click the link named for your system in the list of registered machines.
c. On the System Summary page, select the Ksplice for Oracle Linux channel for the correct release
and your system's architecture (i386 or x86_64) from the list of available channels and click the
right arrow (>) to move it to the list of subscribed channels.
The access key for Ksplice Uptrack is retrieved from ULN and added to /etc/uptrack/
uptrack.conf, for example:
[Auth]
accesskey = 0e1859ad8aea14b0b4306349142ce9160353297daee30240dab4d61f4ea4e59b
5. To enable the automatic installation of updates, change the following entry in /etc/uptrack/
uptrack.conf:
autoinstall = no
so that it reads:
autoinstall = yes
For information about configuring Ksplice Uptrack, see Section 1.5, “Configuring Ksplice Uptrack”.
For information about managing Ksplice updates, see Section 1.6, “Managing Ksplice Updates”.
4
Managing Ksplice Updates
If your system is registered with the Ksplice Uptrack repository, Ksplice Uptrack communicates with the
Uptrack server by connecting to https://updates.ksplice.com:443. You can either configure
your firewall to allow connection via port 443, or you can configure Ksplice Uptrack to use a proxy
server. To configure Ksplice Uptrack to use a proxy server, set the following entry in /etc/uptrack/
uptrack.conf:
https_proxy = https://proxy_URL:https_port
You receive e-mail notification when Ksplice updates are available for your system.
To make Ksplice Uptrack install all updates automatically as they become available, set the following entry:
autoinstall = yes
Note
To install updates automatically at boot time, the following entry must appear in /etc/uptrack/
uptrack.conf:
install_on_reboot = yes
When you boot the system into the same kernel, the /etc/init.d/uptrack script reapplies the installed
Ksplice updates to the kernel.
To prevent Ksplice Uptrack from automatically reapplying updates to the kernel when you reboot the
system, set the entry to:
install_on_reboot = no
To install all available updates at boot time, even if you boot the system into a different kernel, uncomment
the following entry in /etc/uptrack/uptrack.conf:
#upgrade_on_reboot = yes
so that it reads:
upgrade_on_reboot = yes
To install an individual Ksplice update, specify the update's ID as the argument (in this example, the ID is
dfvn0zq8):
# uptrack-upgrade dfvn0zq8
5
Patching and Updating Your System
After Ksplice has applied updates to a running kernel, the kernel has an effective version that is different
from the original boot version displayed by the uname –a command. Use the uptrack-uname command
to display the effective version of the kernel:
# uptrack-uname -a
uptrack-uname supports the commonly used uname flags, including -a and -r, and provides a way
for applications to detect that the kernel has been patched. The effective version is based on the version
number of the latest patch that Ksplice Uptrack has applied to the kernel.
To view the updates that Ksplice Uptrack has made to the running kernel:
# uptrack-show
To prevent Ksplice Uptrack from reapplying the updates at the next system reboot, create the empty file /
etc/uptrack/disable:
# touch /etc/uptrack/disable
Alternatively, specify nouptrack as a parameter on the boot command line when you next restart the
system.
A Ksplice offline client does not require a network connection to be able to apply the update package to
the kernel. For example, you could use rpm to install the update package from a memory stick. However,
a more usual arrangement would be to create a local yum server that acts as a mirror of the Ksplice for
Oracle Linux channels on ULN. At regular intervals, you download the latest Ksplice update packages to
this server. Only the local yum server requires access the Oracle Uptrack server. After installing Ksplice
Offline Client on your other systems, they need only to be able to connect to the local yum server.
6
Configuring an Oracle Linux 5 System to Use yum with ULN
Note
You cannot use the web interface or the Ksplice Uptrack API to monitor systems
that are running Ksplice Offline Client as such systems are not registered with
https://uptrack.ksplice.com.
With the plugin installed, you can immediately start to use yum instead of up2date.
• The system should also have enough disk space to store copies of the packages that it hosts. As a
general rule, you require between 6 and 10 GB of space for the packages of each major release.
Note
If you already have a local yum server, you need only perform step 1 of this
procedure.
1. Using a browser, log in at http://linux.oracle.com with the ULN user name and password that you used
to register the system, and configure its properties on ULN as follows:
a. On the Systems tab, click the link named for your system in the list of registered machines.
c. On the Edit System Properties page, select the Yum Server check box and click Apply Changes.
e. On the System Summary page, select channels from the list of available or subscribed channels
and click the arrows to move the channels between the lists.
Modify the subscribed channels to include Ksplice for Oracle Linux as well as any other channels
that you want to make available to local systems.
The following table shows the channels that are available for Ksplice on Oracle Linux.
Channel Name Channel Label Description
Ksplice for Oracle ol5_i386_ksplice Oracle Ksplice clients, updates, and
Linux 5 (i386) dependencies for Oracle Linux 5 on i386
systems.
7
Creating a Local Yum Server to Act as a Ksplice Mirror
The next table shows some of the channels that are available for Oracle Linux 6 on the x86_64
architecture.
Channel Name Channel Label Description
Oracle Linux 6 ol6_x86_64_latest All packages released for Oracle Linux 6
Latest (x86_64) including the latest errata packages.
Oracle Linux 6 ol6_x86_64_addons Oracle Linux 6 add ons.
Add ons (x86_64)
Oracle Software ol6_x86_64_oracle Oracle Software for Oracle Linux 6.
for Oracle Linux 6
(x86_64)
Oracle Linux 6 GA ol6_ga_x86_64_base All packages released for Oracle Linux 6 GA.
(x86_64) This channel does not include errata.
For more information about the release channels that are available, see http://www.oracle.com/
technetwork/articles/servers-storage-admin/yum-repo-setup-1659167.html.
f. When you have finished selecting channels, click Save Subscriptions and log out of ULN.
2. Create a base directory for the yum repository, for example /var/yum or /var/www/html/yum.
# mkdir -p /var/yum
Note
The name and location of this script might change over time. For the latest
information, see http://www.oracle.com/technetwork/articles/servers-storage-
admin/yum-repo-setup-1659167.html.
If you prefer that the script have a more meaningful name, such as
fetch_updates.sh, rename it or create a link to it.
4. Run the 167283.sh script to create the yum repositories for the registered channels.
8
Creating a Local Yum Server to Act as a Ksplice Mirror
Note
If you have not subscribed the system to the Oracle Linux Add ons channel, the
script fails with the error No package uln-yum-proxy available.
6. If you created a base directory for the yum repository that is not under /var/www/html and SELinux
is enabled in enforcing mode on your system:
a. Use the semanage command to define the default file type of the repository root directory hierarchy
as httpd_sys_content_t:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/yum(/.*)?"
b. Use the restorecon command to apply the file type to the entire repository.
# /sbin/restorecon -R -v /var/yum
7. If you created a base directory for the yum repository that is not under /var/www/html, create a
symbolic link in /var/www/html that points to the repository, for example:
# ln -s /var/yum /var/www/html/yum
a. Specify the resolvable domain name of the server in the argument to ServerName.
ServerName server_addr:80
If the server does not have a resolvable domain name, enter its IP address instead.
b. Verify that the setting of the Options directive in the <Directory "/var/www/html"> section
specifies Indexes and FollowSymLinks to allow you to browse the directory hierarchy, for
example:
Options Indexes FollowSymLinks
9. Start the Apache HTTP server, and configure it to start after a reboot.
# service httpd start
# chkconfig httpd on
10. If you have enabled a firewall on your system, configure it to allow incoming HTTP connection requests
on TCP port 80.
For example, the following command configures iptables to allow incoming HTTP connection
requests and saves the change to the firewall configuration:
# iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
9
Updating a Local Yum Server
To update the repositories for the registered channels, run the 167283.sh script on the local yum server:
It is recommended that you set up a cron job to perform this task. For example, the following crontab
entry for root runs the script twice per day at 6am and 6pm:
0 6,18 * * * sh /var/downloads/yum/167283.sh
This example assumes that the 167283.sh script is located in the /var/downloads directory.
1. In the /etc/yum.repos.d directory, edit the existing repository file, such as public-yum-
ol6.repo or ULN-base.repo, and disable all entries by setting enabled=0.
2. In the /etc/yum.repos.d directory, create the file local-yum.repo, which contains entries such
as the following for an Oracle Linux 6 client:
[ol6_x86_64_ksplice]
name=Ksplice for $releasever - $basearch
baseurl=http://local_yum_server/yum/OracleLinux/OL6/ksplice/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=1
[ol6_latest]
name=Oracle Linux $releasever - $basearch - latest
baseurl=http://local_yum_server/yum/OracleLinux/OL6/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=1
[ol6_addons]
name=Oracle Linux $releasever - $basearch - addons
baseurl=http://local_yum_server/yum/OracleLinux/OL6/addons/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=0
[ol6_oracle]
name=Oracle Linux $releasever - $basearch - oracle
baseurl=http://local_yum_server/yum/OracleLinux/OL6/oracle/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
10
For More Information About Ksplice Uptrack
gpgcheck=1
enabled=0
[ol6_ga_base]
name=Oracle Linux $releasever GA - $basearch - base
baseurl=http://local_yum_server/yum/OracleLinux/OL6/0/base/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=0
Replace local_yum_server with the IP address or resolvable host name of the local yum server.
In the sample configuration, only the ol6_latest and ol6_x86_64_ksplice channels are enabled.
Note
If yum cannot connect to the local yum server, check that the firewall settings on that server allow
incoming TCP connections to port 80.
4. Install the Ksplice updates that are available for the kernel.
As new Ksplice updates are made available, you can use this command to pick up these updates
and apply them. It is recommended that you set up a cron job to perform this task. For example, the
following crontab entry for root on an Oracle Linux 6 system runs the command once per day at
7am:
0 7 * * * yum install uptrack-updates-`uname -r`
To display information about Ksplice updates, use the rpm -qa | grep uptrack-updates and
uptrack-show commands.
11
12
Chapter 2. Ksplice Uptrack API
Table of Contents
2.1. About the Ksplice Uptrack API ................................................................................................... 13
2.2. Viewing Your API User Name and API Key ................................................................................ 13
2.3. Generating a New API Key ........................................................................................................ 13
2.4. Installing the Command Line API Tools ...................................................................................... 14
2.5. About the Command Line API Tools ........................................................................................... 14
2.5.1. uptrack-api-authorize ............................................................................................ 14
2.5.2. uptrack-api-describe .............................................................................................. 14
2.5.3. uptrack-api-list ...................................................................................................... 15
2.5.4. Specifying the User Name and API Key ........................................................................... 15
2.5.5. Specifying a Proxy .......................................................................................................... 15
2.6. About the API Implementation .................................................................................................... 16
2.6.1. Versioning ....................................................................................................................... 16
2.6.2. Authentication ................................................................................................................. 16
2.6.3. Request Format .............................................................................................................. 16
2.6.4. Supported Requests ........................................................................................................ 16
2.6.5. Sample Interaction .......................................................................................................... 18
2.7. Configuring the check_uptrack Nagios Plugin .............................................................................. 18
2.7.1. Using the Nagios Plugins ................................................................................................ 19
2.8. For More Information About the Ksplice Uptrack API ................................................................... 20
The API tells you what updates machines have, if you have out of date, inactive, or unsupported machines,
and more. The Python bindings come with the check_uptrack and check_uptrack_local plugins for
Nagios, which allows you to monitor the status of your machines.
You cannot use the Ksplice Uptrack API to monitor systems that are running Ksplice Offline Client as such
systems are not registered with https://uptrack.ksplice.com.
2. On the Settings page, select the Generate a new API key? check box and click Save Changes.
13
Installing the Command Line API Tools
Note
The Python bindings are installed in the Python site-packages directory, typically /usr/lib/
python2.6/site-packages/ksplice. The API tools are installed in /usr/bin.
2.5.1. uptrack-api-authorize
uptrack-api-authorize uses the authorize API call to change the authorization for a single
machine, for example:
$ uptrack-api-authorize -u api_username -k api_key uuid deny
Successfully denied access for uuid.
$ uptrack-api-authorize -u api_username -k api_key uuid allow
Successfully allowed access for uuid .
Note
To view your API user name and API key, log in to https://uptrack.ksplice.com and
select the Settings tab.
2.5.2. uptrack-api-describe
uptrack-api-describe uses the describe API call to get detailed information on a single machine
specified by its UUID, for example:
$ uptrack-api-describe -u api_username -k api_key uuid
prod1.mydom.com (192.168.1.100)
Effective kernel: 2.6.18-194.11.1.el5
This machine is no longer active
14
uptrack-api-list
Alternatively, specify the --this-machine option if you are running the script on the machine that you
want to check:
$ uptrack-api-describe -u api_username -k api_key --this-machine
qa.mydom.com (192.168.1.200)
Effective kernel: 2.6.18-194.8.1.el5
This machine is active
Last seen on 2010-09-15T12:43:07Z
OS status: Out of date:
* Install v8gacfip CVE-2010-2521: Remote buffer overflow in NFSv4 server.
* Install 3c4sopia CVE-2010-2226: Read access to write-only files in XFS filesystem.
* Install oiqwvltu CVE-2010-2240: Privilege escalation vulnerability in memory management.
2.5.3. uptrack-api-list
uptrack-api-list uses the machines API call to return a list of all of your machines and their
statuses, for example:
$ uptrack-api-list -u api_username -k api_key
- dev1.mydom.com (192.168.1.102): outofdate
- qa1.mydom.com (192.168.1.103): outofdate (inactive)
- prod1.mydom.com (192.168.1.100): uptodate
- prod2.mydom.com (192.168.1.101): uptodate
You can also set the user name and api key in the UPTRACK_API_USERNAME and UPTRACK_API_KEY
environment variables, for example:
$ export UPTRACK_API_USERNAME=jo.admin@mydom.com
$ export UPTRACK_API_KEY=3af3c2c1ec407feb0fdc9fc1d8c4460c
$ uptrack-api-describe --this-machine
where protocol is http or https, username and password authenticate you with the proxy (if
required), and proxy and port are the host name or IP address and port number used to connect to the
proxy.
For example:
https_proxy = http://proxy.example.com:3128/
15
About the API Implementation
2.6.1. Versioning
This document describes version 1 of the API. All requests go to paths that begin with /api/1/.
2.6.2. Authentication
Authentication to the Uptrack API server uses a user name and an API key that are specified in custom
HTTP headers. Specifically, all requests must include X-Uptrack-User and X-Uptrack-Key HTTP
headers that specify the API user name and API key of the user making the request.
These headers are not required at present as the API supports only JSON-encoded data, but future
versions of the API might support additional data-encoding formats.
16
Supported Requests
allowed The machine is allowed to communicate with the Uptrack servers and to receive updates.
denied The machine has been denied access to the Uptrack servers via the web interface, uptrack-
api-authorize, or the authorize API call.
pending This account has the default deny policy set for new machines, and the machine has not yet
been authorized.
The mmap_min_addr field is the value of /proc/sys/vm/mmap_min_addr or None for clients prior to
version 1.0.3.
The uptrack_client_version field is the version of the Uptrack client that the machine is running.
effective_kernel Ksplice has applied all of the important security and reliability updates that are
needed to bring the machine into line with this kernel version.
group The group to which the machine is assigned. You can also use the web interface
to manage machine groups.
original_kernel The kernel version that the system had before any Ksplice updates were applied.
steps A list of 2-element lists of the form [action, {'ID': update_id, 'Name':
update_name}], representing the updates that need to be installed or removed
to bring the machine up to date. action can be Install or Remove. A existing
update is removed if it superseded by a newer version.
17
Sample Interaction
where string is the name of the new group. The group is created if it does not already exist. If the
account does not have a machine with the specified UUID, the request results in an HTTP 404 error.
To remove a machine from a group, you can set the group to something else, or an empty string for no
group.
The following request for a list of registered machines is made to the server:
The server authenticates the request and responds with the list of machines:
HTTP/1.0 200 OK
Date: Mon, 03 May 2010 21:09:48 GMT
Content-Type: application/json
1. Set the username and api_key variables in the configuration file /etc/uptrack-api.conf under
an [uptrack] section heading, for example:
[uptrack]
username = jo.admin@mydom.com
api_key = 3af3c2c1ec407feb0fdc9fc1d8c4460c
2. If you access the Internet via a proxy, specify the connection information in the [uptrack] section of /
etc/uptrack-api.conf:
https_proxy = [protocol://][username:password@]proxy[:port]
where protocol is http or https, username and password authenticate you with the proxy (if
required), and proxy and port are the host name or IP address and port number used to connect to
the proxy.
For example:
https_proxy = http://proxy.example.com:3128/
18
Using the Nagios Plugins
3. Configure the check_uptrack plugin in the Nagios configuration file, usually /usr/local/nagios/
etc/nagios.cfg. The following minimal configuration alows you to run the plugin:
# Dummy host with which to associate the Uptrack service
define host {
host_name uptrack-service
notifications_enabled 0
max_check_attempts 1
notification_interval 0
check_period never
contacts server-admins
}
define service {
host_name uptrack-service
service_description Ksplice Uptrack Update Status
check_command check_uptrack
notifications_enabled 1
normal_check_interval 60
retry_check_interval 15
max_check_attempts 4
notification_options w,c,r
contacts server-admins
}
define command {
command_name check_uptrack
command_line /usr/lib/nagios/plugins/check_uptrack
}
define command {
command_name check_uptrack_opts
command_line /usr/lib/nagios/plugins/check_uptrack -w $ARG1$ -c $ARG2$
}
This command produces a summary about your machines in the standard Nagios plugin format, for
example:
2 machines are OUTOFDATE!|uptodate=1280;outofdate=1;unsupported=0;inactive=3
prod1.mydom.com (192.168.1.1) is OUTOFDATE
prod2.mydom.com (192.168.1.2) is OUTOFDATE
If you specify the -c or -w options with a comma-separated list of the arguments i, o, or u for inactive out
of date, or unsupported machines, check_uptrack displays critical or warning notices for machines that
match those criteria. For example, the following command returns warning notices for any machines that
are inactive or unsupported, and critical notices for any machines that are out of date:
/usr/lib/nagios/plugins/check_uptrack -w u,i -c o
To monitor the local machine, you can use the check_uptrack_local plugin:
# /usr/lib/nagios/plugins/check_uptrack_local
The output from check_uptrack_local is similar to that from check_uptrack. However, for out-of-
date machines, it also lists the updates that are required to bring the machine up to date.
19
For More Information About the Ksplice Uptrack API
Note
check_uptrack_local reads the local Uptrack update cache. It does not use the
settings in /etc/uptrack-api.conf.
20