Monitoring failure in linux daemon update

Comments (21)

1. 

   SzV reporter

   • edited description

   • 2016-01-15T11:33:34+00:00
2. 

   SzV reporter

   • edited description

   • 2016-01-15T11:33:48+00:00
3. 

   Tildeslash repo owner

   which monit version it is? (monit -V)

   can you send a monit log to support@tildeslash.com?

   • 2016-01-15T12:07:22+00:00
4. 

   SzV reporter

   version 5.10

   sent.

   • 2016-01-15T12:33:52+00:00
5. 

   SzV reporter

   Start looking at [CET Jan 15 06:39:34] debug : 'sshd_bin' file exists

   • 2016-01-15T12:40:53+00:00
6. 

   Tildeslash repo owner

   Please can you post the configuration of the sftp_bin service? Which action do you use if the checksum failed?

   It seems that the monitoring was disabled after the checksum failure (most probably by unmonitor or stop action), which resets the file informations, so all tests after the one which disabled the monitoring will work with zero values ... we'll fix.

   • 2016-01-15T14:47:23+00:00
7. 

   SzV reporter

    check process sshd with pidfile /var/run/sshd.pid
      group system
      group sshd
      start program = "/etc/init.d/ssh start"
      stop  program = "/etc/init.d/ssh stop"
      if failed host localhost port 22 with proto ssh then restart
      if 5 restarts with 5 cycles then timeout
      depend on sshd_bin
      depend on sftp_bin
      depend on sshd_rc
      depend on sshd_rsa_key
      depend on sshd_dsa_key
   
    check file sshd_bin with path /usr/sbin/sshd
      group sshd
      include /etc/monit/templates/rootbin
   
    check file sftp_bin with path /usr/lib/openssh/sftp-server
      group sshd
      include /etc/monit/templates/rootbin
   
    check file sshd_rsa_key with path /etc/ssh/ssh_host_rsa_key
      group sshd
      include /etc/monit/templates/rootstrict
   
    check file sshd_dsa_key with path /etc/ssh/ssh_host_dsa_key
      group sshd
      include /etc/monit/templates/rootstrict
   
    check file sshd_rc with path /etc/ssh/sshd_config
      group sshd
      include /etc/monit/templates/rootrc
   

   • 2016-01-15T14:50:50+00:00
8. 

   SzV reporter

   I suspect monit holds on to the old - deleted - inode on the filesystem.

   • 2016-01-15T14:52:34+00:00
9. 

   Tildeslash repo owner

   Please can you post content of /etc/monit/templates/rootbin? (that file most probably contains the checksum test and action on failure.

   The problem is not related to old binary's inode, it is really internal stuff (reset of service data after unmonitor/stop action class) - we have reproduced the problem with unmonitor action, just need to be sure which action you use so we can test the same.

   • 2016-01-15T14:59:39+00:00
10. 

    SzV reporter

     if failed checksum       then unmonitor
     if failed permission 755 then unmonitor
     if failed uid root       then unmonitor
     if failed gid root       then unmonitor
    

    • 2016-01-15T15:04:49+00:00
11. 

    Tildeslash repo owner

    thanks for data, working on fix

    • 2016-01-15T15:09:11+00:00
12. 

    SzV reporter

    Thank you for your work.

    • 2016-01-15T15:10:00+00:00
13. 

    Tildeslash repo owner

    • changed status to resolved

    Fix Issue #315: If some file, filesystem, directory or fifo test triggered unmonitor, stop or restart, the tests which followed the one which performed that action may fail as the collected data were reset to zero during unmonitor/stop/restart action. The status also showed wrong values for uid, gid, permission and timestamp during that cycle.

    → <<cset fb5f579000f6>>

    • 2016-01-15T16:41:22+00:00
14. 

    SzV reporter

    Thank you! I've just packaged monit-5.16.deb for testing.

    • 2016-01-15T22:38:10+00:00
15. 

    SzV reporter

    @tildeslash OK, It works now. Is there a command to issue after a service update when the checksum changes? The only way I know of is restarting monit.

    • 2016-04-28T08:05:32+00:00
16. 

    Tildeslash repo owner

    You can use "if changed checksum", instead of "if failed checksum":

    if changed checksum then alert
    

    It will notify you whenever the checksum changed, no need for monit reload.

    • 2016-04-29T09:52:44+00:00
17. 

    SzV reporter

    OK. I don't want it to automatically accept changed checksums.

    Is there a way to manually accept changed checksums?

    • 2016-04-29T11:05:36+00:00
18. 

    Tildeslash repo owner

    If you use the "if failed checksum", the value is initialised on Monit start/reload only - currently the only way is to reload monit.

    • 2016-04-29T11:24:07+00:00
19. 

    SzV reporter

    Thank you! It is very nice of you that you tell it.

    • 2016-04-29T11:27:30+00:00
20. 

    SzV reporter

    Please consider a solution for package upgrades. Thanks again.

    • 2016-04-29T11:28:35+00:00
21. 

    SzV reporter

    My solution is to stop monit during packages upgrades.

        cat > /etc/apt/apt.conf.d/05monit <<"EOF"
    DPkg::Pre-Invoke { "[ -x /usr/bin/monit ] && /etc/init.d/monit stop" };
    DPkg::Post-Invoke { "[ -x /usr/bin/monit ] && /etc/init.d/monit start" };
    EOF
    

    • 2016-09-22T16:24:53+00:00
22. Log in to comment