[Hotfix] mk_oracle for 2.2.0p24 and 2.1.0p41

Dear users,

since we have introduced severe regressions in both mk_oracle agent plugins, for Windows and for Linux, we will post the current state of the fixes here as MKPs so that you are able to test the status.

These MKPs will first be tested internally and by some specific customers. As soon as those tests are successful, we will upload them here.

Feedback is then very welcome!

Regards
Timi


[Latest Update from 10th of April, 14:45]

mk_oracle_220-1.0.14.mkp (38.7 KB)
mk_oracle_210-1.0.14.mkp (36.9 KB)

Hi all,

we now have two MKPs ready (2.2 and 2.1) which include the following fixes:

mk_oracle: Follow-up to privilege escalation fix

You might be affected by this Werk if you use mk_oracle on a Unix
system.

You might be affected by this Werk if you use an Oracle wallet to connect to your
database.

You are definitely affected by this Werk if you use an Oracle wallet to connect to your
database and followed the instructions in our official documentation to set up your
configuration.

This Werk fixes connection problems introduced with 2.1.0p41, 2.2.0p24 and 2.3.0b4.

Since Werk #16232 we switch to an
unprivileged user when executing Oracle binaries. This causes problems when
using an Oracle wallet, as the unprivileged user might not be able to access the
files defining the connection details and credentials.

We introduced an additional permission check to the -t “Just check
the connection” option of mk_oracle. It should help you modify
the permissions so that you can continue using mk_oracle with an Oracle wallet.

You can execute it with the following command:

MK_CONFDIR=/etc/check_mk/ MK_VARDIR=/var/lib/check_mk_agent /usr/lib/check_mk_agent/plugins/mk_oracle --no-spool -t

The path to mk_oracle might be different if you execute it asynchronously. For a
60 second interval the path would be /usr/lib/check_mk_agent/plugins/60/mk_oracle

The script will test permissions of the files needed to connect to the database. It boils down to the following:

mk_oracle will switch to the owner of
$ORACLE_HOME/bin/sqlplus before executing sqlplus. So
this user has to have the following permissions:

  • read $TNS_ADMIN/sqlnet.ora
  • read $TNS_ADMIN/tnsnames.ora
  • execute (traverse) the wallet folder (/etc/check_mk/oracle_wallet if you followed the official documentation)
  • read the files inside the wallet folder (/etc/check_mk/oracle_wallet/* if you followed the official documentation)

Besides that, we also fixed some bash syntax errors we introduced with
Werk #16232.

mk_oracle: Follow-up to privilege escalation fix: sqlnet.ora

You are affected by this Werk if you use the mk_oracle agent plugin on Unix.

mk_oracle only works if it can find a sqlnet.ora in your
$TNS_ADMIN folder. In the past, mk_oracle executed all Oracle
binaries as root, so sqlnet.ora was always readable. With Werk #16232 the Oracle binaries are
executed as a low-privileged user, so it might be the case that
sqlnet.ora cannot be read by this user.

mk_oracle will exit early if it cannot read sqlnet.ora. The
error message might look like:

/etc/check_mk/sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.

The error message will also be visible in the oracle_instance check.

If you use the agent bakery to roll out mk_oracle to unix servers using
.rpm, .deb or Solaris .pkg packages, you have to use
the ‘sqlnet.ora permission group’ bakery rule to adapt the group of the
sqlnet.ora file, otherwise your permission changes might be
overwritten by updating the agent.

Otherwise it is sufficient to adapt the permissions.

If you install the agent on Unix using the tgz package, you will have
to manually adjust the permissions of the sqlnet.ora file.

mk_oracle: report failed login

Due to fixes introduced with
Werk #16234 a failed login to the
oracle database was not reported as critical, but the services were going
stale. This is now fixed.

Please let us know if you have feedback.
Thanks

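To make the four permission requirements from the Werk above concrete, here is a small bash script that reproduces that check outside of mk_oracle. It is an added example, not code from the Checkmk project or the mk_oracle plugin: it determines the owner of $ORACLE_HOME/bin/sqlplus (the user mk_oracle switches to), then decides read/traverse access for that user from the file mode bits and the user's group membership instead of `test -r`, so the result is correct even when you run it as root, where `test -r` would always succeed. It goes slightly beyond the Werk in that it also honours group permissions, which is what the ‘sqlnet.ora permission group’ bakery rule relies on. It assumes GNU coreutils (`stat -c`, `id -Gn`), i.e. a Linux host, and the paths from the official documentation (/etc/check_mk for TNS_ADMIN and /etc/check_mk/oracle_wallet) as defaults when run stand-alone; the function and variable names are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of Checkmk's mk_oracle: check that the user owning
# $ORACLE_HOME/bin/sqlplus can reach the files mk_oracle needs for a wallet login.
# Assumes GNU coreutils (stat -c, id -Gn) on Linux.

# can_user_access USER PATH r|x -> exit 0 if USER may read (r) or traverse (x) PATH.
# Decided from mode bits + group membership, so it also works when run as root.
can_user_access() {
    local user="$1" path="$2" want="$3"
    local owner group mode bit perms
    [ -e "$path" ] || return 1
    owner=$(stat -c %U "$path")
    group=$(stat -c %G "$path")
    mode=$(stat -c %a "$path")            # e.g. 640 or 1777
    case "$want" in r) bit=4 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$owner" = "$user" ]; then
        perms=$(( (0$mode >> 6) & 7 ))    # owner triplet
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        perms=$(( (0$mode >> 3) & 7 ))    # group triplet (user is a member)
    else
        perms=$(( 0$mode & 7 ))           # world triplet
    fi
    [ $(( perms & bit )) -ne 0 ]
}

# check_mk_oracle_perms SQLPLUS TNS_ADMIN WALLET_DIR
# Prints one line per problem and returns the number of problems (0 = all good).
check_mk_oracle_perms() {
    local sqlplus="$1" tns_admin="$2" wallet="$3"
    local user problems=0 f
    user=$(stat -c %U "$sqlplus" 2>/dev/null) || { echo "cannot stat $sqlplus"; return 1; }
    # 1+2: sqlnet.ora and tnsnames.ora must be readable by the sqlplus owner
    for f in "$tns_admin/sqlnet.ora" "$tns_admin/tnsnames.ora"; do
        if ! can_user_access "$user" "$f" r; then
            echo "$f can not be read by user \"$user\": adjust its group/mode (or use the 'sqlnet.ora permission group' bakery rule)"
            problems=$((problems + 1))
        fi
    done
    # 3: the wallet directory must be traversable (x bit) by that user
    if ! can_user_access "$user" "$wallet" x; then
        echo "$wallet can not be entered by user \"$user\": it needs the execute bit for that user or one of its groups"
        problems=$((problems + 1))
    fi
    # 4: every file inside the wallet directory must be readable by that user
    for f in "$wallet"/*; do
        [ -f "$f" ] || continue
        if ! can_user_access "$user" "$f" r; then
            echo "$f can not be read by user \"$user\""
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: mimic the -t check with the layout from the documentation.
# Only runs when ORACLE_HOME is set and the file is executed directly.
if [ -n "$ORACLE_HOME" ] && [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_mk_oracle_perms "$ORACLE_HOME/bin/sqlplus" "${TNS_ADMIN:-/etc/check_mk}" /etc/check_mk/oracle_wallet
fi
```

Run it as root with ORACLE_HOME exported; an exit status of 0 means the sqlplus owner can reach everything, otherwise each printed line names the file to fix. Note that it checks only the four items from the Werk; the directories leading to $TNS_ADMIN and the wallet also need the execute bit for that user, which most installations already have.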

Do you already know when 2.2.0p25 will be released? We have been waiting a long time for a few fixes that are included in 2.2.0p25.

Until the problems with the mk_oracle are definitely solved you should keep the previous version. Those who really need the new security feature can use the MKP for the time being.


A p25 is planned as soon as the Oracle fixes are final, hopefully early next week. We will likely only include the Oracle fixes in it though.
After that, we can take proper time to test all other changes currently in the pipeline.


Hi @martin.hirschvogel

I very much appreciate Checkmk’s efforts to make Checkmk as safe as possible, and with all understanding for the problem, I still don’t think it’s good that an entire release with corrections that go back to September 2023 is blocked because of a single isolated problem. One could point out in the release under “Known problems” that a definitive solution is still being worked on and that own measures must be taken until then.

As long as the agent runs under root, you will have the same problem with any plugin that executes a command that belongs to another user. This would mean that you now have to fix all checks that execute such commands.

This is the reason why we run all agents (including those from other providers) under an unprivileged user. We’ve had some interesting discussions with checkmk about this issue over the last years, but unfortunately it never became more concrete.

Perhaps some of these ideas will help to make the agent and monitoring even more secure:

Regards, Lars


Hi Lars,

we will do a subsequent release with the patches you are waiting for quite quickly then.

Non-root agent:
I think the time is ripe now for bringing the stuff we have been discussing for a long time to fruition. We will share our plans in that direction at the conference. We have reserved capacity for this year to move the agent in that direction.

Thanks for dedicating time on the weekend!

Martin


Hi Martin, do you have an update on the release schedule for p25?
Thank you


Most customer testing is done here and Linux looks good. We have one edge case issue in Windows at the moment, which we are analyzing together with a customer.


Hello everybody,

we just released 2.2.0p25, which only includes the fixes regarding the recent Oracle regressions:

In case you’re interested, this release was built from this branch and shows the minimal set of changes:

Best regards and happy weekend!


We just released 2.1.0p42, which only includes the fixes regarding the recent Oracle regressions: