[Xymon] linked libs test warning bpfilter_umh
Adam Thorn
alt36 at cam.ac.uk
Sun Jul 11 19:52:17 CEST 2021
On 11/07/2021 00:34, Rich H wrote:
> I have the following installed on Ubuntu server 20.04,
>
> hobbit-plugins/focal,now 20191218 all
> xymon/focal,now 4.3.30-1 amd64
> xymon-client/focal,now 4.3.30-1 amd64
>
> Many of my hosts keep getting the yellow warning on the libs test:
>
>
> Sat Jul 10 23:21:58 2021 - libs NOT ok
>
> green Newest kernel is running: 5.4.0-77-generic, version #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021
>
> yellow The following processes have libs linked that were upgraded:
>
> root:
> / (deleted) (768)
>
> The system is up to date, and I have not run an update since the last reboot
> That process is bpfilter_umh. Reboot does not seem to clear it.
> Not all of my hosts have it, but many do. Why is it (deleted) and
> how can I clear it?
bpfilter_umh is the "usermode helper" process which is automatically
spawned when the bpfilter kernel module is loaded.
https://lwn.net/Articles/749108/
https://kernelnewbies.org/KernelProjects/usermode-helper-enhancements
It looks like the way this all works is that, when loaded, the kernel
module provides a blob of binary data which is the executable rather
than there being an executable on disk. I think this also means the info
in /proc for the process is not quite what the libs test is used to, e.g.
# ls /proc/119667/exe -l
lrwxrwxrwx 1 root root 0 Jul 11 18:38 /proc/119667/exe -> '/ (deleted)'
because there is no executable! Presumably the assumption in the code
which populates /proc is "file not present => it must have been deleted"
I've checked my focal servers and the bpfilter module is not in use on
any of them, so you might find it useful to identify if/why bpfilter is
loading on your hosts. Regardless, I think the only solution here is
either a) stop bpfilter loading if it isn't actually in use, or b) make
the xymon libs test ignore this. For (b), put the following in
/etc/xymon/libs.local.yaml - either these 4 lines verbatim if you don't
yet have that yaml file, or merge with the existing whitelist dict if
you do:
---
whitelist:
'/ (deleted)':
- '^/ \(deleted\)$'
Regards,
Adam
More information about the Xymon
mailing list