calestyo / check_yum Goto Github PK

yum check-output splits output about a package over two lines with the package name is long, like so:

java-1.7.0-openjdk-devel.x86_64
                               1:1.7.0.99-2.6.5.0.el6_7 rhel-6-server-rpms    

This confuses the code in get_all_updates().

A crude hack to fix this is to post-process the return value of self.run(cmd): append any line that starts with whitespace to the preceding line.

Hi,

It seems like when security updates are surpassed by non-security updates the security update is missed.

Not sure where the fault lies, check_yum does not see the list of packages in the '/usr/bin/yum --security check-update' output or if it is a '/usr/bin/yum --security check-update' bug, which concludes there are 'No packages needed for security', but still shows in between updates that are security upgrades.

./check_yum -vvvv
check_yum - Version 1.1.0

setting plugin timeout to 55 seconds
running command: /usr/bin/yum --security check-update
Returncode: '100'
Output: 'Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile

• epel: mirror-fr1.bbln.org
• openvz-kernel-rhel6: openvz.proserve.nl
• openvz-utils: openvz.proserve.nl
• rpmforge: mirror.de.leaseweb.net
  Limiting package lists to security relevant ones
  No packages needed for security; 28 packages available

facter.x86_64 1:2.4.1-1.el6 puppetlabs-products
tzdata.noarch 2015a-1.el6 updates
'
0 Security Updates Available. 28 Non-Security Updates Available

yum check-update --security -v
Loading "changelog" plugin
Loading "fastestmirror" plugin
Loading "security" plugin
Config time: 0.048
Yum Version: 3.2.29
rpmdb time: 0.000
Building updates object
Setting up Package Sacks
Loading mirror speeds from cached hostfile

• epel: mirror-fr1.bbln.org
• openvz-kernel-rhel6: openvz.proserve.nl
• openvz-utils: openvz.proserve.nl
• rpmforge: mirror.de.leaseweb.net
  Limiting package lists to security relevant ones
  Building updates object
  up:Obs Init time: 0.666
  up:simple updates time: 0.024
  up:obs time: 0.018
  up:condense time: 0.000
  updates time: 3.798
  --> unzip-6.0-2.el6_6.x86_64 from updates excluded (non-security)
  --> cyrus-sasl-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
  --> dracut-004-356.el6_6.1.noarch from updates excluded (non-security)
  --> 32:bind-utils-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
  --> subversion-1.6.11-12.el6_6.x86_64 from updates excluded (non-security)
  --> augeas-libs-1.0.0-7.el6_6.1.x86_64 from updates excluded (non-security)
  --> cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
  --> vzkernel-2.6.32-042stab106.4.x86_64 from openvz-kernel-rhel6 excluded (non-security)
  --> kpartx-0.4.9-80.el6_6.3.x86_64 from updates excluded (non-security)
  --> libssh2-1.4.2-1.el6_6.1.x86_64 from updates excluded (non-security)
  --> tzdata-2015b-1.el6.noarch from updates excluded (non-security)
  --> tcsh-6.17-25.el6_6.x86_64 from updates excluded (non-security)
  --> ruby-rdoc-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
  --> cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64 from updates excluded (non-security)
  --> vzkernel-headers-2.6.32-042stab106.4.x86_64 from openvz-kernel-rhel6 excluded (non-security)
  --> 2:shadow-utils-4.1.4.2-19.el6_6.1.x86_64 from updates excluded (non-security)
  --> libcurl-7.19.7-40.el6_6.4.x86_64 from updates excluded (non-security)
  --> 32:bind-libs-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
  --> ruby-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
  --> 1:busybox-1.15.1-21.el6_6.x86_64 from updates excluded (non-security)
  --> dracut-kernel-004-356.el6_6.1.noarch from updates excluded (non-security)
  --> curl-7.19.7-40.el6_6.4.x86_64 from updates excluded (non-security)
  --> puppet-3.7.5-1.el6.noarch from puppetlabs-products excluded (non-security)
  --> ruby-libs-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
  --> 32:bind-9.8.2-0.30.rc1.el6_6.2.x86_64 from updates excluded (non-security)
  --> ruby-irb-1.8.7.374-4.el6_6.x86_64 from updates excluded (non-security)
  --> 1:facter-2.4.3-1.el6.x86_64 from puppetlabs-products excluded (non-security)
  --> krb5-libs-1.10.3-37.el6_6.x86_64 from updates excluded (non-security)
  No packages needed for security; 28 packages available
  pkgsack time: 8.451
  up:Obs Init time: 0.623
  up:simple updates time: 0.018
  up:obs time: 0.022
  up:condense time: 0.000
  updates time: 10.116

facter.x86_64 1:2.4.1-1.el6 puppetlabs-products
tzdata.noarch 2015a-1.el6 updates

What steps will reproduce the problem?
1. Run check_yum through nrpe
2.
3.

What is the expected output? What do you see instead?

I expect to see 21 critical etc but intest I get "NRPE: Unable to read output"

What version of the product are you using? On what operating system?

1.0

Please provide any additional information below.

Due to the nature of the environment we can only use nrpe.  Runing your plugin 
locally works fine.  Running it throught NRPE (even on the localhost) and it 
fails.

Original issue reported on code.google.com by [email protected] on 30 Jan 2014 at 1:42

I think it would be good to re-implement check_yum either in C or C++... or 
possibly in Perl.

C/C++ have the typical advantages of real programming languages... 
(performance, etc.).

Perl, while also being a crappy script language, has at least some "special" 
support within Nagios/Icinga via the embedded Perl interpreter.


Anyway, this is surely a long term goal. 

Original issue reported on code.google.com by [email protected] on 9 Oct 2012 at 12:08

It seems that --no-warn-on-lock doesn't work in YUM versions of RHEL 5 and 6.

Original issue reported on code.google.com by [email protected] on 13 Sep 2012 at 11:09

YUM output signature is larger than current known format, please make sure you have upgraded to the latest version of this plugin. If the problem persists, please contact the author for a fix

Example output of yum in that case:

[root@joker plugins]# yum check-update
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
core | 3.0 kB 00:00:00
epel/x86_64/metalink | 26 kB 00:00:00
extras | 3.4 kB 00:00:00
icinga2_repo | 2.5 kB 00:00:00
saltstack-repo | 2.9 kB 00:00:00
updates | 3.4 kB 00:00:00
icinga2_repo/7/primary_db | 17 kB 00:00:00
Loading mirror speeds from cached hostfile

• base: mirror.de.leaseweb.net
• epel: mirror.de.leaseweb.net
• extras: ftp.plusline.de
• updates: centos.intergenia.de

ImageMagick.x86_64 6.7.8.9-15.el7_2 core
Percona-XtraDB-Cluster-shared-56.x86_64 1:5.6.30-25.16.1.el7 core
device-mapper.x86_64 7:1.02.107-5.el7_2.5 updates
device-mapper-event.x86_64 7:1.02.107-5.el7_2.5 updates
device-mapper-event-libs.x86_64 7:1.02.107-5.el7_2.5 updates
device-mapper-libs.x86_64 7:1.02.107-5.el7_2.5 updates
dracut.x86_64 033-360.el7_2.1 core
epel-release.noarch 7-7 core
icingaweb2-common.noarch 2.3.4-1.el7.centos icinga2_repo
iproute.x86_64 3.10.0-54.el7_2.1 core
iscsi-initiator-utils.x86_64 6.2.0.873-33.el7_2.1 core
iscsi-initiator-utils-iscsiuio.x86_64 6.2.0.873-33.el7_2.1 core
kernel.x86_64 3.10.0-327.22.2.el7 core
kernel-headers.x86_64 3.10.0-327.22.2.el7 core
kpartx.x86_64 0.4.9-85.el7_2.5 core
leveldb.x86_64 1.12.0-11.el7 core
libsmbclient.x86_64 4.2.10-6.2.el7_2 core
libvirt.x86_64 1.2.17-13.el7_2.5 core
libvirt-client.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-config-network.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-config-nwfilter.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-interface.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-lxc.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-network.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-nodedev.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-nwfilter.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-qemu.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-secret.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-driver-storage.x86_64 1.2.17-13.el7_2.5 core
libvirt-daemon-kvm.x86_64 1.2.17-13.el7_2.5 core
libvirt-devel.x86_64 1.2.17-13.el7_2.5 core
libvirt-docs.x86_64 1.2.17-13.el7_2.5 core
libwbclient.x86_64 4.2.10-6.2.el7_2 core
libxml2.x86_64 2.9.1-6.el7_2.3 core
libxml2-devel.x86_64 2.9.1-6.el7_2.3 core
lvm2.x86_64 7:2.02.130-5.el7_2.5 updates
lvm2-libs.x86_64 7:2.02.130-5.el7_2.5 updates
nfs-utils.x86_64 1:1.3.0-0.21.el7_2.1 core
polkit.x86_64 0.112-7.el7_2 core
python-perf.x86_64 3.10.0-327.22.2.el7 core
python-pip.noarch 8.1.2-1.el7 core
python-requests.noarch 2.10.0-1.el7 core
python-urllib3.noarch 1.15.1-2.el7 core
rpcbind.x86_64 0.2.0-33.el7_2.1 core
salt.noarch 2016.3.1-1.el7 saltstack-repo
salt-minion.noarch 2016.3.1-1.el7 saltstack-repo
samba-client.x86_64 4.2.10-6.2.el7_2 core
samba-client-libs.x86_64 4.2.10-6.2.el7_2 core
samba-common.noarch 4.2.10-6.2.el7_2 core
samba-common-libs.x86_64 4.2.10-6.2.el7_2 core
samba-common-tools.x86_64 4.2.10-6.2.el7_2 core
samba-libs.x86_64 4.2.10-6.2.el7_2 core
spice-server.x86_64 0.12.4-15.el7_2.1 core
systemd.x86_64 219-19.el7_2.11 core
systemd-libs.x86_64 219-19.el7_2.11 core
systemd-python.x86_64 219-19.el7_2.11 core
systemd-sysv.x86_64 219-19.el7_2.11 core
Obsoleting Packages
python2-babel.noarch 2.3.4-1.el7 core
python-babel.noarch 1.3-6.el7 @core
python2-babel.noarch 2.3.4-1.el7 core
python-babel.noarch 1.3-6.el7 @core
python2-babel.noarch 2.3.4-1.el7 core
python-babel.noarch 1.3-6.el7 @core
python2-babel.noarch 2.3.4-1.el7 core
python-babel.noarch 1.3-6.el7 @core
python2-setuptools.noarch 22.0.5-1.el7 core
python-setuptools.noarch 0.9.8-4.el7 @base
python2-setuptools.noarch 22.0.5-1.el7 core
python-setuptools.noarch 0.9.8-4.el7 @base
python2-setuptools.noarch 22.0.5-1.el7 core
python-setuptools.noarch 0.9.8-4.el7 @base
python2-setuptools.noarch 22.0.5-1.el7 core
python-setuptools.noarch 0.9.8-4.el7 @base
[root@joker plugins]#

Hari Sekhon noted, that there may be issues, when invoked as non-root:
“It was requested to not run as root but some experimentation has shown that 
package information is generally less reliable when running as a normal user. 
YUM incorrectly returns less or no security updates, which are shown when run 
as root. I believe this is due to YUM repository files not being readable by a 
non-privileged user (especially 3rd party repositories). If you relax the 
permissions on those repository files it may be possible to run this as a 
non-root user, but you should first check for differences in results on your 
systems between running as root or as an ordinary user.”

The reasons may be gone by now - or not.
There may be bugs in YUM itself.

Follow all this up.

Original issue reported on code.google.com by [email protected] on 1 May 2012 at 1:18

A user reports via mail:
hi! we had an issue with check_yum spawning yum processes without
killing them when yum is stuck waiting for a lock. to see this happen, run

yum install isdn4k-utils

(or some other package not installed already) and do NOT answer yes, but
leave it waiting.

the timeout code will kill the python script itself after 55 seconds,
but the child process will be left behind. we had a server dying due to
the lack of memory after a while, since Icinga runs the check every 5
minutes when it is in non-OK state...

the included patch will simply disable check_yum's own signal handler
for SIGALRM and then proceed to send SIGALRM to all processes in its
process group. this will include the forked nrpe parent, but not nrpe
itself. when run interactively in a shell without job control, it may
also terminate that interactive shell. I don't think it is worthwhile
to complicate the code to avoid that behaviour.

also, have you heard that Google Code is shutting down? would be good
to migrate your project to Github or similar. if you have already done
so, please update

http://exchange.nagios.org/directory/Plugins/Operating-Systems/Linux/check_yum/details

thanks!

See attached patch.


    Added perfdata and longoutput with ERRATA IDs

    Option added:
      -l - runs yum list-security to get advisories and packages
    Perfdata now shows how many updates are available.

Original issue reported on code.google.com by [email protected] on 13 Dec 2012 at 10:21

Attachments:

• check_yum.patch

What steps will reproduce the problem?
1. Run check_yum with -v, -vv, or -vvv

What is the expected output? What do you see instead?
Running with -vvv shows debug output, but none of the other verbosity settings 
show any more info.

Running with -v could show the package list from the yum check-update command, 
and with -vv could show the full output of the yum check-update command, 
including yum plugins used and repositories enabled, etc. -vvv should remain 
unchanged, as the debug output follows Nagios specification.

e.g. ($ indicates command, # indicates output, for demonstration purposes only):
$ check_yum -v
#YUM OK: 0 Security Updates Available. 1 Non-Security Update Available |
#Updates:
#binutils.i386 2.17.50.0.6-20.el5_8.3 updates

$ check_yum -vv
#YUM OK: 0 Security Updates Available. 1 Non-Security Update Available |
#yum check-update output:
#Loaded plugins: fastestmirror, security
#Loading mirror speeds from cached hostfile
# * epel: fedora-epel.mirror.lstn.net
#Skipping security plugin, no data
#
#binutils.i386 2.17.50.0.6-20.el5_8.3 updates

What version of the product are you using? On what operating system?
0.7.1 (or 0.7.2 from 
http://opensource.is/trac/browser/nagios-plugins/check_yum/) on CentOS 5

Original issue reported on code.google.com by [email protected] on 17 May 2012 at 4:19

The same issue like #25:
The check fails with exit 2 with

YUM output signature is larger than current known format, please make sure you have upgraded to the latest version of this plugin. If the problem persists, please contact the author for a fix

as error message. Can be resolved the same way like #26 or #30.

I have written a plugin to check when the last yum update was done. I ripped 
quite a bit of code out of your plugin to do this. I could host it myself, but 
I think it would make sense for it to be hosted with this plugin. 

I'm attaching the plugin, and if you like it then please add it to your 
repository under the same licence. If you don't want to put it in the same repo 
then please say so and I'll put it in its own repo. I'm also happy to do some 
rework (or for you to do some rework) if you think it needs it.

Original issue reported on code.google.com by [email protected] on 17 May 2012 at 1:52

Attachments:

• check_yum_last_update

Running on Amazon EC2:

$ uname -a
Linux [host] 2.6.35.14-106.53.amzn1.i686 #1 SMP Fri Jan 6 16:20:23 UTC 2012 
i686 i686 i386 GNU/Linux

$ cat /etc/issue
Amazon Linux AMI release 2012.03
Kernel \r on an \m

$ yum --version
3.2.29
  Installed: rpm-4.8.0-19.38.amzn1.i686 at 2012-07-04 00:40
  Built    : Amazon.com, Inc. <http://aws.amazon.com> at 2012-04-04 20:01
  Committed: Cristian Gafton <[email protected]> at 2012-04-04

  Installed: yum-3.2.29-30.23.amzn1.noarch at 2012-09-18 15:04
  Built    : Koji at 2012-09-10 23:46
  Committed: Cristian Gafton <[email protected]> at 2012-09-10

  Installed: yum-plugin-fastestmirror-1.1.30-10.12.amzn1.noarch at 2012-07-04 00:40
  Built    : Amazon.com, Inc. <http://aws.amazon.com> at 2012-01-05 22:47
  Committed: Cristian Gafton <[email protected]> at 2011-12-08

Debugging output is as follows:

$ ./check_yum_0.8.0 -vvv
check_yum - Version 0.8.0

setting plugin timeout to 30 seconds
running command: /usr/bin/yum --security check-update
Returncode: '0'
Output: 'Loaded plugins: fastestmirror, priorities, security, update-motd
Loading mirror speeds from cached hostfile
 * amzn-main: packages.us-east-1.amazonaws.com
 * amzn-updates: packages.us-east-1.amazonaws.com
Limiting package lists to security relevant ones
Security: kernel-3.2.28-45.63.amzn1.i686 is an installed security update
Security: kernel-2.6.35.14-106.53.amzn1.i686 is the currently running version
'
YUM WARNING: Cannot find summary line in YUM output. Please make sure you have 
upgraded to the latest version of this plugin. If the problem persists, please 
contact the author for a fix | 

Original issue reported on code.google.com by [email protected] on 18 Sep 2012 at 3:11

Hi @calestyo

Instead of maintaining multiple divergent copies of this check_yum.py code, could you please just send any updates you want to the original Advanced Nagios Plugins Collection repo via a pull request?

This way there is less maintenance effort overall and everyone benefits from all of of our joint improvements (GitHub will also give you credit as a contributor to that larger higher profile project).

It doesn't really make sense for each of us to making updates for this same code independently, it's twice the work.

The upstream project also has layers of code checks, continuous integration, dockerized tests etc so the quality will be kept higher there and will be supported long term.

I think critical is the wrong severity, even for security updates. We have a nightly cronjob on our servers that runs yumcron. Critical should only be used for problems that directly affect a system and require immediate attention.

What steps will reproduce the problem?
1. Run this check
2. /vat/tmp/ folder will populate with yum-nagios-**** folder
3. yum-nagios-** folder will grow overtime consuming GBs of disk

What is the expected output? What do you see instead?
yum-nagios-*** folder should be removed after check has run

What version of the product are you using? On what operating system?
Centos 6 & 7

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 7 Nov 2014 at 1:29

For reasons I’ve outlaid here:
https://sourceforge.net/tracker/?func=detail&aid=3572875&group_id=29880&atid=397
597

I plan to remove the
"YUM <status>: " part from the text output of the plugin, likely in the next 
release.


If anyone sees problem with that change, here's the chance to complain.

Original issue reported on code.google.com by [email protected] on 28 Sep 2012 at 11:11

Add coding:utf-8 to prevent python warnings due to copyright symbol in license 
information

Original issue reported on code.google.com by [email protected] on 17 May 2012 at 4:37

Attachments:

• check_yum.patch

On RHEL 6, I get a lot of

An update notice is broken, or duplicate, skipping: RHSA-2013:0188
An update notice is broken, or duplicate, skipping: RHSA-2013:0215
...

recently. This triggers the warning in line 304-305 and the check doesn't report anything useful.

There have been some additions by Pall Sigurdsson at the trac repo here:
http://opensource.is/trac/browser/nagios-plugins/check_yum/

These add support for RHEL/CentOS 6 output from the yum check-update command, 
which has been updated to be more grammatically accurate.

Since this is the repo linked to from Nagios Exchange 
(http://exchange.nagios.org/directory/Plugins/Operating-Systems/Linux/check_yum/
details), it should probably be brought up to date.

Original issue reported on code.google.com by [email protected] on 17 May 2012 at 4:10

The Nagios plugins package already contains a check for the APT package 
management system.

As YUM is also quite widespread (Fedora, RHEL, CentOS, Scientific Linux) it 
should become part, too.


Could become difficult, as apparently most (all?) plugins there are written in 
C, not in Python.

Original issue reported on code.google.com by [email protected] on 1 May 2012 at 1:15

OS: Red Hat Enterprise Linux Server release 5.8 (Tikanga)
uname -a: Linux server.domain.com 2.6.18-308.20.1.el5 #1 SMP Tue Nov 6 04:39:21 
EST 2012 i686 athlon i386 GNU/Linux

I hope the output is enough:

[root@server ~]# /usr/lib/nagios/plugins/check_yum
Security plugin for YUM is required. Try to 'yum install yum-security' and then 
re-run this plugin. Alternatively, to just alert on any update which does not 
require the security plugin, try --all-updates
[root@server ~]# /usr/lib/nagios/plugins/check_yum --all-updates
Error parsing package information, inconsistent package count, YUM output may 
have changed. Please make sure you have upgraded to the latest version of this 
plugin. If the problem persists, then please contact the author for a fix
[root@server ~]# /usr/lib/nagios/plugins/check_yum --all-updates -vvv
check_yum - Version 1.0.0

setting plugin timeout to 55 seconds
running command: /usr/bin/yum check-update
Returncode: '100'
Output: 'Loaded plugins: rhnplugin

fipscheck.i386                    1.2.0-1.el5                 rhel-i386-server-5
kernel.i686                       2.6.18-308.24.1.el5         rhel-i386-server-5
kernel-devel.i686                 2.6.18-308.24.1.el5         rhel-i386-server-5
kernel-headers.i386               2.6.18-308.24.1.el5         rhel-i386-server-5
perl-Module-Install.noarch        0.92-1.el5.rf               dag
Obsoleting Packages
fipscheck-lib.i386                1.2.0-1.el5                 rhel-i386-server-5
    fipscheck.i386                1.0.3-1.el5                 installed
'
Error parsing package information, inconsistent package count, YUM output may 
have changed. Please make sure you have upgraded to the latest version of this 
plugin. If the problem persists, then please contact the author for a fix

Original issue reported on code.google.com by [email protected] on 7 Dec 2012 at 2:50

Hi!
I'd really like to package your plugin so it could be made available via public yum repositories but I can't package it without stating a license.

I assume you wanted to put it under the GPL and just forgot to mention this in your plugin or a readme. If you want I can send you a pull request containing the information you need but I need to know which license you want or if you care at all :-)

Cheers,
Thomas

Since check_yum generally runs as a non-privileged user, it caches rpm data to /var/tmp. On a machine with limited space, this can cause problems.

This page recommends forcing to /tmp for the tmp dir and also cleaning up the temporary files:
http://unix.stackexchange.com/questions/92257/yum-user-temp-files-var-tmp-yum-fills-up-with-repo-data

Currently, check_yum does _not_ warn on "normal" updates (i.e. such not marked 
as security updates) per default but only when --all-updates and/or 
--warn-on-any-update is used.

IMHO that's a security risk, because many repositories simply lack the 
information whether updates are normal or security critical and YUM isn't 
clever and considers all of them as security critical in such cases.

My intention is therefore to revert the default behaviour.

Original issue reported on code.google.com by [email protected] on 29 Sep 2012 at 9:43