forked from HariSekhon/Nagios-Plugins
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheck_yum.py
executable file
·624 lines (511 loc) · 23.7 KB
/
check_yum.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
#!/usr/bin/env python
#
# Author: Hari Sekhon
# Date: 2008-04-29 17:21:08 +0100 (Tue, 29 Apr 2008)
#
# https://github.com/harisekhon/nagios-plugins
#
# License: see accompanying LICENSE file
#
"""
Nagios plugin to test for Yum updates on RedHat / CentOS Linux.
Can optionally alert on any available updates as well as just security related updates
See also: check_yum.pl (also part of the Advanced Nagios Plugins Collection)
Tested on CentOS 5 / 6 / 7
"""
import os
import re
import sys
import signal
OLD_PYTHON = False
# pylint: disable=wrong-import-position
try:
from subprocess import Popen, PIPE, STDOUT
except ImportError:
OLD_PYTHON = True
import commands
from optparse import OptionParser
__author__ = "Hari Sekhon"
__title__ = "Nagios Plugin for Yum updates on RedHat/CentOS systems"
__version__ = "0.8.8"
# Standard Nagios return codes
OK = 0
WARNING = 1
CRITICAL = 2
UNKNOWN = 3
DEFAULT_TIMEOUT = 30
support_msg = "Please make sure you have upgraded to the latest version from " + \
"https://github.com/harisekhon/nagios-plugins. If the problem persists, " + \
"please raise a ticket at https://github.com/harisekhon/nagios-plugins/issues "+ \
"with the full -vvv output"
def end(status, message):
"""Exits the plugin with first arg as the return code and the second
arg as the message to output"""
check = "YUM "
if status == OK:
print "%sOK: %s" % (check, message)
sys.exit(OK)
elif status == WARNING:
print "%sWARNING: %s" % (check, message)
sys.exit(WARNING)
elif status == CRITICAL:
print "%sCRITICAL: %s" % (check, message)
sys.exit(CRITICAL)
else:
print "UNKNOWN: %s" % message
sys.exit(UNKNOWN)
YUM = "/usr/bin/yum"
def check_yum_usable():
"""Checks that the YUM program and path are correct and usable - that
the program exists and is executable, otherwise exits with error"""
if not os.path.exists(YUM):
end(UNKNOWN, "%s cannot be found" % YUM)
elif not os.path.isfile(YUM):
end(UNKNOWN, "%s is not a file" % YUM)
elif not os.access(YUM, os.X_OK):
end(UNKNOWN, "%s is not executable" % YUM)
class YumTester(object):
"""Class to hold all portage test functions and state"""
def __init__(self):
"""Initialize all object variables"""
self.all_updates = False
self.no_cache_update = False
self.no_warn_on_lock = False
self.enable_repo = ""
self.disable_repo = ""
self.disable_plugin = ""
self.yum_config = ""
self.timeout = DEFAULT_TIMEOUT
self.verbosity = 0
self.warn_on_any_update = False
def validate_all_variables(self):
"""Validates all object variables to make sure the
environment is sane"""
if self.timeout is None:
self.timeout = DEFAULT_TIMEOUT
try:
self.timeout = int(self.timeout)
except ValueError:
end(UNKNOWN, "Timeout must be an whole number, " \
+ "representing the timeout in seconds")
if self.timeout < 1 or self.timeout > 3600:
end(UNKNOWN, "Timeout must be a number between 1 and 3600 seconds")
if self.verbosity is None:
self.verbosity = 0
try:
self.verbosity = int(self.verbosity)
if self.verbosity < 0:
raise ValueError
except ValueError:
end(UNKNOWN, "Invalid verbosity type, must be positive numeric " \
+ "integer")
def run(self, cmd):
"""runs a system command and returns
an array of lines of the output"""
if not cmd:
end(UNKNOWN, "Internal python error - " \
+ "no cmd supplied for run function")
if self.no_cache_update:
cmd += " -C"
if self.enable_repo:
for repo in self.enable_repo.split(","):
cmd += " --enablerepo=%s" % repo
if self.disable_repo:
for repo in self.disable_repo.split(","):
cmd += " --disablerepo=%s" % repo
if self.disable_plugin:
# --disableplugin can take a comma separated list directly
#for plugin in self.disable_plugin.split(","):
#cmd += " --disableplugin=%s" % plugin
cmd += " --disableplugin=%s" % self.disable_plugin
if self.yum_config:
for repo in self.yum_config.split(","):
cmd += " --config=%s" % repo
self.vprint(3, "running command: %s" % cmd)
if OLD_PYTHON:
self.vprint(3, "subprocess not available, probably old python " \
+ "version, using shell instead")
os.environ['LANG'] = "en_US"
returncode, stdout = commands.getstatusoutput(cmd)
if returncode >= 256:
returncode = returncode / 256
else:
try:
env = {'LANG': 'en_US'}
process = Popen(cmd.split(), stdin=PIPE, stdout=PIPE, stderr=STDOUT, env=env)
except OSError, error:
error = str(error)
if error == "No such file or directory":
end(UNKNOWN, "Cannot find utility '%s'" % cmd.split()[0])
end(UNKNOWN, "Error trying to run utility '%s' - %s" \
% (cmd.split()[0], error))
output = process.communicate()
# for using debug outputs, either do not comment above line or explicitly set exit code below
#output = [open(os.path.dirname(__file__) + '/test_input.txt').read(), '']
returncode = process.returncode
stdout = output[0]
if not stdout:
end(UNKNOWN, "No output from utility '%s'" % cmd.split()[0])
self.vprint(3, "Returncode: '%s'\nOutput: '%s'" \
% (returncode, stdout))
output = str(stdout).split("\n")
self.check_returncode(returncode, output)
return output
def check_returncode(self, returncode, output):
"""Takes the returncode and output (as an array of lines)
of the yum program execution and tests for failures, exits
with an appropriate message if any are found"""
if returncode == 0:
for line in output:
if "You must run this command as root" in line:
end(UNKNOWN, "You must run this plugin as root")
elif returncode == 100:
# Updates Available
pass
elif returncode == 200:
if "lock" in output[-2] or "another copy is running" in output[-2]:
msg = "Cannot check for updates, " \
+ "another instance of yum is running"
if self.no_warn_on_lock:
end(OK, msg)
else:
end(WARNING, msg)
else:
output = self.strip_output(output)
end(UNKNOWN, "%s" % output)
else:
if (not ('Loading "security" plugin' in output or 'Loaded plugins:.*security' in output)) \
or "Command line error: no such option: --security" in output:
end(UNKNOWN, "Security plugin for yum is required. Try to " \
+ "'yum install yum-security' (RHEL5) or " \
+ "'yum install yum-plugin-security' (RHEL6) and then re-run " \
+ "this plugin. Alternatively, to just alert on " \
+ "any update which does not require the security " \
+ "plugin, try --all-updates")
else:
output = self.strip_output(output)
end(UNKNOWN, "%s" % output)
def strip_output(self, output):
"""Cleans up the output from the plugin and returns it.
Takes and returns an array of the lines of output
and returns a single string"""
self.vprint(3, "stripping output of 'Loading ... plugin' lines")
re_loading_plugin = re.compile("^Loading .+ plugin$")
output = [re_loading_plugin.sub("", line) for line in output]
output = " ".join(output).strip()
return output
def set_timeout(self):
"""sets an alarm to time out the test"""
if self.timeout == 1:
self.vprint(3, "setting plugin timeout to %s second" \
% self.timeout)
else:
self.vprint(3, "setting plugin timeout to %s seconds"\
% self.timeout)
signal.signal(signal.SIGALRM, self.sighandler)
signal.alarm(self.timeout)
def sighandler(self, discarded, discarded2):
"""Function to be called by signal.alarm to kill the plugin"""
# Nop for these variables
discarded = discarded2
discarded2 = discarded
end(CRITICAL, "Yum nagios plugin has self terminated after " \
+ "exceeding the timeout (%s seconds)" % self.timeout)
def get_updates(self):
"""Checks for updates and returns a tuple containing the number of
security updates and the number of total updates"""
self.vprint(2, "checking for any security updates")
if self.all_updates:
number_security_updates, number_other_updates = \
self.get_all_updates()
else:
number_other_updates = self.get_security_updates()
number_security_updates = 0
return number_security_updates, number_other_updates
def get_all_updates(self):
"""Gets all updates. Returns a single integer of the
number of available updates"""
cmd = "%s check-update" % YUM
output = self.run(cmd)
output2 = [_ for _ in "\n".join(output).split("\n\n") if _]
if self.verbosity >= 4:
for section in output2:
print "\nSection:\n%s\n" % section
if len(output2) > 2 or \
not ("Setting up repositories" in output2[0] or \
"Loaded plugins: " in output2[0] or \
re.search(r'Loading\s+".+"\s+plugin', output2[0])):
end(WARNING, "Yum output signature does not match current known " \
+ "format. " + support_msg)
number_packages = 0
if len(output2) == 1:
# There are no updates but we have passed
# the loading and setting up of repositories
pass
else:
for line in output2[1].split("\n"):
if len(line.split()) > 1 and \
line[0:1] != " " and \
"Obsoleting Packages" not in line:
number_packages += 1
try:
number_packages = int(number_packages)
if number_packages < 0:
raise ValueError
except ValueError:
end(UNKNOWN, "Error parsing package information, invalid package " \
+ "number, yum output may have changed. " + support_msg)
# Extra layer of checks. This is a security plugin so it's preferable
# to fail on error rather than pass silently leaving you with an
# insecure system
count = 0
re_kernel_security_update = re.compile('^Security: kernel-.+ is an installed security update')
re_kernel_update = re.compile('^Security: kernel-.+ is the currently running version')
re_package_format = \
re.compile(r'^.+\.(i[3456]86|x86_64|noarch)\s+.+\s+.+$')
# This is to work around a yum truncation issue effectively changing
# the package output format. Currently only very long kmod lines
# are seen to have caused this so we stick to what we know for safety
# and raise an unknown error on anything else for maximum security
#re_package_format_truncated = \
# re.compile("^[\w-]+-kmod-\d[\d\.-]+.*\s+.+\s+.+$")
obsoleting_packages = False
for line in output:
if ' excluded ' in line:
continue
elif obsoleting_packages and line[0:1] == " ":
continue
elif "Obsoleting Packages" in line:
obsoleting_packages = True
continue
elif re_kernel_security_update.match(line):
end(WARNING, 'Kernel security update is installed but requires a reboot')
elif re_kernel_update.match(line):
continue
if re_package_format.match(line):
count += 1
if count != number_packages:
end(UNKNOWN, "Error parsing package information, inconsistent " \
+ "package count (%d count vs %s num packages)" % (count, number_packages) \
+ ", yum output may have changed. " + support_msg)
return number_packages
def get_security_updates(self):
"""Gets all updates, but differentiates between
security and normal updates. Returns a tuple of the number
of security and normal updates"""
cmd = "%s --security check-update" % YUM
output = self.run(cmd)
re_security_summary = \
re.compile(r'Needed (\d+) of (\d+) packages, for security')
re_summary_rhel6 = re.compile(r'(\d+) package\(s\) needed for security, out of (\d+) available')
re_no_sec_updates = \
re.compile(r'No packages needed,? for security[;,] (\d+) (?:packages )?available')
re_kernel_update = re.compile(r'^Security: kernel-.+ is an installed security update')
summary_line_found = False
for line in output:
_ = re_summary_rhel6.match(line)
if _:
summary_line_found = True
number_security_updates = _.group(1)
number_total_updates = _.group(2)
break
_ = re_no_sec_updates.match(line)
if _:
summary_line_found = True
number_security_updates = 0
number_total_updates = _.group(1)
break
_ = re_security_summary.match(line)
if _:
summary_line_found = True
number_security_updates = _.group(1)
number_total_updates = _.group(2)
break
_ = re_kernel_update.match(line)
if _:
end(CRITICAL, "Kernel security update is installed but requires a reboot")
if not summary_line_found:
end(WARNING, "Cannot find summary line in yum output. " + support_msg)
try:
number_security_updates = int(number_security_updates)
number_total_updates = int(number_total_updates)
except ValueError:
end(WARNING, "Error parsing package information, yum output " \
+ "may have changed. " + support_msg)
number_other_updates = number_total_updates - number_security_updates
from_excluded_regex = re.compile(' from .+ excluded ')
if len([_ for _ in output if not from_excluded_regex.search(_)]) > number_total_updates + 25:
end(WARNING, "Yum output signature is larger than current known " \
+ "format. " + support_msg)
return number_security_updates, number_other_updates
def test_yum_updates(self):
"""Starts tests and controls logic flow"""
check_yum_usable()
self.vprint(3, "%s - Version %s\nAuthor: %s\n" \
% (__title__, __version__, __author__))
self.validate_all_variables()
self.set_timeout()
if self.all_updates:
return self.test_all_updates()
return self.test_security_updates()
def test_all_updates(self):
"""Tests for all updates, and returns a tuple
of the status code and output"""
status = UNKNOWN
message = "code error. " + support_msg
number_updates = self.get_all_updates()
if number_updates == 0:
status = OK
message = "0 Updates Available"
else:
status = CRITICAL
if number_updates == 1:
message = "1 Update Available"
else:
message = "%s Updates Available" % number_updates
message += " | total_updates_available=%s" % number_updates
return status, message
def test_security_updates(self):
"""Tests for security updates and returns a tuple
of the status code and output"""
status = UNKNOWN
message = "code error. " + support_msg
number_security_updates, number_other_updates = \
self.get_security_updates()
if number_security_updates == 0:
status = OK
message = "0 Security Updates Available"
else:
status = CRITICAL
if number_security_updates == 1:
message = "1 Security Update Available"
elif number_security_updates > 1:
message = "%s Security Updates Available" \
% number_security_updates
if number_other_updates != 0:
if self.warn_on_any_update and status != CRITICAL:
status = WARNING
if number_other_updates == 1:
message += ". 1 Non-Security Update Available"
else:
message += ". %s Non-Security Updates Available" \
% number_other_updates
message += " | security_updates_available=%s non_security_updates_available=%s total_updates_available=%s" \
% (number_security_updates, number_other_updates, number_security_updates + number_other_updates)
return status, message
def vprint(self, threshold, message):
"""Prints a message if the first arg is numerically greater than the
verbosity level"""
if self.verbosity >= threshold:
print "%s" % message
def main():
"""Parses command line options and calls the test function"""
tester = YumTester()
parser = OptionParser()
parser.add_option("-A",
"--all-updates",
action="store_true",
dest="all_updates",
help="Does not distinguish between security and " \
+ "non-security updates, but returns critical for " \
+ "any available update. This may be used if the " \
+ "yum security plugin is absent or you want to " \
+ "maintain every single package at the latest " \
+ "version. You may want to use " \
+ "--warn-on-any-update instead of this option")
parser.add_option("-W",
"--warn-on-any-update",
action="store_true",
dest="warn_on_any_update",
help="Warns if there are any (non-security) package " \
+ "updates available. By default only warns when " \
+ "security related updates are available. If " \
+ "--all-updates is used, then this option is " \
+ "redundant as --all-updates will return a " \
+ "critical result on any available update, " \
+ "whereas using this switch still allows you to " \
+ "differentiate between the severity of updates ")
parser.add_option("-C",
"--cache-only",
action="store_true",
dest="no_cache_update",
help="Run entirely from cache and do not update the " \
+ "cache when running yum. Useful if you have " \
+ "'yum makecache' cronned so that the nagios " \
+ "check itself doesn't have to do it, possibly " \
+ "speeding up execution (by 1-2 seconds in tests)")
parser.add_option("-c",
"--config",
dest="yum_config",
help="Run with custom repository config in order to use " \
+ "custom repositories in case of special setup for")
parser.add_option("-N",
"--no-warn-on-lock",
action="store_true",
dest="no_warn_on_lock",
help="Return OK instead of WARNING when yum is locked " \
+ "and fails to check for updates due to another " \
+ "instance running. This is not recommended from " \
+ "the security standpoint, but may be wanted to " \
+ "reduce the number of alerts that may " \
+ "intermittently pop up when someone is running " \
+ "yum for package management")
parser.add_option("-e",
"--enablerepo",
dest="repository_to_enable",
help="Explicitly enables a reposity when calling yum. " +
"Can take a comma separated list of repositories")
parser.add_option("-d",
"--disablerepo",
dest="repository_to_disable",
help="Explicitly disables a repository when calling yum. " \
+ "Can take a comma separated list of repositories")
parser.add_option("--disableplugin",
dest="plugin_to_disable",
help="Explicitly disables a plugin when calling yum. " \
+ "Can take a comma separated list of plugins")
parser.add_option("-t",
"--timeout",
dest="timeout",
help="Sets a timeout in seconds after which the " \
+"plugin will exit (defaults to %s seconds). " \
% DEFAULT_TIMEOUT)
parser.add_option("-v",
"--verbose",
action="count",
dest="verbosity",
help="Verbose mode. Can be used multiple times to " \
+ "increase output. Use -vvv for debugging output. " \
+ "By default only one result line is printed as " \
+ "per Nagios standards")
parser.add_option("-V",
"--version",
action="store_true",
dest="version",
help="Print version number and exit")
(options, args) = parser.parse_args()
if args:
parser.print_help()
sys.exit(UNKNOWN)
tester.all_updates = options.all_updates
tester.no_cache_update = options.no_cache_update
tester.no_warn_on_lock = options.no_warn_on_lock
tester.enable_repo = options.repository_to_enable
tester.disable_repo = options.repository_to_disable
tester.disable_plugin = options.plugin_to_disable
tester.yum_config = options.yum_config
tester.timeout = options.timeout
tester.verbosity = options.verbosity
tester.warn_on_any_update = options.warn_on_any_update
if options.version:
print "%s - Version %s\nAuthor: %s\n" \
% (__title__, __version__, __author__)
sys.exit(OK)
result, output = tester.test_yum_updates()
end(result, output)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print "Caught Control-C..."
sys.exit(CRITICAL)