nagios-plugins and check_apt

Robie Basak robie.basak at ubuntu.com
Fri Jul 5 14:05:12 UTC 2013


check_apt does not correctly report pending security updates as
critical, as it is designed to do.

https://launchpad.net/bugs/1031680

The problem is the fundamental way it's designed. I reported this to
upstream and they said the following:

	I agree with your stance on parsing apt-get output, and I'd love
	to see a replacement that does the job using an APT API. I'm
	less keen on having the behaviour depend on whether or not some
	tool is available, though; as that's problematic with respect to
	maintenance and support.  And I guess update-notifier is a bit
	too Ubuntu-ish to add a hard dependency on apt-check ...

There's a suitable replacement written by Simon Déziel here:

https://github.com/simondeziel/custom-nagios-plugins/blob/master/plugins/check_apt_upgrade

Here are some thoughts on fixing this properly:

1) We (Ubuntu Server) recommend against using the existing
nagios-plugins check_apt for security purposes, since it will not report
security updates as critical correctly.

2) We (Ubuntu Server) recommend use of
/usr/lib/update-notifier/apt-check (provided by the
update-notifier-common package) as a reliable way of getting the
required information. This is because update-manager uses it too
(AFAIK), so it should be better maintained in Ubuntu.

3) Perhaps we should adopt Simon Déziel's plugin, which uses
/usr/lib/update-notifier/apt-check, in a delta of nagios-plugins and
call it check_ubuntu_apt or something. He's licenced it under the ISC
Licence, which AIUI is DFSG compliant so this shouldn't be a problem.
nagios-plugins can depend on update-notifier-common.
update-notifier-common appears in the server task already, so this
shouldn't be a problem.

4) If we do adopt Simon Déziel's plugin, then we can recommend that
upstream adopt it too, or try and get them to do it first so we don't
even need a delta.

5) Given that we know that check_apt is bad to use in Ubuntu, perhaps we
can deprecate it further by modifying it to provide a deprecation
warning result in all cases, and then removing it altogether in a future
delta to nagios-plugins. This is to protect Ubuntu users who mistakenly
use it in the belief that it will alert them of security updates, when
it will not necessarily do that correctly. The warning would provide
information on using check_ubuntu_apt instead. Users who wish to
override this may always pull in the upstream check_apt into /usr/local.
An alternate approach for this might be to get upstream to check for
Ubuntu and issue the deprecation warning there instead, and perhaps
eventually make it always return a critical failure.

What do you think? How far down my list should we go?

Robie
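As an added illustration (not part of Robie's mail, nor Simon Déziel's plugin), a minimal Nagios-style check in Python that takes its numbers from /usr/lib/update-notifier/apt-check rather than parsing apt-get output. It assumes apt-check's machine-readable form, a single "updates;security_updates" pair written to stderr, and treats anything it cannot parse as UNKNOWN rather than as zero pending updates.

```python
#!/usr/bin/env python3
"""Nagios-style check built on update-notifier-common's apt-check (example code)."""
import subprocess
import sys

APT_CHECK = "/usr/lib/update-notifier/apt-check"  # from update-notifier-common
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_apt_check(output):
    """Parse apt-check's 'updates;security_updates' pair, e.g. "12;3" (constructed).

    Returns (updates, security) or None when the text does not match the
    format, so a missing or broken tool cannot silently produce an OK result.
    """
    parts = output.strip().split(";")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    updates, security = (int(p) for p in parts)
    if security > updates:
        return None  # security updates are a subset of all pending updates
    return updates, security


def classify(counts):
    """Map parsed counts to a Nagios exit state and a status line with perfdata."""
    if counts is None:
        return UNKNOWN, "UNKNOWN: could not parse apt-check output"
    updates, security = counts
    perf = "| updates=%d security=%d" % (updates, security)
    if security > 0:
        return CRITICAL, "CRITICAL: %d security update(s) pending %s" % (security, perf)
    if updates > 0:
        return WARNING, "WARNING: %d non-security update(s) pending %s" % (updates, perf)
    return OK, "OK: no pending updates %s" % perf


def run_apt_check(path=APT_CHECK):
    """Run apt-check and return its stderr text, or None if it cannot be run."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr


def main():
    state, message = classify(parse_apt_check(run_apt_check() or ""))
    print(message)
    return state


if __name__ == "__main__":
    sys.exit(main())
```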
