nagios-plugins and check_apt

Simon Deziel simon.deziel at
Mon Jul 8 14:03:44 UTC 2013

On 13-07-08 05:06 AM, Dmitrijs Ledkovs wrote:
> On 5 July 2013 15:05, Robie Basak <robie.basak at> wrote:
>> check_apt does not correctly report pending security updates as
>> critical, as it is designed to do.
>> The problem is the fundamental way it's designed. I reported this to
>> upstream and they said the following:
>>         I agree with your stance on parsing apt-get output, and I'd love
>>         to see a replacement that does the job using an APT API. I'm
>>         less keen on having the behaviour depend on whether or not some
>>         tool is available, though; as that's problematic with respect to
>>         maintenance and support.  And I guess update-notifier is a bit
>>         too Ubuntu-ish to add a hard dependency on apt-check ...
>> There's a suitable replacement written by Simon Déziel here:
>> What do you think? How far down my list should we go?
> It's reasonable expectation for default nagios/check_mk/icinga
> configurations on both Debian and Ubuntu to have updates and security
> checks that work.
> Given that check_apt doesn't do what it says on the tin, on Ubuntu
> systems, imho it's best to ship check_apt_upgrade under check_apt
> name.
> To do so, we need to carefully check/test that standard nagios & perf
> data options are supported by check_apt_upgrade and

Possible omissions for check_apt_upgrade are the timeout and version
options. I'm going to add timeout support today. For the version, I'm
not sure what it should output exactly.

As for the perf data, check_apt_upgrade outputs them by default while
check_apt do not support those.

> flags/options that it doesn't support are either gracefully ignored or
> passed to the original check_apt plugin.

Right now check_apt_upgrade doesn't support any argument (except -h) and
returns UNKNOWN if an argument is provided.

Since check_apt_upgrade is only a wrapper around
/usr/lib/update-notifier/apt-check I think that gracefully ignoring the
options of check_apt is the way to go.

> This way we should be able to replace non-working check, with the one
> that does work and push that as an SRU.

That would be great.


More information about the ubuntu-server mailing list