[CENTOS] Detects Linux (yum / apt) package updates

Thing you want to do

There is a premise that "the settings are always slightly different". For example, even if you have 1000 units, if you have the same configuration, the number of update packages will be the same and you should have a distribution server, so you should not need such a tool. It doesn't have much of a sledge with the much talked about Docker infrastructure, and it has nothing to do with the temporary launch of vagrant.

I have about 5 environments by myself, but I use it when Debian / Ubuntu / CentOS are different.

I simply couldn't think of software that manages such checks across OSs.

What i did

https://github.com/dmiyakawa/check_linux_updates

check_updates.py: Observe the other side from your terminal

This is an implementation that goes to see updates for each host via Fabric (ssh). By default, it goes to check in parallel.

Example(The snip part was actually equivalent to the FQDN):
$ check_updates.py
hansode.(snip)     :   0(0) (REBOOT-REQUIRED)
gobusode.(snip)    :  40(0)
shichibusode.(snip):   1(0)
mowa-net.jp        :   3(2)
centos64.(snip)    :   2(?) (REBOOT_REQUIRED)

gobusode is Debian sid. It will be like this as soon as it is left unattended. However, a little more important is mowa-net.jp, which has two security updates (in parentheses), so this should be updated. Of course Debian has a mechanism to automatically apply security updates, so this is a punishment for not using it.

$ check_updates.py --upgrade mowa-net

Will be upgraded. In this case, it will be executed serially on one host, so it is okay to ask for the password.

I have changed the host name in various ways, but it generally works like that. It can be mixed with CentOS (eg centos64 above), but I'm skipping the implementation and haven't seen any security updates on CentOS. So it is "?". (I see it with the tools described later. That)

The implementation on my side around Paramiko (ssh connection) is too appropriate, and when running in parallel, if you do not enter with public key authentication, it will fail at the password prompt. sudo I still die at the password prompt when I need it.

You can set a group such as "My own server group". The following example walks through the hosts in the mine group and makes interactive update and reboot decisions. (Fabric does not allow interactive Yes / No when running in parallel)

$ check_updates.py --serial --ask-upgrade mine

It is assumed that the executing side is Python 2.7.

$ check_updates.py -h
usage: check_updates.py [-h] [-s] [-q] [-n] [-v] [--ask-upgrade]
                        [--auto-upgrade] [--dist-upgrade]
                        [--auto-upgrade-restart] [--refresh] [--show-packages]
                        [--sanity-check]
                        [HOST [HOST ...]]

Checks if remote hosts need update or not.

positional arguments:
  HOST                  Host names or host groups. If not specified, default
                        hosts configuration will be used. This may allow
                        special command "all" "list", "groups" (=
                        "list_groups").

optional arguments:
  -h, --help            show this help message and exit
  -s, --serial          Executes check in serial manner
  -q, --quiet           Suppress unnecessary output.
  -n, --nonregistered   Allow host names that are not registered
  -v, --verbose         Show verbose outputs, including Fabric ones.
  --ask-upgrade         Asks if upgrade should be done when appropriate. Only
                        effective when --serial (-s) option is set
  --auto-upgrade        Requests hosts to upgrade itself when necessary.
  --dist-upgrade        Use "dist-upgrade" instead of "upgrade". Only
                        effective with debian-like systems. Meaningless on
                        redhat-like systems.
  --auto-upgrade-restart
                        Requests hosts to upgrade itself and restart when
                        upgrade is finished. With this option restart will be
                        executed regardless of necessity (with/without
                        "Reboot-Required" status). This will execute "dist-
                        upgrade" on debian(-like) OSes, not "upgrade.
  --refresh             Run "apt-get update" on debian-like systems.
  --show-packages       This will show names of packages to be upgraded.
  --sanity-check        First executes sanity check toward each host serially
                        (not in parallel). If some hosts show prompt in the
                        check phase, this command will abort itself
                        immediately. Might be useful for "debugging" new
                        hosts. If you are considering --serial option, This
                        "check" would be meaningless.

check_update_local.py: Run on the other side

With the above script, you have to connect with ssh, and the authentication / authorization process is delicate. There are many inconveniences when monitoring with Zabbix.

Let's make something that can be monitored from Zabbix Agent even if a script (Python) is placed on each host.

$ check_update_local.py -h
usage: check_update_local.py [-h] [--log LOG] [-d] [-s] [-r] [-q]

Check if update is available. Returns num of updates

optional arguments:
  -h, --help            show this help message and exit
  --log LOG             Set Python log level. e.g. DEBUG, INFO, WARN
  -d, --debug           Shortcut for --log DEBUG
  -s, --security-updates
                        Instead of showing num of updates, show num of
                        security updates.
  -r, --reboot_required
                        Instead of showing num of updates, return 1 if reboot
                        is required
  -q, --quiet           Logging will be disabled entirely.
$ check_update_local.py 
0
$ check_update_local.py -s
0
$ check_update_local.py -r
1

Debian requires the update-notifier-common package to use the apt-check command. Certainly, it seems that it is included from the beginning if it is an Ubuntu system, but the details are unknown.

It was relatively easy so far, If you're not careful and try to make this script compatible with CentOS 6 The default Python for CentOS 6 was scared at 2.6 (rather than 2.7). I made a lot of strange hacks, and if I entered argparse with pip, I made it to a level where it works, but I would like to expect a cleaner method.

Unfortunately, Python 3 support is not included. 14.04 It may not be LTS-like.

How to use with Zabbix is described in README.md. Both apt-check and yum are really heavy to hit from the Agent, so it's uneasy. When used with many monitored objects, the server-side process that hits the Agent may become full. I made it earlier, so I can't verify it.

what I want

Better tool than this

Postscript

Recommended Posts

Detects Linux (yum / apt) package updates
How to prevent package updates with apt
[Linux] Update the package offline
Linux main package management system