diff --git a/bundles/apt/files/check_unattended_upgrades b/bundles/apt/files/check_unattended_upgrades
new file mode 100644
index 0000000..9c4c1fa
--- /dev/null
+++ b/bundles/apt/files/check_unattended_upgrades
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+statusfile=/var/tmp/unattended_upgrades.status
+if ! [[ -f "$statusfile" ]]
+then
+ echo "Status file not found"
+ exit 3
+fi
+
+mtime=$(stat -c %Y $statusfile)
+now=$(date +$s)
+if (( $now - $mtime > 60*60*8 ))
+then
+ echo "Status file is older than 8 days!"
+ exit 3
+fi
+
+exitcode=$(cat $statusfile)
+case "$exitcode" in
+ abort_ssh)
+ echo "Upgrades skipped due to active SSH login"
+ exit 1
+ ;;
+ 0)
+ echo "OK"
+ exit 0
+ ;;
+ *)
+ echo "Last exitcode was $exitcode"
+ exit 2
+ ;;
+esac
diff --git a/bundles/apt/files/upgrade-and-reboot b/bundles/apt/files/upgrade-and-reboot
index 5435f31..a5ec4fe 100644
--- a/bundles/apt/files/upgrade-and-reboot
+++ b/bundles/apt/files/upgrade-and-reboot
@@ -16,11 +16,15 @@ then
 fi
 fi
+statusfile=/var/tmp/unattended_upgrades.status
+# Workaround, because /var/tmp is usually 1777
+[[ "$UID" == 0 ]] && chown root:root "$statusfile"
-logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd"')
+logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon"')
 if [[ -n "$logins" ]]
 then
 echo "Will abort now, there are active SSH logins: $logins"
+ echo "abort_ssh" > "$statusfile"
 exit 1
 fi
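Review bot: In check_unattended_upgrades the staleness test can never fire, because `now=$(date +$s)` expands the unset shell variable `$s` instead of passing the `%s` format, leaving `now` empty and the difference negative; it should read `now=$(date +%s)`. The threshold `60*60*8` is eight hours while the message says 8 days, so one of the two is wrong (`60*60*24*8` if days are meant). Because the file sits in /var/tmp, the plugin should also confirm it is owned by root before trusting and echoing its content, for example `[[ "$(stat -c %U "$statusfile")" == root ]] || { echo "Status file not owned by root"; exit 3; }`. `$statusfile` should be quoted in the `stat` and `cat` calls.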
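Review bot: In upgrade-and-reboot the `chown root:root "$statusfile"` workaround does not make the status file trustworthy: /var/tmp is world-writable, so the path can already exist under another local account, and chown changes the owner but not the mode, so the file may remain writable by that account while root keeps writing to it and the Icinga check keeps reading it. Keeping the file in a directory that only root can write to removes the need for the workaround, e.g. `statusfile=/var/lib/<root-owned-dir>/unattended_upgrades.status` (placeholder path), with the same path used in check_unattended_upgrades. The chown also prints an error on the first run, when the file does not exist yet. The surrounding script starts and ends outside this hunk.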
@@ -32,21 +36,15 @@ printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "ite
 >"$softlockdir"/UNATTENDED
 trap 'rm -f "$softlockdir"/UNATTENDED' EXIT
-apt-get update
-
-ret=$?
-if (( $ret != 0 ))
-then
- echo "apt-get update exited $ret"
- exit 1
-fi
-
-DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef dist-upgrade
-
+(
+ apt-get update
+ DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef dist-upgrade
+)
 ret=$?
 if (( $ret != 0 ))
 then
 echo "apt-get dist-upgrade exited $ret"
+ echo "$ret" > "$statusfile"
 exit 1
 fi
diff --git a/bundles/apt/items.py b/bundles/apt/items.py
index 77f2e64..d16f94d 100644
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
@@ -23,6 +23,9 @@ actions = {
 }
 files = {
+ '/usr/local/share/icinga/plugins/check_unattended_upgrades': {
+ 'mode': '0755',
+ },
 '/usr/local/sbin/upgrade-and-reboot': {
 'content_type': 'mako',
 'mode': '0700',
diff --git a/bundles/apt/metadata.py b/bundles/apt/metadata.py
index b1242a6..d2db8f4 100644
--- a/bundles/apt/metadata.py
+++ b/bundles/apt/metadata.py
@@ -4,4 +4,13 @@ defaults = {
 minute=node.magic_number % 30,
 ),
 },
+ 'icinga2_api': {
+ 'apt': {
+ 'services': {
+ 'UNATTENDED UPGRADES': {
+ 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_unattended_upgrades',
+ },
+ },
+ },
+ },
 }
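Review bot: In the second upgrade-and-reboot hunk the new subshell discards the exit status of `apt-get update` unless `set -e` is active earlier in the script (not visible here), so `ret` reflects only the dist-upgrade and a failed index refresh now passes silently where the removed code aborted. Joining the two commands with `&&` inside the subshell keeps a single status that covers both steps. The failure message still names only dist-upgrade, so it should mention the update step as well. This hunk writes the status file only on failure; if no later line outside the hunk writes `0` on success, the monitoring check will keep reporting the last failure or a missing file even when patching works.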