HariSekhon / Nagios-Plugins

450+ AWS, Hadoop, Cloud, Kafka, Docker, Elasticsearch, RabbitMQ, Redis, HBase, Solr, Cassandra, ZooKeeper, HDFS, Yarn, Hive, Presto, Drill, Impala, Consul, Spark, Jenkins, Travis CI, Git, MySQL, Linux, DNS, Whois, SSL Certs, Yum Security Updates, Kubernetes, Cloudera etc...
https://www.linkedin.com/in/HariSekhon

check_yum.py #421

Open fernandezguzmas opened 5 months ago

fernandezguzmas commented 5 months ago

YUM WARNING: Cannot find summary line in yum output. Please make sure you have upgraded to the latest version from https://github.com/HariSekhon/Nagios-Plugins. If the problem persists, please raise a ticket at https://github.com/HariSekhon/Nagios-Plugins/issues with the full -vvv output

adlerweb commented 2 months ago

This message appears on RHEL with subscription repositories when the check is not run as root. Full log:

Nagios Plugin for Yum updates on RedHat/CentOS systems - Version 0.12.8
Author: Hari Sekhon

setting plugin timeout to 30 seconds
running command: /usr/bin/yum --security check-update
Returncode: '0'
Output: 'Not root, Subscription Management repositories not updated
Last metadata expiration check: 0:24:30 ago on Tue 16 Jul 2024 09:49:12 AM CEST.
'
YUM WARNING: Cannot find summary line in yum output. Please make sure you have upgraded to the latest version from https://github.com/HariSekhon/Nagios-Plugins. If the problem persists, please raise a ticket at https://github.com/HariSekhon/Nagios-Plugins/issues with the full -vvv output

As we probably want to update the repositories to check for new updates, ignoring the message is not an option. The easiest way would be to setuid the script to root (chown root check_yum.py && chmod u+s check_yum.py); this, however, may cause security concerns. A bit more restrictive would be modifying the script to use sudo (see attachment) and allow the two commands in /etc/sudoers.d/icinga as follows:

icinga ALL=(ALL) NOPASSWD: /usr/bin/yum --security check-update
icinga ALL=(ALL) NOPASSWD: /usr/bin/yum check-update

(Edit user "icinga" to match whatever your monitoring system is executing the script as)

Ultimately the script should probably check if the necessary permissions are already in place, switch to sudo if not and show a less generic error message for permission errors.


(attachments seem to be broken ATM)

--- check_yum.org.py    2024-07-16 10:25:24.280882380 +0200
+++ check_yum.py        2024-07-16 10:33:42.463331371 +0200
@@ -84,6 +84,7 @@
         print("UNKNOWN: %s" % message)
         sys.exit(UNKNOWN)

+SUDO = "/usr/bin/sudo"
 YUM = "/usr/bin/yum"
 DNF = '/usr/bin/dnf'

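Review bot: The SUDO constant added above YUM is a hard-coded path that the later hunks apply unconditionally, so the plugin would go through sudo even when it already runs as root, and would fail on hosts where /usr/bin/sudo does not exist. Consider prefixing the command only when the effective UID is not 0 and the sudo binary is present, and add a comment next to the constant naming the sudoers entries it depends on.
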
@@ -313,7 +314,7 @@
         """Gets all updates. Returns a single integer of the
         number of available updates"""

-        cmd = "%s check-update" % YUM
+        cmd = "%s %s check-update" % (SUDO, YUM)

         output = self.run(cmd)

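Review bot: The changed cmd line calls sudo without -n, so when the sudoers rule is missing or does not match, sudo may try to ask for a password instead of failing straight away. Suggest "%s -n %s check-update" % (SUDO, YUM), which makes sudo exit with an error rather than prompt. The resulting command still has to match the sudoers entry /usr/bin/yum check-update exactly, arguments included.
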
@@ -385,7 +386,7 @@
         security and normal updates. Returns a tuple of the number
         of security and normal updates"""

-        cmd = "%s --security check-update" % YUM
+        cmd = "%s %s --security check-update" % (SUDO, YUM)

         output = self.run(cmd)
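
Review bot: After the changed cmd line, output = self.run(cmd) is handled exactly as before, so a sudo refusal or a "Not root" line would still end in the generic "Cannot find summary line" warning shown in the log. Check the output for those cases before parsing and report a permission-specific message. The sudo prefix is also built twice, here and in the previous hunk; building it once in a helper keeps the two commands in step with the two sudoers entries.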
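
An added example, not part of the comment above or of the plugin's own code: one way to do what the comment proposes, using sudo only when the check is not already root and reporting permission failures with their own message. The names build_cmd and permission_problem are hypothetical, and the example assumes the text passed to permission_problem includes sudo's error output.

```python
import os

SUDO = "/usr/bin/sudo"  # paths as in the patch above
YUM = "/usr/bin/yum"
UNKNOWN = 3             # standard Nagios exit code for UNKNOWN

# Constructed sample: the yum output from the -vvv log in this thread.
SAMPLE_NOT_ROOT = (
    "Not root, Subscription Management repositories not updated\n"
    "Last metadata expiration check: 0:24:30 ago on Tue 16 Jul 2024 09:49:12 AM CEST.\n"
)

def build_cmd(args, euid=None, sudo_exists=None):
    """Return the yum argv, prefixed with 'sudo -n' only when not already root.

    euid and sudo_exists can be passed in for testing; by default they are
    read from the running process and the filesystem."""
    euid = os.geteuid() if euid is None else euid
    if sudo_exists is None:
        sudo_exists = os.access(SUDO, os.X_OK)
    if euid == 0 or not sudo_exists:
        # Already privileged, or no sudo to fall back on: run yum directly and
        # let permission_problem() report an unprivileged run.
        return [YUM] + list(args)
    # -n: never prompt; a missing sudoers rule fails at once with an error.
    return [SUDO, "-n", YUM] + list(args)

def permission_problem(output):
    """Return (exit_code, message) if the output shows a privilege failure,
    else None so the caller carries on with normal summary-line parsing."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Not root"):
            return (UNKNOWN, "YUM UNKNOWN: yum ran without root and did not "
                    "refresh the repositories (%s)" % line)
        if line.startswith("sudo:"):  # sudo prefixes its own errors this way
            return (UNKNOWN, "YUM UNKNOWN: sudo refused the command (%s), "
                    "check the sudoers rules" % line)
    return None

if __name__ == "__main__":
    print(build_cmd(["--security", "check-update"]))
    print(permission_problem(SAMPLE_NOT_ROOT))
```

Returning an argv list rather than a formatted string keeps the command identical to what the two sudoers entries allow, with no shell in between.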