nagios-plugins / nagios-plugins

Nagios Plugins
GNU General Public License v3.0

check_apt - different value than apt update on server #731

Open og900aero opened 1 year ago

og900aero commented 1 year ago

Hello. Different package count on Debian 12 between check_apt and apt update.

sudo apt update:

    Ign:1 http://hwraid.le-vert.net/debian bullseye InRelease
    Hit:2 http://deb.debian.org/debian bookworm InRelease
    Hit:3 http://security.debian.org/debian-security bookworm-security InRelease
    Hit:4 http://deb.debian.org/debian bookworm-updates InRelease
    Get:5 http://hwraid.le-vert.net/debian bullseye Release [2,840 B]
    Get:6 http://hwraid.le-vert.net/debian bullseye Release.gpg [520 B]
    Ign:7 http://repo.mongodb.org/apt/debian bookworm/mongodb-org/5.0 InRelease
    Hit:8 http://repo.mongodb.org/apt/debian bookworm/mongodb-org/5.0 Release
    Get:9 http://hwraid.le-vert.net/debian bullseye/main amd64 Packages [1,024 B]
    Fetched 4,384 B in 1s (5,430 B/s)
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    1 package can be upgraded. Run 'apt list --upgradable' to see it.

sudo bash -c "'/usr/lib/nagios/plugins/check_apt' '-u' '-v'":

    Ign:1 http://hwraid.le-vert.net/debian bullseye InRelease
    Hit:2 http://deb.debian.org/debian bookworm InRelease
    Hit:3 http://security.debian.org/debian-security bookworm-security InRelease
    Hit:4 http://hwraid.le-vert.net/debian bullseye Release
    Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
    Ign:6 http://repo.mongodb.org/apt/debian bookworm/mongodb-org/5.0 InRelease
    Hit:7 http://repo.mongodb.org/apt/debian bookworm/mongodb-org/5.0 Release
    Reading package lists...
    APT OK: 0 packages available for upgrade (0 critical updates). |available_upgrades=0;;;0 critical_updates=0;;;0

What is the problem?

og900aero commented 1 year ago

The Debian 12 server's icinga2 version:

    sudo icinga2 --version
    icinga2 - The Icinga 2 network monitoring daemon (version: r2.13.6-1)

    Copyright (c) 2012-2023 Icinga GmbH (https://icinga.com/)
    License GPLv2+: GNU GPL version 2 or later https://gnu.org/licenses/gpl2.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    System information:
      Platform: Debian GNU/Linux
      Platform version: 12 (bookworm)
      Kernel: Linux
      Kernel version: 6.1.0-11-amd64
      Architecture: x86_64

    Build information:
      Compiler: GNU 12.2.0
      Build host: x86-csail-01
      OpenSSL version: OpenSSL 3.0.9 30 May 2023

    Application information:

    General paths:
      Config directory: /etc/icinga2
      Data directory: /var/lib/icinga2
      Log directory: /var/log/icinga2
      Cache directory: /var/cache/icinga2
      Spool directory: /var/spool/icinga2
      Run directory: /run/icinga2

    Old paths (deprecated):
      Installation root: /usr
      Sysconf directory: /etc
      Run directory (base): /run
      Local state directory: /var

    Internal paths:
      Package data directory: /usr/share/icinga2
      State path: /var/lib/icinga2/icinga2.state
      Modified attributes path: /var/lib/icinga2/modified-attributes.conf
      Objects path: /var/cache/icinga2/icinga2.debug
      Vars path: /var/cache/icinga2/icinga2.vars
      PID path: /run/icinga2/icinga2.pid

rfrederick commented 1 year ago

I'm seeing this same issue with the version of check_apt (v2.3.3) in the monitoring-plugins-basic Debian package on Debian Bookworm (12.1, specifically).

nagiosgwesterman commented 8 months ago

Hi @og900aero (this might apply to you as well @rfrederick),

I have been looking into this issue, and I'm not certain there is a bug. I can replicate a similar discrepancy between the results of running apt update and ./check_apt -u -v, but this happens because the plugin check_apt parses the results of apt-get upgrade to use in its output message rather than the results of apt-get update or just apt update.

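For a more concrete example:

  • When I run apt update, it just tells me "114 packages can be upgraded. Run 'apt list --upgradable' to see them."
  • But when I run apt-get upgrade, it tells me "113 upgraded, 0 newly installed, 0 to remove and 1 not upgraded." with 1 package being "kept back" which, as far as I know, has to do with dependencies.
  • The results of the second command (apt-get upgrade) are consistent with my results from the plugin.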

If you run these commands, do you get similar outputs? I'm not as experienced with DEB-based package management, but is the plugin doing something reasonable here?

rfrederick commented 8 months ago

It looks like it may be reasonable.

It looks like the way for check_apt to display the "expected" value here is to modify the default options for upgrade to include the --with-new-pkgs option, e.g. check_apt -U"-o 'Debug::NoLocking=true' --with-new-pkgs -s -qq"

nagiosgwesterman commented 8 months ago

Unfortunately, I do not believe that change solves the problem entirely. With the -s and -qq options, new packages are listed no differently than packages available to be upgraded. Adding this option will cause the plugin to potentially report a number larger than both apt update and the base apt-get upgrade and apt upgrade as these treat new packages as separate (update entirely excludes them and upgrade lists them separately). For instance, making this change on my testing environment makes the plugin tell me I have 115 packages available for upgrade while all of apt-get upgrade, apt upgrade, and apt update return 114. This change would make it no longer consistent with apt-get upgrade but rather with something like: /usr/bin/apt-get -s -qq --with-new-pkgs upgrade | grep ^"Inst" | wc -l.

Ultimately, my question still remains, and I appreciate anyone's input: is it critical that the plugin is consistent with apt update or is it fair that it's consistent with apt-get upgrade?
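The over-count discussed in this comment comes from treating every `Inst` line as an upgrade. As an added example (not part of the thread and not check_apt's own code), the shell function below splits simulated output into upgrades and newly installed packages. The sample lines are constructed, and the `Inst` line layout and the `Debian-Security:` origin label are assumptions about apt's output on the host.

```shell
#!/bin/sh
# Added example: split the "Inst" lines of a simulated upgrade into real
# upgrades and newly installed packages, so --with-new-pkgs does not
# inflate the count the way a plain `grep ^Inst | wc -l` does.

# Constructed sample of `apt-get -s -qq --with-new-pkgs upgrade` output.
# Package names and versions are made up for illustration.
sample_sim_output() {
    cat <<'EOF'
Inst libexample1 [1.0-1] (1.0-2 Debian:12.1/stable [amd64])
Inst linux-image-6.1.0-12-amd64 (6.1.52-1 Debian-Security:12/stable-security [amd64])
Inst linux-image-amd64 [6.1.38-4] (6.1.52-1 Debian-Security:12/stable-security [amd64])
Conf libexample1 (1.0-2 Debian:12.1/stable [amd64])
Conf linux-image-6.1.0-12-amd64 (6.1.52-1 Debian-Security:12/stable-security [amd64])
Conf linux-image-amd64 (6.1.52-1 Debian-Security:12/stable-security [amd64])
EOF
}

# Reads simulation output on stdin and prints one summary line.
# Assumption: an upgrade shows the installed version in [brackets] as the
# third field, while a new install goes straight to "(candidate ...".
# Assumption: security-archive packages carry "Debian-Security:" in the
# origin part of the line.
classify_inst() {
    awk '
        $1 != "Inst" { next }                 # skip Conf and other lines
        $3 ~ /^\[/   { upgrades++ }           # installed version present
        $3 !~ /^\[/  { added++ }              # no installed version: new
        /Debian-Security:/ { security++ }
        END {
            printf "upgrades=%d new=%d security=%d\n",
                   upgrades, added, security
        }
    '
}

# On a live Debian host (not run by this example):
#   apt-get -s -qq --with-new-pkgs upgrade | classify_inst
sample_sim_output | classify_inst
```

In the constructed sample the metapackage upgrade needs one new package, which is the kind of upgrade a plain `apt-get upgrade` keeps back; reporting `upgrades` and `new` separately keeps such a package visible without adding it to the upgrade total.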

og900aero commented 8 months ago

> Hi @og900aero (this might apply to you as well @rfrederick),
>
> I have been looking into this issue, and I'm not certain there is a bug. I can replicate a similar discrepancy between the results of running apt update and ./check_apt -u -v, but this happens because the plugin check_apt parses the results of apt-get upgrade to use in its output message rather than the results of apt-get update or just apt update.
>
> For a more concrete example:
>
>   • When I run apt update, it just tells me "114 packages can be upgraded. Run 'apt list --upgradable' to see them."
>   • But when I run apt-get upgrade, it tells me "113 upgraded, 0 newly installed, 0 to remove and 1 not upgraded." with 1 package being "kept back" which, as far as I know, has to do with dependencies.
>   • The results of the second command (apt-get upgrade) are consistent with my results from the plugin.
>
> If you run these commands, do you get similar outputs? I'm not as experienced with DEB-based package management, but is the plugin doing something reasonable here?

It is possible that it is not a bug. As I read back then, the problem could be that sometimes apt-get update and apt update give different results. I don't remember what exactly it was then, but it has come up a few times since then, and it seems to have happened when a kernel-related update came out.