osupdates: unpriv implementation alternative (#395)

snmp/unpriv/osupdates/Readme.md

@@ -0,0 +1,9 @@
+# osupdates
+
+## Installation
+
+1. Copy shell scripts into /usr/local/bin/
+2. Make them executable
+3. Copy timer and service unit into /etc/systemd/system/
+4. Activate timer (`systemctl enable --now librenms-osupdates-generate.timer`)
+5. Set `extend osupdate /usr/local/bin/osupdates-unpriv-gather.sh` in `/etc/snmp/snmpd.conf`

snmp/unpriv/osupdates/librenms-osupdates-generate.service

@@ -0,0 +1,8 @@
+# librenms-osupdates-generate.service
+
+[Unit]
+Description=generate osupdates information
+
+[Service]
+ExecStart=/usr/local/bin/osupdates-unpriv-generate.sh
+

snmp/unpriv/osupdates/librenms-osupdates-generate.timer

@@ -0,0 +1,11 @@
+# librenms-osupdates-generate.timer
+
+[Unit]
+Description=generates osupdates information minutely
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target

snmp/unpriv/osupdates/osupdates-unpriv-gather.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+SNMP_PERSISTENT_DIR="$(net-snmp-config --persistent-directory)"
+UNPRIV_SHARED_FILE="$SNMP_PERSISTENT_DIR/osupdates/stats.txt"
+
+if [ -f "$UNPRIV_SHARED_FILE" ]; then
+    cat "$UNPRIV_SHARED_FILE"
+else
+    echo "0"
+    logger -p daemon.error -t "osupdates-unpriv" Reading osupdate data from file "$UNPRIV_SHARED_FILE" failed!
+fi

snmp/unpriv/osupdates/osupdates-unpriv-generate.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+################################################################
+# copy this script to /etc/snmp/ and make it executable:       #
+# chmod +x /etc/snmp/osupdate                                  #
+# ------------------------------------------------------------ #
+# edit your snmpd.conf and include:                            #
+# extend osupdate /etc/snmp/osupdate                           #
+#--------------------------------------------------------------#
+# restart snmpd and activate the app for desired host          #
+#--------------------------------------------------------------#
+# please make sure you have the path/binaries below            #
+################################################################
+BIN_WC='/usr/bin/env wc'
+BIN_GREP='/usr/bin/env grep'
+CMD_GREP='-c'
+CMD_WC='-l'
+BIN_ZYPPER='/usr/bin/env zypper'
+CMD_ZYPPER='-q lu'
+BIN_YUM='/usr/bin/env yum'
+CMD_YUM='-q check-update'
+BIN_DNF='/usr/bin/env dnf'
+CMD_DNF='-q check-update'
+BIN_APT='/usr/bin/env apt-get'
+CMD_APT='-qq -s upgrade'
+BIN_PACMAN='/usr/bin/env pacman'
+CMD_PACMAN='-Sup'
+BIN_CHECKUPDATES='/usr/bin/env checkupdates'
+BIN_PKG='/usr/sbin/pkg'
+CMD_PKG=' audit -q -F'
+BIN_APK='/sbin/apk'
+CMD_APK=' version'
+SNMP_PERSISTENT_DIR="$(net-snmp-config --persistent-directory)"
+UNPRIV_SHARED_FILE="$SNMP_PERSISTENT_DIR/osupdates/stats.txt"
+
+mkdir -p "$(dirname "$UNPRIV_SHARED_FILE" )"
+exec > "$UNPRIV_SHARED_FILE"
+
+################################################################
+# Don't change anything unless you know what are you doing     #
+################################################################
+if command -v zypper &>/dev/null ; then
+    # OpenSUSE
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_ZYPPER $CMD_ZYPPER | $BIN_WC $CMD_WC)
+    if [ "$UPDATES" -ge 2 ]; then
+        echo $(($UPDATES-2));
+    else
+        echo "0";
+    fi
+elif command -v dnf &>/dev/null ; then
+    # Fedora
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_DNF $CMD_DNF | $BIN_WC $CMD_WC)
+    if [ "$UPDATES" -ge 1 ]; then
+        echo $(($UPDATES-1));
+    else
+        echo "0";
+    fi
+elif command -v pacman &>/dev/null ; then
+    # Arch
+    # calling pacman -Sup does not refresh the package list from the mirrors,
+    # thus it is not useful to find out if there are updates. Keep the pacman call
+    # to accomodate users that do not have it. checkupdates is in pacman-contrib.
+    # also enables snmpd to collect this information if it's not run as root
+    if command -v checkupdates &>/dev/null ; then
+        # shellcheck disable=SC2086
+        UPDATES=$($BIN_CHECKUPDATES | $BIN_WC $CMD_WC)
+    else
+        # shellcheck disable=SC2086
+        UPDATES=$($BIN_PACMAN $CMD_PACMAN | $BIN_WC $CMD_WC)
+    fi
+    if [ "$UPDATES" -ge 1 ]; then
+        echo $(($UPDATES-1));
+    else
+        echo "0";
+    fi
+elif command -v yum &>/dev/null ; then
+    # CentOS / Redhat
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_YUM $CMD_YUM | $BIN_WC $CMD_WC)
+    if [ "$UPDATES" -ge 1 ]; then
+        echo $(($UPDATES-1));
+    else
+        echo "0";
+    fi
+elif command -v apt-get &>/dev/null ; then
+    # Debian / Devuan / Ubuntu
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_APT $CMD_APT | $BIN_GREP $CMD_GREP 'Inst')
+    if [ "$UPDATES" -ge 1 ]; then
+        echo "$UPDATES";
+    else
+        echo "0";
+    fi
+elif command -v pkg &>/dev/null ; then
+    # FreeBSD
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_PKG $CMD_PKG | $BIN_WC $CMD_WC)
+    if [ "$UPDATES" -ge 1 ]; then
+        echo "$UPDATES";
+    else
+        echo "0";
+    fi
+elif command -v apk &>/dev/null ; then
+    # Alpine
+    # shellcheck disable=SC2086
+    UPDATES=$($BIN_APK $CMD_APK | $BIN_WC $CMD_WC)
+    if [ "$UPDATES" -ge 2 ]; then
+        echo $(($UPDATES-1));
+    else
+        echo "0";
+    fi
+else
+    echo "0";
+fi