Merge pull request #245 from SUNET/jocar-check-apt-race

Handle race between check and unattended updates
SUNET · Jan 24, 2025 · 1640ba7 · 1640ba7
2 parents cfd47f5 + e7962b7
commit 1640ba7
Showing 1 changed file with 35 additions and 23 deletions.
diff --git a/files/nagios/check_apt-wrapper b/files/nagios/check_apt-wrapper
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-default_check () {
-    /usr/lib/nagios/plugins/check_apt
-    exit $?
+default_check() {
+	/usr/lib/nagios/plugins/check_apt
+	exit $?
 }
 
-unattended_check () {
-   pref_file=$(mktemp)
-   cat <<<'
+unattended_check() {
+	pref_file=$(mktemp)
+	cat <<<'
 Package: *
 Pin: release o=Debian
 Pin-Priority: -10
@@ -18,25 +18,37 @@ Pin-Priority: -10
 
 Package: *
 Pin: release o=Ubuntu
-Pin-Priority: -10' > "${pref_file}"
-
-    output=$(apt-get -s -o Dir::Etc::Preferences="${pref_file}" upgrade | grep -P '^\d+\supgraded,\s\d+\snewly installed,\s\d+ to remove and \d+ not upgraded.$')
-    rm "${pref_file}"
-    packages_to_upgrade=$(echo "${output}" | sed -E 's/^([0-9]+)\s.+/\1/g')
-    base_output="${packages_to_upgrade} packages to upgrade which are not covered by unattended-updates. | available_upgrades=${packages_to_upgrade};;;0"
-    if [ "${packages_to_upgrade}" -ne 0 ]; then
-            echo "APT WARN: ${base_output}"
-            exit 1
-    else
-            echo "APT OK: ${base_output}"
-            exit 0
-    fi
+Pin-Priority: -10' >"${pref_file}"
+
+	if [ -f "/etc/apt/apt.conf.d/51unattended-upgrades-origins" ]; then
+
+		grep ";" /etc/apt/apt.conf.d/51unattended-upgrades-origins | grep -vE 'origin=(Debian|Ubuntu)(ESM(Apps)?)?' | sed 's/;//' | sed 's/"//g' | while IFS= read -r line; do
+			{
+				echo "" # Newline for new section
+				echo "Package: *"
+				echo "Pin: release ${line}"
+				echo "Pin-Priority: -10"
+			} >>"${pref_file}"
+		done
+
+	fi
+	output=$(apt-get -s -o Dir::Etc::Preferences="${pref_file}" upgrade | grep -P '^\d+\supgraded,\s\d+\snewly installed,\s\d+ to remove and \d+ not upgraded.$')
+	rm "${pref_file}"
+	packages_to_upgrade=$(echo "${output}" | sed -E 's/^([0-9]+)\s.+/\1/g')
+	base_output="${packages_to_upgrade} packages to upgrade which are not covered by unattended-updates. | available_upgrades=${packages_to_upgrade};;;0"
+	if [ "${packages_to_upgrade}" -ne 0 ]; then
+		echo "APT WARN: ${base_output}"
+		exit 1
+	else
+		echo "APT OK: ${base_output}"
+		exit 0
+	fi
 }
 
 if [ -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
-    if grep -q 'APT::Periodic::Unattended-Upgrade "1";' /etc/apt/apt.conf.d/20auto-upgrades; then
-        unattended_check
-    fi
+	if grep -q 'APT::Periodic::Unattended-Upgrade "1";' /etc/apt/apt.conf.d/20auto-upgrades; then
+		unattended_check
+	fi
 else
-    default_check
+	default_check
 fi