2

Running a base install of Ubuntu 22.04 using Nagios and NRPE to monitor hosts, all running 22.04. My issue is with check_apt returning two different results:

$# /usr/lib/nagios/plugins/check_apt
 APT OK: 0 packages available for upgrade (0 critical updates). |available_upgrades=0;;;0 critical_updates=0;;;0


$# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_apt
APT WARNING: 9 packages available for upgrade (0 critical updates). |available_upgrades=9;;;0 critical_updates=0;;;0

One reports 0 packages, the other 9 even though they are the same server. Having checked in depth there are no updates

Has anyone come across this before?

kevin wincott
  • 21
  • 1
  • 5
  • My guess would be that they’re running as different users. For example, you may be running the test as root but nrpe runs it as the nagios user, and potentially causing the plug-in to malfunction. Try running the plug-in as user nagios to make sure. – pzkpfw Jun 24 '22 at 12:17
  • yep ive checked that, confirmed same if using root or Nagios – kevin wincott Jun 24 '22 at 15:20
  • In that case the only thing I can think of is that the definition of the check_apt command in the nrpe.cfg is not actually exactly as you run it yourself. Please include the definition in your question. – pzkpfw Jun 25 '22 at 12:53

3 Answers3

1

The issue is due to PrivateTmp=true in /etc/systemd/system/multi-user.target.wants/nagios-nrpe-server.service.

Overriding this to PrivateTmp=false, then reloading systemd config and nagios-nrpe-server.service fixed the issue for me.

Note : somewhat similar to this issue with check_disk via nrpe

EiZ
  • 11
1

PrivateTmp=true triggers it but the real reason is that /usr/bin/ischroot tool returns True/1 when PrivateTmp is enabled.

That changes apt-get behaviour since phased updates were implemented as described at: https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345/24

APT now implements phased update... To avoid breaking existing build chroots, chroots are excluded from this change for now

When apt-get is run in chroot or with PrivateTmp=true it will consider phased updates as normal updates that user has to upgrade. This causes check_apt to complain about available upgrades.

The easiest workaround it to disable phased updates from check_apt by adding -o APT::Get::Never-Include-Phased-Updates=true to default upgrade options:

-U, --upgrade=OPTS Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default (-o 'Debug::NoLocking=true' -s -qq). Note that you may be required to have root privileges if you do not use the default options, which will only run a simulation and NOT perform the upgrade

like:

# cat /etc/nagios/nrpe.d/check_apt.cfg
command[check_apt]=/usr/lib/nagios/plugins/check_apt --upgrade="-o 'Debug::NoLocking=true' -o APT::Get::Never-Include-Phased-Updates=true -s -qq"
arekm
  • 11
0

You could find out the packages list with -l option in the check_apt command of NRPE. Also can check with apt-get dist-upgrade.

My apt-get dist-upgrade returns:

The following packages have been kept back:
  grub-efi-amd64 grub-efi-amd64-bin
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

Same result with the -l option in the check_apt command.

Work around solution is excluding the packages in the check_apt command with --exclude=REGEXP option.

NotTheDr01ds
  • 22,381
Luan Nguyen
  • 1
  • Welcome to Ask Ubuntu! I've fixed the formatting on your post, but for future reference, Ask Ubuntu uses the same Markdown that you are used to (from your account and answers) on Stack Overflow. – NotTheDr01ds Feb 26 '23 at 00:36