nk23x
3/2/2017 - 10:21 AM

debian unattended apt-get updates

debian unattended apt-get updates


In this example I update the libxml2 Debian package and remove the cached output of 
the check_mk apt plugin on an AWS instance:

  # Upgrade libxml2 as root and, only if that succeeds, delete the cached
  # output of the check_mk apt plugin. The trailing `&& exit` leaves the
  # current shell only when both steps succeeded.
  sudo /bin/bash -c '
    apt-get install --yes --fix-broken --fix-missing libxml2 &&
      rm /var/lib/check_mk_agent/cache/*apt.cache
  ' && exit

i used aws-cli to figure out which ssh key is used:

  # Reduce the describe-instances JSON to the lines naming instance id,
  # private IP, key name, tag values and VPC id, so the ssh key of each
  # instance can be read off.
  aws ec2 describe-instances \
    | grep -iE '\"(InstanceId|PrivateIpAddress|KeyName|Value|VpcId)\":{1,2}' \
    | sed -e 's/^[ \t]*//' \
    | grep -vE 'Value\": \"(disallowed|allowed)\"' \
    | uniq -u \
    | perl -pe 's/\"PrivateIpAddress\": /\n\n\"PrivateIpAddress\": /g;s/\"//g;s/,//g;'
  # Stages after the first grep: strip leading whitespace, drop tag values
  # that are just allowed/disallowed, keep only lines that are not repeated
  # by their neighbour, then start a new paragraph at every PrivateIpAddress
  # and remove quotes and commas.
 
it's better to use json_xs or similar:

  # Let a real JSON parser do the work: convert the whole reply to YAML.
  aws ec2 describe-instances \
    | json_xs -t yaml

if there is only one package to upgrade i do something like:

  # Upgrade tcpdump on each listed host and, if that succeeds, remove the
  # cached apt check result there. The glob is expanded by the remote shell.
  # NOTE(review): this logs in as root over ssh; confirm that direct root
  # login is intended on these hosts rather than a sudo-capable account.
  for serv in server1 server2 server3
  do
    ssh "root@${serv}" 'apt-get install --yes tcpdump &&
      rm /var/lib/check_mk_agent/cache/local_7200*apt.cache'
  done

another way to upgrade multiple packages would be:

  # Simulate an upgrade (-s) to learn which packages are pending, then
  # install them one at a time. The command substitution is left unquoted on
  # purpose: word splitting yields one package name per pass.
  for pkg in $(
    apt-get -o 'Debug::NoLocking=true' -s -qq upgrade \
      | grep -v '^Conf' \
      | cut -d ' ' -f 2
  )
  do
    apt-get install --yes "$pkg"
  done
	
or if you just want to install security-related upgrades:

  # Same loop as for all pending packages, restricted to simulation lines
  # that mention "security" (case-insensitive) anywhere on the line.
  # NOTE(review): the match is on the whole line, not only on the archive
  # name, so a package whose name contains "security" is selected too.
  for pkg in $(
    apt-get -o 'Debug::NoLocking=true' -s -qq upgrade \
      | grep -v '^Conf' \
      | grep -i 'security' \
      | cut -d ' ' -f 2
  )
  do
    apt-get install --yes "$pkg"
  done

in addition to all this we could slightly modify the check_mk apt check to provide a 
list of packages:

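  #!/bin/bash
  # check_mk local check: reports the number of pending APT upgrades and
  # lists the affected packages.
  #   status 2 / CRITICAL - at least one pending upgrade line mentions 'Security'
  #   status 1 / WARNING  - other upgrades are pending
  #   status 0 / OK       - nothing to upgrade

  # Refresh the package index so the simulation below sees current versions.
  apt-get update -qq

  # Simulated upgrade (-s): nothing is installed. Dropping the 'Conf' lines
  # leaves one line per package that would be upgraded.
  upgrades=$(apt-get -o 'Debug::NoLocking=true' -s -qq upgrade | grep -v '^Conf')

  count=0
  count_security=0
  statustxt_detail=''
  if [ -n "$upgrades" ]; then
      count=$(printf '%s\n' "$upgrades" | wc -l)
      # grep -c prints 0 by itself when nothing matches.
      count_security=$(printf '%s\n' "$upgrades" | grep -c 'Security')
      # Field 2 of each line is the package name; join the names with spaces.
      statustxt_detail=$(printf '%s\n' "$upgrades" | cut -d ' ' -f 2 | tr '\n' ' ')
  fi

  if [ "$count_security" -gt 0 ]; then
      status=2
      statustxt=CRITICAL
  elif [ "$count" -gt 0 ]; then
      status=1
      statustxt=WARNING
  else
      status=0
      statustxt=OK
  fi

  # A local check result is one line: status, service name, performance data,
  # text. The original string literal contained raw line breaks, which split
  # the result over several lines; it is emitted here as a single line.
  printf '%s APT upgrades=%s;1;;0;|security_upgrades=%s;;1;0 %s - %s (%s security) %s\n' \
      "$status" "$count" "$count_security" \
      "$statustxt" "$count" "$count_security" "$statustxt_detail"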

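#!/bin/bash
# Unattended maintenance for Debian hosts: as root, run
# `apt-get update`, `upgrade -y -m`, `clean` and `autoclean` in that order.

# Test the effective UID rather than $USERNAME: bash does not set USERNAME
# itself, so the old comparison depended on whatever the calling environment
# exported and could reject a genuine root run (e.g. from cron).
if [ "$(id -u)" -ne 0 ]; then
  echo "this script needs to be run by root" >&2
  exit 1
fi

if [ -f /etc/debian_version ]; then
  # `[ -x $(which apt-get) ]` collapses to `[ -x ]` when apt-get is absent,
  # and a one-argument test is true; command -v fails properly instead.
  if command -v apt-get >/dev/null 2>&1; then
    for task in update "upgrade -y -m" clean autoclean; do
      # $task stays unquoted on purpose so "upgrade -y -m" splits into words.
      # shellcheck disable=SC2086
      apt-get $task -qq || echo "apt-get $task failed" >&2
    done
  fi
fi

# NOTE(review): the exit status is always 0 and `-m` lets the upgrade carry
# on when some archives cannot be fetched, so a zero status does not prove
# the host is fully patched; watch stderr or a monitoring check for that.
exit 0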
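# Upgrade the packages named by a simulated `apt-get upgrade`, one per pass.
# NOTE(review): only the single line following the heading is read, so a
# package list that wraps over several lines is cut short — confirm.
# NOTE(review): depending on the apt version, `apt-get upgrade <pkg>` may
# still upgrade every pending package; `apt-get install --only-upgrade <pkg>`
# limits the change to the named package — confirm which is intended.
for PKGS in $(apt-get -s upgrade | grep -A 1 'The following packages will be upgraded:' | tail -n 1); do
  # The loop body used ${PKS}, an unset name, so every pass ran a bare
  # `apt-get upgrade` instead of naming the package.
  apt-get upgrade "${PKGS}"
done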