Make ownership check consistent with cmk-agent 2.1

The new CheckMK agent uses UID 998 (dynamic) for itself. This causes
ownership problems with the old logic of this check. Move instead to a
range, where the UIDs from 200-599 are reserved for administrators, and
check for this range explicitly. Also eliminates the exceptions for ceph
and 2000 from previous iterations.

oneshot/update-pvc-cluster.yml

@@ -48,18 +48,12 @@
         state: "absent"
         force: "yes"
 
-    - name: check library freshness
+    - name: check freshness
-      command: /usr/lib/check_mk_agent/plugins/freshness
+      command: /usr/sbin/needrestart -p
       register: freshness
       changed_when: freshness.rc == 1
       failed_when: false
     
-    - name: check kernel version
-      command: /usr/lib/check_mk_agent/plugins/kernelversion
-      register: kernelversion
-      changed_when: kernelversion.rc == 1
-      failed_when: false
-   
     - name: restart system cleanly
       block:
         - name: secondary node
@@ -204,7 +198,7 @@
 
         - name: reset any systemd failures
           command: systemctl reset-failed
-      when: freshness.changed or kernelversion.changed
+      when: freshness.changed
 
     - name: wait 30 seconds for system to stabilize
       pause:

roles/base/files/usr/lib/check_mk_agent/plugins/freshness

@@ -1,52 +1,103 @@
-#!/bin/bash
+#!/usr/bin/env python
 
-# Open file handle freshness check for Check_MK
+# Check for freshness of various components using needrestart
-# Installed by PVC ansible
 
-OK=0
+import subprocess
-WARNING=1
+import re
+import json
 
-FRESHNESS="$( lsof -Fcftn / 2>/dev/null | grep -v '/tmp' | \
+try:
-awk '
+    nrout = subprocess.run(["/usr/sbin/needrestart", "-b"], timeout=5, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-{
+except subprocess.TimeoutExpired:
-    field=substr($0,1,1);
+    exit(2)
-    data=substr($0,2);
+except Exception:
-    if (field=="f") {
+    exit(1)
-        file_descriptor=data;
-    } else if (field=="t") {
-        file_type=data;
-    } else if (field=="c") {
-        command_name=data;
-    } else if (field=="n" && file_descriptor=="DEL" && file_type=="REG") {
-        name=data;
-        file[command_name]++;
-    }
-}
-END {
-    for (name in file) {
-        error++;
-    # Skip these problematic programs
-    if (name=="systemd-udevd") { continue; }
-    if (name=="pulseaudio") { continue; }
-    if (name=="light-locker") { continue; }
-    if (name=="at-spi-bus-laun") { continue; }
-    if (name=="node") { continue; }
-    if (error_name) { error_name=error_name " " };
-        error_name=error_name name;
-    }
-    if (error_name) {
-        print error_name;
-        exit error;
-    } else {
-        exit;
-    }
-}' )";
 
-echo "<<<freshness>>>"
+stdout = nrout.stdout.decode("ascii").split('\n')
-if [ "$FRESHNESS" ]; then
+stderr = nrout.stdout.decode("ascii").split('\n')
-    echo "Applications needing restart: $FRESHNESS"
+
-    exit $WARNING
+# Output data structure after parsing needrestart output
-else
+data = {
-    echo "No applications needing restart"
+    'kernel': {
-    exit $OK
+        'current': None,
-fi
+        'pending': None,
+        'state': 0,
+    },
+    'microcode': {
+        'current': None,
+        'pending': None,
+        'state': 0,
+    },
+    'services': {
+        'count': 0,
+        'list': list(),
+    },
+    'containers': {
+        'count': 0,
+        'list': list(),
+    },
+    'sessions': {
+        'count': 0,
+        'list': list(),
+    },
+}
+
+# NEEDRESTART-VER: 3.4
+# NEEDRESTART-KCUR: 4.19.0-6-amd64
+# NEEDRESTART-KEXP: 4.19.0-20-amd64
+# NEEDRESTART-KSTA: 3
+# NEEDRESTART-UCSTA: 2
+# NEEDRESTART-UCCUR: 0xb000038
+# NEEDRESTART-UCEXP: 0xb000040
+# NEEDRESTART-SVC: acpid
+# NEEDRESTART-SVC: cron
+# NEEDRESTART-SVC: irqbalance
+# NEEDRESTART-SVC: mcelog
+# NEEDRESTART-SVC: munin-node
+# NEEDRESTART-SVC: ntp
+# NEEDRESTART-SVC: ssh
+# NEEDRESTART-SVC: syslog-ng
+# NEEDRESTART-SVC: trousers
+# NEEDRESTART-SVC: watchdog
+# NEEDRESTART-SVC: wd_keepalive
+# NEEDRESTART-CONT: LXC web1
+# NEEDRESTART-SESS: metabase @ user manager service
+# NEEDRESTART-SESS: root @ session #28017
+
+# STA:
+#  0: unknown or failed to detect
+#  1: no pending upgrade
+#  2: ABI compatible upgrade pending
+#  3: version upgrade pending
+
+for line in stdout:
+    # Kernel version
+    if re.match(r'^NEEDRESTART-KSTA', line):
+        data['kernel']['state'] = int(line.split(': ')[-1])
+    elif re.match(r'^NEEDRESTART-KCUR', line):
+        data['kernel']['current'] = line.split(': ')[-1]
+    elif re.match(r'^NEEDRESTART-KEXP', line):
+        data['kernel']['pending'] = line.split(': ')[-1]
+    # Microcode version
+    elif re.match(r'^NEEDRESTART-UCSTA', line):
+        data['microcode']['state'] = int(line.split(': ')[-1])
+    elif re.match(r'^NEEDRESTART-UCCUR', line):
+        data['microcode']['current'] = line.split(': ')[-1]
+    elif re.match(r'^NEEDRESTART-UCEXP', line):
+        data['microcode']['pending'] = line.split(': ')[-1]
+    # Services needing restart
+    elif re.match(r'^NEEDRESTART-SVC', line):
+        data['services']['count'] += 1
+        data['services']['list'].append(' '.join(line.split(': ')[1:]))
+	# Containers needing restart
+    elif re.match(f'^NEEDRESTART-CONT', line):
+        data['containers']['count'] += 1
+        data['containers']['list'].append(' '.join(line.split(': ')[1:]))
+    # Sessions needing restart
+    elif re.match(f'^NEEDRESTART-SESS', line):
+        data['sessions']['count'] += 1
+        data['sessions']['list'].append(' '.join(line.split(': ')[1:]))
+
+print("<<<freshness>>>")
+print(json.dumps(data))
+exit(0)

roles/base/files/usr/lib/check_mk_agent/plugins/kernelversion

@@ -1,14 +0,0 @@
-#!/bin/bash
-OK=0
-WARNING=1
-
-echo "<<<kernelversion>>>"
-ACTIVE="$( uname -v | awk '{ print $4" "$5 }' )"
-ONDISK="$( strings /vmlinuz | grep 'Debian' | head -1 | awk '{ print $6" "$7 }' )"
-echo ${ACTIVE}
-echo ${ONDISK}
-if [[ ${ACTIVE} != ${ONDISK} ]]; then
-    exit $WARNING
-else
-    exit $OK
-fi

roles/base/files/usr/lib/check_mk_agent/plugins/ownership

@@ -1,16 +1,18 @@
 #!/bin/bash
 
 # File ownership check for Check_MK
+# Ensures that no files outside of homedirs are owned by administrative users
 # Installed by PVC ansible
 
-UID_MAX=199
+ADMIN_UID_MIN=200
+ADMIN_UID_MAX=599
 # http://www.debian.org/doc/debian-policy/ch-opersys.html
 # 0-99: Globally allocated by the Debian project
-# 100-199: (PVC) Dynamically allocated system users and groups
+# 100-199: (PVC) Dynamically allocated system users
 # 200-299: (PVC) provisioning users
 # 300-499: (PVC) reserved
 # 500-599: (PVC) system administrators
-# 600-999: (PVC) reserved
+# 600-999: (PVC) Dynamically allocated service users
 # 64045:   (PVC) ceph
 
 function is_element_of {
@@ -43,7 +45,7 @@ for FILESYSTEM in ${FILESYSTEMs[@]}; do
             fi
         fi
         FILEs+=($FILE)
-    done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
+    done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \
         -not \( -type d -a \( -path /media -o -path /mnt \) \) \
         -not \( -name '.*.swp' -a -mtime -3 \) \
         -not \( -path '*/.git' -o -path '*/.git/*' \) \

roles/base/tasks/main.yml

@@ -238,6 +238,7 @@
       - sysstat
       - binutils
       - deborphan
+      - needrestart
       - wget
       - curl
       - gawk
@@ -619,7 +620,6 @@
     - entropy
     - freshness
     - ipmi
-    - kernelversion
     - ownership
   tags: base-cmkagent