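#!/bin/sh
#
# Generate cache of patch data for consumption by Puppet custom facts.
#
# Writes one package name per line into files under DATADIR:
#   package_updates, security_package_updates, os_version_locked_packages,
#   catalog_version_locked_packages, mismatched_version_locked_packages,
#   reboot_required, apps_to_restart
# and then asks the agent to upload the refreshed facts.
#
# A PID lockfile prevents concurrent runs. A lock whose owner no longer exists
# (crash, SIGKILL) is treated as stale and replaced instead of blocking forever.
#
# Exit status: 0 on success or when another live run holds the lock,
#              1 on unsupported osfamily or missing DATADIR,
#              255 when interrupted by INT/QUIT/TERM.
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin
export PATH

LOCKFILE=/var/run/os_patching_fact_generation.lock
TAG=os_patching_fact_generation.sh

# log PRIORITY MESSAGE -- send MESSAGE to syslog tagged with this script's name.
log() {
  logger -p "$1" -t "$TAG" "$2"
}

# acquire_lock -- create LOCKFILE atomically (noclobber, O_EXCL) holding our PID.
# Returns 0 when the lock is ours, 1 when another live process holds it.
# A lock whose recorded PID is unreadable or no longer running is stale and is
# removed before retrying once.
acquire_lock() {
  if ( set -C; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then
    return 0
  fi
  OLDPID=$(cat "$LOCKFILE" 2>/dev/null)
  case "$OLDPID" in
    ''|0|*[!0-9]*)
      # Empty or non-numeric contents: nothing to probe, treat as stale.
      ;;
    *)
      # kill -0 only tests for existence of the process; it sends no signal.
      if kill -0 "$OLDPID" 2>/dev/null; then
        return 1
      fi
      ;;
  esac
  log warning "replacing stale lockfile $LOCKFILE (pid '$OLDPID')"
  rm -f -- "$LOCKFILE"
  ( set -C; echo "$$" > "$LOCKFILE" ) 2>/dev/null
}

# yum_updates [YUM-OPTIONS] -- print the names of packages with pending updates.
# yum check-update may append advisory lines such as
#   Security: kernel-3.14.6-200.fc20.x86_64 is an installed security update
# that start with an alphanumeric and would otherwise be taken as package
# names, so they are filtered out together with plugin/broken-dependency noise.
yum_updates() {
  yum -q "$@" check-update 2>/dev/null \
    | grep -E -v '^Security:|is broken|^Loaded plugins' \
    | awk '/^[[:alnum:]]/ {print $1}'
}

# write_list "ITEMS" FILE -- write the whitespace-separated ITEMS to FILE, one
# per line, truncating FILE first (an empty ITEMS yields an empty file).
write_list() {
  : > "$2"
  # $1 is deliberately unquoted: it is a newline-separated package list.
  for item in $1; do
    printf '%s\n' "$item"
  done >> "$2"
}

if ! acquire_lock; then
  echo "Locked, exiting" >&2
  exit 0
fi
# From here on the lock is ours: release it on every exit path, including the
# signal exits below (exit inside a signal trap still runs the EXIT trap).
trap 'rm -f -- "$LOCKFILE"' EXIT
trap 'exit 255' INT QUIT TERM

# Query facter once; the value is needed again for the reboot check below.
OSFAMILY=$(facter osfamily)
case "$OSFAMILY" in
  RedHat)
    PKGS=$(yum_updates)
    SECPKGS=$(yum_updates --security)
    VERSIONLOCK=/etc/yum/pluginconf.d/versionlock.list
    HELDPKGS=''
    if [ -f "$VERSIONLOCK" ]; then
      # Entries are expected as epoch:name-version-release.arch. The name is
      # recovered by stripping arch, release and version from the right, so
      # hyphenated names (python-requests, compat-gcc-34) survive intact.
      HELDPKGS=$(awk -F: '/:/ { n = $2; sub(/\.[^.]*$/, "", n); sub(/-[^-]*$/, "", n); sub(/-[^-]*$/, "", n); print n }' "$VERSIONLOCK")
    fi
    ;;
  Suse)
    # Table output: keep data rows ('|'), drop the header, take the name
    # column and trim the surrounding whitespace.
    PKGS=$(zypper --non-interactive --no-abbrev --quiet lu | grep '|' | grep -v '\sRepository' | awk -F'|' '/^[[:alnum:]]/ {print $3}' | sed 's/^\s*\|\s*$//')
    SECPKGS=$(zypper --non-interactive --no-abbrev --quiet lp -g security | grep '|' | grep -v '^Repository' | awk -F'|' '/^[[:alnum:]]/ {print $2}' | sed 's/^\s*\|\s*$//')
    HELDPKGS=$(zypper --non-interactive --no-abbrev --quiet ll | grep '|' | grep -v '^Repository' | awk -F'|' '/^[[:alnum:]]/ {print $2}' | sed 's/^\s*\|\s*$//')
    ;;
  Debian)
    # Simulate once and derive both lists from the same snapshot; the 'Inst'
    # lines name the packages that would be upgraded.
    APT_SIM=$(apt upgrade -s 2>/dev/null)
    PKGS=$(printf '%s\n' "$APT_SIM" | awk '$1 == "Inst" {print $2}')
    SECPKGS=$(printf '%s\n' "$APT_SIM" | awk '$1 == "Inst" && /security/ {print $2}')
    # NOTE(review): dpkg selections may carry an ":arch" suffix on multiarch
    # hosts; catalog titles usually do not -- confirm before relying on the
    # mismatch file for such packages.
    HELDPKGS=$(dpkg --get-selections | awk '$2 == "hold" {print $1}')
    ;;
  *)
    log error "unsupported osfamily '$OSFAMILY', exiting"
    exit 1
    ;;
esac

DATADIR='/var/cache/os_patching'
UPDATEFILE="$DATADIR/package_updates"
SECUPDATEFILE="$DATADIR/security_package_updates"
OSHELDPKGFILE="$DATADIR/os_version_locked_packages"
CATHELDPKGFILE="$DATADIR/catalog_version_locked_packages"
MISMATCHHELDPKGFILE="$DATADIR/mismatched_version_locked_packages"
REBOOT_REQUIRED="$DATADIR/reboot_required"
APPS_TO_RESTART="$DATADIR/apps_to_restart"

# Fail before doing any work if the cache directory is absent.
if [ ! -d "$DATADIR" ]; then
  log error "Can't find ${DATADIR}, exiting"
  exit 1
fi

# Titles of Package resources whose ensure value is an explicit version
# (contains a digit). Resources without parameters/ensure are skipped via
# .to_h/.to_s instead of raising NoMethodError.
CATALOG="$(facter -p puppet_vardir)/client_data/catalog/$(facter fqdn).json"
VERSION_LOCK_FROM_CATALOG=''
if [ -f "$CATALOG" ]; then
  VERSION_LOCK_FROM_CATALOG=$(/opt/puppetlabs/puppet/bin/ruby -e "require 'json'; json_hash = JSON.parse(ARGF.read); json_hash['resources'].select { |r| r['type'] == 'Package' and r['parameters'].to_h['ensure'].to_s.match /\d.+/ }.each do | m | puts m['title'] end" "$CATALOG")
fi

write_list "$PKGS" "$UPDATEFILE"
write_list "$SECPKGS" "$SECUPDATEFILE"
write_list "$HELDPKGS" "$OSHELDPKGFILE"

: > "$MISMATCHHELDPKGFILE"
: > "$CATHELDPKGFILE"
for CATHELD in $VERSION_LOCK_FROM_CATALOG; do
  # Literal whole-line match: titles such as libstdc++6 contain regex
  # metacharacters and must not be interpreted as a pattern.
  if ! grep -Fxq -- "$CATHELD" "$OSHELDPKGFILE"; then
    printf '%s\n' "$CATHELD" >> "$MISMATCHHELDPKGFILE"
  fi
  printf '%s\n' "$CATHELD" >> "$CATHELDPKGFILE"
done

if [ -f '/usr/bin/needs-restarting' ]; then
  case $(facter os.release.major) in
    6)
      # EL6 needs-restarting has no -r: a failure, or any process listed,
      # is taken to mean a reboot is required.
      if /usr/bin/needs-restarting 2>/dev/null > "$APPS_TO_RESTART" \
         && [ "$(wc -l < "$APPS_TO_RESTART")" -eq 0 ]; then
        echo "false" > "$REBOOT_REQUIRED"
      else
        echo "true" > "$REBOOT_REQUIRED"
      fi
      ;;
    *)
      # EL7 and later: -r reports via its exit status whether a reboot is
      # needed (non-zero means yes).
      if /usr/bin/needs-restarting -r >/dev/null 2>&1; then
        echo "false" > "$REBOOT_REQUIRED"
      else
        echo "true" > "$REBOOT_REQUIRED"
      fi
      /usr/bin/needs-restarting 2>/dev/null | sed 's/[[:space:]]*$//' > "$APPS_TO_RESTART"
      ;;
  esac
else
  # No needs-restarting available: make sure the fact files exist at all.
  touch "$APPS_TO_RESTART"
  touch "$REBOOT_REQUIRED"
fi

case "$OSFAMILY" in
  Debian|Suse)
    # These distributions flag a pending reboot with a marker file.
    if [ -f '/var/run/reboot-required' ]; then
      echo "true" > "$REBOOT_REQUIRED"
    else
      echo "false" > "$REBOOT_REQUIRED"
    fi
    touch "$APPS_TO_RESTART"
    ;;
esac

puppet facts upload >/dev/null 2>&1
log info "patch data fact refreshed"
exit 0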