While the topic of opkg upgrade operations appears to be still a matter of discussion (and rightly so, as I had to learn myself :-)), I need to be able to find out if outdated (upgradable) packages are present.
Short of a ready-made check_apt I want my NRPE monitor to check on this. However, the nrpe process runs as a non-privileged nagios user and so:
$ opkg update
Collected errors:
* opkg_conf_load: Could not create lock file /var/lock/opkg.lock: Permission denied.
The same happens for opkg list-upgradable, but of course it'd need to update the package lists first before it can check for upgradable packages.
The upstream (?) version of opkg understands a lock_file option in its configuration file, but the OpenWRT version doesn't seem to have this. I fiddled around with some other commandline switches but for some reason this didn't work, and no error is printed, even with -V3:
$ cat /var/run/nagios/opkg.conf
dest root /var/run/nagios
dest ram /tmp
$ opkg --conf /var/run/nagios/opkg.conf --offline-root /var/run/nagios --dest root; echo $?
0
So, in spite of knowing of the dangers of upgrading, is there a way to run opkg as a non-root user to be able to check for upgradable packages?
Oh, and I don't want to install sudo as I did not want to have any SUID executables in the router. As a workaround, a recurring (root) cron job writes the list of upgradable packages to a file and the NRPE user is then able to check on that file, but I'd rather have this w/o that workaround.
For this particular problem - the inability to write to /var/lock, you can create a new group lock. Add the nagios user to it. Then chown root:lock /var/lock.
But you'll still have the problem writing to the files in /var/opkg-lists. You could try a similar technique: chmod g+w lock /var/opkg-lists/*. You might need to make the folder itself group-owned and writeable by group lock as well.
Alternatively, the solution where you just update the package list via an hourly/daily cron job, do the opkg list-upgradable into a file somewhere and then use your nagios script to cat the output strikes me as the best solution unless you actually need an on-demand update of the package list.
1 Like
Thank you for responding. Yes, adjusting permissions and ownerships of all involved files and directories would have helped indeed. I was hoping for some magic opkg switches that would make tinkering with chown/chmod unnecessary, but apparently those magic switches do not exist in that opkg version.
I'll continue to use that cron workaround then. However, for completeness' sake, and if anyone comes across this post and wants to try this:
$ echo 'lock:x:54:nagios' >> /etc/group
$ chgrp lock /var/lock/
$ chmod g+w /var/lock/
And, for the package lists:
$ chgrp -R lock /var/opkg-lists/
$ chmod g+ws /var/opkg-lists/
For some reason I had one key file in /etc/opkg/keys/ that was not world-readable and so the signature verification failed, causing newly downloaded package lists to be deleted:
$ chmod a+r /etc/opkg/keys/f94b9dd6febac963
With all that in place, both opkg update and opkg list-upgradable work as the nagios user. But, as mentioned above, the cron thingy is way less invasive and more stable, as these permission and ownership changes may get reset on the next sysupgrade.
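
The cron workaround both posts settle on, sketched as an added example (not code from the thread): a root cron job writes the opkg list-upgradable output to a file, and this NRPE plugin, run as the nagios user, only reads it. The state file path, the crontab line, the plugin path and the age limit are assumptions, as is date -r FILE printing the file's mtime (BusyBox and GNU date).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed root crontab entry; the path
# /var/run/opkg-check is hypothetical and should be a root-owned directory
# (mode 755) so the nagios user can read the state file but not replace it:
#   17 * * * * opkg update >/dev/null 2>&1 && opkg list-upgradable >/var/run/opkg-check/new && mv /var/run/opkg-check/new /var/run/opkg-check/upgradable
# If opkg update fails, the old file stays in place and simply ages, so the
# age check below reports a broken cron job as UNKNOWN rather than a false OK.

# check_opkg_upgradable FILE MAX_AGE_SECONDS
# Prints one Nagios status line; returns 0=OK, 1=WARNING, 3=UNKNOWN.
check_opkg_upgradable() {
    file=$1
    max_age=$2

    if [ ! -r "$file" ]; then
        echo "UNKNOWN - cannot read $file"
        return 3
    fi

    # Assumption: date -r FILE prints the file's mtime (BusyBox and GNU date).
    now=$(date +%s)
    mtime=$(date -r "$file" +%s) || { echo "UNKNOWN - cannot stat $file"; return 3; }
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
        echo "UNKNOWN - $file is ${age}s old (limit ${max_age}s)"
        return 3
    fi

    # opkg list-upgradable prints "name - installed - available" per package.
    summary=$(awk -F' - ' 'NF >= 3 { n++; names = names sep $1; sep = "," }
                           END { print n + 0, names }' "$file")
    count=${summary%% *}
    names=${summary#* }
    if [ "$count" -gt 0 ]; then
        echo "WARNING - $count upgradable package(s): $names | upgradable=$count"
        return 1
    fi
    echo "OK - no upgradable packages | upgradable=0"
    return 0
}

# Run as a plugin only when a state file is given, e.g. in nrpe.cfg:
#   command[check_opkg]=/usr/local/bin/check_opkg.sh /var/run/opkg-check/upgradable 7200
if [ $# -gt 0 ]; then
    check_opkg_upgradable "$1" "${2:-7200}"
    exit $?
fi
```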