Now and again Debian package repositories change their signature key. When that happens, apt-get update usually starts failing. The problem is however, that icinga’s check_apt will not notice.

The technical reason for that is that apt-get update needs root rights in order to update its index. Which it doesn’t since the icinga check runs under the nagios (or icinga) user and doesn’t have those rights.

Here’s the necessary components to monitor whether apt-get update works. They get deployed by an ansible role, but can be used standalone.

$ cd roles/icinga2/check-apt-update

$ find
files
files/icinga2
files/icinga2/zones.d
files/icinga2/zones.d/global
files/icinga2/zones.d/global/apt-check-update.conf
files/check_apt_update
files/sudo
files/sudo/check-apt-update
tasks
tasks/main.yml
$ cat files/icinga2/zones.d/global/apt-check-update.conf
object CheckCommand "apt_update" {
  import "plugin-check-command"

  command = [ PluginDir + "/check_apt_update" ]
}

template Service "apt-update-service" {
  import "generic-service"

  # only check once a day if `apt-get update` works
  # since this is an expensive operation
  check_interval = 24h

  check_command = "apt_update"
}

# check should be active in all zones that do not
# explicitly disable it
#
apply Service "apt-update" {
  import "apt-update-service"

  assign where !regex("apt-update", host.vars.exclude_services
}
$ cat ./files/check_apt_update
#!/bin/sh

tmp=$( mktemp )
sudo apt-get update > "$tmp" 2>&1 

if grep '^W: ' "$tmp" || \
   grep '^Err: ' "$tmp"; then
  echo "CRITICAL - there was a problem with apt-get update"
  EXIT=2 # CRITICAL
else
  echo "OK - apt-get update executed successfully"
  EXIT=0 # OK
fi

rm "$tmp"
exit $EXIT
$ cat ./files/sudo/check-apt-update
# Allow the nagios user to execute `apt-get update`
nagios          ALL=NOPASSWD: /usr/bin/apt-get update
$ cat ./tasks/main.yml
- block:

  - name: install check_apt_update
    copy:
      src: check_apt_update
      dest: /usr/lib/nagios/plugins
      mode: +x
  
  - name: allow check_apt_update to run apt-get update
    copy:
      src: sudo/check-apt-update
      dest: /etc/sudoers.d
  
  # we are assuming here that the icinga master host is called `sysmon`
  #
  - name: add icinga2 definition for check_apt_update to sysmon
    copy:
      src: icinga2/zones.d/global/apt-check-update.conf
      dest: /etc/icinga2/zones.d/global/
    delegate_to: sysmon
    register: check_apt_update_install
  
  - name: reload icinga2
    service: name=icinga2 state=reloaded
    delegate_to: sysmon
    when: check_apt_update_install.changed

  when: ansible_os_family == 'Debian'

If you feel like you would want to create an ansible collection for this and put it on Github and into ansible galaxy then please feel welcome to do so. I’d be kind if you let me know and if the repo noted the origin of the code in the credits. The code is under the GPL. If you think that should be different the let me know why.

Happy sysadmin’ing.