This commit implements replacement functions for the previous
exec functions.
The replacements are implemented in a more "pure" style, the do no
longer receive pointer arguments which they will write to, but create
the pointers themselves and should therefore be easier to use,
since it is more obvious what goes in and what comes out.
Also a essentialy unused variable was removed with this.
This is a breaking change.
Testing whether a TLS certificate is still valid (expiration wise)
is now the default in check_smtp.
The reasoning is, that in most scenarios an expired certificate
will effectively mean that the service is not working anymore due to
the refusal of other software to talk to it.
There is a new cli parameter though to explicitly ignore that.
If the status line from a server ended with '\n' instead
of '\r\n' (defined by RFC 9112), check_curl failed to parse it
and exited with an alarm.
The RFC recommends to be lenient here and this change follows that
suggestion.
Due to MySQL changing several term in Version 8.0.22 the way to
determine the status of replicas has changed.
To adapt to these changes in a517dc614e
check_mysql was modified to adapt to different versions.
Some parts were missed though which results in failures to detect
the replica status properly.
This parts should be contained in this commit.
In the Debian Bug tracker (and then Github) a person pointed out,
that a MySQL server does not respond with a hint that is indeed the
MySQL software but only with the version string.
Which makes sense if one assumes to be the only implementation.
This commit changes the behaviour of the Replica check to assume
that the counterpart is a MySQL server if there are not hints that
it is a MariaDB server.
Fix build of check_swap for both CHECK_SWAP_SWAPCTL_SVR4 and
CHECK_SWAP_SWAPCTL_BSD build guards.
> $ make check_swap
> CC check_swap.d/swap.o
> check_swap.d/swap.c:58:32: error: too few arguments to function call, single argument 'config' was not specified
> 58 | return getSwapFromSwapctl_BSD();
> | ~~~~~~~~~~~~~~~~~~~~~~ ^
> ././check_swap.d/check_swap.h:48:13: note: 'getSwapFromSwapctl_BSD' declared here
> 48 | swap_result getSwapFromSwapctl_BSD(swap_config config);
> | ^ ~~~~~~~~~~~~~~~~~~
> 1 error generated.
> *** Error 1 in [...]/monitoring-plugins/plugins (Makefile:2869 'check_swap.d/swap.o': @echo " CC ...)
check_by_ssh no longer returns UNKNOWN if ssh(1) returns data on stderr.
But it can be enforced again by the new "--unknown-on-stderr" option.
---
The default logic of check_by_ssh results in an UNKNOWN state if the
ssh(1) process produces output on stderr. Using the "--skip-stderr=[n]"
option allows ignoring a certain amount of lines or disabling this check
altogether. Furthermore, passing the "--warn-on-stderr" option reduces
the exit code to WARNING.
The "--help" output does not document this behavior, only states that
"--warn-on-stderr" will result in the WARNING, but does not mention the
UNKNOWN by default.
The man page of ssh(1) mentions that debug information is logged to
stderr. This conflicts with the described logic, resulting in
check_by_ssh to go UNKNOWN, unless additional options are set.
Starting with OpenSSH version 10.1, ssh(1) will report warnings to
stderr if the opposite server does not support post-quantum
cryptography, <https://www.openssh.com/pq.html>.
This change, slowly being rolled out throughout the next months/years,
might result in mass-breakages of check_by_ssh.
By introducing a new "--unknown-on-stderr" option, enforcing the prior
default logic of an UNKNOWN state for data on stderr, and ignoring
output on stderr by default, check_by_ssh will continue to work. One
might even argue that this change converges actual implementation and
the documented behavior, as argued above.
---
$ ssh example '/usr/lib/nagios/plugins/check_dummy 0 demo'
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
OK: demo
$ echo $?
0
$ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo'
OK: demo
$ echo $?
0
$ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo' --warn-on-stderr
Remote command execution failed: ** WARNING: connection is not using a post-quantum key exchange algorithm.
$ echo $?
1
$ ./check_by_ssh -H example -C '/usr/lib/nagios/plugins/check_dummy 0 demo' --unknown-on-stderr
Remote command execution failed: ** WARNING: connection is not using a post-quantum key exchange algorithm.
$ echo $?
3
---
Fixes#2147.
