Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Auto update check, checks for updates to base system + packages and sends email alerts

    Installation and Upgrades
    10
    18
    5785
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • luckman212
      luckman212 LAYER 8 last edited by luckman212

      Here's an "automatic update checker" for pfSense. The script will check for major updates to the base pfSense system, as well as updates to any builtin or installed packages. If any updates are found, an email summary will be sent out with the details.

      I wanted to put this out there now, get feedback, comments etc. My goal is to make this into an actual pfSense package to make it simpler to install, but I'm still learning how to create packages. This should still be useful as-is. (Any pointers anyone has on getting this cobbled together into a real package would be greatly appreciated!)

      To install:

      • Save the script below as pkg_check.php in your /root directory
      • Set it up to run on whatever schedule you like using the Cron package. A sample screenshot* of how to configure the script is below.
      • Make sure you have valid SMTP (or Pushover) settings defined on your firewall so you can get the alerts!
      • For a Pushover version, use this gist instead (n.b: if you just want to send alerts to all of your configured targets, see the note on line 89 and make that small change)

      0_1542120802395_25ee79b8-8ba5-4e6c-bfb4-1156fb27b2e3-image.png
      *if you want to copy/paste the Cron command, use: /usr/local/bin/php -q /root/pkg_check.php

      pkg_check.php: (I also have a gist up at github if you find that easier to read/copy)

      <?php
      
        require_once("pkg-utils.inc");
        require_once("notices.inc");
        require_once("util.inc");
      
        $msg = null;
        $pmsg = null;
        $p = 0;
      
        log_error("Starting update check");
      
        // pfSense base system check
        $system_version = get_system_pkg_version(false, false);
        if ($system_version === false) {
          printf("%s\n", 'Unable to check for updates');
          log_error("Unable to check for updates, exiting");
          exit;
        }
      
        if (!is_array($system_version) ||
          !isset($system_version['version']) ||
          !isset($system_version['installed_version'])) {
          printf("%s\n", 'Error in version information');
          log_error("Error in version information, exiting");
          exit;
        }
      
        switch ($system_version['pkg_version_compare']) {
          case '<':
            //printf("%s%s%s\n", "pfSense version ", $system_version['version'], " is available");
            $msg = "An update to pfSense version " . $system_version['version'] . " is available\n\n";
            break;
          case '=':
            //printf("%s%s%s\n", "pfSense version ", $system_version['version'], " (installed) is current");
            break;
          case '>':
            printf("%s%s%s\n", "pfSense version ", $system_version['installed_version'], " is NEWER than the latest available version ", $system_version['version']);
            $msg = "pfSense version " . $system_version['version'] . " is available (downgrade)\n\n";
            break;
          default:
            printf("%s\n", 'Error comparing installed with latest version available');
            log_error("Error comparing installed with latest version available");
            break;
        }
      
        // package check
        $package_list = get_pkg_info('all', true, true);
        $installed_packages = array_filter($package_list, function($v) {
          return (isset($v['installed']) && isset($v['name']));
        });
      
        if (empty($installed_packages)) {
          printf("%s\n", 'No packages installed');
          log_error("No packages installed, exiting");
          exit;
        }
      
        foreach ($installed_packages as $pkg) {
          if (isset($pkg['installed_version']) && isset($pkg['version'])) {
            //printf("%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version']);
            $version_compare = pkg_version_compare($pkg['installed_version'], $pkg['version']);
            if ($version_compare != '=') {
              $p++;
              $pmsg .= "\n".$pkg['shortname'].': '.$pkg['installed_version'].' ==> '.$pkg['version'];
              if ($version_compare == '>') {
                $pmsg .= ' (downgrade)';
              }
              printf("%s%s%s%s%s\n", $pkg['shortname'], ': ', $pkg['installed_version'], ' ==> ', $pkg['version']);
            }
          }
        }
      
        if ($p > 0) {
          $msg = $msg . "The following updates are available and can be installed using System > Package Manager:\n" . $pmsg;
        }
      
        // check for updates to builtin packages
        exec("/usr/sbin/pkg upgrade -n | /usr/bin/sed -ne '/UPGRADED/,/^$/p'", $output, $retval);
        if (($retval == 0) && (count($output))) {
          $msg .= "\n\n" . "Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:\n\n";
          array_shift($output);
          $msg .= implode("\n", array_map('ltrim', $output));
        }
      
        if (!empty($msg)) {
          log_error("Updates were found - sending email");
          notify_via_smtp($msg);
          // to send alerts to ALL configured targets
          // (email, Pushover, Slack etc) use the line below instead:
          // notify_all_remote($msg);
        }
      
        log_error("Update check complete");
      
      ?>
      
      A 1 Reply Last reply Reply Quote 17
      • stephenw10
        stephenw10 Netgate Administrator last edited by

        Needs more blinkenlight action! 😉

        Steve

        1 Reply Last reply Reply Quote 0
        • wgstarks
          wgstarks last edited by

          Pkg update notification has been at the top of my wish list for a while. I’ll difinately give this a try.

          Box: SG-3100
          CPU: ARM v7 Cortex-A9 @ 1.6 GHz with NEON SIMD and FPU

          1 Reply Last reply Reply Quote 0
          • wgstarks
            wgstarks last edited by

            This works great btw. Only problem I had getting it setup was a typo due to the fact that I missed a space in your cron screenshot.

            Box: SG-3100
            CPU: ARM v7 Cortex-A9 @ 1.6 GHz with NEON SIMD and FPU

            1 Reply Last reply Reply Quote 0
            • luckman212
              luckman212 LAYER 8 last edited by luckman212

              Glad to hear you got it working! I added a little text block below the screenshot to make it copy/pasteable.

              1 Reply Last reply Reply Quote 0
              • Gil
                Gil Rebel Alliance last edited by

                Nice job, like the way you set out the easy copy & paste also

                11 cheers for binary

                1 Reply Last reply Reply Quote 0
                • Raffi_
                  Raffi_ last edited by

                  @luckman212 Thanks for this it works great!

                  I notice the email notification mentioned updating packages that are not in the package manager via pkg update. There were a few packages not in the package manager which had new versions. I did the update and all went well. However, I was reading that the pkg update (FreeBSD method?) is not a supported pfSense update method.
                  https://forum.netgate.com/topic/118626/pkg-update-upgrade-vs-console-webgui-updates
                  In there it mentions the only methods supported are the GUI update and option 13 from console/SSH. This particular thread did not mention the GUI method for updating packages but that must be supported as well.
                  My guess is as long as updates to the actual pfSense version and installed packages are done via the GUI and/or option 13, then updating the remaining packages via pkg update should not be an issue?

                  Thanks,
                  Raffi

                  Grimson luckman212 2 Replies Last reply Reply Quote 0
                  • Grimson
                    Grimson Banned @Raffi_ last edited by

                    @raffi_ said in Auto update check, checks for updates to base system + packages and sends email alerts:

                    I notice the email notification mentioned updating packages that are not in the package manager via pkg update.

                    Probably those: https://forum.netgate.com/topic/140637/update-pfsense-packages-to-protect-against-nginx-libzmq4-and-curl-vulnerabilities you better update them.

                    1 Reply Last reply Reply Quote 1
                    • Raffi_
                      Raffi_ last edited by

                      @Grimson Thanks for the link. Yes, those were the exact updates which came up. I went ahead and updated them when I got the email notification thanks to the script. I'm on 2.4.4-p2. Wow they were major security updates I wouldn't have known about with this script. You learn something new everyday.

                      Thanks for the help and education guys.
                      Raffi

                      1 Reply Last reply Reply Quote 0
                      • luckman212
                        luckman212 LAYER 8 @Raffi_ last edited by

                        @raffi_ The post you linked to was pretty old. Updating via console should be safe as long as you have not messed with the repos. It's basically the same process that occurs when you update via the GUI, as pkg is always used anyway.

                        1 Reply Last reply Reply Quote 1
                        • Raffi_
                          Raffi_ last edited by

                          @luckman212 Awesome, thanks for the explanation. You're being too modest :)
                          I learned your script is not the same as the GUI update, it's actually better! The GUI didn't tell me about those vulnerabilities in the packages which required updating, but your script did.

                          Raffi

                          1 Reply Last reply Reply Quote 0
                          • A
                            atclaus @luckman212 last edited by

                            This post is deleted!
                            1 Reply Last reply Reply Quote 0
                            • O
                              Overlord last edited by

                              Nice plugin - has anybody made an Nagios or CheckMK plugin out of it?

                              R 1 Reply Last reply Reply Quote 0
                              • R
                                raidflex @Overlord last edited by

                                Will this script work with the built in pushover notifications enabled or do I need to still use SMTP?

                                luckman212 1 Reply Last reply Reply Quote 0
                                • luckman212
                                  luckman212 LAYER 8 @raidflex last edited by

                                  @raidflex Not the original one, but here's a quick modified version that should work, I haven't tested it so please give it a try.

                                  R 1 Reply Last reply Reply Quote 1
                                  • R
                                    raidflex @luckman212 last edited by

                                    @luckman212 said in Auto update check, checks for updates to base system + packages and sends email alerts:

                                    @raidflex Not the original one, but here's a quick modified version that should work, I haven't tested it so please give it a try.

                                    Looks to be working properly, thank you for the updated script!

                                    1 Reply Last reply Reply Quote 0
                                    • Referenced by  Gertjan Gertjan 
                                    • Referenced by  Gertjan Gertjan 
                                    • P
                                      pyrodex last edited by

                                      I love this script but I modified it ever so slightly to notify all configured methods setup in pfSense. If you find the line "notify_via_smtp($msg);" and replace it with "notify_all_remote($msg);" it will send out notifications to ALL configured methods. I've tested this and it works well.

                                      Thanks for all the hardwork!

                                      luckman212 1 Reply Last reply Reply Quote 1
                                      • luckman212
                                        luckman212 LAYER 8 @pyrodex last edited by

                                        @pyrodex Thanks for that contribution. I added it to the gist. One day I hope I can turn this into a proper package that has a GUI-configurable alert mode setting.

                                        1 Reply Last reply Reply Quote 2
                                        • Referenced by  Gertjan Gertjan 
                                        • Referenced by  luckman212 luckman212 
                                        • Referenced by  luckman212 luckman212 
                                        • Referenced by  fireodo fireodo 
                                        • Referenced by  K khorton 
                                        • First post
                                          Last post