Script to “centralize” checking for updates on FreeBSD

I have to administer several FreeBSD servers and I need to know which servers need updates. Even though I have a poudriere running, I also have a local ports tree on the machines, because they are either not using the poudriere yet (they have not been migrated to it) or there was some reason to have a locally compiled package.
Now I want to know daily which servers need package updates and whether any server has packages with known CVEs. Thus I update the index of the ports tree daily with the following cronjob for root:

0 3 * * * portsnap -I cron update

I have several “classes” of servers, thus I want mails for every class of server. For each class I have a cronjob like this in my personal crontab (or you could put it on one of your servers):

0 6 * * 1-5 /usr/local/scripts/check_for_updates.sh class1

The user needs to be able to log into each server with an ssh-key.


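#!/bin/sh

# Usage: check_for_updates.sh <class>
TMPFILE=$(mktemp) || exit 1
# Remove the temporary report on every exit path
trap 'rm -f "$TMPFILE"' EXIT

case "$1" in
class1)
SERVERS="server1 server2"
MAILADDRESS="my@mailaddress.foo"
;;
class2)
SERVERS="server3 server4 server5"
MAILADDRESS="my@mailaddress.foo"
;;
private)
SERVERS="privateserver1 privateserver2"
MAILADDRESS="myprivate@mailaddress.foo"
;;
*)
# Unknown class: stop instead of mailing an empty report to an empty address
echo "usage: $0 class1|class2|private" >&2
exit 1
;;
esac

# $SERVERS is left unquoted on purpose so it splits into one host per word
for i in $SERVERS; do
  echo "$i:" >> "$TMPFILE"
  # A failed connection must not be reported as "needs no updates"
  if ! versions=$(ssh "$i" "pkg version"); then
    echo "$i could not be checked" >> "$TMPFILE"
  else
    # "<" marks packages older than the version in the ports index
    update_count=$(echo "$versions" | grep -c '<')
    if [ "$update_count" -gt 0 ]; then
      echo "$i needs $update_count updates" >> "$TMPFILE"
      echo "$versions" | grep '<' >> "$TMPFILE"
    else
      echo "$i needs no updates" >> "$TMPFILE"
    fi
    echo "" >> "$TMPFILE"
    echo "" >> "$TMPFILE"
    # Audit every host: a vulnerable package may have no update available yet
    ssh "$i" "pkg audit" >> "$TMPFILE"
  fi
  echo "" >> "$TMPFILE"
  echo "" >> "$TMPFILE"
done

mail -s "$1 update status" "$MAILADDRESS" < "$TMPFILE"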
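
Since the key used by this cronjob can log into every server, it is worth limiting what that key may do on each of them. The following is an added example, not part of the original post: a forced-command wrapper that lets the key run only the two commands the script sends. The wrapper path, the key entry and the /usr/local/sbin/pkg location are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the key used by check_for_updates.sh.
# Hypothetical install path: /usr/local/scripts/pkg_report_gate.sh
# authorized_keys entry on each server (key material is a placeholder):
#   restrict,command="/usr/local/scripts/pkg_report_gate.sh" ssh-ed25519 AAAA...PLACEHOLDER updates@adminhost

# Map the command requested by the client to the exact command to run.
# Prints the permitted command and returns 0, or returns 1 to refuse.
# Only exact matches pass, so "pkg audit; sh" or "pkg delete" are refused.
permitted_command() {
  case "$1" in
    "pkg version") echo "/usr/local/sbin/pkg version" ;;  # assumed pkg path
    "pkg audit")   echo "/usr/local/sbin/pkg audit" ;;
    *)             return 1 ;;
  esac
}

# sshd passes the client's requested command in SSH_ORIGINAL_COMMAND.
gate() {
  requested="${SSH_ORIGINAL_COMMAND:-}"
  if cmd=$(permitted_command "$requested"); then
    # $cmd is one of the fixed strings above, never client input,
    # so splitting it into words here is safe.
    exec $cmd
  fi
  # Leave a trace of refused requests for later review
  logger -t pkg_report_gate "refused command: $requested" 2>/dev/null || true
  echo "command not permitted" >&2
  return 1
}

# Act only when sshd supplied a command; a login attempt without a
# command sets nothing, so the wrapper exits and no shell is started.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
  gate || exit 1
fi
```

With `restrict` in the key options, port forwarding, agent forwarding and PTY allocation are disabled for that key as well.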
