

Standard Nagios plugin

Download for openSUSE

Vendor: SUSE Linux Products GmbH
Developer: User:lrupp
License: BSD-4-Clause


  • Would you like to know which host in your server farm lacks security updates?
  • Would you like to know if there are package updates available from
  • Do you already use Nagios to monitor your hosts?

Then you want to use the Nagios Plugin: "check_zypper".


  • checking for patches with update levels "security", "recommended" and "optional"
  • checking for package updates from all enabled repositories
  • Return state can be configured depending on patch- or package level
  • automatic repository refresh before check can be configured
  • checks for unofficial packages (from unsupported repositories)
  • checks for outdated base system (SLES/openSUSE)


  -c, --critical
      A patch with this category results in critical status.
      Default: security
  -f, --releasefile
      Use the given file to get information about the distribution.
      Default: /etc/SuSE-release
  -h, --help
      Print detailed help screen
  -i, --ignore <file>
      Ignore patches/packages that are mentioned in <file>
      Just list one patch/package per line - example:
      # comment
  -o, --ignore_outdated
      Don't warn if a repository is outdated.
  -r, --refresh_repos
      Tries to refresh the repositories before checking for updates.
      Note: this may need an entry in /etc/sudoers like:
          nagios ALL = NOPASSWD: /usr/bin/zypper ref
      (and additional lines for the '-s' Option) if no check-zypp-wrapper is available.
  -s, --use_sudo
      Zypper needs root privileges on some distributions (known: 10.1 and SLE10).
      You can enable the script to use /usr/bin/sudo to start zypper.
      But don't forget to enable NOPASSWD sudo for the user starting check_zypper
      via lines like the two below in /etc/sudoers:
          nagios ALL = NOPASSWD: /usr/bin/zypper sl, \
                       /usr/bin/zypper --non-interactive --no-gpg-checks --terse list-updates
  -t, --timeout
      Just in case of problems, let's not hang Nagios and define a timeout.
      Default value is: 120 seconds
  -v, --verbose_output
      Print more information (useful only with Nagios v3.x).
  -w, --warning
      A patch with this category results in warning status.
      Default: recommended,optional
  -V, --version
      Print version information

Check the local host

For checking the local machine running the nagios daemon, add a command definition like:

define command {
       command_name    check_zypper
       command_line    $USER1$/check_zypper -v -t $ARG1$
}

and define a service definition like:

 define service{
       use                             generic-service
       host_name                       localhost
       service_description             Updates
       normal_check_interval           1440 ; once a day
       display_name                    Updates for this machine
       check_command                   check_zypper!300
 }

Check remote hosts

This example uses the Nagios Remote Plugin Executor - you need the nrpe-client package installed on the machine you want to monitor and the nrpe-server package installed on the machine running the nagios daemon for this.

First, define a command definition on your nagios server like:

define command{
       command_name check_nrpe
       command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

and a service definition like:

define service{
       use                 generic-service
       host_name           my_client
       service_description Updates
       check_command       check_nrpe!check_zypper -t 120
}

Don't run this service check too often.

Normally, you want to check this service only once or twice a day, so it might be a good idea to define an additional service template like:

define service {
       name                            one-day-service
       use                             generic-service
       normal_check_interval           1440 ; Check the service every day
       retry_check_interval            240  ; Re-check every 4 hours
       notification_interval           1440 ; Notify about a problem once a day
       register                        0    ; Template only, not a real service
}

and use this "one-day-service" in your service definition.

On the client side, add the following line to your /etc/nagios/nrpe.cfg on the client machine:


to your nagios configuration.

Refreshing or ignoring outdated repositories

Without any further option, check_zypper returns a warning state if one or more repositories are outdated (as they could contain updated packages). In addition to this warning, check_zypper still checks for updated packages/patches, but the result of that run is reported in the second line of the output.

If you want to ignore outdated repositories (this is normally the case for Build Service repositories and not for the official online update repositories), use the option '-o' or '--ignore_outdated'.

If you want to refresh all repositories automatically each time check_zypper runs, use the option '-r' or '--refresh_repos'. For SLES10, 10.1 and 10.2 based hosts, you need an additional entry in your sudoers file to get this working:

nagios ALL = NOPASSWD: /usr/bin/zypper ref

For all hosts based on openSUSE 10.3 and newer (even SLES11), this isn't necessary. To avoid confusion and to save bandwidth, option '-r' has to be enabled manually on all distributions if you want your repositories refreshed automatically.

If you are using PERMISSION_SECURITY="secure local" in /etc/sysconfig/security, check_zypper will not get the rights it needs to run /usr/sbin/zypp-refresh-wrapper. In this case, add a line like the following to /etc/permissions.local:

/usr/sbin/zypp-refresh-wrapper          root.root               4755

and run the command SuSEconfig --module permissions at least once to set the right permissions for the refresh wrapper. (Since 12.2, /usr/sbin/zypp-refresh-wrapper is gone and check_zypper can use /usr/sbin/zypp-refresh directly without any further changes.)

Running zypper on SLE10 or openSUSE 10.1 based hosts

Running zypper on SLE10 or openSUSE 10.1 needs root privileges. The plugin runs /usr/bin/zypper as the user defined in /etc/nagios/nrpe.cfg (client) or /etc/nagios/nagios.cfg (server) - which is normally the user nagios - and therefore needs root privileges for this command.

You can enable the script to use /usr/bin/sudo to start zypper via the command-line option "-s". Don't forget to enable NOPASSWD sudo for the user starting check_zypper with a line like this in /etc/sudoers:

nagios ALL = NOPASSWD: /usr/bin/zypper sl, \
                       /usr/bin/zypper --non-interactive --no-gpg-checks --terse list-updates

Now you can start and/or test the check via

check_zypper -s

If you want to refresh your repositories automatically, too, your /etc/sudoers should look like:

nagios ALL = NOPASSWD: /usr/bin/zypper ref, \
                       /usr/bin/zypper sl, \
                       /usr/bin/zypper --non-interactive --no-gpg-checks --terse list-updates
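
To verify that sudoers grants the nagios user nothing beyond the commands listed above, the following added example (not part of check_zypper) reads sudoers text on stdin and reports any other command. sudoers matches command arguments as written, and a command listed without arguments is allowed with any arguments, so such an entry is flagged. The function name is hypothetical, and aliases such as Cmnd_Alias are not resolved.

```shell
#!/bin/sh
# Added example, not part of check_zypper.
# Reads sudoers text on stdin, prints every command granted to user "nagios"
# that is not one of the three zypper invocations shown on this page, and
# returns 0 only if nothing unexpected was found.
# Usage (as root): cat /etc/sudoers /etc/sudoers.d/* | audit_nagios_sudo
audit_nagios_sudo() {
    awk '
    BEGIN {
        ok["/usr/bin/zypper ref"] = 1
        ok["/usr/bin/zypper sl"] = 1
        ok["/usr/bin/zypper --non-interactive --no-gpg-checks --terse list-updates"] = 1
    }
    {
        rule = $0
        # sudoers continues a rule on the next line after a trailing backslash
        while (rule ~ /\\[ \t]*$/ && (getline more) > 0) {
            sub(/\\[ \t]*$/, "", rule)
            rule = rule " " more
        }
        sub(/^[ \t]+/, "", rule)
        if (rule !~ /^nagios[ \t]/) next        # comments, other users
        sub(/^[^=]*=[ \t]*/, "", rule)          # drop "nagios ALL ="
        sub(/^\([^)]*\)[ \t]*/, "", rule)       # drop an optional (runas) part
        gsub(/NOPASSWD:[ \t]*/, "", rule)
        n = split(rule, cmd, ",")
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            gsub(/[ \t]+/, " ", c)              # normalise spacing
            sub(/^ /, "", c); sub(/ $/, "", c)
            if (c != "" && !(c in ok)) { print "UNEXPECTED: " c; bad = 1 }
        }
    }
    END { exit bad + 0 }'
}
```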

Define the return state

You can define the status by patch category. Available categories:

  • security
  • recommended
  • optional

Use a comma-separated list to assign more than one category to a state.

check_zypper -w recommended,optional -c security

Ignoring Patches/Package Updates

Sometimes (for whatever reason) you want to stay on a defined version of a package. But check_zypper will warn you every time about an available update for this package or a patch containing this package. To ignore this, just create a file containing patches/packages you want to ignore. You can use the '#' to comment why you've disabled warnings for the patches/packages in this file.

Just add a line like this to ignore warnings about a patch with the name 'libtiff-devel':


and a line like this to ignore an updated package with the name 'libtiff3':


You can write each patch/package on a separate line or separate them by whitespace; each entry just has to start with the word 'patch:' or 'package:'. All other lines not containing one of these words are ignored.

Afterwards, use the option '-i' or '--ignore' <file> to define the file containing your ignores.

check_zypper will not count any patch/package in this <file>, but the long output of the command will contain lines like:

Ignored Patches : libtiff-devel
Ignored Packages: libtiff3

to inform you about the presence of the <file> and its contents.
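
The interaction between '-w', '-c' and the ignore file, as an added sketch that is not the plugin's own code: an ignored security patch no longer raises the critical state, which is why the "Ignored Patches" line deserves regular review. The function name, the "<category> <name>" input format and the assumed entry form patch:NAME are constructed for this example; exit codes follow the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL).

```shell
#!/bin/sh
# Added example: a sketch of the documented -w/-c/-i behaviour, not the
# plugin's own code.
# stdin: one pending patch per line as "<category> <name>" (constructed
#        format, not zypper's real output)
# $1: warning categories, $2: critical categories (comma-separated)
# $3: optional ignore file; entries are assumed to look like patch:NAME or
#     package:NAME, with '#' starting a comment
patch_state() {
    awk -v warn="$1" -v crit="$2" '
    BEGIN {
        n = split(warn, a, ","); for (i = 1; i <= n; i++) w[a[i]] = 1
        n = split(crit, a, ","); for (i = 1; i <= n; i++) c[a[i]] = 1
        state = 0
    }
    mode == "ignore" {
        sub(/#.*/, "")                        # strip comments
        for (i = 1; i <= NF; i++)
            if ($i ~ /^patch:/) skip[substr($i, 7)] = 1
        next
    }
    NF >= 2 {
        if ($2 in skip) { ignored = ignored " " $2; next }
        if ($1 in c) state = 2                # CRITICAL wins over WARNING
        else if ($1 in w && state < 2) state = 1
    }
    END {
        if (ignored != "") print "Ignored Patches :" ignored
        exit state
    }' mode=ignore "${3:-/dev/null}" mode=pending -
}
```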

Verbose output

If you would like to know the names of available patches and packages, use the "-v" option.

Debugging/Bug reporting

If you have problems with this plugin, please turn on debug output by adding the option "-d" or "--debug" to your check_zypper command line.

Note: you can run the command as root from the command line using the same options as in your Nagios config. For example:

/usr/lib/nagios/plugins/./check_zypper -v --debug

but this might not always help to debug the real problem, as external commands like "zypper ref" in particular might have permission problems. So it is generally a good idea to run the command as user nagios. This user needs a valid shell before you can proceed, and the shell should be reset afterwards, as the last command below does:

chsh -s /bin/bash nagios
su - nagios
/usr/lib/nagios/plugins/./check_zypper --debug $your_options >> /tmp/check_zypper_output.txt 2>&1
chsh -s /bin/false nagios

Please report any bug using and assign the bug to (attach the file /tmp/check_zypper_output.txt to the bug, if possible).
