This repository has been archived by the owner on Jan 31, 2023. It is now read-only.

Add functionality to support EL7 extended output #23


@lewiseason commented Jun 14, 2016

On el7, yum will list all the packages available for update after the summary line, as well as in the transaction. At first I tried just checking for * 2 lines (as per #20) in the output before failing with the bad signature, but this didn't seem quite as robust.

I'm not sure if this will be too brittle with yum versions which don't output in this same format - perhaps you've got a better idea than I do?

On el7, yum will list all the packages available for update *after* the
summary line, as well as in the transaction. At first I tried just
checking for *2 lines in the output before failing with the bad
signature, but this didn't seem quite as robust.
@calestyo
Owner

Hey.

I've just had a look at this...
When I run check_yum under CentOS 7.2.1511, yum 3.4.3, it seems to run just fine.
I couldn't see the double lines thingy you and #20 describe.

Could you possibly tell me the exact versions/etc. you're using, as well as giving debug output (-vvv)?
I would prefer to reproduce the issue myself before I merge code.

Cheers.

@lewiseason
Author

Thanks for getting back to me - I'm running CentOS 7.2.1511, yum 3.4.3 too.

The output of /usr/lib64/nagios/plugins/check_yum -vvv is here:
https://gist.github.com/lewiseason/6fbad22bb068fd495267f8c688cc9031

Obviously, if there weren't many outstanding non-security updates, the output signature check won't be tripped. Also, given how robust/defensive the rest of the code is, my PR probably isn't in a shippable state anyway.

@lewiseason
Author

lewiseason commented Jan 18, 2017

A bit more info:

It seems that the double lines are only a subset of the packages listed in the excluded (updateinfo) part. In one specific case, it's stuff from a third-party repo and epel-release from extras, so I'm wondering if this is to do with repositories that are missing updateinfo.

I'm going to have a skim over the yum source and see if I can work out why it's actually happening. I'll update this pull with something better if I can find out what's going on.

Edit: I'm now seeing a different issue. I think this confirms that it's to do with updateinfo?:

[root@staging2 ~]# yum --security check-update | tail
 --> ipsilon-saml2-base-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-client-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-filesystem-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-infosssd-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-persona-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-authform-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-authgssapi-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-authldap-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
 --> ipsilon-base-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)
No packages needed for security; 0 packages available

Notice there are 0 packages available, but seemingly some updates which are being excluded (even if I don't pass --security it finds no packages to install).

Now:

[root@staging2 ~]# yum --security check-update | wc -l
20773

There's something quite badly wrong here - there's only about 300 packages installed. It seems to be spitting the same excluded packages out over and over again?

@lewiseason
Author

@calestyo I've read a little more about yum-security on el7 (where it isn't a plugin). Would you accept a PR which used the updateinfo command on versions of yum which were new enough?

For example:

yum -q updateinfo list updates security

This will output a list of packages which can be updated to which are considered security updates by the repo they come from. It'll do so one per line without anything else in the output as far as I can tell.

Thoughts?

@kjetilho

I had a look at the code in yum-3.4.3-150.el7.centos., and it seems really broken to be honest.
/usr/lib/python2.7/site-packages/yum/updateinfo.py:

The output comes from this code:

def exclude_updates(base, filters=None):
    '''Exclude all packages to do with updates, using the updateinfo data.'''
    def ysp_del_pkg(pkg, reason="updateinfo"):
        """ Deletes a package from all trees that yum knows about """
        base.verbose_logger.log(INFO_1,
                                _(" --> %s from %s excluded (%s)") %
                                (pkg,pkg.repoid, reason))
        pkg.repo.sack.delPackage(pkg)

INFO_1 is the same verbosity as the output check_yum uses to find the summary, so it can't be filtered that way.

This output is emitted for every package not listed by _get_name2oldpkgtup:

def _get_name2oldpkgtup(base):
    """ Get the pkgtups for all installed pkgs. which have an update. """
    oupdates = map(lambda x: x[1], base.up.getUpdatesTuples())
    return _get_name2pkgtup(base, oupdates)

So that function will return a list of packages which have updates, and the output about "excluded" will appear about every other package known to the system.

# yum --security check-update  | wc
  20990  146927 1639522

Useful output, hmm?

PS. CentOS 7 does not provide security updates information. You will only be notified of security updates if they appear in EPEL or 3rd party repositories. This is due to policy at RedHat; if you want this information, you must pay for RHEL7 support.
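
An added example, not code from check_yum or from this pull request: a parser for `yum --security check-update` output that skips the " --> ... excluded (...)" lines emitted by the yum code quoted above, counts how often they repeat, and fails closed unless it finds exactly one summary line. The function name, the sample text and the wording of the non-zero summary line are assumptions.

```python
import re
from collections import Counter

# Format taken from the yum source quoted in the thread:
#   " --> %s from %s excluded (%s)"
EXCLUDED_RE = re.compile(
    r"^\s*--> (?P<pkg>\S+) from (?P<repo>\S+) excluded \((?P<reason>[^)]+)\)\s*$")
# Summary line as quoted in the thread (no security updates).
NONE_RE = re.compile(
    r"^No packages needed for security; (?P<total>\d+) packages available$")
# Non-zero form; this wording is an assumption, not shown on the page.
SOME_RE = re.compile(
    r"^(?P<sec>\d+) package\(s\) needed for security, out of (?P<total>\d+) available$")

def parse_security_check(output):
    """Return counts from yum output, ignoring repeated 'excluded' noise."""
    excluded = Counter()
    summaries = []
    for raw in output.splitlines():
        m = EXCLUDED_RE.match(raw)
        if m:
            excluded[(m.group("pkg"), m.group("repo"))] += 1
            continue
        line = raw.strip()
        m = NONE_RE.match(line)
        if m:
            summaries.append((0, int(m.group("total"))))
            continue
        m = SOME_RE.match(line)
        if m:
            summaries.append((int(m.group("sec")), int(m.group("total"))))
    # A monitoring check must not report OK on output it could not parse.
    if len(summaries) != 1:
        raise ValueError("expected exactly one summary line, found %d"
                         % len(summaries))
    security, total = summaries[0]
    return {"security": security, "total": total,
            "excluded_unique": len(excluded),
            "excluded_lines": sum(excluded.values())}

# Constructed sample: two 'excluded' lines from the thread, repeated three times.
SAMPLE = "\n".join(
    [" --> ipsilon-base-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)",
     " --> ipsilon-client-1.0.0-13.el7_3.noarch from updates excluded (updateinfo)"] * 3
    + ["No packages needed for security; 0 packages available"])

if __name__ == "__main__":
    print(parse_security_check(SAMPLE))
```

A large gap between `excluded_lines` and `excluded_unique` is the repetition described in the thread; the `ValueError` path is where a Nagios-style plugin would return UNKNOWN.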
