From a4d214e45165de36f719068af7cda29f4a863e85 Mon Sep 17 00:00:00 2001
From: Ludovic Cartier <ludovic.cartier@alterway.fr>
Date: Sat, 23 May 2026 11:38:21 +0200
Subject: [PATCH] revue de l'option reset du check_reboot_required (ajout d'un
 fichier d'exclusion)

---
 files/nrpe/check_reboot_required | 109 +++++++++++++++++++------------
 1 file changed, 66 insertions(+), 43 deletions(-)

diff --git a/files/nrpe/check_reboot_required b/files/nrpe/check_reboot_required
index 08110e9..b7cbe0b 100755
--- a/files/nrpe/check_reboot_required
+++ b/files/nrpe/check_reboot_required
@@ -4,18 +4,21 @@
 #
 # Supported distributions:
 #   - Debian / Ubuntu : checks /run/reboot-required (written by unattended-upgrades
-#     or update-notifier after kernel/libc upgrades)
+#     or update-notifier after kernel/libc upgrades), then falls back to comparing
+#     the running kernel with the latest installed kernel package.
 #
 # Exit codes:
-#   0 - OK       : No reboot required.
+#   0 - OK       : No reboot required (or alert acknowledged).
 #   1 - WARNING  : (not used)
 #   2 - CRITICAL : System needs to be rebooted.
 #   3 - UNKNOWN  : Cannot determine reboot status.
 #
-# Usage: check_reboot_required [-v] [-r]
+# Usage: check_reboot_required [-v] [-r] [-f <ack_file>]
 #   -v  Verbose: also print the list of packages that triggered the requirement.
-#   -r  Reset: remove /run/reboot-required (and .pkgs) to clear the alert.
-#       Requires root privileges (or sudo).
+#   -r  Acknowledge: create the ack file to suppress the alert until next reboot.
+#       The ack file is auto-removed once no reboot is needed anymore.
+#   -f  Path to the acknowledgement file
+#       (default: /var/lib/nagios/reboot_required_ack).
 #
 
 # --- Nagios exit codes ---
@@ -25,30 +28,28 @@ STATE_CRITICAL=2
 STATE_UNKNOWN=3
 
 VERBOSE=0
-RESET=0
+ACK=0
+ACK_FILE="/var/lib/nagios/reboot_required_ack"
 
-while getopts "vr" opt; do
+while getopts "vrf:" opt; do
     case $opt in
         v) VERBOSE=1 ;;
-        r) RESET=1 ;;
-        *) echo "Usage: $0 [-v] [-r]"; exit $STATE_UNKNOWN ;;
+        r) ACK=1 ;;
+        f) ACK_FILE="$OPTARG" ;;
+        *) echo "Usage: $0 [-v] [-r] [-f <ack_file>]"; exit $STATE_UNKNOWN ;;
     esac
 done
 
 # -----------------------------------------------------------------------
-# Reset: remove /run/reboot-required to clear the alert
+# Acknowledge mode: create the ack file to suppress the alert
 # -----------------------------------------------------------------------
-if [ "$RESET" -eq 1 ]; then
-    if [ ! -f /run/reboot-required ]; then
-        echo "OK: /run/reboot-required does not exist, nothing to clear."
-        exit $STATE_OK
-    fi
-    rm -f /run/reboot-required /run/reboot-required.pkgs 2>/dev/null
+if [ "$ACK" -eq 1 ]; then
+    touch "$ACK_FILE" && chmod 640 "$ACK_FILE"
     if [ $? -eq 0 ]; then
-        echo "OK: /run/reboot-required cleared successfully."
+        echo "OK: Reboot alert acknowledged. Alert suppressed until next reboot."
         exit $STATE_OK
     else
-        echo "UNKNOWN: Failed to remove /run/reboot-required (permission denied?)"
+        echo "UNKNOWN: Failed to create acknowledgement file '${ACK_FILE}' (permission denied?)"
         exit $STATE_UNKNOWN
     fi
 fi
@@ -59,7 +60,6 @@ fi
 _debian_pkg_list() {
     local pkgs_file="/run/reboot-required.pkgs"
     if [ -f "$pkgs_file" ] && [ -s "$pkgs_file" ]; then
-        # Deduplicate, sort, join on commas
         sort -u "$pkgs_file" | tr '\n' ',' | sed 's/,$//' | sed 's/,/, /g'
     else
         echo "(package list unavailable)"
@@ -67,25 +67,30 @@ _debian_pkg_list() {
 }
 
 # -----------------------------------------------------------------------
-# Debian / Ubuntu path
-# -----------------------------------------------------------------------
-if [ -f /run/reboot-required ]; then
-    if [ "$VERBOSE" -eq 1 ]; then
-        pkg_list=$(_debian_pkg_list)
-        echo "CRITICAL: Reboot required. Triggering packages: ${pkg_list}"
-    else
-        echo "CRITICAL: Reboot required."
-    fi
-    exit $STATE_CRITICAL
-fi
-
-# -----------------------------------------------------------------------
-# Fallback: compare running kernel with installed kernel
+# Detect if a reboot is needed
 # -----------------------------------------------------------------------
 running_kernel=$(uname -r)
+reboot_needed=0
+reboot_reason=""
+
+# Primary: /run/reboot-required (set by unattended-upgrades / update-notifier)
+if [ -f /run/reboot-required ]; then
+    reboot_needed=1
+    if [ "$VERBOSE" -eq 1 ]; then
+        pkg_list=$(_debian_pkg_list)
+        reboot_reason="Reboot required. Triggering packages: ${pkg_list}"
+    else
+        reboot_reason="Reboot required."
+    fi
+fi
+
+# Fallback: compare running kernel with latest installed kernel
+if [ "$reboot_needed" -eq 0 ]; then
+    if ! command -v dpkg >/dev/null 2>&1; then
+        echo "UNKNOWN: 'dpkg' not found. Cannot determine reboot status."
+        exit $STATE_UNKNOWN
+    fi
 
-# Try Debian/Ubuntu kernel package name
-if command -v dpkg >/dev/null 2>&1; then
     installed_kernel=$(dpkg -l "linux-image-*" 2>/dev/null \
         | awk '/^ii/{print $2}' \
         | sed 's/linux-image-//' \
@@ -93,14 +98,32 @@ if command -v dpkg >/dev/null 2>&1; then
         | sort -V \
         | tail -1)
 
-    if [ -n "$installed_kernel" ] && [ "$installed_kernel" != "$running_kernel" ]; then
-        echo "CRITICAL: Reboot required. Running kernel: ${running_kernel}, latest installed: ${installed_kernel}."
-        exit $STATE_CRITICAL
-    elif [ -n "$installed_kernel" ]; then
-        echo "OK: No reboot required. Running kernel: ${running_kernel}."
-        exit $STATE_OK
+    if [ -z "$installed_kernel" ]; then
+        echo "UNKNOWN: No versioned kernel package found via dpkg."
+        exit $STATE_UNKNOWN
+    fi
+
+    if [ "$installed_kernel" != "$running_kernel" ]; then
+        reboot_needed=1
+        reboot_reason="Reboot required. Running kernel: ${running_kernel}, latest installed: ${installed_kernel}."
     fi
 fi
 
-echo "UNKNOWN: Unable to determine if a reboot is required on this system."
-exit $STATE_UNKNOWN
+# -----------------------------------------------------------------------
+# Evaluate result
+# -----------------------------------------------------------------------
+if [ "$reboot_needed" -eq 0 ]; then
+    # Auto-clear the ack file once the system no longer needs a reboot
+    rm -f "$ACK_FILE" 2>/dev/null
+    echo "OK: No reboot required. Running kernel: ${running_kernel}."
+    exit $STATE_OK
+fi
+
+# Reboot is needed: check if it has been acknowledged
+if [ -f "$ACK_FILE" ]; then
+    echo "OK: ${reboot_reason} (acknowledged - waiting for reboot)"
+    exit $STATE_OK
+fi
+
+echo "CRITICAL: ${reboot_reason}"
+exit $STATE_CRITICAL