Different results apt list --upgradeable and check_apt --list


I recognized a strange behavior of my apt check command on a host:

The result of manual ssh command “apt list --upgradeable” is one upgradeable package while the result of the check command is no upgradeable packages.

Does anyone have an idea what’s the reason for this behavior?

  • Director version (System - About): 1.8.1
  • Icinga Web 2 version and modules (System - About): 2.9.3
  • Icinga 2 version (icinga2 --version): r2.13.1-1
  • Operating System and version: Debian 10
  • Webserver, PHP versions: 7.3.31-1~deb10u1

object CheckCommand "apt" {
    import "plugin-check-command"
    command = [ PluginDir + "/check_apt" ]
    timeout = 5m
    arguments += {
        "--critical" = {
            description = "If the full package information of any of the upgradable packages match this REGEXP, the plugin will return CRITICAL status. Can be specified multiple times."
            value = "$apt_critical$"
        }
        "--dist-upgrade" = {
            description = "Perform a dist-upgrade instead of normal upgrade. Like with -U OPTS can be provided to override the default options."
            value = "$apt_dist_upgrade$"
        }
        "--exclude" = {
            description = "Exclude packages matching REGEXP from the list of packages that would otherwise be included. Can be specified multiple times."
            value = "$apt_exclude$"
        }
        "--extra-opts" = {
            description = "Read options from an ini file."
            value = "$apt_extra_opts$"
        }
        "--include" = {
            description = "Include only packages matching REGEXP. Can be specified multiple times the values will be combined together."
            value = "$apt_include$"
        }
        "--list" = {
            description = "List packages available for upgrade."
            set_if = "$apt_list$"
        }
        "--only-critical" = {
            description = "Only warn about critical upgrades."
            set_if = "$apt_only_critical$"
        }
        "--timeout" = {
            description = "Seconds before plugin times out (default: 10)."
            value = "$apt_timeout$"
        }
        "--upgrade" = {
            description = "[Default] Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default."
            value = "$apt_upgrade$"
        }
    }
}

template Service "check_apt" {
    check_command = "apt"
    command_endpoint = host_name
    vars.apt_list = true
}

apply Service "check_apt" {
    import "check_apt"

    assign where "debian" in host.groups

    import DirectorOverrideTemplate
}
In general I get the correct information, even on this machine. But it’s the second time (on a different host) that I could recognize this.

Thanks Alex

Out of curiosity, what is the expanded command that Icinga executes? You can usually grab this from a log (not sure if debug needs to be enabled or not), or if you use Icinga Director, you can inspect within Icingaweb2.

Sorry, I missed that information:

'/usr/lib/nagios/plugins/check_apt' '--list'

APT OK: 0 packages available for upgrade (0 critical updates).

Not an expert on them but there are differences between the apt command you use on the cli and the older apt-get command the check_apt binary uses.

check_apt --help
This plugin checks for software updates on systems that use
package management systems based on the apt-get(8) command
found in Debian GNU/Linux

And I guess this is why the output is not the same.

Also keep in mind that checks are executed by the user running the icinga process (nagios in case of debian/ubuntu, icinga in case of rhel/centos/suse) and there can also be a difference in check behavior compared to executing the check as root on the cli.
So if you want to verify your check, run it with sudo -u nagios.

Thanks, if I run apt list --upgradeable as nagios user, the package is listed, too:


Maybe this explains it.


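An added example, not part of the original posts and not Icinga or monitoring-plugins code: a Python comparison of the two views the thread contrasts, to show which packages account for a mismatch. It assumes check_apt's default run is a simulated `apt-get -s upgrade` whose `Inst` lines name the packages that would be upgraded; the sample output and package names are constructed.

```python
import re

# Constructed sample of `apt list --upgradeable` (package names are placeholders).
APT_LIST_SAMPLE = """\
Listing... Done
example-held/stable 2.0-1 amd64 [upgradable from: 1.0-1]
example-lib/stable 1.2-3 amd64 [upgradable from: 1.2-2]
"""

# Constructed sample of a simulated `apt-get -s -qq upgrade`: one "Inst" line
# per package the run would actually upgrade. example-held has none.
APT_GET_SIM_SAMPLE = """\
Inst example-lib [1.2-2] (1.2-3 Debian:10/stable [amd64])
Conf example-lib (1.2-3 Debian:10/stable [amd64])
"""

LIST_RE = re.compile(r"^(?P<name>[^/\s]+)/\S+ \S+ \S+ \[upgradable from: [^\]]+\]$")
# Drop a ":arch" suffix so multiarch names compare equal to the apt list view.
INST_RE = re.compile(r"^Inst (?P<name>[^\s:]+)(?::\S+)? ")


def parse_apt_list(text):
    """Package names that `apt list --upgradeable` reports."""
    lines = (line.strip() for line in text.splitlines())
    return {m["name"] for line in lines if (m := LIST_RE.match(line))}


def parse_apt_get_sim(text):
    """Package names with an Inst line in a simulated apt-get upgrade."""
    return {m["name"] for line in text.splitlines() if (m := INST_RE.match(line))}


def compare(apt_list_text, apt_get_text):
    """Split packages into those only one view reports and those both report."""
    listed = parse_apt_list(apt_list_text)
    planned = parse_apt_get_sim(apt_get_text)
    return {
        "only_in_apt_list": sorted(listed - planned),  # never counted by the check
        "only_in_apt_get": sorted(planned - listed),
        "in_both": sorted(listed & planned),
    }


if __name__ == "__main__":
    for view, names in compare(APT_LIST_SAMPLE, APT_GET_SIM_SAMPLE).items():
        print(f"{view}: {', '.join(names) or '-'}")
```

To use it on a host, capture both commands' output as the user that runs the check and pass the two strings to `compare`.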