Solved How to detect END-OF-LIFE on an OS release via script?

D-FENS

Aspiring Daemon

Reaction score: 255
Messages: 803

I would like to implement a detection within a script that gives me an answer if the release is at END OF LIFE or still current.
In a nutshell, I call freebsd-update from my script and I need to differentiate between a legitimate error and the error code 1 returned by freebsd-update when the update was successful but the release is not supported anymore:
Code:
WARNING: FreeBSD 12.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Sun Jan 31 00:00:00 UTC 2021
will not have been corrected.
# echo $?
1
Ideally I would like to check if the release has passed the end of life date and simply skip it without executing the update.
I don't want to maintain a database with the different versions and their end of life dates.

Any idea on how to do that? Is this logic hardcoded in freebsd-update?
Maybe I could parse the table from this URL: https://www.freebsd.org/security/unsupported/ ?

Edit:
I discovered that a simple curl/grep on the above URL gives me an answer if the release in question is within the unsupported list:
Code:
curl https://www.freebsd.org/security/unsupported/ | grep 12.1-RELEASE
[ $? -eq 0 ] && echo "Release is unsupported"

Is there a better way, or is that the way to go?
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 13,892
Messages: 40,606

I call freebsd-update from my script and I need to differentiate between a legitimate error and the error code 1 returned by freebsd-update when the update was successful
Both cases are legitimate errors that need further investigation. So why would you need to differentiate between them?
 
OP
D-FENS

Aspiring Daemon

Reaction score: 255
Messages: 803

My problem is technical. I have a number of base jails with fixed versions. Whenever I need a newer version, I create a new base jail for it.
I am implementing a function to update all base jails with a single command. Currently the base jails for 12.0 and 12.1 give me an update error and break the script.
I would like to identify that they are out of support and then handle it appropriately (issue a warning to the user, then ignore the base jail for the current update) instead of interrupting the whole script (which should be the case if an update was performed but failed).
 

rootbert

Well-Known Member

Reaction score: 219
Messages: 469

Why not trigger on "HAS PASSED ITS END-OF-LIFE DATE" from the output of freebsd-update?
 

covacat

Daemon

Reaction score: 788
Messages: 1,445

This is the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

Code:
 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED
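
A defensive version of the check in the one-liner above, shaped for the base-jail loop described earlier in the thread; this is an added example, not part of the post and not freebsd-update's own code. It assumes the verified tag is one line of six `|`-separated fields with the EOL epoch last (the field the one-liner cuts out); `fetch_tag`, `eol_status`, `update_decision` and the sample tag are hypothetical names and constructed data.

```shell
#!/bin/sh
# Constructed sample of a verified tag line (patch level and hash are made up;
# the epoch is the 12.1 EOL date quoted in the thread, 2021-01-31 00:00 UTC).
SAMPLE_TAG='freebsd-update|amd64|12.1-RELEASE|13|0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef|1612051200'

# Fetch and signature-check the tag exactly as the one-liner does (FreeBSD only).
# Prints nothing if the download or the RSA verification fails.
fetch_tag() {   # usage: fetch_tag 12.1-RELEASE amd64
    fetch -q -o - "http://update.freebsd.org/$1/$2/latest.ssl" 2>/dev/null |
        openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify 2>/dev/null
}

# eol_status TAG RELEASE [NOW]
# Returns 0 = supported, 1 = past EOL, 2 = tag empty, malformed or for another release.
eol_status() {
    tag=$1 release=$2 now=${3:-$(date +%s)}
    nl='
'
    case $tag in *"$nl"*) return 2 ;; esac          # must be exactly one line
    # Assumed layout: freebsd-update|ARCH|RELEASE|PATCHLEVEL|INDEXHASH|EOL_EPOCH
    printf '%s\n' "$tag" | grep -Eq \
        '^freebsd-update\|[a-z0-9_]+\|[^|]+\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}$' || return 2
    [ "$(printf '%s\n' "$tag" | cut -d '|' -f 3)" = "$release" ] || return 2
    eol=$(printf '%s\n' "$tag" | cut -d '|' -f 6)
    [ "$eol" -lt "$now" ] && return 1
    return 0
}

# Hypothetical per-jail decision: update, warn and skip, or abort the run.
update_decision() {
    rc=0
    eol_status "$@" || rc=$?
    case $rc in
        0) echo update ;;
        1) echo skip-eol ;;
        *) echo error ;;
    esac
}

# On a FreeBSD host: update_decision "$(fetch_tag 12.1-RELEASE amd64)" 12.1-RELEASE
```

A failed download or a bad signature yields an empty tag and therefore `error`, so an unreachable update server is never mistaken for an expired or a supported release.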
 

astyle

Daemon

Reaction score: 986
Messages: 1,971

This is the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

Code:
 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED
Yeah, and stuff that into cron, so that you can get an email that's screaming "FREEBSD 12 HAS REACHED EOL, UPGRADE ASAP, OR ELSE!" 🤪
 
OP
D-FENS

Aspiring Daemon

Reaction score: 255
Messages: 803

This is the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

Code:
 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED
WOW! Thanks, that's quite a command line!
 