[Qa-jenkins-scm] [jenkins.debian.net] 01/01: install /u/l/sbin/nagios-check-libs /u/l/bin/dsa-check-packages and /u/l/bin/dsa-check-running-kernel on all Debian hosts

Holger Levsen holger at moszumanska.debian.org
Wed Oct 14 15:43:11 UTC 2015


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository jenkins.debian.net.

commit ed56ad1f91afae55e07c1ea8968bcaa7ed511c5b
Author: Holger Levsen <holger at layer-acht.org>
Date:   Wed Oct 14 17:42:11 2015 +0200

    install /u/l/sbin/nagios-check-libs /u/l/bin/dsa-check-packages and /u/l/bin/dsa-check-running-kernel on all Debian hosts
---
 .../bpi0-armhf-rb/usr/local/bin/dsa-check-packages | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../bpi0-armhf-rb/usr/local/sbin/nagios-check-libs | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../hb0-armhf-rb/usr/local/bin/dsa-check-packages  | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../hb0-armhf-rb/usr/local/sbin/nagios-check-libs  | 198 ++++++++++++
 hosts/jenkins/usr/local/bin/dsa-check-packages     | 339 +++++++++++++++++++++
 .../jenkins/usr/local/bin/dsa-check-running-kernel | 253 +++++++++++++++
 hosts/jenkins/usr/local/sbin/nagios-check-libs     | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../usr/local/bin/dsa-check-packages               | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../usr/local/sbin/nagios-check-libs               | 198 ++++++++++++
 .../wbq0-armhf-rb/usr/local/bin/dsa-check-packages | 339 +++++++++++++++++++++
 .../usr/local/bin/dsa-check-running-kernel         | 253 +++++++++++++++
 .../wbq0-armhf-rb/usr/local/sbin/nagios-check-libs | 198 ++++++++++++
 33 files changed, 8690 insertions(+)

diff --git a/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-running-kernel b/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/bpi0-armhf-rb/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/bpi0-armhf-rb/usr/local/sbin/nagios-check-libs b/hosts/bpi0-armhf-rb/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/bpi0-armhf-rb/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-running-kernel b/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/cbxi4pro0-armhf-rb/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/cbxi4pro0-armhf-rb/usr/local/sbin/nagios-check-libs b/hosts/cbxi4pro0-armhf-rb/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/cbxi4pro0-armhf-rb/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-running-kernel b/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/hb0-armhf-rb/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/hb0-armhf-rb/usr/local/sbin/nagios-check-libs b/hosts/hb0-armhf-rb/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/hb0-armhf-rb/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/jenkins/usr/local/bin/dsa-check-packages b/hosts/jenkins/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/jenkins/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/jenkins/usr/local/bin/dsa-check-running-kernel b/hosts/jenkins/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/jenkins/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/jenkins/usr/local/sbin/nagios-check-libs b/hosts/jenkins/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/jenkins/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build1-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build1-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build1-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build1-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build2-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build2-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build2-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build2-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build3-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build3-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build3-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build3-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build4-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build4-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build5-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build5-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build5-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build5-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-packages b/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-running-kernel b/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/profitbricks-build6-amd64/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/profitbricks-build6-amd64/usr/local/sbin/nagios-check-libs b/hosts/profitbricks-build6-amd64/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/profitbricks-build6-amd64/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;
diff --git a/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-packages
new file mode 100755
index 0000000..3ea088d
--- /dev/null
+++ b/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-packages
@@ -0,0 +1,339 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel at stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+		}
+	}
+
+	my (%current, %obsolete, %outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			$outofdate{$pkgname} = $pkg;
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-running-kernel b/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-running-kernel
new file mode 100755
index 0000000..1157480
--- /dev/null
+++ b/hosts/wbq0-armhf-rb/usr/local/bin/dsa-check-running-kernel
@@ -0,0 +1,253 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+	local file needle
+
+	file="$1"
+	needle="$2"
+	perl -e '
+		undef $/;
+		$i = index(<>, "'"$needle"'");
+		if ($i < 0) {
+			exit 1;
+		};
+		print $i,"\n"' < "$file"
+}
+
+get_avail() {
+	# This is wrong, but leaves room for when we have to care for machines running
+	# myfirstunix-image-0.1-dsa-arm
+	local prefix="$1"; shift
+
+	local kervers=$(uname -r)
+
+	local metavers=''
+
+	# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+	# Debian uses versions of the form 2.6.29-2-amd64
+	if [ "${kervers#3}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+	elif [ "${kervers//dsa}" != "$kervers" ]; then
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+	else
+		metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+	fi
+
+	# Attempt to track back to a metapackage failed.  bail
+	if [ "$metavers" = "$kervers" ]; then
+		return 2
+	fi
+
+	# We're just going to give up if we can't find a matching metapackage
+	# I tried being strict once, and it just caused a lot of headaches.  We'll see how
+	# being lax does for us
+
+	local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+	local metaavailvers=$(echo "$output" | grep '^  Candidate:' | awk '{print $2}')
+	local metainstavers=$(echo "$output" | grep '^  Installed:' | awk '{print $2}')
+
+	if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+		return 2
+	fi
+	if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+		return 2
+	fi
+
+	if [ "$metaavailvers" != "$metainstavers" ] ; then
+		echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+		return 1
+	fi
+
+	local imagename=0
+	# --no-all-versions show shows only the candidate
+	for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+		if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+			imagename=$vers
+		fi
+	done
+
+	if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+		return 2
+	fi
+
+	if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+		if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+			return 2
+		fi
+		echo "$imagename" != "${prefix}-image-${kervers}"
+		return 1
+	fi
+
+	local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^  Candidate' | awk '{print $2}')
+	local kernelversion=$(apt-cache policy ${prefix}-image-${kervers} 2>/dev/null | grep '^  Installed:' | awk '{print $2}')
+
+	if [ "$availvrs" = "$kernelversion" ]; then
+		return 0
+	fi
+
+	echo "$kernelversion != $availvrs"
+	return 1
+}
+
+cat_vmlinux() {
+	local image header filter hdroff
+
+	image="$1"
+	header="$2"
+	filter="$3"
+	hdroff="$4"
+
+	off=`get_offset "$image" $header`
+	if [ "$?" != 0 ]; then
+		# not found, exit
+		return 1
+	fi
+
+	(dd ibs="$((off+$hdroff))" skip=1 count=0 && dd bs=512k) < "$image"  2>/dev/null | $filter 2>/dev/null
+}
+
+get_image_linux() {
+	local image
+
+	image="$1"
+
+	# gzip compressed image
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x00"      "zcat"   0; then return; fi
+	if cat_vmlinux "$image" "\x1f\x8b\x08\x08"      "zcat"   0; then return; fi
+	# lzma compressed image
+	if cat_vmlinux "$image" "\x00\x00\x00\x02\xff"  "xzcat" -1; then return; fi
+	if cat_vmlinux "$image" "\x00\x00\x00\x04\xff"  "xzcat" -1; then return; fi
+	# xz compressed image
+	if cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat"  0; then return; fi
+
+	echo "ERROR: Unable to extract kernel image." 2>&1
+	exit 1
+}
+
+
+freebsd_check_running_version() {
+	local imagefile="$1"; shift
+
+	local r="$(uname -r)"
+	local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+	local q='@\(#\)FreeBSD '"$r $v"
+
+	if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+		echo "OK"
+	else
+		echo "not OK"
+	fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+	STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+	STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+	"/boot/vmlinuz-`uname -r`"\
+	"/boot/vmlinux-`uname -r`"\
+	"/boot/kfreebsd-`uname -r`.gz"; do
+
+	if [ -e "$on_disk" ]; then
+		if [ -z "$STRINGS" ]; then
+			echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+			exit $UNKNOWN
+		fi
+		if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+			on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			if [ -x /usr/bin/lsb_release ] ; then
+				vendor=$(lsb_release -i -s)
+				if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+					on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+				fi
+			fi
+			[ -z "$on_disk_version" ] || break
+			on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+			[ -z "$on_disk_version" ] || break
+
+			echo "UNKNOWN: Failed to get a version string from image $on_disk"
+			exit $UNKNOWN
+		else
+			on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+		fi
+	fi
+	searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+	echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+	exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+	running_version="`cat /proc/version`"
+	if [ -z "$running_version" ] ; then
+		echo "UNKNOWN: Failed to get a version string from running system"
+		exit $UNKNOWN
+	fi
+
+	if [ "$running_version" != "$on_disk_version" ]; then
+		echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+		exit $WARNING
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+else
+	image_current=$(freebsd_check_running_version $on_disk)
+	running_version="`uname -s` `uname -r` `uname -v`"
+	if [ "$image_current" != "OK" ]; then
+		approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+		echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+		exit $WARNING;
+	fi
+
+	ret="$(get_avail linux)"
+	if [ $? = 1 ]; then
+		echo "WARNING: Kernel needs upgrade [$ret]"
+		exit $WARNING
+	fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/hosts/wbq0-armhf-rb/usr/local/sbin/nagios-check-libs b/hosts/wbq0-armhf-rb/usr/local/sbin/nagios-check-libs
new file mode 100755
index 0000000..977605d
--- /dev/null
+++ b/hosts/wbq0-armhf-rb/usr/local/sbin/nagios-check-libs
@@ -0,0 +1,198 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter at palfrader.org>
+#               2012 Uli Martens <uli at youam.net>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use English;
+use Getopt::Long;
+
+$ENV{'PATH'} = '/bin:/sbin:/usr/bin:/usr/sbin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+my $LSOF = '/usr/bin/lsof -F0';
+my $VERSION = '0.2012042101';
+
+# nagios exit codes
+my $OK = 0;
+my $WARNING = 1;
+my $CRITICAL = 2;
+my $UNKNOWN = 3;
+
+my $params;
+my $config;
+
+Getopt::Long::config('bundling');
+
+sub dief {
+	print STDERR @_;
+	exit $UNKNOWN;
+}
+
+if (!GetOptions (
+	'--help'	=> \$params->{'help'},
+	'--version'	=> \$params->{'version'},
+	'--quiet'       => \$params->{'quiet'},
+	'--verbose'	=> \$params->{'verbose'},
+	'--config=s'	=> \$params->{'config'},
+	)) {
+	dief ("$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n");
+};
+if ($params->{'help'}) {
+	print "$PROGRAM_NAME: Usage: $PROGRAM_NAME [--help|--version] [--verbose] [--quiet] [--config=<CONFIGFILE>]\n";
+	print "Reports processes that are linked against libraries that no longer exist.\n";
+	print "The optional config file can specify ignore rules - see the sample config file.\n";
+	exit (0);
+};
+if ($params->{'version'}) {
+	print "nagios-check-libs $VERSION\n";
+	print "nagios check for availability of debian (security) updates\n";
+	print "Copyright (c) 2005, 2006, 2007, 2008, 2012 Peter Palfrader <peter\@palfrader.org>\n";
+	exit (0);
+};
+
+if (! defined $params->{'config'}) {
+	$params->{'config'} = '/etc/nagios/check-libs.conf';
+} elsif (! -e $params->{'config'}) {
+	dief("Config file $params->{'config'} does not exist.\n");
+}
+
+if (-e $params->{'config'}) {
+	eval "use YAML::Syck; 1" or dief "you need YAML::Syck (libyaml-syck-perl) to load a config file";
+	open(my $fh, '<', $params->{'config'}) or dief "Cannot open config file $params->{'config'}: $!";
+	$config = LoadFile($fh);
+	close($fh);
+	if (!(ref($config) eq "HASH")) {
+		dief("Loaded config is not a hash!\n");
+	}
+} else {
+	$config = {
+		'ignorelist' => [
+			'$path =~ m#^/proc/#',
+			'$path =~ m#^/var/tmp/#',
+			'$path =~ m#^/SYS#',
+			'$path =~ m#^/drm$# # xserver stuff',
+			'$path =~ m#^/dev/zero#',
+			'$path =~ m#^/dev/shm/#',
+		]
+	};
+}
+
+if (! exists $config->{'ignorelist'}) {
+	$config->{'ignorelist'} = [];
+} elsif (! (ref($config->{'ignorelist'}) eq 'ARRAY')) {
+	dief("Config->ignorelist is not an array!\n");
+}
+
+
+my %processes;
+
+sub getPIDs($$) {
+	my ($user, $process) = @_;
+	return join(', ', sort keys %{ $processes{$user}->{$process} });
+};
+sub getProcs($) {
+	my ($user) = @_;
+
+	return join(', ', map { $_.' ('.getPIDs($user, $_).')' } (sort {$a cmp $b} keys %{ $processes{$user} }));
+};
+sub getUsers() {
+	return join('; ', (map { $_.': '.getProcs($_) } (sort {$a cmp $b} keys %processes)));
+};
+sub inVserver() {
+	my ($f, $key);
+	if (-e "/proc/self/vinfo" ) {
+		$f = "/proc/self/vinfo";
+		$key = "XID";
+	} else {
+		$f = "/proc/self/status";
+		$key = "s_context";
+	};
+	open(F, "< $f") or return 0;
+	while (<F>) {
+		my ($k, $v) = split(/: */, $_, 2);
+		if ($k eq $key) {
+			close F;
+			return ($v > 0);
+		};
+	};
+	close F;
+	return 0;
+}
+
+my $INVSERVER = inVserver();
+
+print STDERR "Running $LSOF -n\n" if $params->{'verbose'};
+open (LSOF, "$LSOF -n|") or dief ("Cannot run $LSOF -n: $!\n");
+my @lsof=<LSOF>;
+close LSOF;
+if ($CHILD_ERROR) { # program failed
+	dief("$LSOF -n returned with non-zero exit code: ".($CHILD_ERROR / 256)."\n");
+};
+
+my ($process, $pid, $user);
+LINE: for my $line (@lsof)  {
+	if ( $line =~ /^p/ ) {
+		my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+		$process = $fields{c};
+		$pid     = $fields{p};
+		$user    = $fields{L};
+		next;
+	}
+
+	unless ( $line =~ /^f/ ) {
+		dief("UNKNOWN strange line read from lsof\n");
+		# don't print it because it contains NULL characters...
+	}
+
+	my %fields = map { m/^(.)(.*)$/ ; $1 => $2 } grep { defined $_  and length $_ >1} split /\0/, $line;
+
+	my $fd    = $fields{f};
+	my $inode = $fields{i};
+	my $path  = $fields{n};
+	if ($path =~ m/\.dpkg-/ || $path =~ m/\(deleted\)/ || $path =~ /path inode=/ || $fd eq 'DEL') {
+		for my $i (@{$config->{'ignorelist'}}) {
+			my $ignore = eval($i);
+			next LINE if $ignore;
+		}
+		next if ($INVSERVER && ($process eq 'init') && ($pid == 1) && ($user eq 'root'));
+		if ( $params->{'verbose'} ) {
+			print STDERR "adding $process($pid) because of [$path]:\n";
+			print STDERR $line;
+		}
+		$processes{$user}->{$process}->{$pid} = 1;
+	};
+};
+
+
+
+my $message='';
+my $exit = $OK;
+if (keys %processes) {
+	$exit = $WARNING;
+	$message = 'The following processes have libs linked that were upgraded: '. getUsers()."\n";
+} else {
+	$message = "No upgraded libs linked in running processes\n" unless $params->{'quiet'};
+};
+
+print $message;
+exit $exit;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/qa/jenkins.debian.net.git



More information about the Qa-jenkins-scm mailing list