`needrestart` changes in Ubuntu 24.04: service restarts

We have made significant changes to the default behavior of needrestart in Ubuntu during the Noble Numbat cycle. This post describes those changes, the rationale behind them, and how to adjust your systems to deal with them.

What is needrestart, exactly?

needrestart is a tool that probes your system to see whether the system itself (typically after a kernel update) or some of its services should be restarted. That second part is the one of interest in this document. A service is considered to need a restart if one of its processes is still using a shared library whose original file is no longer on the filesystem, for instance because a package update replaced it with a new version: the old file stays mapped in the process until that process exits, and /proc/<pid>/maps lists the mapping as "(deleted)".
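To see the condition needrestart is looking for, here is an added example (not needrestart's own code, which is written in Perl) that reads /proc directly: it picks out mapped shared objects marked "(deleted)" and, for each affected process, names the systemd unit from /proc/<pid>/cgroup. The maps and cgroup lines in the demo are constructed, not captured from a real host; `--live` scans the running system instead (run it as root, since other users' maps files are not readable otherwise).

```shell
#!/bin/sh
# Added example: find processes that still map a shared library whose on-disk
# file has been replaced, which is what needrestart treats as "needs restart".

# deleted_libs: stdin is one /proc/<pid>/maps; prints unique paths of mapped
# .so files whose file was unlinked/replaced (trailing "(deleted)" marker).
deleted_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9.]+)?$/ { print $(NF-1) }' | sort -u
}

# unit_of: stdin is one /proc/<pid>/cgroup; prints the leaf .service unit, if any.
unit_of() {
    sed -n 's#.*/\([^/]*\.service\)$#\1#p' | head -n 1
}

# scan_system: walk every process and report <pid> <unit> <deleted libs...>.
scan_system() {
    for p in /proc/[0-9]*; do
        [ -r "$p/maps" ] || continue
        # braces so a process vanishing mid-scan does not print a shell error
        libs=$({ deleted_libs < "$p/maps"; } 2>/dev/null)
        [ -n "$libs" ] || continue
        unit=$({ unit_of < "$p/cgroup"; } 2>/dev/null)
        printf '%s\t%s\t%s\n' "${p#/proc/}" "${unit:-(no unit)}" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed sample input (not from a real system): an sshd-like process that
# still maps an old libssl after the package update replaced the file.
sample_maps() {
    cat <<'EOF'
55d1c2a00000-55d1c2a1b000 r--p 00000000 fd:01 393246 /usr/sbin/sshd
7f3a1c400000-7f3a1c4a0000 r-xp 00000000 fd:01 262160 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a1c4a0000-7f3a1c4b0000 rw-p 00000000 00:00 0
7f3a1c500000-7f3a1c5c0000 r-xp 00000000 fd:01 262171 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e0e0000-7ffd2e101000 rw-p 00000000 00:00 0 [stack]
EOF
}
sample_cgroup() { printf '0::/system.slice/ssh.service\n'; }

demo() {
    printf 'unit: %s\n' "$(sample_cgroup | unit_of)"
    printf 'stale libraries:\n'
    sample_maps | deleted_libs
}

if [ "${1:-}" = "--live" ]; then scan_system; else demo; fi
```

On a real host a process that shows up here but belongs to no unit (a long-running shell, a screen session) is exactly the case needrestart cannot fix with a service restart; it will keep using the old library until you end it yourself.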

We ship this tool in our server images, and it is configured by default (through an APT hook in /etc/apt/apt.conf.d/99needrestart) to run at the end of APT transactions, e.g. when doing apt install/upgrade/remove or during unattended-upgrades. Most of our modifications only affect needrestart in that context.

New behavior

Previously, needrestart behaved differently depending on the context in which apt was invoked. If it was called in an interactive context like a shell prompt or a GUI frontend, it would prompt you with a list of affected services, usually defaulting to restarting most of the listed daemons. Once the user acknowledged the prompt, the tool would restart the selected services.

In a noninteractive context, such as apt being invoked from a script, needrestart would instead only list the affected services on standard output, without restarting anything.

We have changed both of these behaviors. The tool now behaves the same in both cases by directly restarting the affected services (as was previously the default in the interactive case). Any affected service that hasn’t been restarted is also listed on the standard output.

Rationale

If we update a library on a stable series, there is a reasonable chance it is to fix a security issue in that library. Notably, unattended-upgrades in its default configuration only installs updates from the security pocket.

Now, having a fixed package on disk is good, but that doesn't mean that the system itself is secure. As long as there are services whose processes still map the outdated library, they are still running the vulnerable code.

Furthermore, a process that keeps the old library mapped and later loads another shared object from the new version of the same package (a plugin, or a library pulled in by dlopen) mixes two incompatible builds, which can very easily lead to crashes and data loss.

Troubleshooting

If this new behavior causes issues, try one of the following:

Prevent a single service from being restarted

Ideally, you should modify your service to gracefully support being restarted. If that isn't possible or relevant, you can tell needrestart not to automatically restart a given service by adding a regexp matching its unit name to $nrconf{override_rc} in /etc/needrestart/needrestart.conf. Anchor the pattern (^...$) so it doesn't also match other units that merely share a prefix.

It can also be done by dropping a Perl one-liner in a file in /etc/needrestart/conf.d/, for example:

echo '$nrconf{override_rc}{qr(^mycompany-(dispatch|worker)\.service$)} = 0;' | sudo tee /etc/needrestart/conf.d/mycompany.conf
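The one-liner above is easy to get subtly wrong by hand: an unanchored or unescaped pattern such as qr(mysql.service) also matches mysql-exporter.service or mysqlXservice. The following added helper (my own, not shipped with needrestart) builds the entry from a list of unit names with the Perl regex metacharacters escaped and the alternation anchored, and install_override syntax-checks the resulting snippet with perl -c, which is available because needrestart itself is written in Perl. The file name mycompany and the unit names are placeholders.

```shell
#!/bin/sh
# Added example: generate an anchored, escaped $nrconf{override_rc} entry for
# /etc/needrestart/conf.d/ from a list of systemd unit names.

# regex_escape STRING -> STRING with Perl regex metacharacters backslash-escaped
regex_escape() {
    printf '%s' "$1" | sed 's/[][\\.^$*+?(){}|]/\\&/g'
}

# override_line UNIT... -> the Perl statement needrestart reads from conf.d:
# every listed unit is matched exactly (anchored with ^ and $), nothing else.
override_line() {
    alts=
    for unit in "$@"; do
        alts="${alts:+$alts|}$(regex_escape "$unit")"
    done
    printf '$nrconf{override_rc}{qr(^(%s)$)} = 0;\n' "$alts"
}

# install_override NAME UNIT... -> writes /etc/needrestart/conf.d/NAME.conf
# (needs root) and syntax-checks it the way needrestart will parse it.
install_override() {
    name=$1; shift
    override_line "$@" > "/etc/needrestart/conf.d/$name.conf"
    perl -c "/etc/needrestart/conf.d/$name.conf"
}

# Demo on placeholder unit names; prints the line that would be installed.
override_line mycompany-dispatch.service mycompany-worker.service
```

Running `sudo needrestart -r l` afterwards lists what would still be restarted without restarting anything, which is a quick way to confirm the override took effect.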

Restore the previous behavior

You can permanently restore the previous behavior by editing /etc/apt/apt.conf.d/99needrestart to remove the -m u CLI option.

A more ephemeral approach is to force the needrestart UI for a single run. Note that sudo resets the environment by default (env_reset), so the variable has to be passed through sudo rather than set in front of it:

sudo NEEDRESTART_UI=NeedRestart::UI::Debconf apt upgrade