In Ubuntu, when updates are applied to individual services, those services often need to be restarted so that the security fixes are actually loaded and in use.
Most maintainer scripts do that automatically for the service itself. However, there is also a long chain of library dependencies that results in a need to restart things.
For example, when one installs an upgraded libssl1.1 package that fixes security vulnerabilities, one needs to restart every process that links against it. Otherwise the vulnerable libssl1.1 is still loaded into all of those processes and is still used to establish connections. The libssl1.1 maintainer script cannot find and restart all of those processes by itself, hence we need something else.
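The core check behind that statement, as an added example that is not code from needrestart or from the original post: when dpkg installs the new library it unlinks the old .so on disk, but a process that already mapped the old file keeps using it, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The script below looks for exactly that. The sample maps excerpt is constructed, not captured from a real system, and the scan over /proc is a simplified version of the heuristic, not needrestart's own code.

```shell
#!/bin/sh
# Added example, not code from needrestart or the original post.
# A maps line has the layout:
#   address perms offset dev inode pathname [(deleted)]
# When a mapped file has been replaced on disk by an upgrade, the
# kernel appends "(deleted)" to the pathname.

# stale_libs MAPS_FILE
#   Print the unique shared-object paths that MAPS_FILE shows as mapped
#   from deleted files. Only *.so* paths count: memfd: or deleted temp
#   files are always reported "(deleted)" and are not stale libraries.
#   An unreadable file simply yields no output.
stale_libs() {
    awk '$7 == "(deleted)" && $6 ~ /\.so(\.[0-9]+)*$/ { print $6 }' "$1" |
        sort -u
}

# scan_running_processes
#   Apply stale_libs to every readable process and print the PID, the
#   command name and the stale libraries. Run as root to see all of them.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_libs "$maps" 2>/dev/null)
        [ -n "$libs" ] || continue
        printf '%s (%s)\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        # unquoted on purpose: one line per library
        printf '  %s\n' $libs
    done
}

# write_sample_maps FILE
#   Constructed /proc/<pid>/maps excerpt (not captured from a real
#   system): a web server whose libssl was replaced on disk while the
#   process still has the old copy mapped. libc is current, and the
#   memfd mapping is "(deleted)" by nature, so neither should be listed.
write_sample_maps() {
    cat > "$1" <<'EOF'
55d1c2a00000-55d1c2a21000 r--p 00000000 fd:01 1311 /usr/sbin/nginx
7f3a8c000000-7f3a8c022000 r--p 00000000 fd:01 2602 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c400000-7f3a8c42b000 r--p 00000000 fd:01 2710 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a8c42b000-7f3a8c4a0000 r-xp 0002b000 fd:01 2710 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a8c600000-7f3a8c601000 rw-s 00000000 00:0e 8 /memfd:cache (deleted)
7ffd4e1f0000-7ffd4e211000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Stand-alone demo on the constructed sample. On a real system call
# scan_running_processes instead.
sample=$(mktemp)
write_sample_maps "$sample"
echo "Stale libraries in the sample maps:"
stale_libs "$sample"
rm -f "$sample"
```

On the sample this prints the libssl path once (the two mapping lines are collapsed by `sort -u`) and nothing for libc or the memfd mapping. This is why a reboot, or a restart of every affected service, is the only way to get the old code out of memory: the file is gone from disk, but the mapping is not.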
We have recently completed the review process and would like the ubuntu-server metapackage to recommend needrestart, so that it is installed by default on Ubuntu Server.
This will result in needrestart running at the end of each apt transaction and reporting:
- services that need to be restarted because they reference upgraded libraries
- whether there is a new kernel to boot into
- whether there is new CPU microcode
- VMs that need to be restarted
- containers that need to be restarted
By default it prompts, via the debconf interface, asking whether to restart the affected services.
Restarting some things is not enabled by default, and is quite disruptive even when one opts in. For example, when one restarts systemd-logind the tty and ssh sessions get killed, so one needs to reconnect after performing that restart.
Overall the goal is to ensure that on stable releases one can deploy more security fixes more quickly with less downtime. Ultimately the best way is usually to reboot, since that is the one way to ensure that all processes are using the latest libraries. But a reboot can mean a significant amount of downtime that one might not be able to afford. Hence introducing needrestart is a way to bridge the security coverage gap.
If you find needrestart too disruptive in your workflows, one can change its configuration to not prompt and only operate in list mode. If that too is annoying, one can remove needrestart.
What do you think about needrestart? Is it helpful or annoying? How can we improve the Ubuntu Server experience to ensure that everyone's processes are up to date, irrespective of how they were deployed?
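How the list-mode switch mentioned above is done, as an added example rather than anything shipped by needrestart or the original post: the `$nrconf{restart}` setting is needrestart's own, documented in its needrestart.conf, and takes 'i' (interactive prompt, the default), 'a' (restart automatically) or 'l' (list only). needrestart reads every *.conf in /etc/needrestart/conf.d/, so a drop-in file avoids editing the packaged conffile; the file name 50-local.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from needrestart or the original post.

# write_list_mode_conf [CONF_DIR]
#   Write a drop-in that switches needrestart to list-only mode into
#   CONF_DIR (default /etc/needrestart/conf.d) and print its path.
#   A drop-in is preferred over editing needrestart.conf itself so that
#   later package upgrades do not prompt about a modified conffile.
#   The file name 50-local.conf is an assumption of this example.
write_list_mode_conf() {
    dir=${1:-/etc/needrestart/conf.d}
    mkdir -p "$dir"
    cat > "$dir/50-local.conf" <<'EOF'
# Local policy: report services with stale libraries, never prompt or restart.
$nrconf{restart} = 'l';
EOF
    printf '%s\n' "$dir/50-local.conf"
}

# restart_mode CONF_FILE
#   Read back the configured mode letter so the change can be verified.
#   grep -F avoids treating the braces and dollar sign as regex syntax.
restart_mode() {
    grep -F '$nrconf{restart} =' "$1" | cut -d "'" -f2
}
```

Run `write_list_mode_conf` as root to install the drop-in, then `restart_mode /etc/needrestart/conf.d/50-local.conf` should print `l`. The same modes are available for a one-off run from the command line as `needrestart -r l`, which is a convenient way to preview what the drop-in will change before committing to it.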