Needrestart for Servers

In Ubuntu, whenever updates are applied of individual services there is often a need to restart them to ensure that security updates are actually applied and being used.

Most maintainer scripts do that automatically for the service itself. However, there is a long chain of dependencies that also results in a need to restart things.

For example, when one installs upgraded libssl1.1 packages with security vulnerabilities one needs to restart all processes that link with it. Otherwise vulnerable libssl1.1 is still loaded in all the processes and used to establish connections. libssl1.1 maintainer script can’t find and restart all the things by itself hence we need something else.

We have recently completed review process and would like to start recommending ubuntu-server metapackage to install needrestart by default on Ubuntu Server.

This will results, in needrestart running at the end of each apt transaction and document

  • services that need to be restarted, because they reference upgraded libraries
  • if there is new kernel to boot
  • if there is new microcode
  • if there are VMs to restart
  • if there are some containers to restart
  • etc

By default it will prompt with debconf interface if one wants to restart things.

Restarting some things is not enabled by default, and it is quite disruptive to do even when opting in. I.e. when one restarts systemd-logind the tty / ssh sessions do get killed, thus one needs to reestablish the connection back in if one performs the action to restart that.

Overall the goal is to ensure that on stable releases one can deploy more security fixes quicker with less downtime. Ultimately the best way usually is to reboot as that’s one way to ensure that all the latest libraries are used by all processes. But that can be significant amount of downtime that one might not be able to afford. Hence introducing needrestart is a way to bridge the security coverage gap.

If you find needrestart too disruptive in your workflows one can change it’s configuration to not prompt, and only perform operations in list mode. If that too is annoying one can remove/uninstall needrestart.

What do you think about needrestart? is it helpful or annoying? How can we improve Ubuntu Server experience to ensure that everyone’s processes are up to date, irrespective of how they were deployed?

I’m using needrestart on virtually every Ubuntu machine and I find it very useful so it is +1 from me.

It would be nice to integrate it with update-motd.d and print information about the number of services needing restart.

1 Like

For server users that do apt operations remotely or via automation, a prompt during the workflow would not be seen. Has design work gone into integration of needrestart into larger hardware management processes? E.g. an email notification, or flagged in the LMA framework, or similar?

Hi bryce,
it can be plugged into nagios probing via:
'-p nagios plugin mode: makes output and exit codes nagios compatible`

I find the output of a no-op checkrestart run at the end of each apt session to be quite annoying. On a fresh Ubuntu Server 21.04 system, all apt invocations end with:

Processing triggers for man-db (2.9.4-2) ...
Scanning processes...                                                           
Scanning processor microcode...                                                 
Scanning linux images...                                                        

Running kernel seems to be up-to-date.

Failed to check for processor microcode upgrades.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

… which doesn’t seem to provide much value. There’s also a long delay after the “No user sessions” line.

Dimitri said in his initial post that one use case would be

if there are VMs to restart

I agree that this would be nice to know, but as of today needrestart can’t do this. I implemented the feature and proposed it upstream in

Hi bryce,
it can be plugged into nagios probing via:
'-p nagios plugin mode: makes output and exit codes nagios compatible`

In addition it uses libnotify-bin to push info to a desktop user via dbus. Mail info also exists (by default it is disabled and would go to the executing user which in apts case will be root which won’t help much in many cases, but once can enable and configure it as needed)
Finally anyone can plug in further custom notification in /etc/needrestart/notify.d/ so I guess the request for notification can be considered solved.