Hi,

On Fri, 2 May 2025 14:48:06 +0200 Daniel Gröber <d...@darkboxed.org> wrote:
On Fri, May 02, 2025 at 11:47:24AM +0200, Thomas Liske wrote:
> I wonder why needrestart selects this service at all. Could you provide the
> output of `needrestart -v` for this?

Unfortunately we already restarted all the affected nodes. Do you want me
to try and recreate the problem in debvm?


But today I have two affected nodes again (they were off for a while; now that they are back on, they show the same problem):

debian-ci@debci-22:~$ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}


Interestingly, needrestart isn't installed:
debian-ci@debci-22:~$ sudo /usr/sbin/needrestart -v
sudo: /usr/sbin/needrestart: command not found

So I can hardly blame it (so this bug very probably needs reassignment, but where?). Maybe it should be installed and it would have even prevented the issue? As in, maybe something *should* have been restarted, but wasn't?

> > I think we should add an exception for nftables to $nrconf{override_rc} to
> > avoid this problem since there doesn't seem to be any point in restarting
> > it for security purposes.
> ACK, IMHO it should be completely ignored and one should consider the same
> for iptables. But I still wonder why the service gets selected at all…

My assumption: because the executable changed due to the migration of
1.1.2-1 to testing on 04-26. We saw the nftables service was restarted on
affected nodes on 04-27 at about 6am i.e. almost certainly because of
unattended-upgrades.


On this node, the upgrade of nftables happened at 2025-05-21 07:12:51,318 (according to the unattended-upgrade.log). Several minutes later, it was restarted.

debian-ci@debci-22:~$ sudo journalctl  -u nftables
Mar 13 15:25:58 debci-22 systemd[1]: Finished nftables.service - nftables.
May 21 07:18:42 debci-22 systemd[1]: Stopping nftables.service - nftables...
May 21 07:18:42 debci-22 systemd[1]: nftables.service: Deactivated successfully.
May 21 07:18:42 debci-22 systemd[1]: Stopped nftables.service - nftables.
May 21 07:18:42 debci-22 systemd[1]: Starting nftables.service - nftables...
May 21 07:18:42 debci-22 systemd[1]: Finished nftables.service - nftables.

Paul
