** Description changed:

- For many years, I have had a script that checks for and installs
- available updates on Debian and Ubuntu servers.
+ [ Impact ]
+ 
+  * Servers and other systems running `unattended-upgrades` will not
+ automatically restart services that use binaries that were updated, even
+ when explicitly configured to do so. This may lead to security holes
+ remaining open or other misbehaviour, until the machine or services are
+ restarted for other reasons. This defeats the primary functionality of
+ that package.
+ 
+ [ Test Plan ]
+ 
+  * Use an Ubuntu Jammy test system with typical configuration. I used a
+ fresh LXD container.
+ 
+  * Install `unattended-upgrades`. Ensure `needrestart` and `update-
+ notifier-common` are also installed, but that should usually be the
+ case.
+ 
+  * Configure `needrestart` to automatically restart services:
+    * Create `/etc/needrestart/conf.d/auto-restart.conf` with content:
+         $nrconf{restart} = 'a';
+ 
+  * Locate any package that some running service has an indirect dependency on 
(such as libc, libssl3, python, java, etc). Using something more uncommon like 
java might be easier than something that has a lot of dependencies like 
libc/libssl3.
+     * In my case I chose `<dep>=libc6` and `<service>=cron`.
+ 
+  * `apt list -a <dep>` to see other versions of the package. Usually
+ there will be an older version available from the main repository, while
+ the current version is from the update or security repository.
+ 
+  * `sudo apt install <dep>=<version>` to explicitly downgrade the package to 
the older version. (You may need to select a different package, or more 
packages, to resolve conflicts or avoid removing other packages.)
+     * Observe that the dependent services will be automatically restarted 
when you do this. (I checked this via the start time in `systemctl status 
<service>`.)
+ 
+  * `sudo unattended-upgrade` to request immediate upgrade of outdated 
packages, which should reverse the above change.
+     * Observe that while 
`/var/log/unattended-upgrades/unattended-upgrades-dpkg.log` reports 
`NEEDRESTART-SVC` as expected, the services in question are not actually 
restarted. (Again I confirmed this via `systemctl status <service>`.)
+ 
+ [ Where problems could occur ]
+ 
+     * There is a low chance of regressions given that the patch has been
+ included in the packaged deb since kinetic.
+ 
+     * Since this bug has been around for some time a number of users may have 
implemented workarounds in their scripts that this fix could break.
+       * I have tested at least one workaround which was discussed on the 
associated github issue (https://github.com/liske/needrestart/issues/270) and 
confirmed that this fix does not break it. Namely running `needrestart -r a -f 
readline` after `unattended-upgrade` does not prompt and does not cause any 
additional restarts.
+ 
+     * Someone could have been relying on the broken behavior to avoid
+ automatic restarts. This seems unlikely, as it is directly against the
+ described behavior of the package.
+ 
+ [ Other Info ]
+ 
+ Related: 
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/2055280
+ Related: https://github.com/liske/needrestart/issues/270
+ Related: https://github.com/liske/needrestart/pull/214 (upstream patch)
+ 
+ The debdiff has been updated since security patches were released since 
juergh's upload,
+ but the fix is substantially the same.
+ 
+ ---Original bug---
+ For many years, I have had a script that checks for and installs available 
updates on Debian and Ubuntu servers.
  
  Code:
  
  #!/bin/bash
  apt-get update
  apt-get dist-upgrade -y
  [then clear cache, refresh snaps, restart if needed etc]
  
  With the Ubuntu 22.04 servers, it happily 'apt-get update's and then
  does the upgrade without pausing to ask if I want to do it :) but it
  then checks to see if any services need restarting and if any might do,
  asks if I want to restart them and won't continue until I answer. :( :(
  :(
  
  Typically some are preselected (if apache has been updated, then apache
  will be preselected, for example) and some are unselected (unattended-
  upgrades is the classic example). Sometimes, all are unselected meaning
  it doesn't think any do need restarting, but it will still stay waiting
  for my OK not to do so.
  
  More info is given than before:
  
  [do actual update]
- Scanning processes...                                                         
  
- Scanning candidates...                                                        
  
- Scanning linux images...                                                      
  
+ Scanning processes...
+ Scanning candidates...
+ Scanning linux images...
  
  Running kernel seems to be up-to-date.
  
  [wait for interaction here or after next line]
  Restarting services...
  Service restarts being deferred:
   systemctl restart systemd-logind.service
   systemctl restart unattended-upgrades.service
  
  No containers need to be restarted.
  
  No user sessions are running outdated binaries.
  
  No VM guests are running outdated hypervisor (qemu) binaries on this host.
- [all done!]                                         
+ [all done!]
  
  So some significant stuff has changed, but if I do
  
  man apt-get
  
  there is no indication that the behaviour has been changed like this:
  the bit about the -y command line option still says "run non-
  interactively", yet there it is waiting for interaction. There is also
  no indication of any new command line option to really be non-
  interactive.
  
  It is lovely that it is now explicitly checking things like this, but if
  I ask for a non-interactive upgrade, I should get a non-interactive
  upgrade!
  
  I have not come across an instance where the suggestion about which
  services need restarting has been wrong, so I am happy to accept the
  recommendation and just restart/not restart as suggested.
  
  # lsb_release -a
  No LSB modules are available.
- Distributor ID:       Ubuntu
- Description:  Ubuntu 22.04.1 LTS
- Release:      22.04
- Codename:     jammy
+ Distributor ID: Ubuntu
+ Description: Ubuntu 22.04.1 LTS
+ Release: 22.04
+ Codename: jammy
+ ---/Original Bug---

** Patch added: "needrestart_3.5-5ubuntu2.5.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2004203/+attachment/5908508/+files/needrestart_3.5-5ubuntu2.5.debdiff

** Description changed:

  [ Impact ]
  
-  * Servers and other systems running `unattended-upgrades` will not
+  * Servers and other systems running `unattended-upgrades` will not
  automatically restart services that use binaries that were updated, even
  when explicitly configured to do so. This may lead to security holes
  remaining open or other misbehaviour, until the machine or services are
  restarted for other reasons. This defeats the primary functionality of
  that package.
  
  [ Test Plan ]
  
-  * Use an Ubuntu Jammy test system with typical configuration. I used a
+  * Use an Ubuntu Jammy test system with typical configuration. I used a
  fresh LXD container.
  
-  * Install `unattended-upgrades`. Ensure `needrestart` and `update-
+  * Install `unattended-upgrades`. Ensure `needrestart` and `update-
  notifier-common` are also installed, but that should usually be the
  case.
  
-  * Configure `needrestart` to automatically restart services:
-    * Create `/etc/needrestart/conf.d/auto-restart.conf` with content:
-         $nrconf{restart} = 'a';
+  * Configure `needrestart` to automatically restart services:
+    * Create `/etc/needrestart/conf.d/auto-restart.conf` with content:
+         $nrconf{restart} = 'a';
  
-  * Locate any package that some running service has an indirect dependency on 
(such as libc, libssl3, python, java, etc). Using something more uncommon like 
java might be easier than something that has a lot of dependencies like 
libc/libssl3.
-     * In my case I chose `<dep>=libc6` and `<service>=cron`.
+  * Locate any package that some running service has an indirect dependency on 
(such as libc, libssl3, python, java, etc). Using something more uncommon like 
java might be easier than something that has a lot of dependencies like 
libc/libssl3.
+     * In my case I chose `<dep>=libc6` and `<service>=cron`.
  
-  * `apt list -a <dep>` to see other versions of the package. Usually
+  * `apt list -a <dep>` to see other versions of the package. Usually
  there will be an older version available from the main repository, while
  the current version is from the update or security repository.
  
-  * `sudo apt install <dep>=<version>` to explicitly downgrade the package to 
the older version. (You may need to select a different package, or more 
packages, to resolve conflicts or avoid removing other packages.)
-     * Observe that the dependent services will be automatically restarted 
when you do this. (I checked this via the start time in `systemctl status 
<service>`.)
+  * `sudo apt install <dep>=<version>` to explicitly downgrade the package to 
the older version. (You may need to select a different package, or more 
packages, to resolve conflicts or avoid removing other packages.)
+     * Observe that the dependent services will be automatically restarted 
when you do this. (I checked this via the start time in `systemctl status 
<service>`.)
  
-  * `sudo unattended-upgrade` to request immediate upgrade of outdated 
packages, which should reverse the above change.
-     * Observe that while 
`/var/log/unattended-upgrades/unattended-upgrades-dpkg.log` reports 
`NEEDRESTART-SVC` as expected, the services in question are not actually 
restarted. (Again I confirmed this via `systemctl status <service>`.)
+  * `sudo unattended-upgrade` to request immediate upgrade of outdated 
packages, which should reverse the above change.
+     * Observe that while 
`/var/log/unattended-upgrades/unattended-upgrades-dpkg.log` reports 
`NEEDRESTART-SVC` as expected, the services in question are not actually 
restarted. (Again I confirmed this via `systemctl status <service>`.)
  
  [ Where problems could occur ]
  
-     * There is a low chance of regressions given that the patch has been
+     * There is a low chance of regressions given that the patch has been
  included in the packaged deb since kinetic.
  
-     * Since this bug has been around for some time a number of users may have 
implemented workarounds in their scripts that this fix could break.
-       * I have tested at least one workaround which was discussed on the 
associated github issue (https://github.com/liske/needrestart/issues/270) and 
confirmed that this fix does not break it. Namely running `needrestart -r a -f 
readline` after `unattended-upgrade` does not prompt and does not cause any 
additional restarts.
+     * Since this bug has been around for some time a number of users may have 
implemented workarounds in their scripts that this fix could break.
+       * I have tested at least one workaround which was discussed on the 
associated github issue (https://github.com/liske/needrestart/issues/270) and 
confirmed that this fix does not break it. Namely running `needrestart -r a -f 
readline` after `unattended-upgrade` does not prompt and does not cause any 
additional restarts.
  
-     * Someone could have been relying on the broken behavior to avoid
+     * Someone could have been relying on the broken behavior to avoid
  automatic restarts. This seems unlikely, as it is directly against the
  described behavior of the package.
  
  [ Other Info ]
  
  Related: 
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/2055280
  Related: https://github.com/liske/needrestart/issues/270
  Related: https://github.com/liske/needrestart/pull/214 (upstream patch)
  
- The debdiff has been updated since security patches were released since 
juergh's upload,
- but the fix is substantially the same.
- 
- ---Original bug---
- For many years, I have had a script that checks for and installs available 
updates on Debian and Ubuntu servers.
- 
- Code:
- 
- #!/bin/bash
- apt-get update
- apt-get dist-upgrade -y
- [then clear cache, refresh snaps, restart if needed etc]
- 
- With the Ubuntu 22.04 servers, it happily 'apt-get update's and then
- does the upgrade without pausing to ask if I want to do it :) but it
- then checks to see if any services need restarting and if any might do,
- asks if I want to restart them and won't continue until I answer. :( :(
- :(
- 
- Typically some are preselected (if apache has been updated, then apache
- will be preselected, for example) and some are unselected (unattended-
- upgrades is the classic example). Sometimes, all are unselected meaning
- it doesn't think any do need restarting, but it will still stay waiting
- for my OK not to do so.
- 
- More info is given than before:
- 
- [do actual update]
- Scanning processes...
- Scanning candidates...
- Scanning linux images...
- 
- Running kernel seems to be up-to-date.
- 
- [wait for interaction here or after next line]
- Restarting services...
- Service restarts being deferred:
-  systemctl restart systemd-logind.service
-  systemctl restart unattended-upgrades.service
- 
- No containers need to be restarted.
- 
- No user sessions are running outdated binaries.
- 
- No VM guests are running outdated hypervisor (qemu) binaries on this host.
- [all done!]
- 
- So some significant stuff has changed, but if I do
- 
- man apt-get
- 
- there is no indication that the behaviour has been changed like this:
- the bit about the -y command line option still says "run non-
- interactively", yet there it is waiting for interaction. There is also
- no indication of any new command line option to really be non-
- interactive.
- 
- It is lovely that it is now explicitly checking things like this, but if
- I ask for a non-interactive upgrade, I should get a non-interactive
- upgrade!
- 
- I have not come across an instance where the suggestion about which
- services need restarting has been wrong, so I am happy to accept the
- recommendation and just restart/not restart as suggested.
- 
- # lsb_release -a
- No LSB modules are available.
- Distributor ID: Ubuntu
- Description: Ubuntu 22.04.1 LTS
- Release: 22.04
- Codename: jammy
- ---/Original Bug---
+ The debdiff has been updated since security patches were released since
+ juergh's upload, but the fix is substantially the same.
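Added example, not code from the bug report or from the needrestart package: a small checker for the symptom the test plan describes. It records each named service's systemd start timestamp, runs `unattended-upgrade`, and then reports any unit that appears as `NEEDRESTART-SVC` in the dpkg log named above but whose start time did not change. It assumes needrestart's batch lines look like `NEEDRESTART-SVC: <unit>` and that `systemctl show --value` is available (both true on Jammy as far as I know, but stated here as assumptions).

```shell
#!/bin/sh
# Added example, not from the bug report: a checker for the symptom in the test
# plan above. It records each service's start time, runs `unattended-upgrade`,
# then reports any service that needrestart flagged as NEEDRESTART-SVC in the
# dpkg log but that systemd shows was never restarted.

DPKG_LOG=/var/log/unattended-upgrades/unattended-upgrades-dpkg.log   # path named in the bug

# Pure helper: unit names from NEEDRESTART-SVC lines on stdin, one per line, unique.
# The "NEEDRESTART-SVC: <unit>" format is assumed from needrestart's batch output.
flagged_units() {
    sed -n 's/^.*NEEDRESTART-SVC:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | sort -u
}

# Pure helper: true when the monotonic start timestamp grew, i.e. the unit restarted.
restarted() { [ "${2:-0}" -gt "${1:-0}" ]; }

# systemd's ActiveEnterTimestampMonotonic for a unit (microseconds); 0 if unknown.
start_ts() {
    systemctl show -p ActiveEnterTimestampMonotonic --value "$1" 2>/dev/null || echo 0
}

# Live check: record, upgrade, compare. Returns 1 if a flagged unit did not restart.
check_live() {
    before=$(for u in "$@"; do printf '%s %s\n' "$u" "$(start_ts "$u")"; done)
    sudo unattended-upgrade || return 2
    rc=0
    for u in $(flagged_units < "$DPKG_LOG"); do
        old=$(printf '%s\n' "$before" | awk -v u="$u" '$1 == u { print $2 }')
        [ -n "$old" ] || continue                 # only units we recorded beforehand
        if restarted "$old" "$(start_ts "$u")"; then
            echo "restarted:     $u"
        else
            echo "NOT restarted: $u (flagged by needrestart, start time unchanged)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_restart.sh cron.service   (run right after the downgrade step,
# using the full unit name so it matches what needrestart logs)
[ $# -eq 0 ] || check_live "$@"
```

With the bug present the script prints "NOT restarted" for the unit you downgraded a dependency of and exits 1; with the fixed needrestart it prints "restarted" and exits 0.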

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2004203

Title:
  With needrestart, apt-get does not respect non-interactive instruction
  when upgrading services

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2004203/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs