I propose to add the needrestart pkg :
New in this release is the needrestart package. When installed, it will perform a check after each APT upgrade session. If any services running on the system require a restart to take advantage of changes in the upgraded packages then it offers to perform these restarts. It is recommended to install needrestart to ensure that security updates in libraries are propagated to running services.
Good point.
Somewhat documented in the deepness of expand buttons updating documentation:
https://www.whonix.org/wiki/Security_Guide#Operating_System
Somewhat related to T135.
Have you actually tried this? I worry about the usability of this thing. It mentions that a lot services need to be restarted. A few of them are checked by default, other such as kdm not. Now, if a user who is trying hard to be secure checks kdm, then kdm is shut down. Together with the Konsole that was running apt-get. All other open windows, all unsaved work would be lost. Surely a nice tool for slightly advanced users, but installed by default? Maybe it can be configured to prevent such a mess.
needrestart can be set to only list the packages that need a restart without taking action. Users will be notified and take the necessary steps before restarting their system:
https://github.com/liske/needrestart/blob/master/man/needrestart.1
See this screneshot.
{F71}
When users think they doing something good and check all these boxes, it will kill kdm, their Konsole session, apt-get that was run by the Konsole session as well as all unsaved work.
Right. But if you run needrestart -v -r l
(Small L)
It would only act as a notification only without giving options for restart.
Not talking about manual invocation here. It automatically runs with that option during apt-get dist-upgrade. Maybe it's possible to configure this, but then this would require shipping a configuration file. Either as part of the usability-misc package or a separate packages.
Apparmor issue:
May 26 16:03:45 host kernel: [ 7239.228434] audit: type=1400 audit(1432656225.140:100): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/dpkg/dpkg.cfg.d/needrestart" pid=13517 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Needs more work. Therefore moving to Whonix 12.
Testing the following config... /etc/needrestart/conf.d/50_user.conf
$nrconf{restart} = 'l';Therefore it doesn't run interactively anymore. Prevents users selecting services such as kdm and thereby shooting their own feet.
Then the extraneous output when running 'apt-get dist-upgrade' is the following.
Scanning processes... Scanning candidates... Scanning kernel images... Failed to retrieve available kernel versions. Services to be restarted: Skipping dbus.service... systemctl restart polkitd.service
Is this output any helpful to users? Let's go through it line by line.
Unless this can be configured better, I think by default, for most users, with the current advice to reboot after upgrading is better. (Not installing needrestart by default.) (For advanced users there can be a hint about needrestart in documentation.)
-r
set restart mode
l
(l)ist only
i
(i)nteractive restart
a
(a)utomatically restart
Running apt-get updates quietly can be done with:
apt-get dist-upgrade -qq
We can add the "-qq" as a condition if needrestart is included.
I think not. Users know these messages. So we have a genuine disagreement here.
- Most people will have no idea what these messages mean to even bother asking if they are hacked.
A different answer:
If that is so, if they don't know what these messages mean, why bother installing the needrestart then? If they don't know what these messages mean, then this ticket wasn't an improvement.
- Using a package manager GUI will hide all the information.
Judging by the current rate of progress, I find this unrealistic and I am not convinced we are getting there anytime soon.
- There might still be a way to hide this output either with a needrestart option "a" or in apt-get itself. needrestart manual page:
l
(l)ist only
Is what I was using above. The issues described:
T324#6134
i
(i)nteractive restart
Problematic UI as mentioned here:
T324#4951
a
(a)utomatically restart
Restarting without asking is too intrusive and causing all kind of trouble. Nothing we should set by default.
If you don't agree with the quiet option for apt-get dist-upgrade too then this ticket is good for closing.
OK I reread what the package does and a compromise would be to make a wrapper for it that hides the output that could trigger support threads and only say: Some packages that were updated need a system restart for the changes to take effect. Restart? Yes/No
we could have the details logged by needrestart to a logfile that advanced users can optionally check out.
https://gehrcke.de/2014/06/good-to-know-checkrestart-from-debian-goodies/
Useful blog post. There is checkrestart from debian-goodies pkg that does the same thing but works different.
Debian upstream considering shipping either by default.
I guess checkrestart is too dated?
A wrapper could work. Disabling the hooks that come with needrestart. Adding new hooks. Having the wrapper run needrestart with hidden output. And showing a simplified message to users as appropriate.
apt-file list needrestart
Another TODO: contacting the author. Giving feedback. Asking if such a wrapper is necessary at all of if there is a simpler solution.
Another related thing:
https://packages.debian.org/stretch/needrestart-session
It also has a batch mode.
sudo needrestart -b
NEEDRESTART-VER: 1.2 NEEDRESTART-KCUR: 3.18.17-5.pvops.qubes.x86_64 NEEDRESTART-KSTA: 0 NEEDRESTART-SVC: dbus.service NEEDRESTART-SVC: polkitd.service
- Failed to retrieve available kernel versions. - Probably a Qubes specific issue. May or may not be possible to fix this.
That could be fixed. /etc/needrestart/conf.d/50_qubes.conf
$nrconf{kernelhints} = '0';sudo needrestart -l -b
NEEDRESTART-VER: 1.2 NEEDRESTART-SVC: dbus.service NEEDRESTART-SVC: polkitd.service
feature request...
optional non-zero exit codes in case of restart(s) required:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794099
Qubes bug report:
needrestart reports 'Failed to retrieve available kernel versions.'
https://github.com/QubesOS/qubes-issues/issues/1442
Qubes bug fix:
Prevent services from being accidentally restarted by 'needrestart'.
https://github.com/marmarek/qubes-core-agent-linux/pull/51
needrestart feature request:
easy mode for needrestart
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819824
Readded Whonix 14 by accident during batch edit (adding all debian stretch tickets to Whonix 14).
needrestart works good enough for it to be implemented as a test in whonixcheck (--verbose?).
sudo needrestart -r l -b
NEEDRESTART-VER: 3.4 NEEDRESTART-KCUR: 4.19.43-1.pvops.qubes.x86_64 NEEDRESTART-KEXP: 4.19.0-5-amd64 NEEDRESTART-KSTA: 3
See https://github.com/liske/needrestart/blob/master/README.batch.md for meaning of NEEDRESTART-KSTA.
Output NEEDRESTART-KSTA cannot be interpreted directly yet in Qubes-Whonix but a temporary auto-generated config file as per T324#6180 could do.
What is a good way to detect that users are using VM kernel in Qubes? @marmarek If uname -r outputs 4.19.43-1.pvops.qubes.x86_64 i.e. matches *pvops* it means that no VM kernel is being used?