Page MenuHomePhabricator

Add package needrestart
Open, NormalPublic

Description

I propose to add the needrestart pkg :

New in this release is the needrestart package. When installed, it will perform a check after each APT upgrade session. If any services running on the system require a restart to take advantage of changes in the upgraded packages then it offers to perform these restarts. It is recommended to install needrestart to ensure that security updates in libraries are propagated to running services.

Details

Impact
High

Event Timeline

HulaHoop updated the task description. (Show Details)May 24 2015, 6:28 AM
HulaHoop set Impact to Needs Triage.
HulaHoop added a subscriber: HulaHoop.
HulaHoop created this task.
HulaHoop raised the priority of this task from to Normal.
Patrick changed Impact from Needs Triage to High.
Patrick added a subscriber: nrgaway.

Good point.

Somewhat documented in the deepness of expand buttons updating documentation:
https://www.whonix.org/wiki/Security_Guide#Operating_System

Somewhat related to T135.

Have you actually tried this? I worry about the usability of this thing. It mentions that a lot services need to be restarted. A few of them are checked by default, other such as kdm not. Now, if a user who is trying hard to be secure checks kdm, then kdm is shut down. Together with the Konsole that was running apt-get. All other open windows, all unsaved work would be lost. Surely a nice tool for slightly advanced users, but installed by default? Maybe it can be configured to prevent such a mess.

needrestart can be set to only list the packages that need a restart without taking action. Users will be notified and take the necessary steps before restarting their system:

https://github.com/liske/needrestart/blob/master/man/needrestart.1

https://packages.debian.org/jessie/admin/needrestart

See this screneshot.

When users think they doing something good and check all these boxes, it will kill kdm, their Konsole session, apt-get that was run by the Konsole session as well as all unsaved work.

Right. But if you run needrestart -v -r l
(Small L)

It would only act as a notification only without giving options for restart.

Not talking about manual invocation here. It automatically runs with that option during apt-get dist-upgrade. Maybe it's possible to configure this, but then this would require shipping a configuration file. Either as part of the usability-misc package or a separate packages.

Apparmor issue:

May 26 16:03:45 host kernel: [ 7239.228434] audit: type=1400 audit(1432656225.140:100): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/dpkg/dpkg.cfg.d/needrestart" pid=13517 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Needs more work. Therefore moving to Whonix 12.

Patrick edited projects, added Whonix 12; removed Whonix 11.May 26 2015, 6:54 PM

Testing the following config... /etc/needrestart/conf.d/50_user.conf

$nrconf{restart} = 'l';

Therefore it doesn't run interactively anymore. Prevents users selecting services such as kdm and thereby shooting their own feet.

Then the extraneous output when running 'apt-get dist-upgrade' is the following.

Scanning processes...                                                                                                 
Scanning candidates...                                                                                                
Scanning kernel images...                                                                                             
Failed to retrieve available kernel versions.
Services to be restarted:
Skipping dbus.service...
systemctl restart polkitd.service

Is this output any helpful to users? Let's go through it line by line.

  • Failed to retrieve available kernel versions. - Probably a Qubes specific issue. May or may not be possible to fix this. But for let's ignore this, since I have greater worries that needrestart actually worsens usability.
  • Skipping dbus.service... - I see it coming. Users become concerned, asking in the forums, it said "Skipping dbus.service...", am I hacked? (What this really means, I guess is something like "dbus is on a list of packages, that are not pre-selected for automatic restart recommendation".)
  • systemctl restart polkitd.service - Alright. Users would either ignore this or know that this is convenient for them to copy and paste this.

Unless this can be configured better, I think by default, for most users, with the current advice to reboot after upgrading is better. (Not installing needrestart by default.) (For advanced users there can be a hint about needrestart in documentation.)

  • Most people will have no idea what these messages mean to even bother asking if they are hacked.
  • Using a package manager GUI will hide all the information.
  • There might still be a way to hide this output either with a needrestart option "a" or in apt-get itself. needrestart manual page:

-r
set restart mode

l
(l)ist only

i
(i)nteractive restart

a
(a)utomatically restart

Running apt-get updates quietly can be done with:

apt-get dist-upgrade -qq

We can add the "-qq" as a condition if needrestart is included.

In T324#6148, @HulaHoop wrote:
  • Most people will have no idea what these messages mean to even bother asking if they are hacked.

I think not. Users know these messages. So we have a genuine disagreement here.

  • Most people will have no idea what these messages mean to even bother asking if they are hacked.

A different answer:
If that is so, if they don't know what these messages mean, why bother installing the needrestart then? If they don't know what these messages mean, then this ticket wasn't an improvement.

  • Using a package manager GUI will hide all the information.

Judging by the current rate of progress, I find this unrealistic and I am not convinced we are getting there anytime soon.

  • There might still be a way to hide this output either with a needrestart option "a" or in apt-get itself. needrestart manual page:

l
(l)ist only

Is what I was using above. The issues described:
T324#6134

i
(i)nteractive restart

Problematic UI as mentioned here:
T324#4951

a
(a)utomatically restart

Restarting without asking is too intrusive and causing all kind of trouble. Nothing we should set by default.

If you don't agree with the quiet option for apt-get dist-upgrade too then this ticket is good for closing.

OK I reread what the package does and a compromise would be to make a wrapper for it that hides the output that could trigger support threads and only say: Some packages that were updated need a system restart for the changes to take effect. Restart? Yes/No

we could have the details logged by needrestart to a logfile that advanced users can optionally check out.

https://gehrcke.de/2014/06/good-to-know-checkrestart-from-debian-goodies/

Useful blog post. There is checkrestart from debian-goodies pkg that does the same thing but works different.

Debian upstream considering shipping either by default.

I guess checkrestart is too dated?

A wrapper could work. Disabling the hooks that come with needrestart. Adding new hooks. Having the wrapper run needrestart with hidden output. And showing a simplified message to users as appropriate.

apt-file list needrestart

Another TODO: contacting the author. Giving feedback. Asking if such a wrapper is necessary at all of if there is a simpler solution.

Another related thing:
https://packages.debian.org/stretch/needrestart-session

It also has a batch mode.

sudo needrestart -b
NEEDRESTART-VER: 1.2
NEEDRESTART-KCUR: 3.18.17-5.pvops.qubes.x86_64
NEEDRESTART-KSTA: 0
NEEDRESTART-SVC: dbus.service
NEEDRESTART-SVC: polkitd.service

  • Failed to retrieve available kernel versions. - Probably a Qubes specific issue. May or may not be possible to fix this.

That could be fixed. /etc/needrestart/conf.d/50_qubes.conf

$nrconf{kernelhints} = '0';
sudo needrestart -l -b
NEEDRESTART-VER: 1.2
NEEDRESTART-SVC: dbus.service
NEEDRESTART-SVC: polkitd.service

feature request...
optional non-zero exit codes in case of restart(s) required:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794099

Patrick edited projects, added Whonix 13; removed Whonix 12.Aug 20 2015, 12:04 AM

Qubes bug report:
needrestart reports 'Failed to retrieve available kernel versions.'
https://github.com/QubesOS/qubes-issues/issues/1442

Qubes bug fix:
Prevent services from being accidentally restarted by 'needrestart'.
https://github.com/marmarek/qubes-core-agent-linux/pull/51

needrestart feature request:
easy mode for needrestart
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819824

In T324#8576, @Patrick wrote:

needrestart feature request:
easy mode for needrestart
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819824

This feature has just been implemented! The author is asking for testing.

entr0py added a subscriber: entr0py.Jun 4 2016, 5:12 AM
Patrick edited projects, added Whonix 15; removed Whonix 14.Jan 12 2017, 7:26 PM
Patrick closed this task as Resolved.
Patrick claimed this task.

Readded Whonix 14 by accident during batch edit (adding all debian stretch tickets to Whonix 14).

Patrick reopened this task as Open.Jan 18 2017, 10:34 AM
Patrick removed Patrick as the assignee of this task.Oct 1 2018, 1:17 PM

needrestart works good enough for it to be implemented as a test in whonixcheck (--verbose?).

sudo needrestart -r l -b
NEEDRESTART-VER: 3.4
NEEDRESTART-KCUR: 4.19.43-1.pvops.qubes.x86_64
NEEDRESTART-KEXP: 4.19.0-5-amd64
NEEDRESTART-KSTA: 3

See https://github.com/liske/needrestart/blob/master/README.batch.md for meaning of NEEDRESTART-KSTA.

Output NEEDRESTART-KSTA cannot be interpreted directly yet in Qubes-Whonix but a temporary auto-generated config file as per T324#6180 could do.

What is a good way to detect that users are using VM kernel in Qubes? @marmarek If uname -r outputs 4.19.43-1.pvops.qubes.x86_64 i.e. matches *pvops* it means that no VM kernel is being used?

In T324#18696, @Patrick wrote:

What is a good way to detect that users are using VM kernel in Qubes? @marmarek If uname -r outputs 4.19.43-1.pvops.qubes.x86_64 i.e. matches *pvops* it means that no VM kernel is being used?

I'd match *qubes*. Yes, should be good.