agross / dnf-automatic-restart

Restart machine or services after dnf-automatic installed updates
MIT License

Why not consume the output of `dnf needs-restarting`? #15

Open bexelbie opened 2 years ago

bexelbie commented 2 years ago

I am using dnf-automatic and wouldn't mind getting restarts as needed. Can you help me understand the philosophy here versus dnf needs-restarting?

agross commented 2 years ago

Hi @bexelbie,

The philosophy is rather simple: I wasn't aware of dnf needs-restarting ;-) But I'll give it a try!

agross commented 2 years ago

Correction: See #1 for a discussion about dnf needs-restarting. I'll have a look whether the output has changed in recent years.

agross commented 2 years ago

I'll have a look whether the output has changed in recent years.

It hasn't.

$ dnf needs-restarting
Failed to read PID 3091283's smaps.
1 : /usr/lib/systemd/systemd rhgb --switched-root --system --deserialize 32
810 : /usr/lib/systemd/systemd-journald
834 : /usr/lib/systemd/systemd-udevd
1007 : /usr/lib/systemd/systemd-oomd
1010 : /sbin/auditd
1047 : avahi-daemon: running [router.local]
1052 : /usr/lib/polkit-1/polkitd --no-debug
1054 : /usr/lib/systemd/systemd-logind
1055 : /usr/bin/VGAuthService -s
1056 : /usr/bin/vmtoolsd
...
bexelbie commented 2 years ago

I've added a comment in #1 about a possible method to turn dnf needs-restarting output into a systemd unit. I am unable to trigger that issue to reopen.

MartinNowak commented 1 year ago

Seems like dnf-needs-restarting got support for listing services directly, see https://github.com/agross/dnf-automatic-restart/issues/1#issuecomment-1550969334.

jeffshead commented 1 year ago

Using needs-restarting would be better in my opinion.

@agross

This is how someone else did it:

#!/bin/sh
# Install needs-restarting (shipped in yum-utils / dnf-plugins-core) if it is missing.
if [ ! -f "/usr/bin/needs-restarting" ]; then
    yum -y install yum-utils
fi

# Do nothing while yum still holds its lock file.
if [ -f "/var/run/yum.pid" ]; then
        echo "Yum running"
        exit 0
fi

# pgrep matches every process whose name contains "dnf", which includes
# dnf-automatic itself when this script runs as its post-transaction hook.
COUNT=$(pgrep dnf | wc -l)

if [ "$COUNT" -gt 0 ]; then
        echo "DNF running"
        exit 0
fi

# needs-restarting -r exits non-zero when a full reboot is required.
needs-restarting -r >/dev/null || { reboot; exit 0; }
NEEDS=$(needs-restarting)

# Quote $NEEDS so the one-process-per-line output reaches grep intact.
echo "$NEEDS" | grep -q auditd && { reboot; exit 0; }
echo "$NEEDS" | grep -q '/usr/sbin/httpd' && { systemctl restart httpd; }
echo "$NEEDS" | grep -q '/usr/sbin/sshd' && { systemctl restart sshd; }
echo "$NEEDS" | grep -q '/usr/sbin/nginx' && { systemctl restart nginx; }
echo "$NEEDS" | grep -q '/usr/sbin/chronyd' && { systemctl restart chronyd; }
echo "$NEEDS" | grep -q '/usr/libexec/postfix/master' && { systemctl restart postfix; }
echo "$NEEDS" | grep -q '/var/run/mariadb/' && { systemctl restart mariadb; }
echo "$NEEDS" | grep -q 'sbin/mydns' && { systemctl restart mydns; }
echo "$NEEDS" | grep -q 'sbin/pdns_server' && { systemctl restart pdns; }
echo "$NEEDS" | grep -q 'php-fpm:' && { systemctl restart php-fpm; }

I tested it and I know it works to restart the server, but I had to remove the if statements because I kept getting nothing but "DNF running" until I removed them. I don't know if the service restarts are working.

The script above is less than optimal. One issue with doing it this way is that you have to know what to grep for and every server will have different services running but... That's where the needs-restarting -s option comes to the rescue. Since the -s option lists only the names of the services that need restarting, it should be able to replace tracer, right?


Below is a small script that utilizes needs-restarting -s:

#!/bin/bash
# needs-restarting -r exits non-zero when a full reboot is required.
needs-restarting -r >/dev/null || { reboot; exit 0; }
# -s prints only the systemd units that need a restart, one per line.
NEEDS=$(needs-restarting -s)
# auditd cannot be restarted through systemctl, so treat it as a reboot trigger
# (-x matches the whole line, -F keeps the dot literal).
echo "$NEEDS" | grep -qxF 'auditd.service' && { reboot; exit 0; }
# Restart every listed unit; --no-run-if-empty skips systemctl when the list is empty.
echo "$NEEDS" | xargs --no-run-if-empty -n1 systemctl restart

I'm just a novice so correct me if I'm wrong but if you have something like NGINX or NPM running in a Docker container and you are using it as a reverse-proxy for everything, you don't have to worry about restarting Docker AFTER firewalld if you add the following firewalld rules, do you?

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https

For all containers behind the reverse-proxy, change their listening ports from all IPs to listening only internally. A docker-compose example is below.

Change from:

ports:
      - '90:80'
      - '9443:443'
      - '8000:8000'

To:

ports:
      - '127.0.0.1:90:80'
      - '127.0.0.1:9443:443'
      - '127.0.0.1:8000:8000'

The port changes above basically keep Docker from poking holes in the firewall.
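The `needs-restarting -s` approach discussed above, as an added example that is not part of this thread or of dnf-automatic-restart: it turns the one-unit-per-line list into an explicit plan (either a single reboot or a set of unit restarts), matches unit names exactly instead of by substring, and defaults to a dry run so it can be exercised on any machine. The list of units that force a reboot, the sample output and the `DRY_RUN` variable are assumptions, not taken from the project.

```bash
#!/bin/sh
# Added example (not the thread's or dnf-automatic-restart's code): build a
# restart plan from `needs-restarting -s` output. Sample input is constructed.

# Units whose presence in the list means "reboot, don't restart".
# Assumption: auditd refuses manual restarts and restarting the system bus
# would cut off every client, so both are treated as reboot triggers.
REBOOT_UNITS="auditd.service dbus-broker.service dbus.service"

# plan_restarts: reads unit names on stdin (the `needs-restarting -s` format)
# and prints either one "reboot" line or one "restart <unit>" line per unit.
# Blank lines are skipped; matching is on the whole unit name, so a substring
# such as "sshd" cannot accidentally match an unrelated unit.
plan_restarts() {
  restarts=""
  while IFS= read -r unit; do
    [ -n "$unit" ] || continue
    case " $REBOOT_UNITS " in
      *" $unit "*) echo "reboot"; return 0 ;;
    esac
    restarts="$restarts $unit"
  done
  for unit in $restarts; do
    echo "restart $unit"
  done
}

# run_cmd: executes a command, or only prints it when DRY_RUN=1 (the default
# here so the example never reboots or restarts anything by itself).
run_cmd() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "would run: $*"
  else
    "$@"
  fi
}

# apply_plan: consumes plan lines from stdin and acts on each of them.
apply_plan() {
  while read -r action unit; do
    case "$action" in
      reboot)  run_cmd systemctl reboot ;;
      restart) run_cmd systemctl restart "$unit" ;;
    esac
  done
}

# Constructed sample of `needs-restarting -s` output.
SAMPLE='sshd.service
nginx.service
chronyd.service'

# Same control flow as the short script in the thread, but fed from the
# sample instead of calling needs-restarting, so it runs offline.
main() {
  printf '%s\n' "$SAMPLE" | plan_restarts | apply_plan
}

main
```

Run it as-is to see the dry-run plan; on a real host replace `SAMPLE` with `$(needs-restarting -s)`, keep the `needs-restarting -r` check in front of it, and set `DRY_RUN=0` only once the printed plan looks right.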