software: defer automatic reboots & service restarts (when possible), and have a UI for it

[garrett]

As a follow-up to https://github.com/cockpit-project/cockpit/pull/14581 and based on https://askbot.fedoraproject.org/en/question/134425/dnf-automatic-enable-install-disable-restart/, we should retrofit the automatic updates UI to allow:

1. auto-downloading of packages without applying anything
   • this speeds up the interactive updating process and lets a sysadmin watch over the machine
2. ~auto-download without rebooting or restarting services~
   • I'm not completely sure about this one, but I guess it could patch things and would be ready whenever someone manually restarts services or reboots? -- pitti: nack, this is too dangerous/brittle to encourage
3. auto-downloading and installation without rebooting, but restarting services automatically
   • have the system as up-to-date as possible without rebooting, which may require a password on boot
4. apply all updates, restart and reboot (whatever is needed)
   • this is what we do now, except we always reboot when there has been an update... the change would be to do whatever tracer says
5. apply all updates, and always reboot when there are updates
   • this is exactly what we do now... if we have # 4, then I'm not sure if we need this one

When someone logs into Cockpit after the auto step happens, Cockpit will show the results from Tracer and inform the user what needs to happen (if anything).

Additionally, we may want to let someone know that an update happened and the system restarted services or rebooted, if this happened.

[garrett]

@skobyda, @martinpitt, and I talked about this in IRC and were in :crossed_swords::crossed_swords: VIOLENT AGREEMENT :crossed_swords::crossed_swords: about it, so I figured I should open up this issue so we don't forget. :wink:

[zwimer]

It would be great to have the option to disable automatic-reboots after a software upgrade! There are some systems that shouldn't be shutdown automatically either because they need to stay available 24/7 or because reinitialization of their services is either difficult, takes time, or requires manual intervention.

Forcing system restarts discourages the use of this tool and the reason I needed to disable it on one of my servers.

[martinpitt]

@zwimer : Sorry, this is not a valid use case in my opinion. You really should not install updated packages unattended and then not reboot, especially if these machines must be available. Files changing underneath running services/programs can lead to weird bugs, not everything auto-restarts on upgrade. We are not going to support/encourage this.

[zwimer]

@martinpitt Would it be possible to add a toggle not to install programs that require a restart? Really, the main package I'm thinking of is the kernel which, on some distros, updates very frequently and leads to frequent restarts.

[martinpitt]

@zwimer: That is really hard to predict in general. Even tracer and needrestart can only tell this after installing packages. For the kernel specifically there are better solutions, like kpatch. Some distros (like RHEL and Ubuntu) offer that. Cockpit explicitly supports at least RHEL's kpatch.

[zwimer]

That's surprising and unfortunate, good to know about the kpatch bit though, I'll give that a shot! Thanks!

Also, since the idea was just rejected, would it be better to cross out bullet point 3 on the initial post?

[martinpitt]

In #19648 we defer to dnf now to decide when to reboot and when not. That's about as far as I'm willing to go. See this downstream comment for some details.