romkatv / powerlevel10k

A Zsh theme
MIT License

Feature request: segments to show if there are security updates and/or if need to reboot #1118

Open huyz opened 3 years ago

huyz commented 3 years ago

On Ubuntu, /run/motd.dynamic shows useful information:

But this only shows up for people who ssh or login regularly. Not everyone does that; many folks just keep long-running sessions. Having indicators in the prompt would thus be useful.

romkatv commented 3 years ago

Is there a detailed description of what this file contains? If not, can you post examples for all bullet points you've mentioned?

romkatv commented 3 years ago

Closing due to inactivity.

huyz commented 3 years ago

@romkatv Sorry for replying late.

TL;DR: the easiest to implement would be for the Debian family, where all you have to do is check the existence of one file (to know whether to reboot) and parse another simple file (to see how many regular & security updates are pending). For other Linux families, or to get even more information in the Debian family about restarting services/binaries/processor microcodes, some extra packages may need to be present. (I personally would just be happy with the Debian family since that's what I use.)

To detect if a reboot is needed

It depends on the OS, but here are some common ones (Debian, Red Hat, SUSE families): https://megamorf.gitlab.io/2019/06/10/check-if-reboot-is-required-after-installing-linux-updates/

For instance, for the Debian family:

% cat /var/run/reboot-required  # The mere presence of the file is sufficient (no need to look inside)
*** System restart required ***
% cat /var/run/reboot-required.pkgs   # If one wanted to know why a reboot is required
libssl1.0.0
linux-base
linux-base
linux-base
libc6
linux-base

To detect if a service/binary/processor microcode needs to be restarted

Optionally, if needrestart (supports Debian, Red Hat, and Arch families) is installed, then you can also get information about needing to restart services/binaries/processor microcode.

If the shell is run by a regular user, you only get a listing of the user's affected binaries:

% needrestart -r l
Scanning processes...
Your outdated processes:
systemd[4863]

But if needrestart is run by root, then you get a ton more information about services/binaries and processor microcode that need to be restarted. For example:

% # `-u NeedRestart::UI::stdio` to disable the Text UI interactive prompt
%  # The extra `| cat` is to disable console prompts
% sudo needrestart -r l -u NeedRestart::UI::stdio 2>&1 | cat 

Pending kernel upgrade!

Running kernel version:
  5.4.0-47-generic

Diagnostics:
  The currently running kernel version is not the expected kernel version 5.4.0-53-generic.

Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting. [Return]

Pending processor microcode upgrade!

Diagnostics:
  The currently running processor microcode revision is 0x1 which is not the expected microcode revision 0x71a.

Restarting the system to load the new processor microcode will not be handled automatically, so you should consider rebooting. [Return]

Services to be restarted:
 systemctl restart accounts-daemon.service
 systemctl restart apache-htcacheclean.service
 systemctl restart apache2.service
 systemctl restart atd.service
 systemctl restart avahi-daemon.service
 systemctl restart bind9.service
 systemctl restart cron.service
 systemctl restart dictd.service
 systemctl restart dovecot.service
 systemctl restart google-accounts-manager.service
 systemctl restart google-address-manager.service
 systemctl restart haveged.service
 systemctl restart lvm2-lvmetad.service
 systemctl restart mailman3-web.service
 systemctl restart mailman3.service
 systemctl restart mattermost.service
 systemctl restart ModemManager.service
 systemctl restart mysql.service
 systemctl restart networkd-dispatcher.service
 systemctl restart ntp.service
 systemctl restart opendkim.service
 systemctl restart php7.2-fpm.service
 systemctl restart polkit.service
 systemctl restart postfix@-.service
 systemctl restart postgresql@10-main.service
 systemctl restart postgrey.service
 systemctl restart postsrsd.service
 systemctl restart rsyslog.service
 systemctl restart serial-getty@ttyS0.service
 systemctl restart squid.service
 systemctl restart ssh.service
 systemctl restart sshguard.service
 /etc/needrestart/restart.d/systemd-manager
 systemctl restart systemd-resolved.service
 systemctl restart systemd-udevd.service
 systemctl restart tor@default.service
 systemctl restart uuidd.service

Service restarts being deferred:
 /etc/needrestart/restart.d/dbus.service
 systemctl restart getty@tty1.service
 systemctl restart lxcfs.service
 systemctl restart openvpn@ofb.service
 systemctl restart openvpn@ofb_vpn.service
 systemctl restart systemd-journald.service
 systemctl restart systemd-logind.service
 systemctl restart unattended-upgrades.service
 systemctl restart wpa_supplicant.service

No containers need to be restarted.

User sessions running outdated binaries:
 user1 @ session #224: screen[22997]
 user1 @ user manager service: systemd[22818]
 user2 @ session #1507: bash[4060,13665,14620,20496,27425,28106], man[4983,10146], screen[32388]
 user2 @ user manager service: systemd[24956]
 user3 @ user manager service: systemd[11578]
 user4 @ user manager service: systemd[1621]
 user5 @ session #31936: tmux: server[15332]
 user5 @ user manager service: systemd[15019]
 user6 @ session #126019: ssh-agent[13475]
 user6 @ session #126479: ssh-agent[27878]
 user6 @ session #126972: ssh-agent[2885]
 user6 @ session #127025: ssh-agent[17519]
 user6 @ session #136825: ssh-agent[26505]
 user6 @ session #140037: ssh-agent[4584]
 user6 @ session #141990: ssh-agent[22205]
 user6 @ session #146139: ssh-agent[16162]
 user6 @ session #15: ssh-agent[6814]
 user6 @ user manager service: systemd[4863]
 user7 @ session #18: bash[8065], screen[8064]
 user7 @ user manager service: systemd[7209]
 user8 @ session #26724: mosh-server[22222], zsh[22223]
 user8 @ session #26728: mosh-server[22821], zsh[22822]
 user8 @ session #7: screen[4189], zsh[4191]
 user8 @ user manager service: systemd[3997]
 user9 @ session #93: screen[25619], zsh[25620]
 user9 @ user manager service: systemd[25485]
 user10 @ session #49935: screen[18381], zsh[12380,18382,18524,18534]
 user10 @ user manager service: systemd[5873]
 user11 @ session #173: sshd[10519,10606], zsh[10607]
 user11 @ session #29253: sshd[16037,16110]
 user11 @ user manager service: systemd[10539]
 user12 @ user manager service: systemd[27334]
 user13 @ session #608: screen[29245], zsh[29247]
 user13 @ user manager service: systemd[19409]
 user14 @ session #74572: bash[21472,26451], screen[21470]
 user14 @ user manager service: systemd[21351]

If one only cared about outdated services and processor microcode, and not outdated binaries, one could just add the -q flag to the needrestart invocation.

For detection of available (regular and security) updates

On Ubuntu (and probably the Debian family), you can look at the content of /var/lib/update-notifier/updates-available:

% cat /var/lib/update-notifier/updates-available

30 packages can be updated.
0 updates are security updates.

Note that on Ubuntu 20.04, this works for regular users. But before that (e.g. Ubuntu 18), there was a bug (now fixed) on the permissions so that only root could see the contents of that file.

More Ubuntu output examples here (but they're pretty much the same): https://askubuntu.com/questions/774805/how-to-get-a-list-of-all-pending-security-updates

On Red Hat, one would have to check if the yum-security package is installed, and then you could run the yum updateinfo command:

# yum updateinfo list security all
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
              : subscription-manager, verify, versionlock
  RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
  RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
  RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
  RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
  RHSA-2016:2594 Moderate/Sec.  389-ds-base-1.3.5.10-11.el7.x86_64
  RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
  RHSA-2017:2569 Moderate/Sec.  389-ds-base-1.3.6.1-19.el7_4.x86_64
  RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
  RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
  RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
  RHSA-2018:2757 Moderate/Sec.  389-ds-base-1.3.7.5-28.el7_5.x86_64
  RHSA-2018:3127 Moderate/Sec.  389-ds-base-1.3.8.4-15.el7.x86_64
  RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64

Let me know if you need more info
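
The Debian-family check described in the comment above, as an added example that is not part of the thread or of powerlevel10k. The function names are hypothetical; counts are accepted only as plain digits before being printed, since text placed in a prompt is subject to prompt expansion.

```shell
# Added example, not powerlevel10k code. File arguments default to the
# Debian-family paths quoted in the comment above.

# updates_counts [FILE]: print "<total> <security>"; status 1 if unreadable.
updates_counts() {
  uc_file=${1:-/var/lib/update-notifier/updates-available}
  uc_total=0 uc_sec=0
  [ -r "$uc_file" ] || return 1
  while IFS= read -r uc_line || [ -n "$uc_line" ]; do
    uc_num=${uc_line%% *}                          # first word of the line
    case $uc_num in ''|*[!0-9]*) continue ;; esac  # accept plain digits only
    case $uc_line in
      *'security update'*) uc_sec=$uc_num ;;
      *'can be updated'*)  uc_total=$uc_num ;;
    esac
  done < "$uc_file"
  printf '%s %s\n' "$uc_total" "$uc_sec"
}

# reboot_pending [FILE]: status 0 if the marker file exists (content ignored).
reboot_pending() {
  [ -e "${1:-/var/run/reboot-required}" ]
}

# update_summary [UPDATES_FILE] [REBOOT_FILE]: one line suitable for a prompt.
update_summary() {
  us_out=''
  if us_counts=$(updates_counts "$1"); then
    us_total=${us_counts% *} us_sec=${us_counts#* }
    if [ "$us_total" -gt 0 ]; then
      us_out="$us_total updates"
      if [ "$us_sec" -gt 0 ]; then us_out="$us_out ($us_sec security)"; fi
    fi
  fi
  if reboot_pending "$2"; then us_out="${us_out:+$us_out, }reboot"; fi
  printf '%s\n' "$us_out"
}

# Demo on constructed sample files in the format quoted above.
demo_dir=$(mktemp -d)
printf '\n30 packages can be updated.\n2 updates are security updates.\n' \
  > "$demo_dir/updates-available"
: > "$demo_dir/reboot-required"
update_summary "$demo_dir/updates-available" "$demo_dir/reboot-required"
rm -rf "$demo_dir"
```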

romkatv commented 3 years ago

Thanks for the info. Reopening. No ETA for doing anything here.