Open huyz opened 3 years ago
Is there a detailed description of what this file contains? If not, can you post examples for all bullet points you've mentioned?
Closing due to inactivity.
@romkatv Sorry for replying late.
TL;DR: the easiest to implement would be for the Debian family where all you have to do is check the existence of one file (to know whether to reboot) and parse another simple file (to see how many regular & security updates are pending). For other Linux families, or to get even more information in the Debian family about restarting services/binaries/processor microcodes, some extra packages may need to be present. (I personally would just be happy with the Debian family since that's what I use)
It depends on the OS, but here's some common ones (Debian, Redhat, Suse families): https://megamorf.gitlab.io/2019/06/10/check-if-reboot-is-required-after-installing-linux-updates/
For instance, for the Debian family:
% cat /var/run/reboot-required # The mere presence of the file is sufficient (no need to look inside)
*** System restart required ***
% cat /var/run/reboot-required.pkgs # If one wanted to know why a reboot is required
libssl1.0.0
linux-base
linux-base
linux-base
libc6
linux-base
Optionally, if needrestart (supports Debian, Redhat, and Arch families) is installed, then you can also get information about needing to restart services/binaries/processor microcode.
If the shell is run by a regular user, you only get a listing of the user's affected binaries:
% needrestart -r l
Scanning processes...
Your outdated processes:
systemd[4863]
But if needrestart is run by root, then you get a ton more information about services/binaries and processor microcode that need to be restarted. For example:
% # `-u NeedRestart::UI::stdio` to disable the Text UI interactive prompt
% # The extra `| cat` is to disable console prompts
% sudo needrestart -r l -u NeedRestart::UI::stdio 2>&1 | cat
Pending kernel upgrade!
Running kernel version:
5.4.0-47-generic
Diagnostics:
The currently running kernel version is not the expected kernel version 5.4.0-53-generic.
Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting. [Return]
Pending processor microcode upgrade!
Diagnostics:
The currently running processor microcode revision is 0x1 which is not the expected microcode revision 0x71a.
Restarting the system to load the new processor microcode will not be handled automatically, so you should consider rebooting. [Return]
Services to be restarted:
systemctl restart accounts-daemon.service
systemctl restart apache-htcacheclean.service
systemctl restart apache2.service
systemctl restart atd.service
systemctl restart avahi-daemon.service
systemctl restart bind9.service
systemctl restart cron.service
systemctl restart dictd.service
systemctl restart dovecot.service
systemctl restart google-accounts-manager.service
systemctl restart google-address-manager.service
systemctl restart haveged.service
systemctl restart lvm2-lvmetad.service
systemctl restart mailman3-web.service
systemctl restart mailman3.service
systemctl restart mattermost.service
systemctl restart ModemManager.service
systemctl restart mysql.service
systemctl restart networkd-dispatcher.service
systemctl restart ntp.service
systemctl restart opendkim.service
systemctl restart php7.2-fpm.service
systemctl restart polkit.service
systemctl restart postfix@-.service
systemctl restart postgresql@10-main.service
systemctl restart postgrey.service
systemctl restart postsrsd.service
systemctl restart rsyslog.service
systemctl restart serial-getty@ttyS0.service
systemctl restart squid.service
systemctl restart ssh.service
systemctl restart sshguard.service
/etc/needrestart/restart.d/systemd-manager
systemctl restart systemd-resolved.service
systemctl restart systemd-udevd.service
systemctl restart tor@default.service
systemctl restart uuidd.service
Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart getty@tty1.service
systemctl restart lxcfs.service
systemctl restart openvpn@ofb.service
systemctl restart openvpn@ofb_vpn.service
systemctl restart systemd-journald.service
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service
systemctl restart wpa_supplicant.service
No containers need to be restarted.
User sessions running outdated binaries:
user1 @ session #224: screen[22997]
user1 @ user manager service: systemd[22818]
user2 @ session #1507: bash[4060,13665,14620,20496,27425,28106], man[4983,10146], screen[32388]
user2 @ user manager service: systemd[24956]
user3 @ user manager service: systemd[11578]
user4 @ user manager service: systemd[1621]
user5 @ session #31936: tmux: server[15332]
user5 @ user manager service: systemd[15019]
user6 @ session #126019: ssh-agent[13475]
user6 @ session #126479: ssh-agent[27878]
user6 @ session #126972: ssh-agent[2885]
user6 @ session #127025: ssh-agent[17519]
user6 @ session #136825: ssh-agent[26505]
user6 @ session #140037: ssh-agent[4584]
user6 @ session #141990: ssh-agent[22205]
user6 @ session #146139: ssh-agent[16162]
user6 @ session #15: ssh-agent[6814]
user6 @ user manager service: systemd[4863]
user7 @ session #18: bash[8065], screen[8064]
user7 @ user manager service: systemd[7209]
user8 @ session #26724: mosh-server[22222], zsh[22223]
user8 @ session #26728: mosh-server[22821], zsh[22822]
user8 @ session #7: screen[4189], zsh[4191]
user8 @ user manager service: systemd[3997]
user9 @ session #93: screen[25619], zsh[25620]
user9 @ user manager service: systemd[25485]
user10 @ session #49935: screen[18381], zsh[12380,18382,18524,18534]
user10 @ user manager service: systemd[5873]
user11 @ session #173: sshd[10519,10606], zsh[10607]
user11 @ session #29253: sshd[16037,16110]
user11 @ user manager service: systemd[10539]
user12 @ user manager service: systemd[27334]
user13 @ session #608: screen[29245], zsh[29247]
user13 @ user manager service: systemd[19409]
user14 @ session #74572: bash[21472,26451], screen[21470]
user14 @ user manager service: systemd[21351]
If one only cared about outdated services and processor microcode, and not outdated binaries, one could just add the -q flag to the needrestart invocation.
On Ubuntu (and probably the Debian family), you can look at the content of /var/lib/update-notifier/updates-available:
% cat /var/lib/update-notifier/updates-available
30 packages can be updated.
0 updates are security updates.
Note that on Ubuntu 20.04, this works for regular users. But before that (e.g. Ubuntu 18), there was a bug (now fixed) on the permissions so that only root could see the contents of that file.
More Ubuntu output examples here (but they're pretty much the same): https://askubuntu.com/questions/774805/how-to-get-a-list-of-all-pending-security-updates
On Redhat, one would have to check if the yum-security package is installed and then you could run the yum updateinfo command:
# yum updateinfo list security all
Loaded plugins: changelog, package_upload, product-id, search-disabled-repos,
: subscription-manager, verify, versionlock
RHSA-2014:1031 Important/Sec. 389-ds-base-1.3.1.6-26.el7_0.x86_64
RHSA-2015:0416 Important/Sec. 389-ds-base-1.3.3.1-13.el7.x86_64
RHSA-2015:0895 Important/Sec. 389-ds-base-1.3.3.1-16.el7_1.x86_64
RHSA-2016:0204 Important/Sec. 389-ds-base-1.3.4.0-26.el7_2.x86_64
RHSA-2016:2594 Moderate/Sec. 389-ds-base-1.3.5.10-11.el7.x86_64
RHSA-2017:0920 Important/Sec. 389-ds-base-1.3.5.10-20.el7_3.x86_64
RHSA-2017:2569 Moderate/Sec. 389-ds-base-1.3.6.1-19.el7_4.x86_64
RHSA-2018:0163 Important/Sec. 389-ds-base-1.3.6.1-26.el7_4.x86_64
RHSA-2018:0414 Important/Sec. 389-ds-base-1.3.6.1-28.el7_4.x86_64
RHSA-2018:1380 Important/Sec. 389-ds-base-1.3.7.5-21.el7_5.x86_64
RHSA-2018:2757 Moderate/Sec. 389-ds-base-1.3.7.5-28.el7_5.x86_64
RHSA-2018:3127 Moderate/Sec. 389-ds-base-1.3.8.4-15.el7.x86_64
RHSA-2014:1031 Important/Sec. 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64
Let me know if you need more info
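The Debian-family check described in the comment above (presence of the reboot flag file plus the two count lines), written out as an added example that is not part of the thread or of the project's code. The function names and the root-prefix argument are assumptions of this example; it parses only the wording shown in the sample output above and reports `?` for a missing, unreadable or differently worded file.

```shell
#!/bin/sh
# Added example (not from the thread). The root-prefix argument and both
# function names are assumptions made so this runs against a constructed tree.

# Prints: reboot=<0|1> updates=<N|?> security=<N|?>
patch_status() {
  root=${1:-}
  reboot=0 updates='?' security='?'

  # Presence of the flag file is the whole signal; its contents are ignored.
  if [ -e "$root/var/run/reboot-required" ]; then reboot=1; fi

  f="$root/var/lib/update-notifier/updates-available"
  # Missing or unreadable (non-root on older Ubuntu): keep '?' instead of
  # reporting a misleading 0.
  if [ -r "$f" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        *' updates are security updates.'*) security=${line%% *} ;;
        *' packages can be updated.'*)      updates=${line%% *} ;;
      esac
    done < "$f"
    # Accept only plain non-negative integers.
    case $updates in ''|*[!0-9]*) updates='?' ;; esac
    case $security in ''|*[!0-9]*) security='?' ;; esac
  fi
  printf 'reboot=%s updates=%s security=%s\n' "$reboot" "$updates" "$security"
}

# Build a throwaway tree holding constructed copies of the two files.
make_sample_root() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/var/run" "$d/var/lib/update-notifier"
  printf '*** System restart required ***\n' > "$d/var/run/reboot-required"
  printf '\n30 packages can be updated.\n0 updates are security updates.\n\n' \
    > "$d/var/lib/update-notifier/updates-available"
  printf '%s\n' "$d"
}

sample=$(make_sample_root)
patch_status "$sample"
rm -rf "$sample"
```

Called with no argument, `patch_status` reads the real paths on the running host.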
Thanks for the info. Reopening. No ETA for doing anything here.
On Ubuntu, /run/motd.dynamic shows useful information:
But this only shows up for people who ssh or log in regularly. Not everyone does that; many folks just keep long-running sessions. Having indicators in the prompt would thus be useful.