Bug 248116 - RFE; rpm should suggest services to restart after library/perl-module update
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Fedora Packaging Toolset Team
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2007-07-13 07:38 EDT by Peter Bieringer
Modified: 2016-05-19 08:37 EDT (History)

Doc Type: Enhancement
Last Closed: 2016-05-19 08:37:35 EDT


Attachments:
Extracted bash program which only checks for missing service restarts after update (6.20 KB, application/x-shellscript)
2007-07-13 08:15 EDT, Peter Bieringer
Description Peter Bieringer 2007-07-13 07:38:48 EDT
Perhaps we should start a survey among Fedora / Red Hat server system administrators
to run the lsof part of rpm-check to see how many library & application
updates are still not used because services aren't restarted.

BTW: a harder part would be implementing the same for Perl modules (think about
the last perl-Net-DNS update... it is not used if e.g. postgrey or amavisd
aren't restarted). Unfortunately, lsof doesn't help here... is there a Perl
helper program available which can analyse what running Perl programs are
currently using?

BTW2: the current lsof check does not use the option "-n"; this can lead to hanging
during DNS resolution. Will be fixed next.


+++ This bug was initially created as a clone of Bug #247251 +++

Description of problem:
From a security point of view it makes not much sense to update supplied libraries
all the time without restarting the programs which use these libraries, because
the old library code would still be used and e.g. a network service can still be
exploitable. A reboot after each library update is overkill.

Version-Release number of selected component (if applicable):
all current versions

How reproducible:
After each library package update

Steps to Reproduce:
Update e.g. krb5-libs on a system.
Take a look at open but deleted files.

Actual results:
You will see that programs (e.g. daemons listening on network sockets) are still
using the old but deleted library.

Expected results:
rpm should at least suggest restarting the related programs.

Additional info:
I've now created a cron job which does this check on a regular basis every day and
suggests to me a list of services to restart, or to reboot the system if nothing
else would help.

Take this solution as a starting point for a discussion on how to solve this issue completely.

For the middle term, perhaps every library package can get an additional program
call which (if it exists) runs the open-but-deleted-file check and automagically
suggests the services which should be restarted.
In case of using yum or up2date, this should only run once after the upgrade, so
the additional program has to detect whether it was called by postinstall from
standalone rpm usage or triggered via yum|up2date->rpm->postinstall.


I've created an rpm package for that and additional checks:
ftp://ftp.aerasec.de/pub/linux/repository/public/redhat/enterprise/4ES/SRPMS/rpm-check-0.3.1-1.RHEL4.AERAsec.1.src.rpm
ftp://ftp.aerasec.de/pub/linux/repository/public/redhat/enterprise/4ES/i386/rpm-check-0.3.1-1.RHEL4.AERAsec.1.noarch.rpm

cron.daily/rpm-check-updates.cron:
Checks for available packages if automatic update is not active, searches for
open but deleted files and checks the latest installed against the running kernel version.

cron.weekly/rpm-list-extras.cron:
Checks for packages which are not covered by yum or up2date channels - so the
administrator has to look for updates manually here.

-- Additional comment from pb@bieringer.de on 2007-07-06 07:32 EST --
Created an attachment (id=158653)
Daily check of open files, et.al.


-- Additional comment from n3npq@mac.com on 2007-07-07 19:38 EST --
Restarting running processes to ensure that libraries with security updates
are used by persistent processes is outside the scope of package management.

Your goal can be accomplished without any assistance from rpm applications, as
you have shown.

-- Additional comment from pb@bieringer.de on 2007-07-08 04:24 EST --
But the current problem is that the "check" process needs to be started by rpm,
up2date or yum at the end of each run, so a hook or trigger would be needed - or
an optional wrapper.

Currently, my check is started by cron each day; this can be too late in
important security cases.
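An added example of the check the description asks for, written for this page and not the rpm-check script attached to the bug. It reads /proc/<pid>/maps for file-backed mappings marked "(deleted)" (the link-count-0 condition that `lsof +L1` reports, but without the name lookups that make an lsof run without `-n` hang), resolves each PID to its service via /proc/<pid>/cgroup, and, for the Perl-module case where the .pm file is read and closed so no mapping survives, compares the process start time with the mtime of the files the package update just wrote. Assumed: a Linux /proc layout and systemd-style cgroup paths (the bug predates systemd; on a SysV system the PID-to-service step would go through pidfiles instead). The process and unit names in the sample data and tests (smbd, smb.service, perl-Net-DNS) are constructed.

```python
#!/usr/bin/env python3
"""Added example (not the rpm-check script attached to this bug):
report processes that are still running pre-update library code.

Method 1 (what the bug's lsof check does, via /proc instead): a process
whose /proc/<pid>/maps lists a file-backed mapping marked "(deleted)" is
still executing a library that the package update unlinked (link count 0).
Method 2 (for the Perl-module case in the description, where the .pm is
read and closed so no mapping survives): a process that started before
the updated files were written cannot have loaded the new code.

Assumptions: Linux /proc layout and systemd cgroup paths; the service
names in the constructed sample data (smb.service) are illustrative.
"""
import os
import re

# "(deleted)" mappings that are not on-disk libraries: /dev, memfd, SysV shm.
_IGNORE = re.compile(r"^/(dev/|memfd:|SYSV[0-9a-fA-F]+)")


def deleted_mappings(maps_text):
    """Sorted unique paths of deleted file-backed mappings in one process.

    maps line: address perms offset dev inode pathname [(deleted)]
    Anonymous mappings carry inode 0 and no pathname and are skipped.
    """
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[4] == "0":
            continue
        path = parts[5]
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
            if path.startswith("/") and not _IGNORE.match(path):
                found.add(path)
    return sorted(found)


def unit_from_cgroup(cgroup_text):
    """systemd unit owning the process, from /proc/<pid>/cgroup, or None.

    cgroup v2: '0::/system.slice/smb.service'
    cgroup v1: '1:name=systemd:/system.slice/smb.service'
    """
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]
        m = re.search(r"/([^/]+\.service)(?:/|$)", path)
        if m:
            return m.group(1)
    return None


def start_epoch_from_stat(stat_text, btime, clk_tck):
    """Process start time as Unix time, from /proc/<pid>/stat.

    Field 22 (starttime) is in clock ticks since boot; btime comes from
    /proc/stat. The comm field is parenthesised and may contain spaces,
    so parse from the last ')' instead of splitting the whole line.
    """
    after_comm = stat_text[stat_text.rindex(")") + 2:].split()
    return btime + int(after_comm[19]) / clk_tck


def stale_files(start_epoch, mtimes):
    """Files (path -> mtime) rewritten after the process started."""
    return sorted(p for p, mtime in mtimes.items() if mtime > start_epoch)


def proc_start_epoch(pid):
    with open("/proc/stat") as fh:
        btime = next(int(l.split()[1]) for l in fh if l.startswith("btime "))
    with open(f"/proc/{pid}/stat") as fh:
        return start_epoch_from_stat(fh.read(), btime, os.sysconf("SC_CLK_TCK"))


def scan(updated_files=()):
    """Yield (pid, unit, reasons) for every process that needs a restart."""
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                reasons = deleted_mappings(fh.read())
            if updated_files:
                mtimes = {f: os.stat(f).st_mtime for f in updated_files if os.path.exists(f)}
                reasons += stale_files(proc_start_epoch(pid), mtimes)
            with open(f"/proc/{pid}/cgroup") as fh:
                unit = unit_from_cgroup(fh.read())
        except OSError:
            continue  # process exited, or not readable (run as root for a full view)
        if reasons:
            yield int(pid), unit, reasons


if __name__ == "__main__":
    import sys
    units = set()
    for pid, unit, reasons in scan(sys.argv[1:]):  # args: files the update just wrote
        print(f"{pid:>7} {unit or '(no unit)':<24} {' '.join(reasons)}")
        if unit:
            units.add(unit)
    if units:
        print("# Suggested list for service restart: " + " ".join(sorted(units)))
        print("#   systemctl restart " + " ".join(sorted(units)))
```

Run it as root for a complete view of /proc, and pass the file list of the updated package (for example the output of `rpm -ql perl-Net-DNS`) as arguments to enable the start-time check for interpreted code; without arguments it reports only deleted mappings, which is all the lsof-based check in this bug can see.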
Comment 1 Peter Bieringer 2007-07-13 08:15:13 EDT
Created attachment 159161
Extracted bash program which only checks for missing service restarts after update
Comment 2 Peter Bieringer 2007-07-31 03:56:53 EDT
Sources are now available at ftp://ftp.aerasec.de/pub/linux/rpm-check
Comment 3 Peter Bieringer 2007-08-02 02:07:02 EDT
Just for your information, this is output of my current implementation
(mentioned in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248116#c2) -
produced after an automatic update of cups:

/etc/cron.daily/rpm-check-updates.cron:


# 'lsof' report of binaries which use files with link count = 0 (missing restart after update)
# Method2:
smbd       4074    root  mem       REG        9,1               48366 /usr/lib/libcups.so.2 (path inode=48222)
smbd       4078    root  mem       REG        9,1               48366 /usr/lib/libcups.so.2 (path inode=48222)

# Suggested list for service restart: smb
#  Execute e.g.:
#   service smb restart;
Comment 4 Red Hat Bugzilla 2007-08-21 01:35:10 EDT
User pnasrat@redhat.com's account has been closed
Comment 5 Panu Matilainen 2007-08-22 02:34:39 EDT
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Comment 6 Jon Stanley 2008-04-23 16:30:20 EDT
Adding FutureFeature keyword to RFE's.
Comment 7 Fedora Admin XMLRPC Client 2012-04-13 19:12:59 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2012-04-13 19:14:13 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Joel 2012-07-03 15:38:50 EDT
What is the status of this feature? Is there an updated version of the script for detecting which services need to be restarted?
Comment 10 Ľuboš Kardoš 2016-05-19 08:37:35 EDT
This functionality is provided by the dnf needs-restarting plugin [1] and the tracer plugin [2], and we don't plan to add this functionality to rpm.

[1] http://dnf-plugins-core.readthedocs.io/en/latest/needs_restarting.html
[2] http://dnf-plugins-extras.readthedocs.io/en/latest/tracer.html
