[리눅스] ubuntu 22.04 Daemons using outdated libraries(needrestart)

ubuntu 22.04 Daemons using outdated libraries

요구사항(requirements)

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

 needrestart - 라이브러리 업데이트 후 데몬 다시 시작.

                      패키지 업그레이드/설치 후 needrestart를 호출하고 보류 중인 서비스 다시 시작을 확인합니다.

                      설치 중 오류가 없는 경우에만 트리거되어야 합니다.

Which services should be restarted? 

 

cat /etc/needrestart/needrestart.conf

$ cat /etc/needrestart/needrestart.conf
# needrestart - Restart daemons after library updates.
#
# This is the configuration file of needrestart. This is perl syntax.
# needrestart uses reasonable default values, you might not need to
# change anything.
#

# Verbosity:
#  0 => quiet
#  1 => normal (default)
#  2 => verbose
#$nrconf{verbosity} = 2;

# Path of the package manager hook scripts.
#$nrconf{hook_d} = '/etc/needrestart/hook.d';

# Path of user notification scripts.
#$nrconf{notify_d} = '/etc/needrestart/notify.d';

# Path of restart scripts.
#$nrconf{restart_d} = '/etc/needrestart/restart.d';

# Disable sending notifications to user sessions running obsolete binaries
# using scripts from $nrconf{notify_d}.
#$nrconf{sendnotify} = 0;

# If needrestart detects systemd it assumes that you use systemd's pam module.
# This allows needrestart to easily detect user session. In case you use
# systemd *without* pam_systemd.so you should set has_pam_systemd to false
# to enable legacy session detection!
#$nrconf{has_pam_systemd} = 0;

# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
#
# ATTENTION: If needrestart is configured to run in interactive mode but is run
# non-interactive (i.e. unattended-upgrades) it will fallback to list only mode.
#
#$nrconf{restart} = 'i';

# Use preferred UI package.
#$nrconf{ui} = 'NeedRestart::UI::stdio';

# Change default answer to 'no' in (i)nteractive mode.
#$nrconf{defno} = 1;

# Set UI mode to (e)asy or (a)dvanced.
#$nrconf{ui_mode} = 'e';

# Print a combined `systemctl restart` command line for skipped services.
#$nrconf{systemctl_combine} = 1;

# Blacklist binaries (list of regex).
$nrconf{blacklist} = [
    # ignore sudo (not a daemon)
    qr(^/usr/bin/sudo(\.dpkg-new)?$),

    # ignore DHCP clients
    qr(^/sbin/(dhclient|dhcpcd5|pump|udhcpc)(\.dpkg-new)?$),

    # ignore apt-get (Debian Bug#784237)
    qr(^/usr/bin/apt-get(\.dpkg-new)?$),
];

# Blacklist services (list of regex) - USE WITH CARE.
# You should prefer to put services to $nrconf{override_rc} instead.
# Any service listed in $nrconf{blacklist_rc} will be ignored completely!
#$nrconf{blacklist_rc} = [
#];

# Override service default selection (hash of regex).
$nrconf{override_rc} = {
    # DBus
    qr(^dbus) => 0,

    # display managers
    qr(^gdm) => 0,
    qr(^kdm) => 0,
    qr(^nodm) => 0,
    qr(^sddm) => 0,
    qr(^wdm) => 0,
    qr(^xdm) => 0,
    qr(^lightdm) => 0,
    qr(^slim) => 0,
    qr(^lxdm) => 0,

    # networking stuff
    qr(^bird) => 0,
    qr(^network) => 0,
    qr(^NetworkManager) => 0,
    qr(^ModemManager) => 0,
    qr(^wpa_supplicant) => 0,
    qr(^openvpn) => 0,
    qr(^quagga) => 0,
    qr(^frr) => 0,
    qr(^tinc) => 0,
    qr(^(open|free|libre|strong)swan) => 0,
    qr(^bluetooth) => 0,

    # gettys
    qr(^getty@.+\.service) => 0,

    # systemd --user
    qr(^user@\d+\.service) => 0,

    # misc
    qr(^zfs-fuse) => 0,
    qr(^mythtv-backend) => 0,
    qr(^xendomains) => 0,
    qr(^lxcfs) => 0,
    qr(^libvirt) => 0,
    qr(^virtlogd) => 0,
    qr(^virtlockd) => 0,
    qr(^docker) => 0,

    # systemd stuff
    # (see also Debian Bug#784238 & #784437)
    qr(^emergency\.service$) => 0,
    qr(^rescue\.service$) => 0,
    qr(^elogind) => 0,

    # do not restart oneshot services, see also #862840
    qr(^apt-daily\.service$) => 0,
    qr(^apt-daily-upgrade\.service$) => 0,
    qr(^unattended-upgrades\.service$) => 0,
    # do not restart oneshot services from systemd-cron, see also #917073
    qr(^cron-.*\.service$) => 0,

    # ignore rc-local.service, see #852864
    qr(^rc-local\.service$) => 0,

    # don't restart systemd-logind, see #798097
    qr(^systemd-logind) => 0,
};

# Override container default selection (hash of regex).
$nrconf{override_cont} = {
};

# Disable interpreter scanners.
#$nrconf{interpscan} = 0;

# Ignore script files matching these regexs:
$nrconf{blacklist_interp} = [
    # ignore temporary files
    qr(^/tmp/),
    qr(^/var/),
    qr(^/run/),

];

# Ignore +x mapped files matching one of these regexs:
$nrconf{blacklist_mappings} = [
    # special device paths
    qr(^/(SYSV00000000( \(deleted\))?|drm(\s|$)|dev/)),

    # ignore memfd mappings
    qr(^/memfd:),

    # aio(7) mapping
    qr(^/\[aio\]),

    # Oil Runtime Compiler's JIT files
    qr#/orcexec\.[\w\d]+( \(deleted\))?$#,

    # plasmashell (issue #65)
    qr(/#\d+( \(deleted\))?$),

    # Java Native Access (issues #142 #185)
    qr#/jna\d+\.tmp( \(deleted\))?$#,

    # temporary stuff
    qr#^(/var)?/tmp/#,
    qr#^(/var)?/run/#,
];

# Verify mapped files in filesystem:
# 0 : enabled
# -1: ignore non-existing files, workaround for chroots and broken grsecurity kernels (default)
# 1 : disable check completely, rely on content of maps file only
$nrconf{skip_mapfiles} = -1;

# Enable/disable hints on pending kernel upgrades:
#  1: requires the user to acknowledge pending kernels
#  0: disable kernel checks completely
# -1: print kernel hints to stderr only
#$nrconf{kernelhints} = -1;

# Filter kernel image filenames by regex. This is required on Raspian having
# multiple kernel image variants installed in parallel.
#$nrconf{kernelfilter} = qr(kernel7\.img);

# Enable/disable CPU microcode update hints:
#  1: requires the user to acknowledge pending updates
#  0: disable microcode checks completely
#$nrconf{ucodehints} = 0;

# Nagios Plugin: configure return code use by nagios
# as service status[1].
#
# [1] https://nagios-plugins.org/doc/guidelines.html#AEN78
#
# Default:
#  'nagios-status' => {
#     'sessions' => 1,
#     'services' => 2,
#     'kernel' => 2,
#     'ucode' => 2,
#     'containers' => 1
#  },
#
# Example: to ignore outdated sessions (status OK)
# $nrconf{'nagios-status'}->{sessions} = 0;


# Read additional config snippets.
if(-d q(/etc/needrestart/conf.d)) {
      foreach my $fn (sort </etc/needrestart/conf.d/*.conf>) {
              print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbosity} > 1);
              eval do { local(@ARGV, $/) = $fn; <>};
              die "Error parsing $fn: $@" if($@);
      }
}

# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
#
# ATTENTION: If needrestart is configured to run in interactive mode but is run non-interactive (i.e. unattended-upgrades) it will fallback to list only mode.
#
#$nrconf{restart} = 'i';

•  list only : 재부팅이 필요한 서비스만 표시(l)
•  interactive : 서비스별로 재시작이 필요한지 여부를 통지(i)
•  automatically : 필요한 모든 서비스는 자동으로 다시 시작됨(a)

 

설정 변경

echo "\$nrconf{restart} = 'l';" | sudo tee /etc/needrestart/needrestart.conf

needrestart 패키지

dpkg -l | grep needrestart

$ dpkg -l | grep needrestart
ii  needrestart    3.5-5ubuntu2.1    all    check which daemons need to be restarted after library upgrades

needrestart -b -v

$ needrestart -b -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.5
[main] running in root mode
[main] systemd detected
[main] vm detected
NEEDRESTART-VER: 3.5
[main] #644 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[LXC] LXD installed via snap
[main] #644 is not a child
[main] #645 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #645 is not a child
[main] #647 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #647 is not a child
[main] #653 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #653 is not a child
[main] #691 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #691 is not a child
[main] #698 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #698 is not a child
[main] #702 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #702 is not a child
[main] #2955 uses deleted /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
[main] #2955 is not a child
[main] #644 exe => /usr/bin/python3.10
[Core] #644 is a NeedRestart::Interp::Python
[Core] #644 source is /usr/bin/networkd-dispatcher
[main] trying systemctl status
[main] #644 is networkd-dispatcher.service
[main] #645 exe => /usr/libexec/polkitd
[main] trying systemctl status
...
[main] inside container or vm, skipping microcode checks
[Kernel] Linux: kernel release 5.15.0-50-generic, kernel version #56-Ubuntu SMP Tue Sep 20 13:23:26 UTC 2022
[Kernel/Linux] /boot/vmlinuz.old => 5.15.0-50-generic (buildd@lcy02-amd64-086) #56-Ubuntu SMP Tue Sep 20 13:23:26 UTC 2022 [5.15.0-50-generic]*
[Kernel/Linux] /boot/vmlinuz-5.15.0-50-generic => 5.15.0-50-generic (buildd@lcy02-amd64-086) #56-Ubuntu SMP Tue Sep 20 13:23:26 UTC 2022 [5.15.0-50-generic]*
[Kernel/Linux] /boot/vmlinuz => 5.15.0-50-generic (buildd@lcy02-amd64-086) #56-Ubuntu SMP Tue Sep 20 13:23:26 UTC 2022 [5.15.0-50-generic]*
[Kernel/Linux] Expected linux version: 5.15.0-50-generic
NEEDRESTART-KCUR: 5.15.0-50-generic
NEEDRESTART-KEXP: 5.15.0-50-generic
NEEDRESTART-KSTA: 1
NEEDRESTART-SVC: ModemManager.service
NEEDRESTART-SVC: networkd-dispatcher.service
NEEDRESTART-SVC: packagekit.service
NEEDRESTART-SVC: polkit.service
NEEDRESTART-SVC: rsyslog.service
NEEDRESTART-SVC: ssh.service
NEEDRESTART-SVC: udisks2.service
NEEDRESTART-SVC: unattended-upgrades.service

 

참고URL

- https://blog.n-z.jp/blog/2022-04-22-needrestart.html

- https://gihyo.jp/admin/serial/01/ubuntu-recipe/0718