[Bug 1747499] Re: 98-reboot-required and Interaction with livepatch

David Coronel david.coronel at canonical.com
Fri May 15 15:43:22 UTC 2020


Here are some extra details about the status of livepatch when a kernel
upgrade is required.

I am running an 18.04 VM with an old 4.15.0-20-generic kernel from April
2018. Here is the status in YAML format:

ubuntu@bioniclivepatcholdkernel:~$ canonical-livepatch status --format yaml
client-version: 9.5.5
architecture: x86_64
cpu-model: Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz
last-check: 2020-05-15T11:29:29-04:00
boot-time: 2020-05-15T15:28:49Z
uptime: 59s
status:
- kernel: 4.15.0-20.21-generic
  running: true
  livepatch:
    checkState: checked
    patchState: kernel-upgrade-required
    version: "42.1"
    fixes: |-
      * CVE-2018-10323
      * CVE-2018-10840
    [...removing some CVEs to keep this short...]

There are no kernel upgrades pending a reboot on this box, so no
/var/run/reboot-required:

ubuntu@bioniclivepatcholdkernel:~$ ls -l /var/run/reboot-required*
ls: cannot access '/var/run/reboot-required*': No such file or directory

If I upgrade to a new kernel, those files are created:

ubuntu@bioniclivepatcholdkernel:~$ ls -l /var/run/reboot-required*
-rw-r--r-- 1 root root 32 May 15 11:37 /var/run/reboot-required
-rw-r--r-- 1 root root 11 May 15 11:37 /var/run/reboot-required.pkgs

ubuntu@bioniclivepatcholdkernel:~$ cat /var/run/reboot-required
*** System restart required ***

ubuntu@bioniclivepatcholdkernel:~$ cat /var/run/reboot-required.pkgs
linux-base


And nothing changes in the output of canonical-livepatch status --format yaml:

ubuntu@bioniclivepatcholdkernel:~$ canonical-livepatch status --format yaml
client-version: 9.5.5
architecture: x86_64
cpu-model: Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz
last-check: 2020-05-15T11:29:29-04:00
boot-time: 2020-05-15T15:28:49Z
uptime: 9m38s
status:
- kernel: 4.15.0-20.21-generic
  running: true
  livepatch:
    checkState: checked
    patchState: kernel-upgrade-required
    version: "42.1"
    fixes: |-
      * CVE-2018-10323
      * CVE-2018-10840
    [...removing some CVEs to keep this short...]


And if I reboot into a recent kernel, the up-to-date status is:

ubuntu@bioniclivepatcholdkernel:~$ canonical-livepatch status --format yaml
client-version: 9.5.5
architecture: x86_64
cpu-model: Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz
last-check: 2020-05-15T11:42:09-04:00
boot-time: 2020-05-15T15:41:28Z
uptime: 50s
status:
- kernel: 4.15.0-99.100-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10323

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10840

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1747499

Title:
  98-reboot-required and Interaction with livepatch

Status in update-notifier package in Ubuntu:
  Confirmed

Bug description:
  If a system is using canonical livepatch, has it enabled, and patches
  are applied, it could be confusing for a user to receive a "system
  restart required" message in the MOTD when logging in.

  That message, when present, is printed by 98-reboot-required which
  essentially just cats /var/run/reboot-required to stdout. That file is
  placed by packages that require a reboot so that they are properly
  used in their updated versions. Examples that come to mind are libc
  and the kernel.

  There is a secondary file that can be created which says which
  packages requested the reboot. That would be
  /var/run/reboot-required.pkgs

  Ideally that script should not print out the reboot required message
  if a) livepatch is installed and enabled; b) the only trigger for the
  reboot is a kernel update.

  For (a), one can use the command "ubuntu-advantage is-livepatch-enabled"
  and check $?. That is in the ubuntu-advantage-tools package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1747499/+subscriptions
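The decision the bug asks 98-reboot-required to make, written out as an added
example (this is not the update-notifier script and not Canonical code). It
takes the livepatch answer as an argument so it runs offline; in a real MOTD
script that argument would come from the exit status of
"ubuntu-advantage is-livepatch-enabled", as the bug description suggests.
The set of package names treated as "kernel only" (linux-base, linux-image-*)
is an assumption: only linux-base appears in the reboot-required.pkgs shown
above. The patchState argument and the "applied" value are also assumptions;
the two values taken from the status output above are nothing-to-apply and
kernel-upgrade-required, and the example goes beyond the bug's two conditions
by keeping the message when livepatch reports kernel-upgrade-required, since
that status shows the running kernel is not covered by the patch stream
regardless of whether a reboot is pending. The sample package lists are
constructed for the example.

```shell
#!/bin/sh
# Added example, not the 98-reboot-required script from update-notifier.
#
# should_print_reboot_required PKGS_FILE LIVEPATCH_ENABLED PATCH_STATE
#   PKGS_FILE          path of a reboot-required.pkgs file, one package per line
#   LIVEPATCH_ENABLED  "yes" or "no" (in the real script: derive from the exit
#                      status of "ubuntu-advantage is-livepatch-enabled")
#   PATCH_STATE        patchState from "canonical-livepatch status --format yaml"
#                      ("applied" is an assumed value; nothing-to-apply and
#                      kernel-upgrade-required are the ones seen in this bug)
# Returns 0 when the MOTD message should be printed, 1 when it can be suppressed.
should_print_reboot_required() {
    pkgs_file=$1
    livepatch_enabled=$2
    patch_state=$3

    # No package list to reason about: keep today's behaviour and print.
    [ -r "$pkgs_file" ] || return 0

    # Condition (a) from the bug: livepatch must be enabled to suppress anything.
    [ "$livepatch_enabled" = "yes" ] || return 0

    # Check added here (not in the bug): livepatch itself says the running
    # kernel must be upgraded, so the patch stream does not cover it and the
    # reboot is genuinely needed.
    [ "$patch_state" != "kernel-upgrade-required" ] || return 0

    # Condition (b): suppress only if every requesting package is a kernel
    # package. The pattern list is an assumption for this example.
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        case "$pkg" in
            linux-base|linux-image-*) ;;   # kernel package, keep scanning
            *) return 0 ;;                 # anything else (e.g. libc6) needs the reboot
        esac
    done < "$pkgs_file"
    return 1
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_KERNEL_ONLY=$(mktemp)
SAMPLE_MIXED=$(mktemp)
trap 'rm -f "$SAMPLE_KERNEL_ONLY" "$SAMPLE_MIXED"' EXIT
printf 'linux-base\n' > "$SAMPLE_KERNEL_ONLY"
printf 'linux-base\nlibc6\n' > "$SAMPLE_MIXED"

# Human-readable demo of each decision.
show() {
    if should_print_reboot_required "$@"; then
        echo "livepatch=$2 patchState=$3 pkgs=$(tr '\n' ' ' < "$1"): print"
    else
        echo "livepatch=$2 patchState=$3 pkgs=$(tr '\n' ' ' < "$1"): suppress"
    fi
}
show "$SAMPLE_KERNEL_ONLY" no  nothing-to-apply
show "$SAMPLE_KERNEL_ONLY" yes kernel-upgrade-required
show "$SAMPLE_KERNEL_ONLY" yes applied
show "$SAMPLE_MIXED"       yes applied
```

Only the last-but-one case (livepatch enabled, patches applied, and linux-base
the sole requester) suppresses the message; an unreadable pkgs file, a
disabled livepatch, a kernel-upgrade-required status, or any non-kernel
package in the list all keep the current "System restart required" output.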
