Hi,

systemd security updates to stable

systemd (232-25+deb9u8) stretch-security; urgency=high
systemd (232-25+deb9u7) stretch-security; urgency=high

required reboot to take effect, but /var/run/reboot-required was not `touch`ed. Therefore the unattended-upgrades package did not notify the user that a reboot is required.

(There were related upgrades to udev and other packages.)

There are probably many systems which installed the upgrade automatically but did not reboot and so the patch did not take effect.

"The Internet" says that it is the postinst script which should touch /var/run/reboot-required.

There is also a (new) bug against debian-policy because policy does not mention the mechanism:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919507

See also:
https://sources.debian.org/src/unattended-upgrades/1.9/unattended-upgrade/#L83

Regards,
Karl
Control: severity -1 wishlist

This should probably be /run/reboot-required, /var/run is a symlink to /run.

That said, an update of the systemd package does not strictly require a reboot of the system. We do reexec PID 1 and restart all binaries (besides logind), so I'm a bit undecided if we should actually trigger that message or not.
On Thu, 28 Feb 2019 19:55:59 +0100 Michael Biebl <biebl@debian.org> wrote:

Yes. See latest debian policy doc patch at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919507

by package upgrade then the only reason to require a restart would be if some changes in new systemd packages required a restart of non-systemd components.

So maybe this is a non-bug.

Regards,
Karl <kop@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
Control: retitle -1 restart logind on package updates
Control: block -1 by 798097

https://salsa.debian.org/systemd-team/systemd/commit/b8c239e122ef193c6aab1c65ab1c6d2b598de3d7

logind nowadays supports being restarted
https://github.com/systemd/systemd/commit/aed24c4cd7641da6f530853d10637568c13c8f35

So the remaining bit is that Xorg no longer aborts on logind restarts
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798097
https://gitlab.freedesktop.org/xorg/xserver/issues/531

Once that is fixed in xserver-xorg, I would rather restart logind on upgrades than requesting a reboot. So re-purposing the bug report accordingly.

It's a bit sad that #798097 is still unfixed, but I'm not sure what I can do to move this issue forward.

Regards,
Michael
This is blocked by a bug in gnome-shell which dies when logind is restarted: https://gitlab.gnome.org/GNOME/gnome-shell/issues/1881
The Xorg issue has been fixed in the meantime. What remains are issues in both systemd and mutter:
https://github.com/systemd/systemd/issues/17308
https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1556
The default of not restarting systemd-logind as it ends graphical sessions (in all cases I've tested) seems reasonable. Having it detect a non-GUI system and restart in that case wouldn't be unreasonable.

People who REALLY want to restart daemons on update should have needrestart installed as nothing less will cover the case of upgrading security related libraries that are used by externally facing daemons (e.g. SSL libraries). The needrestart package defaults to not restarting systemd-logind but when run from "apt upgrade" provides a user interface to allow selecting to do it.

https://lists.debian.org/debian-security-announce/2019/msg00008.html

As an aside the systemd update that inspired this bug had fixes for "a memory leak in systemd-journald" and "an unrelated bug in systemd-coredump" which shows that for most users that bug wouldn't require restarting systemd-logind.

Should this bug be closed with "can be fixed by installing needrestart"?
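
Added example, not part of the bug thread and not code from systemd, unattended-upgrades or needrestart: the messages above turn on whether an upgraded system keeps running pre-upgrade code until something is restarted. This script lists executable file mappings that the kernel marks "(deleted)" in /proc/<pid>/maps, which is how a replaced binary or library shows up in a process that was not restarted; the function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report executable mappings whose backing file was replaced
# on disk (the kernel appends "(deleted)" to them in /proc/<pid>/maps).

# stale_maps: read /proc/<pid>/maps text on stdin and print each distinct
# deleted file that is mapped executable (perms field contains "x").
stale_maps() {
    awk '
        # fields: address perms offset dev inode pathname [(deleted)]
        $NF == "(deleted)" && $2 ~ /x/ && $6 ~ /^\// {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i   # paths with spaces
            if (!seen[path]++) print path
        }'
}

# scan_system: print "pid<TAB>comm<TAB>file" for live processes.
# Reading the maps of other users' processes needs root.
scan_system() {
    for d in /proc/[0-9]*; do
        [ -r "$d/maps" ] || continue
        hits=$(stale_maps 2>/dev/null < "$d/maps") || continue
        [ -n "$hits" ] || continue
        name=$(cat "$d/comm" 2>/dev/null)
        printf '%s\n' "$hits" | while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "${d#/proc/}" "$name" "$f"
        done
    done
}

# Constructed sample (not captured from a real host): a logind process that
# was left running across a systemd package upgrade.
sample_maps() {
    cat <<'EOF'
55d0c8a00000-55d0c8a1f000 r-xp 00000000 08:01 131234 /lib/systemd/systemd-logind (deleted)
55d0c8c1f000-55d0c8c23000 rw-p 0001f000 08:01 131234 /lib/systemd/systemd-logind (deleted)
7f3a10000000-7f3a10195000 r-xp 00000000 08:01 132001 /lib/systemd/libsystemd-shared-232.so (deleted)
7f3a10400000-7f3a10595000 r-xp 00000000 08:01 130777 /lib/x86_64-linux-gnu/libc-2.24.so
7f3a10800000-7f3a10801000 rw-s 00000000 00:05 98304 /SYSV00000000 (deleted)
7f3a10900000-7f3a10901000 r-xp 00000000 00:00 0 [vdso]
EOF
}

# Scan the live system only when asked: sh stale.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_system; fi
```

An empty result says nothing about kernel updates, which never appear in a process's mappings.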