False needrestart trigger

[upnort]

While experience with package management and system design is the better foundation for knowing when to reboot a system, we use the needrestart tool as an additional guide and only as a guide.

Some time ago I noticed the needrestart tool wants to always restart lxc-monitord.service and pve-container*.

Today there was a single Debian package update: tcpdump. There should not be any related triggers with that one update, but nonetheless we saw a restart request.

As a test, I rebooted one Proxmox host and immediately ran needrestart. The tool again wanted to restart lxc-monitord.service and pve-container*.

A full reboot is not required. Run systemctl restart lxc-monitord.service and then run needrestart and again the tool wants to restart the service.

Next I shutdown containers and restarted lxc-monitord.service. Again needrestart wants to restart the service.

This seems to be a bug. Is there anything unique about Proxmox that triggers this incorrect prompt?

I would be grateful if somebody would confirm this behavior.

In the short term I added the following needrestart configuration file:

/etc/needrestart/conf.d/proxmox.conf
$nrconf{override_rc} = {
  qr(^pve) => 0,
  qr(^lxc-monitord) => 0,
};

I tried blacklist_rc rather than override_rc but that always resulted in a perl Not an ARRAY reference error.

Regardless, there should be no restart prompt at all.

Thank you.

 

[t.lamprecht]

This seems to be a bug. Is there anything unique about Proxmox that triggers this incorrect prompt?

seems rather like an issue in needsrestart, I'd guess that it cannot cope with the processes from the CTs (which are visible on the host) and thus generates false positives, as the CT porcesses loaded libraries do not always match the PVE host ones... (which is totally fine, theiy are their own distro, after all)

 

[upnort]

I found this bug report that distinguishes Proxmox as well as the difference between privileged and unprivileged containers. No resolution offered as the conversation implies this is a problem with Proxmox rather than Debian or needrestart.

 

[t.lamprecht]

I tried to reproduce this, with no success.. I downgraded tcpdump, installed needrestart and and run a upgrade where tcpdump and a libspice-server1 upgrade was done, needrestart did not report any false positive..

Then I upgraded a CT, ran needrestart on the host and it detected the CT (but only the correct CT) for needing to be restarted.
After that, it did not report anything again. Which is even a bit weird as I expected that the QEMU VMs would need to be restarted to pull in the new libspice-server1 version..

Anyway, what versions do you even run, Proxmox VE 6? And what runs in the CTs?

I keep needrestart installed for a while, if I run into something I can see if it's really because from us or something else.

 

[upnort]

We're running 5.x fully updated.

I suspect the trigger is caused by privileged containers. In your test did you use unprivileged?

We use privileged containers to support NFS.

 

[Izzy]

I can reproduce this on every single host(all of them 6.x, patch state doesn't really matter it seems, reproducible even on an older Test-VM).

Now here's the catch: On one cluster I run exactly 0 containers. Don't have any on it yet needrestart still complains about lxc-monitord.service needing a restart and neither restarting the daemon nor rebooting helps. So I doubt it's anything to do with actual containers running but everything with the daemon itself.

 

[t.lamprecht]

In your test did you use unprivileged?

Yes, both.

I can reproduce this on every single host(all of them 6.x, patch state doesn't really matter it seems, reproducible even on an older Test-VM).

I still cannot reproduce this effects at all here, neither with nor without CTs running, upgraded them, the host, all working just fine.. So something has to be different..