
When Ubuntu Livepatch has patched the kernel but recommends restarting to boot into the new version, a message appears in the motd like this:

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window

It doesn't touch /run/reboot-required, even when apt upgrade has installed the new kernel.

I'm in the fortunate situation of having a weekly maintenance window, and I would like the system to reboot automatically when Livepatch recommends it. In other words, I want Livepatch's immediate patch functionality, but I don't need marathon uptime.

What's the best way of achieving this? As far as I can tell, there are four possibilities:

  1. Is there a way to set Livepatch to touch /run/reboot-required?
  2. Is there a way to set apt to touch /run/reboot-required after a kernel upgrade, even though Livepatch is active?
  3. Is there a way to set unattended-upgrades to reboot when recommended by Livepatch, even when /run/reboot-required isn't present?
  4. Is there a way to test whether Livepatch is recommending a restart, programmatically? canonical-livepatch kernel-upgrade-required appears to produce specific return codes, but these don't seem to be documented officially.

1 Answer


The problem described in the question is a (possibly unforeseen) side effect of a change made by Ubuntu to the unattended-upgrades package.

Until this issue is resolved by Ubuntu, the best workaround I've found is to use this script from current versions of Debian, which will restore usual reboot-required behaviour after kernel upgrades without taking account of Livepatch:

#!/bin/sh

# Removing an old linux-image-extra package does not change the running
# kernel, so its postrm must not flag a reboot.
case "$DPKG_MAINTSCRIPT_PACKAGE::$DPKG_MAINTSCRIPT_NAME" in
    linux-image-extra*::postrm)
        exit 0;;
esac

# Set the reboot-required flag and record the package once.
if [ -d /var/run ]; then
    touch /var/run/reboot-required
    if ! grep -q "^$DPKG_MAINTSCRIPT_PACKAGE$" /var/run/reboot-required.pkgs 2> /dev/null ; then
        echo "$DPKG_MAINTSCRIPT_PACKAGE" >> /var/run/reboot-required.pkgs
    fi
fi

Details:

  • Add it as a new file in the /etc/kernel/postinst.d directory (for example /etc/kernel/postinst.d/x-user-unattended-upgrades).
  • In some circumstances it may duplicate functionality found in other kernel post-install hook scripts, but it will do so harmlessly.
  • The system needs to have the unattended-upgrades package installed for the script to be useful.
  • I've confirmed it's applicable for all recent versions of Ubuntu at time of writing. If you come to this answer at some point in the distant future, double-check it's still applicable and relevant.

A bug has been registered concerning this issue in Launchpad.
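The following is an added example, not code from the question, the answer or the unattended-upgrades package. It re-implements the hook logic above with the state directory as a parameter (defaulting to /run in real use) so the behaviour can be exercised in a scratch directory without root, and adds the consumer side the questioner asked for: a function meant for a cron entry at the start of the maintenance window that reboots only when the flag file is present. The package names in the demo are made up, and the dry-run switch is this example's own convention; nothing here inspects Livepatch's undocumented return codes.

```shell
#!/bin/sh
# Added example: test-friendly reimplementation of the kernel postinst hook
# plus a maintenance-window consumer of the flag files it writes.
# STATEDIR is a parameter so the logic can run against a temp dir; on a real
# host it would be /run. Package names below are hypothetical.

# record_reboot_required STATEDIR PACKAGE SCRIPT
#   Mirrors the hook: ignore postrm of linux-image-extra* (removing an old
#   extras package does not change the running kernel), otherwise set the
#   reboot-required flag and note the package once. Running it twice for the
#   same package is harmless, which is why duplicate hook scripts do no damage.
record_reboot_required() {
    statedir=$1; pkg=$2; script=$3
    case "$pkg::$script" in
        linux-image-extra*::postrm) return 0 ;;
    esac
    [ -d "$statedir" ] || return 0
    touch "$statedir/reboot-required"
    if ! grep -q "^$pkg\$" "$statedir/reboot-required.pkgs" 2>/dev/null; then
        echo "$pkg" >> "$statedir/reboot-required.pkgs"
    fi
}

# reboot_required STATEDIR -> exit status 0 when the flag file exists.
reboot_required() {
    [ -f "$1/reboot-required" ]
}

# maintenance_reboot STATEDIR
#   For a cron entry at the start of the maintenance window. Returns 1 and
#   does nothing when no reboot is pending; otherwise lists the packages and
#   reboots, unless DRY_RUN is set (the dry-run switch is this example's own).
maintenance_reboot() {
    statedir=$1
    if ! reboot_required "$statedir"; then
        echo "no reboot required"
        return 1
    fi
    echo "reboot required for: $(tr '\n' ' ' < "$statedir/reboot-required.pkgs")"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "(dry run: not rebooting)"
    else
        shutdown -r now "Maintenance window: rebooting into updated kernel"
    fi
    return 0
}

# Demo against a scratch directory (constructed input, not a real dpkg run).
demo() {
    tmp=$(mktemp -d)
    pkg=linux-image-5.15.0-10-generic                                 # hypothetical
    record_reboot_required "$tmp" "$pkg" postinst
    record_reboot_required "$tmp" "$pkg" postinst                       # repeat: no duplicate entry
    record_reboot_required "$tmp" linux-image-extra-5.15.0-9-generic postrm  # ignored by design
    DRY_RUN=1 maintenance_reboot "$tmp"
    rm -rf "$tmp"
}
demo
```

In real use the first function would be invoked by dpkg with $DPKG_MAINTSCRIPT_PACKAGE and $DPKG_MAINTSCRIPT_NAME as in the hook above, and maintenance_reboot /run would be scheduled from cron for the window; the dry-run switch keeps the demo from rebooting the host.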