98-reboot-required and Interaction with livepatch
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unattended-upgrades (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| update-notifier (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* If a system is using Canonical Livepatch, has it enabled, and patches are applied, it could be confusing for a user to receive a "system restart required" message in the MOTD when logging in.
* Livepatch is available on LTS releases. Thus, users can be confused following a kernel update on 20.04.
* The upload prevents the update-notifier and unattended-upgrades hooks from adding "system restart"-related messages to the motd when Livepatch is enabled.
Livepatch, when enabled, already contributes to the motd message so there is no need to have duplicate (and sometimes contradictory) information.
[Test Plan]
* how to reproduce the bug:
1. Install and boot a 20.04 server VM
2. Make sure it runs a generic kernel (or another flavour that supports Livepatch)
3. Enable Livepatch using the following command:
$ ua attach <token> # replace <token> by an actual contract token
4. Upgrade the kernel (if you are already running the latest available kernel update, you can install a different flavour)
5. Upon logging in again, the motd will show ***System restart required***.
* other testing appropriate to perform before landing this update:
* Making sure that the patch has no impact when livepatch is not enabled.
* The motd should show ***System restart required*** after upgrading the kernel if livepatch is not enabled.
[Where problems could occur]
* The change updates a hook script in /etc/kernel/
* If the implementation is wrong, we might end up "losing" the ***System restart required*** message when livepatch is disabled
[Original bug description]
If a system is using Canonical Livepatch, has it enabled, and patches are applied, it could be confusing for a user to receive a "system restart required" message in the MOTD when logging in.
That message, when present, is printed by 98-reboot-required which essentially just cats /var/run/
There is a secondary file that can be created which says which packages requested the reboot. That would be /var/run/
Ideally that script should not print out the reboot required message if a) livepatch is installed and enabled; b) the only trigger for the reboot is a kernel update.
For (a), one can use the command "ubuntu-advantage is-livepatch-
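The decision rule sketched above, conditions (a) and (b) combined, as an added illustration that is not the update-notifier hook or any code from this bug. It assumes the livepatch state is passed in as a word rather than queried live, that the packages which requested the reboot are passed as a whitespace-separated list in the spirit of the .pkgs file (whose path the report truncates), and that a "kernel package" is one whose name starts with linux-; these are assumptions, not facts from the page.

```shell
#!/bin/sh
# Constructed example: decide whether the "System restart required" line
# should still be printed. Not the real 98-reboot-required script.
# Assumptions (not from the bug report):
#  - livepatch state arrives as "enabled" or "disabled"
#  - the packages that requested a reboot arrive as one argument,
#    whitespace-separated, like the contents of the .pkgs file
#  - kernel packages are those named linux-*

# Returns 0 if every listed package is a kernel package, 1 otherwise.
# An empty list is not "only kernel packages": nothing tells us why the
# reboot flag was set, so the message must stay.
only_kernel_packages() {
    pkgs="$1"
    [ -n "$pkgs" ] || return 1
    for p in $pkgs; do
        case "$p" in
            linux-*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Prints "hide" only when livepatch is enabled AND the only trigger for the
# reboot is a kernel update; every other case keeps the message ("show").
reboot_message_decision() {
    livepatch="$1"
    pkgs="$2"
    if [ "$livepatch" = enabled ] && only_kernel_packages "$pkgs"; then
        echo hide
    else
        echo show
    fi
}
```

Note that the rule hides nothing when a non-kernel package (libc6, systemd, etc.) also requested the reboot, which is the case the Security Team's comment below is most concerned about.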
Activity log:
* description: updated
* tags: added: fr-1788
* tags: added: reboot-required
The position of the Security Team has been consistent that kernel live patching allows users to defer reboots, it does not allow users to avoid them. Because not all security fixes are included in live patches, and because correlating the live patch CVEs to the kernel deb CVEs requires knowledge that's external to the packages themselves, hiding the 'reboot required' message will give users a false sense of security about their system.
Cc:ing Tyler for any further comment.
Whatever our policy is going to be here, it should be consistent across the board for both desktop and server (which may fall out naturally from changes to update-notifier, but maybe not).