[SRU] Do not restart keepalived on unattended-upgrades

Bug #2089155 reported by vrc
This bug affects 1 person
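| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| keepalived (Ubuntu) | New | Undecided | Unassigned | |
| keepalived (Ubuntu): Noble | New | Undecided | Unassigned | |
| keepalived (Ubuntu): Oracular | New | Undecided | Unassigned | |
| needrestart (Ubuntu) | Fix Released | Undecided | Pragyansh Chaturvedi | |
| needrestart (Ubuntu): Noble | New | Undecided | Unassigned | |
| needrestart (Ubuntu): Oracular | New | Undecided | Unassigned | |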

Bug Description

[ Impact ]

 * keepalived.service should not be automatically restarted after an
   update as other services which depend on it might get disrupted.

 * This change adds a regex pattern for keepalived.service in the default
   needrestart.conf to prevent its automatic restart.

[ Test Plan ]

 * Install keepalived

 * Create /etc/keepalived/keepalived.conf and add some sample text in it after ! (essentially a comment)

 * Enable and start keepalived using systemctl (it might get stuck while starting, just interrupt it using Ctrl-C)

 * Then run `sudo apt reinstall libc6`

 * keepalived.service will appear under `Restarting services...`, while it
   should actually appear under `Service restarts being deferred:`

[ Where problems could occur ]

 * If another service using /usr/sbin/keepalived gets restarted, this problem
   might reoccur.

[ Other Info ]

 * Original bug report:
```
unattended-upgrades has restarted keepalived (noble,now 1:2.2.8-1build2 amd64) due to the update of library libglib2.0-0t64.
It is not excluded in /etc/needrestart/needrestart.conf, like other services (OpenVPN, frr).
Please add an entry so keepalived is not restarted automatically by unattended-upgrades.
```
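
The last step of the test plan can be checked mechanically by classifying which heading keepalived.service appears under. This is an added example, not part of the bug report or of needrestart itself: the function name `restart_state` is hypothetical, both sample outputs are constructed, and the layout of the lines under each heading is an assumption.

```shell
#!/bin/sh
# Classify how needrestart handled one unit, reading apt/needrestart output
# on stdin. Prints one of: restarted | deferred | absent
restart_state() {
    unit="$1"
    awk -v unit="$unit" '
        /^Restarting services\.\.\./        { section = "restarted"; next }
        /^Service restarts being deferred:/ { section = "deferred";  next }
        # Any other unindented, non-empty line ends the current section.
        /^[^ ]/                             { section = ""; next }
        section != "" {
            # Indented lines list one or more units; match whole words only.
            for (i = 1; i <= NF; i++)
                if ($i == unit) found[section] = 1
        }
        END {
            if (found["restarted"])     print "restarted"
            else if (found["deferred"]) print "deferred"
            else                        print "absent"
        }
    '
}

# Constructed sample (not captured from a real host): behaviour before the fix.
sample_unpatched='Restarting services...
 systemctl restart keepalived.service cron.service

Service restarts being deferred:
 systemctl restart networkd-dispatcher.service

No containers need to be restarted.'

# Constructed sample (not captured from a real host): behaviour after the fix.
sample_patched='Restarting services...
 systemctl restart cron.service

Service restarts being deferred:
 systemctl restart keepalived.service
 systemctl restart networkd-dispatcher.service

No containers need to be restarted.'

printf '%s\n' "$sample_unpatched" | restart_state keepalived.service  # restarted
printf '%s\n' "$sample_patched"   | restart_state keepalived.service  # deferred
```

On a test host, pipe the output of the `sudo apt reinstall libc6` step into `restart_state keepalived.service`; anything other than `deferred` means the exclusion is not in effect.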


vrc (vrc-vlm)
affects: needrestart (Ubuntu) → keepalived (Ubuntu)
Bryce Harrington (bryce)
tags: added: server-triage-discuss
Simon Chopin (schopin) wrote :

Hi,

We usually centralize those exceptions in the default needrestart conf rather than through snippets shipped per-package since a needrestart SRU is typically less costly.

Now, I have to ask a potentially stupid question here: *why* shouldn't keepalived be restarted?

vrc (vrc-vlm) wrote :

There are quite a few reasons:

- If you restart a keepalived service that is acting as MASTER, the floating IP(s) will be removed from that machine, causing service disruption.

- The floating IP(s) may be moved to one of the BACKUP keepalived instances that you may have in the network for a brief moment and then moved back to the MASTER keepalived instance. This produces a sequence of GARP requests that the switches may or may not honor properly.

- This can get considerably more complicated and disruptive if using scripts that do things like start/stop/restart services when keepalived status changes. Even seconds of downtime are a lot for some services (firewalls, haproxy, VoIP), especially if it is unplanned.

- There's always the risk that the service does not start or misbehaves after the update, so I definitely prefer to restart it manually during a planned intervention.

summary: - Do not restart keepalived on unattended-upgrades
+ [SRU] Do not restart keepalived on unattended-upgrades
Changed in needrestart (Ubuntu):
assignee: nobody → Pragyansh Chaturvedi (r41k0u)
description: updated
Changed in needrestart (Ubuntu):
status: New → In Progress
Bryce Harrington (bryce)
tags: removed: server-triage-discuss
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package needrestart - 3.6-8ubuntu7

---------------
needrestart (3.6-8ubuntu7) plucky; urgency=medium

  * Don't restart glusterd automatically (LP: #2085070)
    - d/p/lp2085070/0020-ubuntu-avoid-restart-glusterd.patch:
      Add regex to ignore glusterd and for automatic restart
  * Don't restart keepalived automatically (LP: #2089155)
    - d/p/lp2089155/0021-ubuntu-avoid-restart-keepalived.patch:
      Add regex to ignore keepalived and for automatic restart

 -- Pragyansh Chaturvedi <email address hidden> Tue, 10 Dec 2024 13:22:02 +0530

Changed in needrestart (Ubuntu):
status: In Progress → Fix Released