Bug#886611: needrestart: detect need to reboot due to AMD microcode updates

2020-01-27 Thread Paul Wise
On Mon, 2020-01-27 at 21:10 +0100, Thomas Liske wrote:

> I was able to add some microcode parsing for AMD (see also 
> https://github.com/liske/needrestart/issues/150). It will be an 
> experimental feature of the upcoming needrestart 3.5 release.

Excellent, thanks for your work on needrestart.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Bug#886611: needrestart: detect need to reboot due to AMD microcode updates

2020-01-27 Thread thomas



tags 886611 fixed-upstream
thanks


Hi pabs,

I was able to add some microcode parsing for AMD (see also 
https://github.com/liske/needrestart/issues/150). It will be an 
experimental feature of the upcoming needrestart 3.5 release.



HTH,
Thomas


On Mon, 8 Jan 2018, Paul Wise wrote:

> On Mon, 2018-01-08 at 08:00 +0100, Thomas Liske wrote:
>
> > checking if initramfs is newer than uptime might be a good idea
>
> Possibly, but there might be false positives if the initramfs was
> regenerated without having updated any files in it. Also, not every
> initramfs contains files that are currently loaded/running. Only ones
> that are include microcode and Linux kernel modules, but see below.
>
> > A reboot may be also required due to updates of 3rd party
> > kernel modules (like DKMS) if they are part of the initramfs.
>
> Those can often just be unloaded and then reloaded again.
>
> It would be good to detect when that is needed and possible, but Linux
> doesn't seem to expose any info about the filesystem timestamp of the
> currently loaded modules.
>
> Once that is exposed, then you would have to determine if any resources
> the modules expose are being used by any processes/mounts/etc.
>
> Ones that aren't being used can just be unloaded/reloaded if they are
> compatible with the current Linux kernel ABI.
>
> Ones that are used will need a complicated dance where the services are
> stopped (or processes stopped), the module reloaded and services
> started again.
>
> > I would avoid parsing the initramfs in needrestart (would need to
> > handle different compression and archive file types etc.) just to look
> > for the microcode files. Reporting and recommending a reboot if there is an
> > updated initramfs should be sufficient, shouldn't it?
>
> Agreed, this is why I suggested to look at the files from the AMD
> microcode package instead. As explained above, I think that would
> result in some false positives. Since reboots are costly for some
> systems, I would recommend avoiding those false positives.




--

::  WWW:https://fiasko-nw.net/~thomas/  ::
   :::  GnuPG: 0x49D0C2C3  mailto:tho...@fiasko-nw.net  :::
::  flickr: https://www.flickr.com/photos/laugufe/  ::



Bug#886611: needrestart: detect need to reboot due to AMD microcode updates

2018-01-08 Thread Paul Wise
On Mon, 2018-01-08 at 08:00 +0100, Thomas Liske wrote:

> checking if initramfs is newer than uptime might be a good idea

Possibly, but there might be false positives if the initramfs was
regenerated without having updated any files in it. Also, not every
initramfs contains files that are currently loaded/running. Only ones
that are include microcode and Linux kernel modules, but see below.

> A reboot may be also required due to updates of 3rd party
> kernel modules (like DKMS) if they are part of the initramfs.

Those can often just be unloaded and then reloaded again.

It would be good to detect when that is needed and possible, but Linux
doesn't seem to expose any info about the filesystem timestamp of the
currently loaded modules.

Once that is exposed, then you would have to determine if any resources
the modules expose are being used by any processes/mounts/etc.

Ones that aren't being used can just be unloaded/reloaded if they are
compatible with the current Linux kernel ABI.

Ones that are used will need a complicated dance where the services are
stopped (or processes stopped), the module reloaded and services
started again.

> I would avoid parsing the initramfs in needrestart (would need to
> handle different compression and archive file types etc.) just to look
> for the microcode files. Reporting and recommending a reboot if there is an
> updated initramfs should be sufficient, shouldn't it?

Agreed, this is why I suggested to look at the files from the AMD
microcode package instead. As explained above, I think that would
result in some false positives. Since reboots are costly for some
systems, I would recommend avoiding those false positives.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Bug#886611: needrestart: detect need to reboot due to AMD microcode updates

2018-01-07 Thread Thomas Liske

tags 886611 upstream
thanks

Hi Paul,

checking if initramfs is newer than uptime might be a good idea in
general. A reboot may be also required due to updates of 3rd party
kernel modules (like DKMS) if they are part of the initramfs.

I would avoid parsing the initramfs in needrestart (would need to
handle different compression and archive file types etc.) just to look
for the microcode files. Reporting and recommending a reboot if there is an
updated initramfs should be sufficient, shouldn't it?


HTH,
Thomas


Paul Wise  writes:

> Package: needrestart
> Version: 2.11-4
> Severity: wishlist
>
> Please detect the need to reboot to apply AMD microcode updates.
>
> The amd64-microcode maintainer suggested that this could be done by 
> detecting that the initramfs is newer than uptime, and if so, look at
> the microcode files in the package and check if they are newer than
> uptime but older than the initramfs. If the microcode files are newer
> than the initramfs and newer than the uptime there could be a warning.
>
> $ apt-file show amd64-microcode | grep ucode
> amd64-microcode: /lib/firmware/amd-ucode/microcode_amd.bin
> amd64-microcode: /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
> amd64-microcode: /lib/firmware/amd-ucode/microcode_amd_fam16h.bin
>
> This might require packaging the Unix::Uptime CPAN module:
>
> https://metacpan.org/pod/Unix::Uptime
> https://github.com/pioto/Unix-Uptime
>
> Until that happens, you could parse /proc/uptime manually.
>
> -- 
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise

-- 

::  WWW:https://fiasko-nw.net/~thomas/  ::
   :::  Jabber:   xmpp:tho...@jabber.fiasko-nw.net  :::
::  flickr: https://www.flickr.com/photos/laugufe/  ::



Bug#886611: needrestart: detect need to reboot due to AMD microcode updates

2018-01-07 Thread Paul Wise
Package: needrestart
Version: 2.11-4
Severity: wishlist

Please detect the need to reboot to apply AMD microcode updates.

The amd64-microcode maintainer suggested that this could be done by 
detecting that the initramfs is newer than uptime, and if so, look at
the microcode files in the package and check if they are newer than
uptime but older than the initramfs. If the microcode files are newer
than the initramfs and newer than the uptime there could be a warning.

$ apt-file show amd64-microcode | grep ucode
amd64-microcode: /lib/firmware/amd-ucode/microcode_amd.bin
amd64-microcode: /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
amd64-microcode: /lib/firmware/amd-ucode/microcode_amd_fam16h.bin

This might require packaging the Unix::Uptime CPAN module:

https://metacpan.org/pod/Unix::Uptime
https://github.com/pioto/Unix-Uptime

Until that happens, you could parse /proc/uptime manually.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
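
The timestamp heuristic from the original report, including the false-positive case raised later in the thread, as an added example (not needrestart's code and not part of any message above). The function names, the initramfs path argument and the sample timestamps are assumptions; the microcode paths are the ones listed in the report.

```python
import os
import time

# Microcode files named in the bug report (amd64-microcode package).
UCODE_FILES = [
    "/lib/firmware/amd-ucode/microcode_amd.bin",
    "/lib/firmware/amd-ucode/microcode_amd_fam15h.bin",
    "/lib/firmware/amd-ucode/microcode_amd_fam16h.bin",
]

def boot_time(uptime_text, now):
    """Boot timestamp from the text of /proc/uptime ("<uptime> <idle>")."""
    return now - float(uptime_text.split()[0])

def classify(boot, initramfs_mtime, ucode_mtimes):
    """Apply the report's heuristic; all arguments are epoch seconds."""
    fresh = [m for m in ucode_mtimes if m > boot]
    if not fresh:
        # Microcode untouched since boot. A regenerated initramfs alone
        # is the false positive discussed in the thread, so no reboot.
        return "ok"
    if any(m > initramfs_mtime for m in fresh):
        # Updated microcode has not been packed into the initramfs yet.
        return "warn"
    # Microcode changed after boot and the initramfs was built after it.
    return "reboot"

def check_host(initramfs_path, now=None):
    """Collect live values; initramfs_path is supplied by the caller
    (assumption: the image the running kernel was booted with)."""
    now = time.time() if now is None else now
    with open("/proc/uptime") as fh:
        boot = boot_time(fh.read(), now)
    mtimes = [os.stat(p).st_mtime for p in UCODE_FILES if os.path.exists(p)]
    return classify(boot, os.stat(initramfs_path).st_mtime, mtimes)

if __name__ == "__main__":
    # Constructed timestamps: the host booted at t=6400.
    boot = boot_time("3600.00 7000.00", now=10000.0)
    print(classify(boot, 7000, [5000, 5000, 5000]))  # initramfs rebuilt only
    print(classify(boot, 7000, [6500, 5000, 5000]))  # microcode then initramfs
    print(classify(boot, 6000, [6500, 5000, 5000]))  # microcode, stale initramfs
```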

