After a library update (such as OpenSSL or glibc), the services that use it keep running with the old version loaded in memory.
needrestart is a tool that intelligently detects these services and asks you whether they should be restarted to apply the security or stability fixes.
Why use needrestart?
- Security: Ensures that library security fixes are actually applied to running services.
- Stability: Prevents inconsistencies between the new libraries on disk and the old ones in memory.
- Convenience: Integrates seamlessly with apt on Debian/Ubuntu to check services after every update.
- Control: Lets you choose to restart, skip, or automatically restart services.
Prerequisites
- A Debian-based Linux system (Debian, Ubuntu, Mint...).
- Root access or sudo privileges.
Installation
needrestart is available in the default Debian and Ubuntu repositories.
sudo apt-get update
sudo apt-get install -y needrestart
During installation, you will likely be asked to choose a default restart mode. The "interactive" mode (-i) is the safest to start with: it will ask for confirmation before each restart.
Usage
The main use of needrestart is automatic. After an apt upgrade command, it will run on its own.
You can also run it manually at any time to check the state of your system:
sudo needrestart
Example output
Scanning processes...
Scanning candidates...
Scanning linux images...
Running kernel seems to be up-to-date.
Restarting services...
Service "cron" is using old libraries and needs to be restarted.
Restarting cron...
systemctl restart cron.service
...
If you are in interactive mode, it will present a list of services to restart and ask you to choose which ones to restart.
If needrestart asks you nothing after an update, that means no running service is affected.
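To see what needrestart is reacting to, the following added example (not part of needrestart or of the original page) reads /proc/<pid>/maps and lists shared libraries a process still maps after the file on disk was replaced. The sample maps lines, the function names and the --live switch are constructed for this illustration; needrestart's own detection is more thorough.

```shell
#!/bin/sh
# Added example: find libraries a process still maps after the file on disk
# was replaced. The kernel marks such mappings "(deleted)" in /proc/<pid>/maps.

# stdin: maps-format text; stdout: each stale shared library, once.
# maps fields: address perms offset dev inode pathname [(deleted)]
stale_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.[0-9]+)*$/ && !seen[$6]++ { print $6 }'
}

# Constructed sample: a daemon started before an OpenSSL upgrade.
# The /dev/zero line shows a deleted mapping that is not a library.
sample_maps() {
    cat <<'EOF'
55d0c8a00000-55d0c8a2c000 r-xp 00000000 08:01 393301 /usr/sbin/sshd
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c45e000 r-xp 00000000 08:01 657102 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a1c45e000-7f3a1c460000 rw-p 0005e000 08:01 657102 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a1c800000-7f3a1c9b5000 r-xp 00000000 08:01 655377 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1ca00000-7f3a1ca01000 rw-s 00000000 00:01 2051 /dev/zero (deleted)
EOF
}

# Live scan of every process (run as root to read other users' processes).
scan_all() {
    for dir in /proc/[0-9]*; do
        # Processes can exit mid-scan; unreadable maps simply yield nothing.
        libs=$(cat "$dir/maps" 2>/dev/null | stale_libs)
        [ -n "$libs" ] || continue
        printf '%s (%s):\n' "${dir#/proc/}" "$(cat "$dir/comm" 2>/dev/null)"
        printf '%s\n' "$libs" | sed 's/^/    /'
    done
}

# Default: run on the constructed sample; pass --live to scan this machine.
if [ "${1:-}" = "--live" ]; then scan_all; else sample_maps | stale_libs; fi
```

Any process listed by the live scan is still executing the old library code until it is restarted.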
Configuration
The main configuration file is /etc/needrestart/needrestart.conf. There you can adjust the tool's behavior.
sudo nano /etc/needrestart/needrestart.conf
Restart mode
The most important line is $nrconf{restart}.
# 'i' - Interactive: asks for confirmation before each restart (default).
# 'l' - List: only lists the services, without restarting them.
# 'a' - Automatic: automatically restarts services without asking (Careful!).
$nrconf{restart} = 'i';
For a production server, interactive mode (i) or list mode (l) is recommended to avoid unplanned service interruptions.
Ignoring certain services
If you have a sensitive service that you never want needrestart to restart, you can add it to the ignore list.
# Example to ignore the PostgreSQL database server
$nrconf{override_rc}{postgresql} = 0;
needrestart will also warn you if a kernel update has been installed, indicating that a full system reboot is required to activate it. Unlike services, it cannot restart the kernel itself.
Conclusion
needrestart is a simple but essential tool for the maintenance and security of Debian-like systems. It fills an important gap in the update process by ensuring that fixes are properly applied not only on disk, but also to actively running services. Using it is a strongly recommended best practice for any system administrator.