Bug#1104582: needrestart breaks lxc networking by restarting nftables.service

Fri, 02 May 2025 06:27:19 -0700 

Control: severity -1 normal

On Fri, May 02, 2025 at 02:48:15PM +0200, Daniel Gröber wrote:
> On Fri, May 02, 2025 at 11:47:24AM +0200, Thomas Liske wrote:
> > I wonder why needrestart selects this service at all. Could you provide the
> > output of `needrestart -v` for this?
> 
> Unfortunately we already restarted all the affected nodes. Do you want me
> to try and recreate the problem in debvm?

I recreated the situation in a trixie debvm I do indeed not see needrestart
trying to restart nftables.service but only lxc-net.service due to dnsmasq
being linked against libnftables1 which changed SONAME and consequently
moved.

So my assumption that nftables was being (directly) restarted by
needrestart is probably invalid. See below for -v output.

I reviewed lxc-net and it only flushes it's own table(s) not the whole
ruleset. It runs:

    flush table ip6 lxc
    flush table inet lxc

and doesn't otherwise seem to trigger a nftables.service restart
otherwise. Odd.

I'm downgrading the severity then and will try to find another explaination
for what happened here.

--Daniel

Log:

root@testvm:~# /usr/sbin/needrestart -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.11
[main] running in root mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] systemd detected
[main] vm detected
[main] #7541 is /usr/sbin/dnsmasq
[main] #7541 uses deleted /usr/lib/x86_64-linux-gnu/libnftables.so.1.1.0
[main] #7541 is not a child
[main] #7541 exe => /usr/sbin/dnsmasq
[main] #7541 is lxc-net.service
[main] inside container or vm, skipping microcode checks
[Kernel] Linux: kernel release 6.12.22-cloud-amd64, kernel version #1 SMP 
PREEMPT_DYNAMIC Debian 6.12.22-1 (2025-04-10)
Failed to load NeedRestart::Kernel::kFreeBSD: [Kernel/kFreeBSD] Not running on 
GNU/kFreeBSD!
[Kernel/Linux] /boot/vmlinuz-6.12.22-cloud-amd64 => 6.12.22-cloud-amd64 
(debian-ker...@lists.debian.org) #1 SMP PREEMPT_DYNAMIC Debian 6.12.22-1 
(2025-04-10) [6.12.22-cloud-amd64]*
[Kernel/Linux] Expected linux version: 6.12.22-cloud-amd64

Running kernel seems to be up-to-date.

Restarting services...
Services to be restarted:
Restart «lxc-net.service»? [yNas?] 
Service restarts being deferred:
 systemctl restart lxc-net.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

Attachment: signature.asc
Description: PGP signature

Reply via email to