VM detection is broken, leading to prompt to restart for microcode updates

Bug #2020826 reported by Seth Arnold
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
needrestart (Debian) | Fix Released | Unknown | |
needrestart (Ubuntu) | Fix Released | Medium | Matthew Ruffell |
Kinetic | Fix Released | Medium | Matthew Ruffell |
Lunar | Fix Released | Medium | Matthew Ruffell |
Mantic | Fix Released | Medium | Matthew Ruffell |

Bug Description

[Impact]

VM detection in needrestart was quietly and subtly broken in version 3.6 that ships in kinetic, lunar and mantic, where a spelling mistake had been made that incorrectly called /usr/bin/systemds-detect-virt over /usr/bin/systemd-detect-virt.

This causes needrestart to think we are running in bare metal always, and it spends extra time checking microcode status, and sometimes prompting the user that their microcode is out of date, even though there is no way to apply microcode updates, which can mislead users each time they run apt install commands.

The fix is to correct the spelling mistake.

[Testcase]

Start a VM, I used an m5.large on AWS, with either kinetic, lunar or mantic.

If you run needrestart from your prompt, it checks for microcode. This run is on a system where the microcode package is at its latest, but on systems where it is out of date, you receive a curses prompt.

$ /usr/sbin/needrestart -w -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.6
[main] running in user mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] systemd detected
[ucode] using NeedRestart::uCode::AMD
[ucode] using NeedRestart::uCode::Intel
[uCode/AMD] #0 cpu vendor id mismatch
[uCode/Intel] #0 current revision: 0x2006f05
+ + grep -oE [^[:space:]]+$
iucode_tool --scan-system
+ sig=0x00050654
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ . /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l+ -Sgrep 0x00050654
 --ignore-broken -tb /lib/firmware/intel-ucode
[uCode/Intel] #0 available revision: 0x2006e05

The processor microcode seems to be up-to-date.

If you install the test packages from the below ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf361263-test

The expected output is to correctly register that we are running inside a VM and microcode checks can be skipped:

$ /usr/sbin/needrestart -w -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.6
[main] running in user mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] systemd detected
[main] vm detected
[main] inside container or vm, skipping microcode checks

[Where problems could occur]

We are fixing a spelling mistake made in a previous commit, and not changing any functionality or behaviour. The spelling mistake changes invoking the incorrect /usr/bin/systemds-detect-virt to /usr/bin/systemd-detect-virt.

Beforehand, /usr/bin/systemd-detect-virt would not exist, and thus return false. We would never enter the if statement, and thus never check to see if we are in a VM. By fixing the mistake, we now call /usr/bin/systemd-detect-virt, and if we are inside a VM, skip some unnecessary steps, like checking microcode versions.

If a regression were to occur, it would cause needrestart to interpret running in a VM or bare metal differently, and may or may not prompt the user at the correct times to restart any services or the system.

One thing to note is that needrestart is called automatically by apt after every install or remove invocation, and a regression could cause apt to return an error code, even when the packages were installed or removed correctly.

[Other Info]

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026026

This was fixed in the below commit, currently not tagged to a release:

commit 27bf4678bb92f68dfadd04ab04e96cba6ea2c376
From: zxyrepf <email address hidden>
Date: Sun, 24 Jul 2022 08:30:19 +0000
Subject: Fix VM detection regression introduced in f54d85c
Link: https://github.com/liske/needrestart/commit/27bf4678bb92f68dfadd04ab04e96cba6ea2c376

This fixes the regression introduced by:

commit f54d85cab33c450b2d4e17eaf359a5c7470ef91d
From: Thomas Liske <email address hidden>
Date: Tue, 17 May 2022 15:38:42 +0200
Subject: [Core] Use ImVirt for virtualization detection if not running
 on systemd (Debian Bug#984789 by Patrik Schindler <email address hidden>).
Link: https://github.com/liske/needrestart/commit/f54d85cab33c450b2d4e17eaf359a5c7470ef91d
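
Added example (not part of the original report or of needrestart itself): a shell check for the test case above that classifies `needrestart -w -v` output by the log markers quoted in this report and compares the result with `systemd-detect-virt --vm`. The function names and the two sample logs are constructed for illustration, and `--live` is a hypothetical switch of this script only.

```shell
#!/bin/sh
# Added example: decide from verbose needrestart output whether VM detection
# worked. Log markers are the ones quoted in the bug report.

# classify_log <log text>: print the code path the log shows
#   ucode-check - microcode probing ran (bare-metal path)
#   vm-skip     - VM detected and microcode checks skipped (fixed behaviour)
#   unknown     - neither marker present
classify_log() {
    log=$1
    if printf '%s\n' "$log" | grep -Eq '^\[(ucode|uCode/[A-Za-z]+)\]'; then
        echo ucode-check
    elif printf '%s\n' "$log" | grep -Fq '[main] vm detected' &&
         printf '%s\n' "$log" | grep -Fq 'skipping microcode checks'; then
        echo vm-skip
    else
        echo unknown
    fi
}

# verdict <virt> <path>: virt is "vm" or "none", path comes from classify_log
verdict() {
    case "$1:$2" in
        vm:vm-skip|none:ucode-check) echo OK ;;
        vm:ucode-check) echo "AFFECTED: VM treated as bare metal" ;;
        *) echo "INCONCLUSIVE: virt=$1 path=$2" ;;
    esac
}

# Constructed samples, shortened from the outputs shown in the report.
SAMPLE_BROKEN='[main] needrestart v3.6
[main] systemd detected
[ucode] using NeedRestart::uCode::Intel
[uCode/Intel] #0 current revision: 0x2006f05'

SAMPLE_FIXED='[main] needrestart v3.6
[main] systemd detected
[main] vm detected
[main] inside container or vm, skipping microcode checks'

# Live check: ask systemd-detect-virt directly, then run the report's command.
check_host() {
    if systemd-detect-virt --vm --quiet; then virt=vm; else virt=none; fi
    verdict "$virt" "$(classify_log "$(/usr/sbin/needrestart -w -v 2>&1)")"
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

A container is reported as INCONCLUSIVE because `systemd-detect-virt --vm` only answers for VMs, while needrestart's skip message covers both containers and VMs.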

Changed in needrestart (Ubuntu Kinetic):
status: New → In Progress
Changed in needrestart (Ubuntu Lunar):
status: New → In Progress
Changed in needrestart (Ubuntu Mantic):
status: New → In Progress
Changed in needrestart (Ubuntu Kinetic):
importance: Undecided → Medium
Changed in needrestart (Ubuntu Lunar):
importance: Undecided → Medium
Changed in needrestart (Ubuntu Mantic):
importance: Undecided → Medium
Changed in needrestart (Ubuntu Kinetic):
assignee: nobody → Matthew Ruffell (mruffell)
Changed in needrestart (Ubuntu Lunar):
assignee: nobody → Matthew Ruffell (mruffell)
Changed in needrestart (Ubuntu Mantic):
assignee: nobody → Matthew Ruffell (mruffell)
tags: added: sts
description: updated
summary: - typo systemds-detect-virt
+ VM detection is broken, leading to prompt to restart for microcode
+ updates
Matthew Ruffell (mruffell) wrote :

Attached is a debdiff for mantic that solves this issue.

Matthew Ruffell (mruffell) wrote :

Debdiff for needrestart on lunar that solves this issue.

Matthew Ruffell (mruffell) wrote :

Debdiff for needrestart on kinetic that solves this issue.

tags: added: sts-sponsor
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Debdiff for needrestart on mantic" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
tags: added: se-sponsor-halves
Brian Murray (brian-murray) wrote :

needrestart (3.6-4) unstable; urgency=medium

  * Remove leftover conffile 30-pacman with 3.6-4.
    Closes: #1036526
  * Add patch 03-ignore-serial-getty from Helmut Grohne to ignore serial-getty.
    Closes: #1035721
  * Add upstream patch 04-vm-detection to fix a typo, which prevents the VM and
    microcode detection.
    Closes: #1026026

 -- Patrick Matthäi <email address hidden> Wed, 31 May 2023 16:47:03 +0200

Changed in needrestart (Ubuntu Mantic):
status: In Progress → Fix Released
Brian Murray (brian-murray) wrote :

I've uploaded this to the SRU queues for Lunar and Kinetic so I think unsubscribed the ubuntu-sponsors team.

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Seth, or anyone else affected,

Accepted needrestart into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/needrestart/3.6-3ubuntu0.23.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in needrestart (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Steve Langasek (vorlon) wrote :

Hello Seth, or anyone else affected,

Accepted needrestart into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/needrestart/3.6-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in needrestart (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed-kinetic
Changed in needrestart (Debian):
status: Unknown → Fix Released
Matthew Ruffell (mruffell) wrote :

Performing verification for Lunar

I started a fresh Lunar VM on KVM, and ran needrestart 3.6-3 from -main.

$ /usr/sbin/needrestart -w -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.6
[main] running in user mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] systemd detected
[ucode] using NeedRestart::uCode::AMD
[ucode] using NeedRestart::uCode::Intel
[uCode/AMD] #2 cpu vendor id mismatch
[uCode/Intel] #2 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
+ grep found
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #0 cpu vendor id mismatch
[uCode/Intel] #0 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
+ grep found
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #3 cpu vendor id mismatch
[uCode/Intel] #3 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
+ grep found
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #1 cpu vendor id mismatch
[uCode/Intel] #1 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
+ grep found
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version

Failed to check for processor microcode upgrades.

Needrestart attempted to determine what microcode was needed, eve...

tags: added: verification-done-lunar
removed: verification-needed-lunar
Matthew Ruffell (mruffell) wrote :

Performing verification for Kinetic

I started a fresh Kinetic VM on KVM, and ran needrestart 3.6-1 from -main.

$ /usr/sbin/needrestart -w -v
[main] eval /etc/needrestart/needrestart.conf
[main] needrestart v3.6
[main] running in user mode
[Core] Using UI 'NeedRestart::UI::stdio'...
[main] systemd detected
[ucode] using NeedRestart::uCode::Intel
[ucode] using NeedRestart::uCode::AMD
[uCode/Intel] #0 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ + grep found
iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #0 cpu vendor id mismatch
[uCode/Intel] #3 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ + grep found
iucode_tool -l -S --ignore-broken -tb /lib/firmware/intel-ucode
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #3 cpu vendor id mismatch
[uCode/Intel] #1 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S+ --ignore-broken -tb /lib/firmware/intel-ucode
grep found
Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #1 cpu vendor id mismatch
[uCode/Intel] #2 current revision: 0x0001
+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ sig=found
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ filter=-S
+ test -r /etc/needrestart/iucode.sh
+ . /etc/needrestart/iucode.sh
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ test = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ iucode_tool -l -S --ignore-broken -tb+ /lib/firmware/intel-ucodegrep found

Use of uninitialized value $processor in concatenation (.) or string at /usr/share/perl5/NeedRestart/uCode.pm line 61.
[ucode] # did not get available microcode version
[uCode/AMD] #2 cpu vendor id mismatch

Failed to check for processor microcode upgrades.

Needrestart attempted to determine what microcode was needed,...

tags: added: verification-done-kinetic
removed: sts-sponsor verification-needed verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package needrestart - 3.6-3ubuntu0.23.04.1

---------------
needrestart (3.6-3ubuntu0.23.04.1) lunar; urgency=medium

  * Fix VM detection by correcting a spelling mistake, changing
    /usr/bin/systemds-detect-virt to /usr/bin/systemd-detect-virt.
    This ensures users are not prompted for microcode upgrades inside
    VMs. (LP: #2020826)
    - lp2020826-Fix-VM-detection-regression-introduced-in-f54d85c.patch

 -- Matthew Ruffell <email address hidden> Fri, 09 Jun 2023 14:58:44 -0700

Changed in needrestart (Ubuntu Lunar):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for needrestart has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package needrestart - 3.6-1ubuntu0.1

---------------
needrestart (3.6-1ubuntu0.1) kinetic; urgency=medium

  * Fix VM detection by correcting a spelling mistake, changing
    /usr/bin/systemds-detect-virt to /usr/bin/systemd-detect-virt.
    This ensures users are not prompted for microcode upgrades inside
    VMs. (LP: #2020826)
    - lp2020826-Fix-VM-detection-regression-introduced-in-f54d85c.patch

 -- Matthew Ruffell <email address hidden> Fri, 09 Jun 2023 15:04:49 -0700

Changed in needrestart (Ubuntu Kinetic):
status: Fix Committed → Fix Released