Operating System: AlmaLinux 8.8 (Sapphire Caracal)
CPE OS Name: cpe:/o:almalinux:almalinux:8::baseos
Kernel: Linux 4.18.0-477.21.1.el8_8.x86_64
Architecture: x86-64
I’ve installed dnf-automatic and I’ve configured it to apply updates automatically.
dnf install dnf-automatic -y
Edit the config file:
nano /etc/dnf/automatic.conf
Change to: apply_updates = yes
Enable the service:
systemctl enable --now dnf-automatic.timer
Next, I created a bash file: nano /etc/cron.daily/autorestart.cron to restart services or reboot the system if needed. The autorestart.cron file is set to root/root 0755.
...
# If server needs restarting, send email and restart in 5 minutes.
needs-restarting -r >/dev/null || { printf '%s\n' "Updates were installed on $(hostname) which require a reboot." \
"The reboot will take place on $(date -d '5 min' +'%a, %b %d, %Y @ %r')." | mail -r $from_email -s "$(hostname) will \
reboot in 5 minutes @ $(date -d '5 min' +'%r')" me@example.com; sleep 5m; reboot; exit 0; }
# Set variable for services that need restarting.
NEEDS=$(needs-restarting -s)
# Send email and restart server is auditd service needs restarting.
echo $NEEDS | grep -q auditd.service && { printf '%s\n' "Updates (auditd) were installed on $(hostname) which require a reboot." \
"The reboot will take place on $(date -d '5 min' +'%a, %b %d, %Y @ %r')." | mail -r $from_email -s "$(hostname) will \
reboot in 5 minutes @ $(date -d '5 min' +'%r')" me@example.com; sleep 5m; reboot; exit 0; }
# Restart all services that need restarting
echo $NEEDS | xargs --no-run-if-empty -n1 systemctl restart
...
Everything seems to work but I get emails with the following info:
…
/etc/cron.daily/autorestart.cron:
Failed to read PID 2880028’s smaps.
Failed to read PID 2880030’s smaps.
Failed to read PID 2880031’s smaps.
Failed to read PID 2880032’s smaps.
Failed to read PID 2880033’s smaps.
Failed to read PID 2880034’s smaps.
…
How can I make it to where I do not encounter these errors?
What’s happening in your ellipses? Do you have some systemd or container setup where you’re dropping CAP_SYS_PTRACE?
Are you running SELinux in enforcing mode, and are you getting AVC denials in /var/log/audit/audit.log? (I didn’t think custom cronjobs were confined, but maybe?)
Is it listing every pid, or just a subset? If you look up the processes of those pids, are they still running and do they have anything in common?
What’s happening in your ellipses? Do you have some systemd or container setup where you’re dropping CAP_SYS_PTRACE?
Can you elaborate? I pieced together my cron script from info I gathered on the Internet. I simply want to restart services that needs-restarting -s lists or reboot the server if needs-restarting -r says a reboot is needed.
Are you running SELinux in enforcing mode, and are you getting AVC denials in /var/log/audit/audit.log? (I didn’t think custom cronjobs were confined, but maybe?)
SELinux is disabled.
Is it listing every pid, or just a subset? If you look up the processes of those pids, are they still running and do they have anything in common?
I don’t know if every PID is listed. By the time I get the email, those PID’s do not exist.
I’m just looking for reasons the cronjob environment would lack the necessary privileges. You’re able to run needs-restarting interactively as root without those messages? What if you run the whole /etc/cron.daily/autorestart.cron script interactively?
You’re able to run needs-restarting interactively as root without those messages?
Yes
What if you run the whole /etc/cron.daily/autorestart.cron script interactively?
I do not recall ever encountering this issue when running the script interactively BUT trying to catch the system at the precise moment, after updates have been installed, when services need restarting or the system needs rebooting is extremely difficult.
I don’t know how to recreate, at will, the required system state (i.e. updates applied, services or system needs restarting) to perform tests.
I would think you’d get those errors every time, whether there’s a change or not, since needs-restarting has to look through all the smaps to see what packages to check. Do you not?
I’m worried about taking you on a wild-goose chase, but it’s occurring to me that “Failed to read PID %d’s smaps” isn’t necessarily EACCES, so my inclination if I were you would be to strace -Ze trace=openat within the cronjob and confirm what the actual error is to see if that’s illuminating in any way.
EACCES failures look like
openat(AT_FDCWD, "/proc/2948995/smaps", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
Failed to read PID 2948995's smaps.
openat(AT_FDCWD, "/proc/2948988/smaps", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
Failed to read PID 2948988's smaps.
If the openats aren’t what’s erroring, you’d need to expand the scope of the strace. Sorry I can’t be more useful than debug suggestions (though maybe if we keep bumping the thread like this someone will come along who already figured this out on their own system and has an actual answer, ha).
It seems that such messages are just warnings and that needs-restarting continues:
I called needs-restarting -s from Ansible and this was logged, notice “rc”: 0, i.e. clean exit.
{"changed": false, "cmd": ["needs-restarting", "-s"], "delta": "0:00:01.302874", "end": "2024-01-29 13:55:37.586568", "failed_when_result": false, "msg": "", "rc": 0, "start": "2024-01-29 13:55:36.283694", "stderr": "Failed to read PID 65828's smaps.\nFailed to read PID 65829's smaps.", "stderr_lines": ["Failed to read PID 65828's smaps.", "Failed to read PID 65829's smaps."], "stdout": "smartd.service\nsystemd-logind.service\nsshd.service\nrsyslog.service\nuser@1000.service\nsystemd-journald.service\nirqbalance.service\npolkit.service\ndbus.service\nwaagent.service\nfirewalld.service\nchronyd.service\nNetworkManager.service\nrngd.service\nsystemd-udevd.service\ntuned.service", "stdout_lines": ["smartd.service", "systemd-logind.service", "sshd.service", "rsyslog.service", "user@1000.service", "systemd-journald.service", "irqbalance.service", "polkit.service", "dbus.service", "waagent.service", "firewalld.service", "chronyd.service", "NetworkManager.service", "rngd.service", "systemd-udevd.service", "tuned.service"]}