
Recently, due to a vulnerability detected in Java, new versions of packages (Ubuntu 22.04) were installed via the unattended-upgrades procedure:

Start-Date: 2024-11-12  06:15:15
Commandline: /usr/bin/unattended-upgrade
Upgrade: openjdk-17-jre:amd64 (17.0.12+7-1ubuntu2~22.04, 17.0.13+11-2ubuntu1~22.04), openjdk-17-jre-headless:amd64 (17.0.12+7-1ubuntu2~22.04, 17.0.13+11-2ubuntu1~22.04)
End-Date: 2024-11-12  06:15:18

more info: https://ubuntu.com/security/notices/USN-7098-1

The update appeared not to cause any problems; the Java processes continued to work, but only superficially. Code logic that called external processes started failing with:

java.io.IOException error=0, Failed to exec spawn helper: pid: 2187894, exit value: 1.

To resolve the problem, a restart of the Java process was needed.

My questions would be:

Is it possible to force restarting of services (systemd) that were installed via Debian packages and have Java as a dependency, e.g. tomcat9?

Would package pinning hold back unattended-upgrades from updating that package?

Kuba

2 Answers

What Ubuntu version do you have? Ubuntu 24.04 has an elaborate system of scanning for outdated library use and restarts any process that uses a replaced library. See the announcement needrestart changes in Ubuntu 24.04: service restarts. It's a feature I actually turn off on occasion (by commenting out the line in /etc/apt/apt.conf.d/99needrestart) because of its aggressiveness.

The funny thing is, I don't think this works for Java runtime environments and processes that use it. This is something that may warrant some actual discussion with Ubuntu.

And yes, package pinning holds back updates, including security updates.

Halfgaar
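The "scanning for outdated library use" mentioned in this answer is the signal needrestart relies on: once dpkg has overwritten a shared object, a process that started before the upgrade still maps the old inode, and /proc/<pid>/maps lists that path with a "(deleted)" suffix. The script below is an added example (not the answer's or Ubuntu's code) that performs the same check by hand, so you can verify whether a JVM that reported the spawn-helper error is in fact holding a replaced library. The sample maps lines are constructed; the live scan needs root to read other users' processes.

```shell
#!/bin/sh
# Added example: find processes still mapping a shared library whose on-disk
# file has been replaced (the check needrestart performs after upgrades).

# stale_libs_in_maps MAPS_FILE
# Print each distinct "(deleted)" mapped path that looks like a shared object.
# /proc/<pid>/maps fields: addr perms offset dev inode pathname [(deleted)]
# Anonymous, memfd and tmp mappings (common in a JVM) do not match the .so test.
stale_libs_in_maps() {
    awk '$6 ~ /\.so(\.[0-9]+)*$/ && $7 == "(deleted)" { print $6 }' "$1" | sort -u
}

# scan_stale_processes
# Walk every process and print "PID COMM LIB" for each stale mapped library.
# Processes that vanish mid-scan or are unreadable (non-root) are skipped.
scan_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_libs_in_maps "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $stale; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample (not captured from a real host): a JVM that still maps the
# pre-upgrade libjvm.so, plus mappings that must be ignored.
SAMPLE_MAPS=$(cat <<'EOF'
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d400000-7f3a1e200000 r-xp 00000000 fd:01 1310855 /usr/lib/jvm/java-17-openjdk-amd64/lib/server/libjvm.so (deleted)
7f3a1f000000-7f3a1f1c7000 r-xp 00000000 fd:01 1310720 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1f800000-7f3a1f900000 rw-s 00000000 00:01 123 /memfd:jvm-arena (deleted)
EOF
)

echo "stale libraries in the constructed sample:"
printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps -

# Pass --live to scan the running system (run as root to see every process).
if [ "${1:-}" = "--live" ]; then
    echo "processes on this host still mapping replaced libraries:"
    scan_stale_processes
fi
```

A JVM whose libjvm.so shows up here is exactly the case the question describes: the process keeps running on the old code, but anything it loads or executes fresh from the upgraded package tree (such as the jspawnhelper binary) may no longer match, so a restart is the only clean fix.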

1. Forcing Service Restarts for Packages with Java Dependencies

To ensure services that rely on Java (such as Tomcat) restart automatically after an update, you can set up a post-upgrade hook within the unattended-upgrade configuration. This hook will detect Java updates and restart any dependent services.

Here’s how to configure it:

  1. Create a Hook for Unattended Upgrades:

    • Create a file in the directory /etc/apt/apt.conf.d/, such as /etc/apt/apt.conf.d/99restart-java-services.
  2. Add the Following Hook Script:

    // Restart services after a Java update.
    // DPkg::Post-Invoke is the apt.conf hook that runs after every dpkg invocation
    // (unattended-upgrades has no Post-Invoke-Success option of its own), so this
    // command fires after each upgrade run, not only after Java upgrades.
    DPkg::Post-Invoke {"if systemctl list-units --all --type=service | grep -q 'tomcat'; then systemctl restart tomcat9; fi";};
    

    Adjust the script as necessary to include other services that need restarting after a Java update. You can list multiple services by adding additional systemctl restart commands.

  3. Make Sure the Script is Executable: Set executable permissions if needed:

    sudo chmod +x /etc/apt/apt.conf.d/99restart-java-services
    

This approach ensures any services depending on Java (like Tomcat) restart after an unattended Java upgrade, minimizing service disruptions.

2. Using Package Pinning to Hold Back Unattended Upgrades

If you prefer to prevent unattended upgrades from automatically updating specific packages like OpenJDK, you can use package pinning to “hold” those packages at a specific version.

  1. Create a Pinning File: Create a pinning file for Java in /etc/apt/preferences.d/, such as /etc/apt/preferences.d/java-pin.

  2. Configure the Pinning File: Add the following content to hold back the OpenJDK package:

    Package: openjdk-17-jre openjdk-17-jre-headless
    Pin: version 17.0.12+7-1ubuntu2~22.04
    Pin-Priority: 1001
    

    Adjust the package name and version as necessary. This configuration will prevent unattended upgrades from updating the specified version of OpenJDK.

  3. Verify the Hold: Run the following command to confirm that the pinning has been applied:

    apt-cache policy openjdk-17-jre
    

    With this setup, unattended upgrades will skip updates for the pinned package, preserving the specified version until you decide to update manually.
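The hook in section 1 restarts Tomcat after every dpkg run. The script below is an added example (not the answer's code) of a DPkg::Post-Invoke hook that restarts Java-hosting services only when dpkg actually upgraded an openjdk-* package since the previous run, which it determines from /var/log/dpkg.log and a watermark file. The hook entry would be `DPkg::Post-Invoke {"/usr/local/sbin/restart-java-consumers --run";};`. The script path, the service list, the state-file location and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: restart Java consumers only after an OpenJDK package upgrade.
# Assumed install path: /usr/local/sbin/restart-java-consumers (hypothetical).
set -e

DPKG_LOG=${DPKG_LOG:-/var/log/dpkg.log}
STATE_FILE=${STATE_FILE:-/var/lib/restart-java-consumers/last-seen}   # assumed
JAVA_SERVICES=${JAVA_SERVICES:-"tomcat9 jenkins"}                       # assumed

# java_upgraded_since LOGFILE "YYYY-MM-DD HH:MM:SS"
# Exit 0 if LOGFILE records an 'upgrade' of an openjdk-* package strictly after
# the given timestamp. dpkg.log lines have the form
#   2024-11-12 06:15:16 upgrade openjdk-17-jre-headless:amd64 <old> <new>
# and the timestamps are ISO-ordered, so string comparison is sufficient.
java_upgraded_since() {
    awk -v since="$2" '
        $3 == "upgrade" && $4 ~ /^openjdk-/ && ($1 " " $2) > since { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# last_timestamp LOGFILE: timestamp of the final log line, stored as the
# watermark so the next run ignores upgrades already handled.
last_timestamp() {
    tail -n 1 "$1" | awk '{ print $1 " " $2 }'
}

# restart_java_services: restart each configured unit that is currently active;
# inactive or absent units are left alone.
restart_java_services() {
    for svc in $JAVA_SERVICES; do
        if systemctl is-active --quiet "$svc"; then
            echo "restarting $svc after OpenJDK upgrade"
            systemctl restart "$svc"
        fi
    done
}

main() {
    since="1970-01-01 00:00:00"
    if [ -r "$STATE_FILE" ]; then
        since=$(cat "$STATE_FILE")
    fi
    if java_upgraded_since "$DPKG_LOG" "$since"; then
        restart_java_services
    fi
    mkdir -p "$(dirname "$STATE_FILE")"
    last_timestamp "$DPKG_LOG" > "$STATE_FILE"
}

# Constructed sample log (not from a real host): an unrelated upgrade followed
# by the OpenJDK upgrade from the question.
SAMPLE_LOG_FILE=${TMPDIR:-/tmp}/dpkg.sample.$$
cat > "$SAMPLE_LOG_FILE" <<'EOF'
2024-11-12 06:15:15 startup archives unpack
2024-11-12 06:15:15 upgrade libexample1:amd64 1.0-1 1.0-2
2024-11-12 06:15:16 upgrade openjdk-17-jre-headless:amd64 17.0.12+7-1ubuntu2~22.04 17.0.13+11-2ubuntu1~22.04
2024-11-12 06:15:17 upgrade openjdk-17-jre:amd64 17.0.12+7-1ubuntu2~22.04 17.0.13+11-2ubuntu1~22.04
2024-11-12 06:15:18 status installed openjdk-17-jre:amd64 17.0.13+11-2ubuntu1~22.04
EOF

if java_upgraded_since "$SAMPLE_LOG_FILE" "1970-01-01 00:00:00"; then
    echo "sample log: OpenJDK upgrade detected, restart would be triggered"
fi

# Invoked by the apt hook with --run; without it the script only runs the demo.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the decision is keyed on the package that was upgraded rather than on every dpkg run, the hook stays quiet for unrelated security updates, and the watermark prevents a second restart on the next unattended-upgrades run after the same Java upgrade.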