How often should you do Graceful Server Reboot?

[yagami_kira]

Under WHM -->Security Center --> Security Advisor. There's an error saying:

=====
Detected processes that are running outdated binary executables.
Reboot the system in the “Graceful Server Reboot” area. Alternatively, SSH into this server and run ‘/bin/needs-restarting’, then manually restart each of the listed processes.
=====

Even after doing Graceful Server Reboot, eventually the above error will appear again. It seems it always happen every time there's a major update to the system. But so far it happens frequently, at least a few times a month. It won't be good if I always do Graceful Server Reboot everytime I see that error since that will always cause a brief downtime.

The question is in your experiences, generally and practically, how often should one do a Graceful Server Reboot with a good balance of uptime and security ?

 

[sktest123]

Verify
/usr/bin/needs-restarting

Then restart manually the listed services

 

[yagami_kira]

The last time I checked on /bin/needs-restarting, there were about 8 services or processes that need to be restarted. There will also be different commands in restarting each and every one of them of which I don't know how. This will be therefore impractical and time consuming if done manually every time.

 

[cPanelMichael]

Hello,

It's important to restart processes that are running outdated binary executables to help prevent the use of exploits on your system. Is there a particular service from the "/usr/bin/needs-restarting" output that you need help with? If so, we're happy to provide guidance.

Thank you.

 

[yagami_kira]

These are what appears when running the command:

[email protected] [~]# /usr/bin/needs-restarting
145 : /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
1 : /usr/lib/systemd/systemd --system --deserialize 17
114 : /usr/lib/systemd/systemd-logind
180 : /usr/sbin/nscd
152 : /usr/sbin/sshd
246 : /usr/sbin/atd -f
13356 : /usr/lib/systemd/systemd-udevd
139 : /usr/sbin/rsyslogd -n
237 : /usr/sbin/crond -n
78 : /usr/lib/systemd/systemd-journald

I do not know the command though on how to restart each one of them. By the way, will restarting them one by one cause downtime to the web browsing of visitors including disruption of incoming mails?

I'm eyeing for simple long-term solution. Twice a year we would have an event where there is very few visitors to the site. Is twice a year Graceful Reboot just fine?

 

[cPanelMichael]

Hello,

Some services do require a full reboot of the system. You can use the --reboothint flag to see if that's the case on your system:

 /usr/bin/needs-restarting --reboothint

However, there's no harm in restarting the services that don't require a reboot until you can schedule a good time to reboot the system. For example, you can restart the following services listed in your output without rebooting the system:

/scripts/restartsrv_nscd
/scripts/restartsrv_sshd
/scripts/restartsrv_rsyslogd
/scripts/restartsrv_crond

Access to the services you are restarting should only be limited during the few seconds it takes to complete the restart.

I'm eyeing for simple long-term solution. Twice a year we would have an event where there is very few visitors to the site. Is twice a year Graceful Reboot just fine?

I'd aim to reboot the system when a new kernel is available, at a minimum. Otherwise, you may want to consider a third-party solution such as KernelCare to avoid reboots during kernel updates:

CloudLinux - Main | New template

Thank you.

 

[David Colter]

Not working code snippets: Two couple comments (unable to post there due to age) from posts in:

How often should you do a Graceful Server Reboot?

Some services do require a full reboot of the system. You can use the --reboothint flag to see if that's the case on your system:

# /usr/bin/needs-restarting --reboothint

Usage:

    needs-restarting: Report a list of process ids of programs that started

                    running before they or some component they use were updated.


needs-restarting: error: no such option: --reboothint

Additionally, running

# /scripts/restartsrv_sshd
# /scripts/restartsrv_cpsrvd

did not remove them from the list of services that need restarting.

Their PID's did not change either.

 

[cPanelMichael]

Hello @David Colter,

The "--reboothint" flag is only supported on CentOS 7. Additionally, simply restarting the service may not work in all cases. There's additional discussion of this topic at:

Restart services without rebooting server?

Thank you.