13

I want to update glibc according to RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html

Is it required to restart a server after the glibc upgrade?

Michael

3 Answers

23

A restart is not technically required, because only programs which use glibc need to be restarted, and the kernel does not use glibc.

That being said, restarting everything that uses glibc is sufficiently broad that you might as well just reboot.

For example, /sbin/init uses glibc. However, restarting it is trivial (run `init u` as root).

gowenfawr
  • OTOH I seriously doubt that `init` is vulnerable due to the CVE :) – Erbureth Jan 28 '15 at 14:57
  • @Erbureth, I agree, but I think "I think _this program_ is vulnerable, I think _that program_ is not" is "a strange game. The only winning move is not to play." – gowenfawr Jan 28 '15 at 16:06
  • sysvinit is safe (no DNS calls, and often but not always statically linked too). `systemd` appears to have a resolver all of its own. In my experience replacing libraries used by long-running processes can cause instabilities. Reboot, and be happy. – mr.spuratic Jan 28 '15 at 17:20
  • sysvinit can be restarted. Issue the command `init u` and it will exec /sbin/init. – Joshua Jan 29 '15 at 00:03
  • FYI: [Restarting init without restarting the system](http://unix.stackexchange.com/questions/181782/restarting-init-without-restarting-the-system) – Gilles 'SO- stop being evil' Jan 29 '15 at 21:55
  • @gowenfawr Someone was asking how to play the game yesterday: http://superuser.com/questions/870805/determine-vulnerable-programs-affected-by-glibcs-ghost-bug – Barmar Jan 30 '15 at 18:43
  • @Barmar to continue the movie quotes, "See, the sad thing about a guy like that is in 50 years he's gonna staht doin some thinkin on his own and he's gonna come up with the fact that there are two certainties in life. One, don't do that. And Two, he wasted a lot of time and energy looking for someone to tell him answers and give him fancy shell scripts to try and assure him of something he'd get for free if he'd just throw it a reboot." – gowenfawr Jan 30 '15 at 18:54
9

If you are happy with manually restarting individual services that are using the vulnerable library, you can run this command and restart the listed processes:

# lsof | awk '/libc-/ {print $1}' | sort -u

You will probably find it will be easier to restart the machine entirely.

deed02392
  • `lsof | awk '/DEL.*libc/{print $1}' | sort -u` to match only on those that link to the now _deleted_ (after the update) libc. – sch Jan 28 '15 at 15:38
  • Did anyone actually check the output of `lsof | grep libc`? It matches a ton of libraries including libcurl, libcups, libcairo etc. Grepping for `libc-` seems to produce the correct results. –  Jan 28 '15 at 16:28
  • That's a pretty roundabout and inaccurate method. [How do I detect running processes using a library package?](http://unix.stackexchange.com/questions/181697/how-do-i-detect-running-processes-using-a-library-package) Anyway, for glibc, the answer is pretty much every process. What would be useful would be to know which processes are left over with the old copy, and this command won't tell you. – Gilles 'SO- stop being evil' Jan 29 '15 at 21:56
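The question raised in the comments above (which processes are still running with the *old* glibc after the package update) can be answered without `lsof` by reading `/proc/PID/maps`: once the package manager replaces the file, the kernel tags the still-mapped old copy with `(deleted)`. The script below is an added example, not from the answer or the comments; the sample maps lines are constructed, and the `libc[-.]` pattern is an assumption that the real library is named `libc-VERSION.so` or `libc.so.6`, so that `libcurl`, `libcups` and `libcairo` are not matched.

```shell
#!/bin/sh
# Added example: find processes that still map a glibc that has been replaced
# on disk. After the update, /proc/PID/maps shows the old file as "(deleted)".

# stale_libc_paths: reads one process's maps text on stdin and prints each
# distinct deleted libc path ($6 is the path field; the "(deleted)" tag is $7).
# The pattern libc[-.] matches libc-2.12.so and libc.so.6 but not libcurl etc.
stale_libc_paths() {
    awk '/\/libc[-.][^ ]* \(deleted\)$/ { print $6 }' | sort -u
}

# has_stale_libc: exit 0 if the maps text on stdin references a deleted libc.
has_stale_libc() {
    [ -n "$(stale_libc_paths)" ]
}

# scan_procs: walk /proc and print "PID COMM OLD_LIBC" for every process that
# needs a restart. Reading other users' maps requires root.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        old=$(stale_libc_paths < "$maps" 2>/dev/null) || continue
        if [ -n "$old" ]; then
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$old"
        fi
    done | sort -n
}

# Constructed sample maps content (not captured from a real host) for self-test.
SAMPLE_STALE='7f1c3a200000-7f1c3a3b3000 r-xp 00000000 fd:00 131103 /lib64/libc-2.12.so (deleted)
7f1c3a3b3000-7f1c3a5b3000 ---p 001b3000 fd:00 131103 /lib64/libc-2.12.so (deleted)
7f1c3a800000-7f1c3a850000 r-xp 00000000 fd:00 131250 /usr/lib64/libcurl.so.4.1.1'
SAMPLE_FRESH='7f1c3a200000-7f1c3a3b3000 r-xp 00000000 fd:00 131200 /lib64/libc-2.12.so
7f1c3a800000-7f1c3a850000 r-xp 00000000 fd:00 131250 /usr/lib64/libcurl.so.4.1.1 (deleted)'

# Run the live scan only when asked: sh thisscript.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

An empty result from `scan_procs` means no running process still maps the pre-update glibc; any listed PID has to be restarted (or the box rebooted) before the fix is effective for it.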
7

Yes, so the processes that depend on the old version of glibc start again with the new version of the library. Statically linked programs also need to be recompiled for this reason.

Ohnana
  • Static linking is probably rare though, given the interactions of DNS functions with NSS, glibc and the [historical biases of the former glibc maintainer](http://www.akkadia.org/drepper/no_static_linking.html). – mr.spuratic Jan 28 '15 at 17:32