Which packages require a system reboot after the update?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

  • It is commonly known that reboots are required to load a newly-installed kernel, but which other packages require a reboot after being updated?

Resolution

  • Red Hat recommends that systems be rebooted after installation of an updated package. This ensures that all processes and services benefit from updates to core libraries and services. Such reboots do come at a cost to system uptime, however, which we know many customers are keen to avoid. This article outlines when a reboot is required, best practice for customers following updates, and guidance on particular package update scenarios.

  • Each of the following packages requires1 a reboot in order to be fully-utilized. This list is for informational use and subject to change at Red Hat's discretion.

  • Red Hat Enterprise Linux 5:

    • kernel
    • kernel-smp
    • kernel-PAE
    • kernel-xen
    • glibc2
    • hal
  • Red Hat Enterprise Linux 6:

    • kernel
    • *-firmware-*
    • glibc[^2]
    • hal
  • Red Hat Enterprise Linux 7:

    • kernel
    • glibc[^2]
    • linux-firmware
    • systemd
    • udev
    • dbus
    • openssl-libs
    • gnutls
    • kernel-rt
  • Red Hat Enterprise Linux 8:

    • kernel
    • glibc[^2]
    • linux-firmware
    • systemd
    • dbus
  • The needs-restarting command will find out if a full reboot is required or not.

    # needs-restarting -r
    

Note:- Full reboot is required (returns 1) or not (returns 0). The package yum-utils should be installed.

  • The 'needs-restarting' command is not available in RHEL 5.
  • The 'needs-restarting' command is available in RHEL 6, but is silent (meaning there is no output, the '-r, --reboothint' flag is not available for this version).

  • For packages that provide a service (e.g. xen, bind, cronie, cups, ntp, openssh-server), restarting the service after updating the package is sufficient to make use of the updated binaries34. Similarly to system reboots, Red Hat is aware that restarting services may also incur downtime for the provided service.

  • For packages that provide both services and daemons (e.g. dbus), restarting all daemons and services by bringing the system down to single user mode (runlevel 1), and back up to the previous runlevel, is the recommended best practice.

  • NOTE: All errata pushed live to RHN after September 16 2015 for packages listed above will be tagged as "reboot_suggested" on RHN Classic Hosted and Red Hat Satellite 5.6/5.7 so customers can be aware and decide to boot systems after applying these errata.


  1. Note : This doesn't mean it is strictly required to reboot the system immediately after updating these packages. 

  2. Typically it is sufficient to restart services after applying a non-security glibc erratum (i.e. RHBA rather than RHSA). The restarted services will immediately make use of the new glibc runtime. Until that time, such services will continue to use the earlier version of those libraries, having been loaded by the dynamic linker at service startup. Note that, depending on the nature of the bug being fixed, it may not be necessary to immediately restart the service. Lastly, disk space will continue to be consumed by the old runtimes until all packages referencing them close their open file descriptors allowing the kernel to free the reserved storage. 

  3. This excludes any updates to packages which have an explicit or implicit dependency on kernel updates; in these cases a reboot is still required to benefit from the updates to those packages. 

  4. Updates to security-sensitive libraries, such as openssl and gnutls, are especially important. Any services that depend on such libraries should be restarted to ensure that related errata are effectively used. In the case of updates to significant vulnerabilities, a full reboot is still the conservatively correct approach. 

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

13 Comments

It would be nice to have a flag in the yum output to recommend reboots when necessary.

I agree with you, such as Debian system using the flag /var/run/reboot-required.pkgs.
This file containt the list of package that need reboot and it will delete after reboot.

If you install the yum-utils package, you can do this:

List any services that need restarting:

needs-restarting -s

List any services that require a reboot, and if so, return 1:

needs-restarting -r

AIX has such a flag. It is nice to be able to determine if you need a downtime/reboot or not.

How does a Satellite 5.7 admin see the reboot_suggested tag?
I do not see it for the latest RHEL 7 kernel: any tag in the rpm overview.
Also as others asked in the comments, can the tag be viewed using rpm of yum?

Does it now support kpatch?

This article says it applies to RHEL 5/6/7, but RHEL 6, the needs-restarting command doesnt support the -r argument [root@/]# needs-restarting -r Usage: needs-restarting: Report a list of process ids of programs that started running before they or some component they use were updated.

needs-restarting: error: no such option: -r

Yes Nathan. That is correct. This doesn't work in RHEL6 release. I've updated the 'yum-utils' package as well and tested. When I run the command "needs-restarting -r" it says there is no such option. But works good on RHEL7.

Red Hat team, please update the knowledge base with proper details.

What about microcode_ctl updates? Afaik the server should be rebooted afterwards, so shouldn't needs-restarting -r detect that as well?

"The 'needs-restarting' command is available in RHEL 6, but is silent (meaning there is no output, the '-r, --reboothint' flag is not available for this version)."

What does this statement mean for the command on RHEL6 . I updated the kernel and together with it kernel-firmware was updated. But the command has no output and $? shows 0. So how does this command work or help in RHEL6?

needs-restarting

echo $? 0

uname -a Linux sgpvmc0054 2.6.32-754.33.1.el6.x86_64 #1 SMP Mon Aug 10 10:29:45 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux

Either the glibc in RHEL5 is more "square" than in RHEL 6/7/8 or someone needs to correct the syntax for the footnote references on RHEL 6/7/8:

RHEL5: glibc2

RHEL6/7/8: glibc[^2]

Alas... not sure how to get the html syntax to appear as text and not the link... but I guess you get the point.

Maybe I am mistaken, but it seems to me that every time there is an update to google-chrome a reboot is required which is most annoying. When I am in windows there is a button in the upper right hand corner that says update, I click on it, and the browsers closes and reopens in its past state which is very convenient.

More importantly, it seems like there should be a "needs rebooting" tag that is associated with Security patches. Patches can normally be installed sooner if a full downtime is not required.