Tools: Stop Rebooting Linux Just in Case: Practical `needrestart` After APT Upgrades

If you manage Debian or Ubuntu systems long enough, you eventually hit the same messy question after `apt upgrade`: "Do I actually need to reboot this machine, or do I just need to restart a few services?"

A lot of admins solve that uncertainty with habit: reboot everything. It works, but it is often unnecessary, and on production boxes it can be a sloppy answer to a more precise problem.

needrestart is the tool built for that gap. It checks which running processes still use old libraries after package upgrades, can detect pending kernel upgrades, and integrates with APT through hooks. This guide shows a safe, practical workflow for using it without turning every patch cycle into an avoidable reboot.

What needrestart actually does

According to the Debian and Ubuntu man pages, needrestart checks which daemons need to be restarted after library upgrades. It also supports checking for an obsolete kernel, and in batch mode it can produce machine-friendly output for scripting and monitoring.

That distinction matters:

- some updates only require service restarts
- some updates leave user sessions or daemons mapped to old libraries
- kernel changes still require a reboot to boot into the new kernel

So the question is not just "was there an update?" It is "what is still running the old code?"

Why this is different from unattended-upgrades

unattended-upgrades is the mechanism that installs approved updates automatically. Its own documentation says it logs activity to:

- /var/log/unattended-upgrades/unattended-upgrades.log
- /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

That tells you what got installed. needrestart tells you what still needs attention after installation.

One subtle but important behavior from the needrestart man page: if it is configured for interactive mode but runs in a non-interactive context such as unattended-upgrades, it falls back to list-only mode. That is a good default for automation, because it avoids surprise restarts during unattended patching.

Install it

```bash
sudo apt update
sudo apt install needrestart
```

```bash
needrestart -v
```

If the package is present but your normal patch workflow has never shown any needrestart summary, it is still worth running manually once after an upgrade.

The safest manual workflow

After upgrading packages, run needrestart in list-only mode first:

```bash
sudo apt upgrade
sudo needrestart -r l
```

- `-r l` means list-only restart mode
- it reports what needs a restart without restarting anything
- it can also report whether the running kernel is older than the installed one

This is the mode I recommend first on servers, especially if you are patching over SSH or touching stateful workloads.

Example: service restart instead of full reboot

Imagine you upgraded OpenSSL or glibc on a host running Nginx, SSH, and a few app services. A cautious workflow looks like this:

```bash
sudo apt upgrade
sudo needrestart -r l
sudo systemctl restart nginx
sudo systemctl restart myapp.service
sudo needrestart -r l
```

The check runs twice because the first pass tells you what is stale. After you restart the affected services, the second pass confirms whether you cleared the backlog or whether a reboot is still justified.

You can also inspect service state directly:

```bash
systemctl status nginx --no-pager
systemctl status myapp.service --no-pager
```

Batch mode for automation and monitoring

One of needrestart's most useful features is batch mode:

```bash
sudo needrestart -b
```

The upstream batch-mode documentation shows output like this:

```
NEEDRESTART-VER: 2.1
NEEDRESTART-KCUR: 3.19.3-tl1+
NEEDRESTART-KEXP: 3.19.3-tl1+
NEEDRESTART-KSTA: 1
NEEDRESTART-SVC: systemd-journald.service
NEEDRESTART-SVC: systemd-machined.service
```

- NEEDRESTART-SVC lists services that should be restarted
- NEEDRESTART-KCUR is the current kernel
- NEEDRESTART-KEXP is the expected kernel
- NEEDRESTART-KSTA is kernel status

Upstream documents these kernel status values:

- 0: unknown or failed to detect
- 1: no pending upgrade
- 2: ABI-compatible upgrade pending
- 3: version upgrade pending

That makes batch mode easy to wire into health checks.

A small shell check for alerts

```bash
#!/usr/bin/env bash
set -euo pipefail

# Capture the machine-readable report once and echo it for the log.
out=$(sudo needrestart -b)
echo "$out"

# KSTA 2 or 3 means a kernel upgrade is pending.
if grep -q '^NEEDRESTART-KSTA: [23]$' <<<"$out"; then
  echo "Kernel reboot pending"
fi

# Any NEEDRESTART-SVC line names a service that should be restarted.
if grep -q '^NEEDRESTART-SVC:' <<<"$out"; then
  echo "One or more services need restart"
fi
```

You could run that from a systemd timer, a monitoring agent, or a post-upgrade audit script.

A practical reboot decision tree

Here is the simplest policy that stays honest:

Reboot the host when:

- needrestart shows a pending kernel upgrade
- you updated something that your own platform policy requires a reboot for
- you want a clean maintenance window reset after broad base-system changes

Prefer targeted service restarts when:

- only specific daemons are using old libraries
- the host runs long-lived services you can restart one by one
- you want to avoid rebooting a production node unnecessarily

Do a second verification pass when:

- you restarted the listed services manually
- you are patching a critical host and want proof that stale processes are gone

That second pass is the part many people skip, and it is where needrestart earns its keep.

Using it with unattended upgrades

If you already use unattended-upgrades, keep the responsibility split clean:

- let unattended-upgrades install packages
- review its logs if needed
- use needrestart output to decide between service restarts and a reboot

For hosts where you do not want the APT hook to run needrestart automatically, the man page documents `NEEDRESTART_SUSPEND` for suppressing the hook in an apt-get context.

```bash
sudo NEEDRESTART_SUSPEND=1 apt-get upgrade
sudo needrestart -r l
```

That gives you a fully explicit post-upgrade review step.

A tiny post-upgrade helper script

If you want a repeatable operator workflow, save this as /usr/local/sbin/post-apt-restart-check:

```bash
#!/usr/bin/env bash
set -euo pipefail

# List what needs a restart; never restart anything from this script.
sudo needrestart -r l || true

echo
echo "If services are listed, restart them selectively with:"
echo "  sudo systemctl restart <service>"
echo
echo "Then verify again with:"
echo "  sudo needrestart -r l"
```

```bash
sudo install -m 0755 post-apt-restart-check /usr/local/sbin/post-apt-restart-check
```

Then your patch routine becomes:

```bash
sudo apt update
sudo apt upgrade
sudo /usr/local/sbin/post-apt-restart-check
```

It is simple, but it turns post-upgrade guesswork into an explicit checklist.

What not to assume

- needrestart helps identify stale daemons and pending kernel upgrades, but it is not a substitute for application-specific maintenance knowledge.
- Restarting a service may still need coordination if the app has connection draining, clustering, or session-state concerns.
- A clean `needrestart -r l` result after service restarts is strong evidence, but your own change policy still wins.

In other words: use the tool to reduce blind reboots, not to skip judgment.

Final take

If your current post-update policy is "reboot because maybe," needrestart gives you a much sharper answer. Use `-r l` first, restart only what is actually stale, rerun the check, and reserve full reboots for when the kernel or your own operations policy genuinely requires them.

That is a better patching habit, and a calmer one.

- Debian man page, needrestart(1): https://manpages.debian.org/bookworm/needrestart/needrestart.1.en.html
- Ubuntu man page, needrestart(1): https://manpages.ubuntu.com/manpages/jammy/man1/needrestart.1.html
- Upstream needrestart repository: https://github.com/liske/needrestart
- Upstream batch-mode documentation: https://raw.githubusercontent.com/liske/needrestart/master/README.batch.md
- Debian package metadata for needrestart: https://packages.debian.org/bookworm/needrestart
- Debian man page, unattended-upgrade(8): https://manpages.debian.org/bookworm/unattended-upgrades/unattended-upgrade.8.en.html
- Ubuntu man page, unattended-upgrade(8): https://manpages.ubuntu.com/manpages/jammy/man8/unattended-upgrade.8.html
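
The batch-mode fields and the reboot decision tree from this guide, combined into one check. This is an added example, not code from the original article or from the needrestart project; the function name `needrestart_verdict`, the verdict strings and the exit-code mapping are assumptions of this example, and the sample input is constructed in the batch format the upstream documentation shows.

```shell
#!/bin/sh
# Added example: classify `needrestart -b` output for a monitoring check.
# Exit codes (an assumption of this example, following the usual plugin
# convention): 0 OK, 1 services need restart, 2 reboot pending, 3 unknown.
needrestart_verdict() {
    ksta=""
    svcs=""
    while IFS= read -r line; do
        case "$line" in
            "NEEDRESTART-KSTA: "*) ksta="${line#NEEDRESTART-KSTA: }" ;;
            "NEEDRESTART-SVC: "*)  svcs="$svcs ${line#NEEDRESTART-SVC: }" ;;
        esac
    done
    svcs="${svcs# }"

    case "$ksta" in
        2|3)
            # Pending kernel upgrade: only a reboot loads the new kernel.
            echo "REBOOT kernel-status=$ksta${svcs:+ services=$svcs}"
            return 2 ;;
        1)
            if [ -n "$svcs" ]; then
                echo "RESTART $svcs"
                return 1
            fi
            echo "OK"
            return 0 ;;
        *)
            # KSTA 0 (detection failed) or no KSTA line: never report clean.
            echo "UNKNOWN kernel-status=${ksta:-missing}${svcs:+ services=$svcs}"
            return 3 ;;
    esac
}

# Constructed sample in the batch format quoted in the article.
sample='NEEDRESTART-VER: 2.1
NEEDRESTART-KCUR: 3.19.3-tl1+
NEEDRESTART-KEXP: 3.19.3-tl1+
NEEDRESTART-KSTA: 1
NEEDRESTART-SVC: systemd-journald.service
NEEDRESTART-SVC: systemd-machined.service'

printf '%s\n' "$sample" | needrestart_verdict || true
# On a real host: sudo needrestart -b | needrestart_verdict
```

Treating status 0 or a missing KSTA line as UNKNOWN keeps a failed kernel detection from being reported as a clean host.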