[Bug 2017401] [NEW] Unexpected / unwanted unattended-upgrades behaviour after kernel upgrade when Livepatch enabled

Launchpad Bug Tracker 2017401 at bugs.launchpad.net
Thu Jan 4 16:28:17 UTC 2024


You have been subscribed to a public bug by Benjamin Drung (bdrung):

Following the resolution for bug #1747499, after a kernel upgrade when
Livepatch is enabled, the current behaviour in unattended-upgrades
(2.3ubuntu0.2 and later) is not to touch /var/run/reboot-required so as
not to confuse users with two separate messages calling for a restart in
motd. This functionality is implemented in the script at
/etc/kernel/postinst.d/unattended-upgrades.

While this works as intended in terms of suppressing an extra message in
motd, it defeats the ability of unattended-upgrades to restart
automatically with the new kernel, which is reliant on
/var/run/reboot-required being present.

This is unexpected / unwanted behaviour in scenarios where a) Livepatch
is being used to provide fast-response kernel patching; and b)
Unattended-Upgrade::Automatic-Reboot is set to true, to enable automatic
reboots during a regular maintenance window. In this case, without
administrative intervention, the system could never boot into the new
kernel even though it would be expected to, leaving Livepatch to do all
the heavy lifting indefinitely, and unnecessarily.

I believe this counts as a regression caused by the resolution to bug
#1747499. It also has the potential to be a security threat if Livepatch
doesn't work comprehensively for a particular kernel flaw, and an
administrator is reliant on expected behaviour according to
unattended-upgrades settings.

Potential options for a fix that come to mind:
1. Revert to original behaviour in /etc/kernel/postinst.d/unattended-upgrades, and change the ***System restart required*** message to be less alarming or confusing when the cause is a kernel upgrade that's being patched by Livepatch.
2. Add an extra configuration setting (e.g. Unattended-Upgrade::Automatic-Reboot-After-Livepatch) that triggers a reboot when it's 'recommended' by Livepatch, not reliant on the presence of /var/run/reboot-required.
3. Add support in /etc/kernel/postinst.d/unattended-upgrades for an extra file somewhere. When present, /var/run/reboot-required is always touched, even if Livepatch is enabled.

(This is my first time reporting a bug in this system, and I apologise
if I haven't followed the usual descriptive format.)

** Affects: unattended-upgrades (Ubuntu)
     Importance: Undecided
     Assignee: Canonical Server (canonical-server)
         Status: Confirmed

** Affects: unattended-upgrades (Ubuntu Focal)
     Importance: Undecided
         Status: Confirmed

** Affects: unattended-upgrades (Ubuntu Jammy)
     Importance: Undecided
         Status: Confirmed


** Tags: focal foundations-todo fr-5133 regression-update
-- 
Unexpected / unwanted unattended-upgrades behaviour after kernel upgrade when Livepatch enabled
https://bugs.launchpad.net/bugs/2017401
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to the bug report.
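
Added example, not part of the original report and not code from unattended-upgrades: a host-side check for the condition described above, where a newer kernel is installed than the one running but /var/run/reboot-required is absent, so Unattended-Upgrade::Automatic-Reboot has nothing to act on. The function names and the `--check` switch are hypothetical, and the script assumes kernel images are installed as /boot/vmlinuz-<version> and that GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example: flag hosts that will never auto-reboot into a newer kernel
# because the reboot-required flag file was not created.

# Print the highest kernel version that has a vmlinuz-<version> image in $1.
newest_installed_kernel() {
    for img in "$1"/vmlinuz-*; do
        [ -e "$img" ] || continue            # glob matched nothing
        printf '%s\n' "${img##*/vmlinuz-}"   # keep only the version part
    done | sort -V | tail -n 1               # version sort: 100 > 91
}

# Classify a host.
#   $1 = running kernel version (uname -r)
#   $2 = directory holding kernel images
#   $3 = path of the reboot-required flag file
# Prints: current | flagged | unflagged
reboot_gap_status() {
    newest=$(newest_installed_kernel "$2")
    # Highest of "running" and "newest installed"; empty input sorts first.
    top=$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n 1)
    if [ "$top" = "$1" ]; then
        echo current      # nothing newer installed than what is running
    elif [ -e "$3" ]; then
        echo flagged      # flag present: automatic reboot can be triggered
    else
        echo unflagged    # newer kernel installed, no flag: the reported gap
    fi
}

# Run against the live system only when asked to (hypothetical switch).
if [ "${1:-}" = "--check" ]; then
    reboot_gap_status "$(uname -r)" /boot /var/run/reboot-required
fi
```

An `unflagged` result on a host with Livepatch enabled and Automatic-Reboot set to true is the case the report describes; such hosts need a manual or separately scheduled reboot until the flag behaviour changes.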


