Trying to completely automate software updates, including reboot

I’m trying to set up dnf-automatic-install to

  1. call rkhunter --propupd when software is updated
  2. reboot when a new kernel is installed

I’m running Fedora 34, and using dnf-automatic, set to install any updates. I have added a ExecStopPost line to dnf-automatic-install.service, which calls a script:

ExecStopPost=/bin/sh -c '/root/bin/dnf-automatic-stop-post'

The problem is that this script is called every time dnf-automatic is run, even when no software is updated. How can I get it to run only after updates?

If I must, I’ll write a script that duplicates dnf-automatic, using the exit code from:

dnf check-update

The documentation says it returns exit code 100 when there is updates, but it returns 0. Do I have to write a parser to solve this issue, or am I doing it wrong?

I’m trying to do what I want using the stock Fedora utilities, but when they don’t work as advertised, this makes it frustrating.

Could you use DNF needs-restarting?

Thanks for your reply! The issue with needs-restarting is it seems to be broken:

root@bix[~]# dnf needs-restarting -r
Core libraries or services have been updated since boot-up:
  * kernel
  * systemd

Reboot is required to fully utilize these updates.
More information: https://access.redhat.com/solutions/27943

This is just after I rebooted. The kernel and systemd are up to date, so I don’t know why it’s telling me it needs restarting when it doesn’t need restarting. Am I missing something?

That’s odd, it’s working fine for me.

sudo dnf history --rev

Show anything?

dnf-utils-4.0.22-1.fc34.noarch
I’m using aarch64 on a pi, and x86_64 on various Intel CPUs, all with the same result.

What output are you getting exactly?

dnf history --rev

shows me nothing out of the ordinary. The last kernel update was before the last reboot.

No core libraries or services have been updated since boot-up.
Reboot should not be necessary.

So it looks like some are reporting as expected, some not. Oh dear. Not encouraging at all. I don’t know if there are any differences between the hosts.

Could you check: 1960437 – needs-restarting calculating wrong boot time and the associated PR

I just reinstalled linux firmare and verified it needed reboot and after a reboot it no longer indicated a reboot was needed.

I’m also on 4.0.22-3 on F35 at the moment, but it looks like the only additional commit had to do with enabling copr.

The hosts with the issue all know their last reboot times, and have up to date clocks. Puzzling.

The copr repo version you linked to does not solve the problem.

Works for me on Fedora 34:

sudo dnf check-update &> /dev/null; \
if [ "${?}" -eq "100" ]; then ...; fi

Returning to the rkhunter part of the original question: one way to check if it needs to be rerun would be to compare the date of the most recent transaction from dnf history list with the timestamp of a separate timestamp file. You might wish to use date +%s --date=… to get the timestamp in a convenient format.

Perhaps you already parse the output of dnf history to know what packages to do propupd on so you don’t accidentally hide actual changes rkhunter should have warned about?

For the restart part, dnf needs-restarting -r will (when it is working) signal more than just a kernel update. But perhaps it is actually closer to what you really want for that part of the script?

I wrote a script that calls the update check, then if an update is pending, regular rkhunter, then if no errors, does the update, then the propupd.

After weeks of grief trying to get systemd dnf-automatic.sevice to work consistently, my script was written in a couple of hours and works reliably 100% of the time, with full logging.

I’ve learned the hard way that if a part of the systemd borg gets in the way, turn it off instead of trying to fix it.