Managing updates on Debian Wheezy servers presents a unique challenge: determining when a reboot is actually necessary. The common belief that /var/run/reboot-required is the definitive indicator isn't always reliable, as many administrators (myself included) have discovered through hands-on experience.
While kernel updates always require a reboot, other packages have more nuanced requirements. Let's examine your recent updates:
krb5-locales 1.10.1+dfsg-5+deb7u3
libdbus-1-3 1.6.8-1+deb7u6
libgssapi-krb5-2 1.10.1+dfsg-5+deb7u3
libk5crypto3 1.10.1+dfsg-5+deb7u3
libkrb5-3 1.10.1+dfsg-5+deb7u3
libkrb5support0 1.10.1+dfsg-5+deb7u3
libruby1.8 1.8.7.358-7.1+deb7u2
libxml2 2.8.0+dfsg1-7+wheezy3
ruby1.8 1.8.7.358-7.1+deb7u2
Here are three reliable ways to check if your system needs a reboot:
Method 1: Check Running Processes
Use this command to find processes using deleted library files:
sudo lsof +c0 -d DEL | grep 'lib.*\.so'
Method 2: Kernel Version Check
Compare running and installed kernel versions:
uname -a
dpkg -l | grep linux-image
Method 3: Package Manager Hints
Some newer Debian versions provide better tools:
sudo needrestart -b
For scripted solutions, consider this bash function:
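check_reboot_needed() {
    # Check for kernel update: compare the running kernel with the newest
    # installed linux-image package name (column 2 of dpkg -l, not the version)
    [[ $(uname -r) != "$(dpkg -l | awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ {print $2}' | cut -d- -f3- | sort -V | tail -1)" ]] && return 0
    # Check for processes still mapping deleted (replaced) shared libraries
    sudo lsof +c0 -d DEL | grep -q 'lib.*\.so' && return 0
    # Check traditional reboot marker
    [ -f /var/run/reboot-required ] && return 0
    return 1
}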
The Kerberos-related libraries (libkrb5, libgssapi) typically don't require reboots, but services using them might need restarting. For example:
sudo service ssh restart
sudo service apache2 restart
1. Implement a rolling restart strategy for clustered environments
2. Schedule reboots during low-traffic periods
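3. Use the at command for delayed reboots:
# Queue the job as root: at jobs run without a terminal, so sudo inside the job cannot prompt for a password
echo "shutdown -r now" | sudo at 2am tomorrow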
For sysadmins managing Debian Wheezy servers, one persistent question emerges: When exactly should I reboot after updates? You're absolutely right that constantly rebooting production servers isn't practical, especially when handling frequent security updates across multiple machines.
While the /var/run/reboot-required file is the standard indicator, Debian Wheezy (being older) doesn't always create it. Here are more reliable methods:
# Method 1: Check running kernel vs installed kernel
uname -r
dpkg -l | grep linux-image
# Method 2: List packages that requested a reboot (present only when the reboot marker was written)
cat /var/run/reboot-required.pkgs
# Method 3: Using needrestart (for newer Debian)
sudo apt install needrestart
sudo needrestart -r l
For your recent package updates:
- krb5/krb5-locales/libkrb*: Kerberos authentication libraries - typically don't require reboot
- libdbus-1-3: Message bus system - may require restart of DBus services (not full reboot)
- libruby1.8/ruby1.8: Ruby interpreter - requires restart of Ruby services
- libxml2: XML parsing library - applications using it need restart
Create this monitoring script (/usr/local/bin/check-reboot-needed):
#!/bin/bash
# Check if reboot is needed after updates (run as root so lsof sees all processes)

# Kernel check: newest installed kernel image by version, not by file mtime
CURRENT_KERNEL=$(uname -r)
NEWEST_KERNEL=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|^/boot/vmlinuz-||' | sort -V | tail -1)
if [ -n "$NEWEST_KERNEL" ] && [ "$CURRENT_KERNEL" != "$NEWEST_KERNEL" ]; then
    echo "[!] Kernel update requires reboot"
    exit 1
fi

# Check for critical library updates: processes still mapping a deleted
# (replaced) libc or libssl, using the lsof check shown earlier
LIB_UPDATES=$(lsof +c0 -d DEL 2>/dev/null | grep -E '/(libc|libssl)[-.]')
if [ -n "$LIB_UPDATES" ]; then
    echo "[!] Critical libraries updated:"
    echo "$LIB_UPDATES"
    exit 1
fi

# Traditional reboot-required check
if [ -f /var/run/reboot-required ]; then
    echo "[!] Reboot required file exists"
    exit 1
fi

echo "[OK] No reboot required"
exit 0
Instead of full reboots, consider targeted service restarts:
# After libxml2 update
sudo service apache2 restart
sudo service nginx restart
# After Ruby updates
sudo service unicorn restart
sudo service passenger restart
# After DBus updates
sudo service dbus restart
Add this to your apticron post-update script:
#!/bin/sh
/usr/local/bin/check-reboot-needed
if [ $? -eq 1 ]; then
    echo "Server $(hostname) requires reboot" | mail -s "Reboot Alert" admin@example.com
fi