checkrestart

Find processes that need restarting after an upgrade

2020-02-26

checkrestart is a FreeBSD semi-workalike of the old checkrestart program from debian-goodies — it looks for running processes with open files to replaced binaries and libraries, indicating they’ve not been restarted since a software update.

It is a C program using the libprocstat(3) and sysctl(3) interfaces, with output handled using libxo(3), providing both traditional text-based output, and structured JSON and XML for consumption by other programs:

-# checkrestart
  PID   JID NAME         UPDATED COMMAND
44960     0 weechat      Binary  weechat
84169     0 zsh          Binary  /usr/local/bin/zsh
81345     0 tmux         Binary  tmux: server (/tmp/tmux-1001/default)

-# checkrestart --libxo=json,pretty 44960
{
  "__version": "1",
  "checkrestart": {
    "process": [
      {
        "pid": 44960,
        "jid": 0,
        "name": "weechat",
        "updated": "Binary",
        "command": "weechat"
      }
    ]
  }
}

And indeed, I have an old tmux-attached weechat client hanging around, running under an old shell.

Here’s an example of it detecting a stale library after an upgrade:

...
[11/15] Upgrading mod_php72 from 7.2.27 to 7.2.28...
...

-# checkrestart
  PID   JID NAME         UPDATED COMMAND
66750     0 httpd        Library /usr/local/sbin/httpd
...

In the name of keeping the program simple, and unlike my previous implementation in pkg-cruft, checkrestart makes no attempt to guess or detect what package a program belongs to, if any. Such things are probably best left to other tools.

checkrestart is available in the FreeBSD ports system under sysutils/checkrestart, which even includes a periodic(8) security script so it can spam you about any stale processes.

periodic.conf:

security_checkrestart_enable="YES"

“daily security run output” email:

Checking for stale processes:
  PID     JID USER         COMMAND      WHY ARGUMENTS
  86026     0 freaky       tmux         .so /usr/local/bin/tmux