Sonarqube blacklist not possible

[735trv]

Hi @liske,
I've a Debian server on which Sonarqube (Community EditionVersion 9.4 build 54424) is installed. When running needrestart, it always reports that the sonarqube service needs a restart. Unfortunately adding it to the blacklist didn't work. Would be nice if you could check this. Thanks! 🙂

systemctl edit --full sonarqube

[Unit]
Description=SonarQube Server service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop

User=sonar
Group=sonar
Restart=always
LimitNOFILE=131072
LimitNPROC=8192
TimeoutStartSec=5

[Install]
WantedBy=multi-user.target

cat /etc/needrestart/conf.d/blacklist_mappings.conf

push @{ $nrconf{blacklist_mappings} }, qr(^/opt/sonarqube/);

[koitsu]

If you run needrestart -b -vvvv what do you end up seeing as the applicable program path? Your unit has a shell script wrapper, so what you might think to match may not be what you actually need to match. Why? Because blacklist_mappings actually reads /proc/PID/maps. If those wrapper scripts use exec to replace the existing process space when the daemon launches, the actual process path in /proc/PID/maps won't talk about the script, but potentially some other binary.

[735trv]

@koitsu Thanks for your explanation. Understand now how this works in the background 👍

This is the output

[main] eval /etc/needrestart/needrestart.conf
[main] eval /etc/needrestart/conf.d/blacklist_mappings.conf
[main] needrestart v3.5
[main] running in root mode
[main] systemd detected
[main] vm detected
NEEDRESTART-VER: 3.5
[Core] #602 is a NeedRestart::Interp::Python
[Python] #602: source=/usr/share/unattended-upgrades/unattended-upgrade-shutdown
[main] #1085 uses obsolete binary /usr/bin/xfsettingsd
[main] #1085 is a child of #893
[Core] #1144 is a NeedRestart::Interp::Perl
[Perl] #1144: source=/opt/asbru/asbru-cm
[Core] #1168 is a NeedRestart::Interp::Python
[Python] #1168: source=/usr/share/system-config-printer/applet.py
[Core] #80004 is a NeedRestart::Interp::Java
[Core] #80032 is a NeedRestart::Interp::Java
[Core] #80156 is a NeedRestart::Interp::Java
[Core] #80156 uses obsolete script file(s):
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/l10nde/sonar-l10n-de-plugin-1.2.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/config/sonar-config-plugin-1.2.0.267.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/go/sonar-go-plugin-1.9.0.3429.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/iac/sonar-iac-plugin-1.7.0.2012.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/sonarscala/sonar-scala-plugin-1.9.0.3429.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/csharp/sonar-csharp-plugin-8.36.1.44192.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/text/sonar-text-plugin-1.0.0.120.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/php/sonar-php-plugin-3.23.1.8766.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/ruby/sonar-ruby-plugin-1.9.0.3429.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/java/sonar-java-plugin-7.11.0.29148.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/python/sonar-python-plugin-3.12.0.9583.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/javascript/sonar-javascript-plugin-9.1.0.17747.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/kotlin/sonar-kotlin-plugin-2.9.0.1147.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/xml/sonar-xml-plugin-2.5.0.3376.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/vbnet/sonar-vbnet-plugin-8.36.1.44192.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/flex/sonar-flex-plugin-2.7.0.2865.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/jacoco/sonar-jacoco-plugin-1.1.1.1157.jar
[Core] #80156  /opt/sonarqube/data/web/deploy/plugins/web/sonar-html-plugin-3.6.0.3106.jar
[main] #80156 is a child of #80004
[Core] #80207 is a NeedRestart::Interp::Java
[Core] #80207 uses obsolete script file(s):
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/javascript/sonar-javascript-plugin-9.1.0.17747.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/xml/sonar-xml-plugin-2.5.0.3376.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/flex/sonar-flex-plugin-2.7.0.2865.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/java/sonar-java-plugin-7.11.0.29148.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/php/sonar-php-plugin-3.23.1.8766.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/go/sonar-go-plugin-1.9.0.3429.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/ruby/sonar-ruby-plugin-1.9.0.3429.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/l10nde/sonar-l10n-de-plugin-1.2.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/jacoco/sonar-jacoco-plugin-1.1.1.1157.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/sonarscala/sonar-scala-plugin-1.9.0.3429.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/text/sonar-text-plugin-1.0.0.120.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/python/sonar-python-plugin-3.12.0.9583.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/vbnet/sonar-vbnet-plugin-8.36.1.44192.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/web/sonar-html-plugin-3.6.0.3106.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/config/sonar-config-plugin-1.2.0.267.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/iac/sonar-iac-plugin-1.7.0.2012.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/csharp/sonar-csharp-plugin-8.36.1.44192.jar
[Core] #80207  /opt/sonarqube/temp/ce-exploded-plugins/kotlin/sonar-kotlin-plugin-2.9.0.1147.jar
[main] #80207 is a child of #80004
[Core] #98246 is a NeedRestart::Interp::Perl
[Perl] #98246: source=/opt/asbru/lib/asbru_conn
[Core] #167836 is a NeedRestart::Interp::Perl
[Perl] #167836: source=/opt/asbru/lib/asbru_conn
[Perl] #167836: use cached file list
[Core] #167871 is a NeedRestart::Interp::Perl
[Perl] #167871: source=/opt/asbru/lib/asbru_conn
[Perl] #167871: use cached file list
[main] #893 exe => /usr/bin/xfce4-session
[main] #893 part of user session: uid=1000 sess=1
[main] #80004 exe => /usr/lib/jvm/java-11-openjdk-amd64/bin/java
[Core] #80004 is a NeedRestart::Interp::Java
[Core] #80004 source is UNKNOWN
[main] #80004 is sonarqube.service
[main] inside container or vm, skipping microcode checks
[Kernel] Linux: kernel release 5.10.0-19-amd64, kernel version #1 SMP Debian 5.10.149-2 (2022-10-21)
[Kernel/Linux] /boot/vmlinuz-5.10.0-19-amd64 => 5.10.0-19-amd64 ([email protected]) #1 SMP Debian 5.10.149-2 (2022-10-21) [5.10.0-19-amd64]*
[Kernel/Linux] /boot/vmlinuz-5.10.0-18-amd64 => 5.10.0-18-amd64 ([email protected]) #1 SMP Debian 5.10.140-1 (2022-09-02) [5.10.0-18-amd64]
[Kernel/Linux] Expected linux version: 5.10.0-19-amd64
NEEDRESTART-KCUR: 5.10.0-19-amd64
NEEDRESTART-KEXP: 5.10.0-19-amd64
NEEDRESTART-KSTA: 1
NEEDRESTART-SVC: sonarqube.service

And yes, it is a wrapper script, for a Java application (Source)

[MarcFinetRtone]

For my specific usage (nexus in a docker), I had also to teach needrestart to ignore some files. Rather than ignoring the whole service (as suggested in #59 that in my case would make the whole containerd service to be restarted), I just ignored files from the mounted volume.

In fact there are multiple ignore mechanisms.

The logs

user@machine:~# needrestart -v                                                    
[main] eval /etc/needrestart/needrestart.conf                  
[main] needrestart v3.5                                                                                                                                                                                              
[main] running in root mode                                    
[Core] Using UI 'NeedRestart::UI::stdio'...                                                         
[main] systemd detected                                                                     
[Core] #760 is a NeedRestart::Interp::Python                                                                                                                                                                         
[Python] #760: source=/usr/bin/fail2ban-server                                                                                                                                                                       
[Core] #1441 is a NeedRestart::Interp::Java                                                                                                                                                                          
[Core] #1441 uses obsolete script file(s):                                                                
[Core] #1441  /nexus-data/cache/bundle191/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle244/version0.0/nexus-blobstore-s3-3.63.0-01.jar-embedded/aws-java-sdk-dynamodb-1.12.299.jar                                                                                    
[Core] #1441  /nexus-data/cache/bundle88/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle210/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle95/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle80/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle244/version0.0/nexus-blobstore-s3-3.63.0-01.jar-embedded/aws-java-sdk-cloudwatch-1.12.299.jar                                                                                  
[Core] #1441  /nexus-data/cache/bundle293/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle94/version0.0/bundle.jar
[Core] #1441  /nexus-data/cache/bundle360/version0.0/bundle.jar
[…]

The full file: /etc/needrestart/conf.d/ignore-nexus-files.conf

# Ignore nexus stuff
# ignore deleted JNA files (cf. https://github.com/liske/needrestart/commit/30d3b27033bacfc7650690a92a132b8bfe977980)
push(@{$nrconf{blacklist_mappings}}, qr#/jna\d+\.tmp( \(deleted\))?$#);
# ignore obsolete script files
push(@{$nrconf{blacklist_interp}}, qr(^/nexus-data));

Notes:

• yes, needrestart's a version is prior 30d3b27 (hence the first ignore line)
• the /nexus-data in the docker image is in fact /home/nexus/nexus-data in my host
• ignoring /nexus-data in blacklist_mappings was not helping, as you experienced @735trv