A patched library does not help a daemon until that daemon stops using the old mapped file. Needrestart closes that post-update gap on Ubuntu by scanning services, user sessions, containers, CPU microcode, and kernel state after package work, then showing which restarts or reboots still matter.
Ubuntu packages Needrestart in the default main repository for Ubuntu 26.04, 24.04, and 22.04. The install command and binary path stay the same across those releases, but package versions and APT hook behavior differ enough that restart policy deserves an explicit configuration step instead of relying on defaults.
Install Needrestart on Ubuntu
Refresh APT Metadata
Refresh package metadata from the enabled APT sources before installing Needrestart.
sudo apt updateThese commands use
sudofor package installation, systemd unit files, and root-owned configuration under/etc/needrestart/. If your account cannot run administrative commands yet, use the root account or add a new user to sudoers on Ubuntu first.
If you are adding Needrestart during a maintenance window, finish your broader package updates before interpreting its report. The separate Ubuntu package update workflow covers the full apt update, upgrade, and cleanup sequence.
Compare Needrestart Packages Across Ubuntu Releases
The Ubuntu package comes from main, so no PPA or vendor repository is required. Current APT metadata showed these release differences:
| Ubuntu Release | APT Candidate | Source | Operational Difference |
|---|---|---|---|
| Ubuntu 26.04 | 3.11-1ubuntu2 | main | Uses /usr/sbin/needrestart and an APT hook that calls apt-pinvoke -m u. |
| Ubuntu 24.04 | 3.6-7ubuntu4.5 | noble-updates and noble-security | Uses the same binary path as 26.04 and the same Ubuntu-mode APT hook. |
| Ubuntu 22.04 | 3.5-5ubuntu2.5 | jammy-updates | Uses the same binary path, but its APT hook calls apt-pinvoke without the newer -m u flag. |
The commands are identical on all three releases. The dependency set differs by release, especially on Ubuntu 22.04 where APT may install binutils if it is not already present, so let APT resolve dependencies instead of copying a dependency list by hand. The Ubuntu Needrestart source package on Launchpad shows Ubuntu’s packaged source, while the upstream Needrestart project is useful for release notes and deeper configuration reference.
Install Needrestart with APT
Install the Ubuntu package with APT.
sudo apt install needrestartAPT installs Needrestart, the Perl modules it uses for process scanning, and the packaged APT post-invoke hook. Needrestart is not a background daemon; it runs after package transactions through the hook or when you call the command manually.
Verify the Needrestart Command and Version
Check the command path, upstream version line, and package ownership before you use the tool in scripts or systemd units. The grep filter keeps the actual version record because Ubuntu’s Needrestart packages print a blank line before the version text.
command -v needrestart
needrestart --version | grep '^needrestart '
dpkg -S "$(command -v needrestart)"Ubuntu 26.04 reports this command path and version branch:
/usr/sbin/needrestart needrestart 3.11 - Restart daemons after library updates. needrestart: /usr/sbin/needrestart
Ubuntu 24.04 reports needrestart 3.6, and Ubuntu 22.04 reports needrestart 3.5. Use /usr/sbin/needrestart in custom units and scripts on Ubuntu, because that is the package-owned path on all three releases.
Confirm Needrestart APT Hook Files
List the package-owned hook and configuration files when you need to prove how Needrestart is integrated with APT.
dpkg -L needrestart | grep -E '/(99needrestart|apt-pinvoke|needrestart.conf)$'Relevant output includes:
/etc/apt/apt.conf.d/99needrestart /etc/needrestart/needrestart.conf /usr/lib/needrestart/apt-pinvoke
The file under /etc/apt/apt.conf.d/ calls Needrestart after successful package installs or upgrades. If you want predictable behavior across Ubuntu releases, set the restart mode explicitly before relying on the hook.
Control Needrestart Restart Behavior on Ubuntu
Needrestart has three restart modes. Choose the mode before you let APT transactions trigger service restart decisions on important servers.
| Mode | Meaning | Best Use |
|---|---|---|
l | List only | Reports services, sessions, kernel state, and containers without restarting anything. |
i | Interactive | Prompts in a real terminal so you can choose restart candidates. |
a | Automatic | Restarts eligible services without prompting; use only when brief interruptions are acceptable. |
Set List-Only Mode for Safer Defaults
List-only mode is the safest default for production systems because it reports stale services without restarting them during an APT transaction. Create a drop-in file so your policy survives package updates.
printf '%s\n' "\$nrconf{restart} = 'l';" | sudo tee /etc/needrestart/conf.d/restart-mode.conf > /dev/nullThat drop-in overrides the release-specific APT hook difference between Ubuntu 26.04, 24.04, and 22.04. Use i instead of l if you want terminal prompts, or a if you have already accepted automatic service restarts for that host.
Validate Needrestart Configuration Syntax
Needrestart configuration files use Perl syntax. Check the main file and the new drop-in before you trust the policy.
perl -c /etc/needrestart/needrestart.conf
perl -c /etc/needrestart/conf.d/restart-mode.confA clean configuration reports syntax OK for both files.
/etc/needrestart/needrestart.conf syntax OK /etc/needrestart/conf.d/restart-mode.conf syntax OK
For scripts, timers, and other noninteractive contexts, set the debconf frontend explicitly so Needrestart does not try to open a terminal UI.
sudo env DEBIAN_FRONTEND=noninteractive needrestart -r lThat command keeps the run list-only and prevents debconf frontend warnings in logs. Normal terminal use does not require the environment variable.
Use Needrestart on Ubuntu
List Restart Recommendations Safely
Start with list-only mode after package updates. It shows what needs attention without changing service state.
sudo needrestart -r lThe -r l option means restart mode list-only. Do not confuse it with the separate -l option, which limits the run to obsolete-library checks.
Needrestart output can include Services to be restarted, Service restarts being deferred, User sessions running outdated binaries, Pending kernel upgrade, container checks, VM guest checks, and CPU microcode hints. Treat each heading as a different action path: services may restart, deferred services need manual judgment, user sessions usually need logout or reconnect, and kernel state needs a reboot.
Run Needrestart Interactively
Interactive mode is useful when you are working in a real terminal and want to review restart candidates one by one.
sudo needrestartUse this mode during a hands-on maintenance window. Avoid it in cron jobs, systemd timers, unattended-upgrades hooks, or SSH automation that does not allocate a terminal.
Read Needrestart Batch Output
Batch mode prints records that are easier for scripts and monitoring checks to parse.
sudo needrestart -b| Record | Meaning |
|---|---|
NEEDRESTART-VER | Needrestart version branch used for the scan. |
NEEDRESTART-KCUR | Currently running kernel release. |
NEEDRESTART-KEXP | Expected installed kernel release. |
NEEDRESTART-KSTA | Kernel status value. 1 means no pending kernel upgrade; 3 means a versioned kernel upgrade needs a reboot. |
NEEDRESTART-SVC | Service unit that Needrestart considers stale. |
NEEDRESTART-SESS | User session that still has outdated binaries mapped. |
Needrestart also documents NEEDRESTART-KSTA value 0 for unknown or detection failure and 2 for an ABI-compatible kernel upgrade. Use those values as status signals, then send the human-readable report to the administrator who will decide when to restart services or reboot.
Run Component-Specific Checks
Use component-specific modes when you only need one part of the report.
sudo needrestart -k
sudo needrestart -l
sudo needrestart -w-kchecks whether the running kernel matches the expected installed kernel.-lchecks processes that are using obsolete shared libraries.-wchecks CPU microcode status when that check applies to the system.
For routine post-update maintenance, sudo needrestart -r l is usually more useful than the individual checks because it keeps the complete report while preventing restarts.
Restart Services Automatically After Review
Automatic restart mode restarts eligible services without prompting.
sudo needrestart -r aAutomatic mode can restart web servers, databases, remote-access helpers, print services, and other long-running units immediately. Review list-only output first and use automatic mode only when service interruptions are acceptable.
Configure Needrestart Policy on Ubuntu
Local policy belongs in /etc/needrestart/conf.d/. That keeps your changes separate from Ubuntu’s packaged /etc/needrestart/needrestart.conf file.
Adjust Needrestart Verbosity
Increase verbosity temporarily when you need more scan detail while troubleshooting.
printf '%s\n' "\$nrconf{verbosity} = 2;" | sudo tee /etc/needrestart/conf.d/verbosity.conf > /dev/nullA value of 0 is quiet, 1 is normal, and 2 is verbose. Remove the drop-in after the troubleshooting session if the extra output becomes noisy.
Keep Sensitive Services Out of Automatic Restarts
The override_rc hash controls whether matching services are selected for restart. Ubuntu’s packaged configuration already excludes sensitive units such as display managers, networking services, DBus, gettys, and some virtualization services. Add local overrides when your own service needs the same protection.
printf '%s\n' "\$nrconf{override_rc}->{qr(^postgresql)} = 0;" | sudo tee /etc/needrestart/conf.d/postgresql-override.conf > /dev/nullThe pattern uses Perl regular expressions. In this example, qr(^postgresql) matches service names that start with postgresql, and value 0 tells Needrestart not to select matching services for restart.
Exclude a Binary from Needrestart Scans
The $nrconf{blacklist} array excludes specific binary paths from stale-library checks. Add entries with push so you extend the packaged list instead of replacing it.
printf '%s\n' 'push(@{$nrconf{blacklist}}, qr(^/opt/myapp/worker$));' | sudo tee /etc/needrestart/conf.d/myapp-blacklist.conf > /dev/nullUse exact paths for exclusions. Broad patterns can hide real restart requirements, especially on systems that run several services from the same custom prefix.
Disable Kernel or Microcode Hints
Disable kernel or microcode hints only when another maintenance process already tracks those signals for you.
printf '%s\n' "\$nrconf{kernelhints} = 0;" "\$nrconf{ucodehints} = 0;" | sudo tee /etc/needrestart/conf.d/no-kernel-microcode-hints.conf > /dev/nullKeep these hints enabled on general-purpose servers unless your monitoring already alerts on pending kernel reboots and microcode updates.
Automate Needrestart Reports on Ubuntu
The packaged APT hook already runs Needrestart after successful APT package transactions. A custom systemd timer is useful only when you want periodic list-only reports in the journal between package runs; it does not install updates by itself. For automated package installation, configure unattended upgrades on Ubuntu separately.
Create a Needrestart systemd Service
Create a oneshot service that runs a noninteractive list-only scan.
sudo tee /etc/systemd/system/needrestart-check.service > /dev/null <<'EOF'
[Unit]
Description=Check services that need restart
After=network.target
[Service]
Type=oneshot
Environment=DEBIAN_FRONTEND=noninteractive
ExecStart=/usr/sbin/needrestart -r l
[Install]
WantedBy=multi-user.target
EOFThe Environment=DEBIAN_FRONTEND=noninteractive line keeps scheduled runs from logging debconf frontend warnings on systems without a controlling terminal.
Create a Needrestart systemd Timer
Create a daily timer for the report service.
sudo tee /etc/systemd/system/needrestart-check.timer > /dev/null <<'EOF'
[Unit]
Description=Run needrestart report periodically
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
EOFEnable and Test the Needrestart Timer
Verify the units, reload systemd, and enable the timer.
sudo systemd-analyze verify /etc/systemd/system/needrestart-check.service /etc/systemd/system/needrestart-check.timer
sudo systemctl daemon-reload
sudo systemctl enable --now needrestart-check.timerCheck that systemd accepted and started the timer.
systemctl is-enabled needrestart-check.timer
systemctl is-active needrestart-check.timerenabled active
Start the service once and review the latest journal output.
sudo systemctl start needrestart-check.service
sudo journalctl -u needrestart-check.service --no-pager -n 30The journal should contain the same list-only sections you see from sudo needrestart -r l. If the timer is too noisy for your environment, disable it and keep the packaged APT hook as the normal trigger.
Troubleshoot Needrestart on Ubuntu
Needrestart Prompts or Restarts During APT Transactions
APT hook behavior depends on the Ubuntu release and local configuration. Inspect the hook and any restart-mode overrides first.
grep -H 'apt-pinvoke' /etc/apt/apt.conf.d/99needrestart
grep -R "nrconf{restart}" /etc/needrestart/needrestart.conf /etc/needrestart/conf.d/*.conf 2>/dev/nullIf no local drop-in sets $nrconf{restart}, create /etc/needrestart/conf.d/restart-mode.conf with the list-only setting from the configuration section, then retest with sudo env DEBIAN_FRONTEND=noninteractive needrestart -r l.
Needrestart Reports User Sessions Running Outdated Binaries
This message means a login session, desktop session, or user service still has processes mapped to old files after an update. Use list-only mode to see the affected session group.
sudo needrestart -r lIf the affected session is your current SSH connection, disconnect and reconnect after the maintenance window. For a desktop session, log out and back in. For a named user service, restart that user service or sign out the affected account.
Needrestart Shows a Pending Kernel Upgrade
A pending kernel message means Ubuntu has installed a newer kernel than the one currently running. Needrestart cannot load the new kernel into the running system.
sudo needrestart -kSchedule a reboot when the system can tolerate it, then run the check again. If kernel modules or DKMS builds are part of the same maintenance work, use the install Linux kernel headers on Ubuntu workflow to confirm the matching headers.
A Service Still Appears After Restarting
If a service remains in Needrestart output after a restart, replace service-name.service with the exact unit from the report and check the unit state before restarting it again.
sudo systemctl status service-name.service --no-pager
sudo systemctl restart service-name.service
sudo needrestart -r lWorker-based services can leave child processes running after a normal restart. If the service is safe to interrupt, a full stop and start may be cleaner than another restart. For busy services, do that during a maintenance window.
Debconf Frontend Warnings Appear in Logs
Warnings such as unable to initialize frontend usually mean Needrestart ran without a controlling terminal. Use a noninteractive frontend for scripted runs.
sudo env DEBIAN_FRONTEND=noninteractive needrestart -r lFor a systemd service, keep Environment=DEBIAN_FRONTEND=noninteractive in the unit file and run the same list-only restart mode.
Needrestart Command Is Missing After Installation
Confirm package state before reinstalling. A missing command after a claimed install usually means the package was not installed, was removed, or the shell command cache is stale.
command -v needrestart
dpkg -l needrestart | grep '^ii'If the installed-state check does not return an ii row, reinstall the package and clear the current shell’s command cache.
sudo apt install --reinstall needrestart
hash -r
command -v needrestartUpdate or Remove Needrestart on Ubuntu
Update Needrestart with APT
Needrestart updates through the normal Ubuntu package sources. To upgrade only this installed package, refresh metadata and use --only-upgrade.
sudo apt update
sudo apt install --only-upgrade needrestartIf APT reports that Needrestart is already the newest version, there is no package update available for your enabled Ubuntu sources.
Remove an Optional Needrestart Timer
Remove any custom timer before removing the package because the service unit depends on the Needrestart binary.
if [ -f /etc/systemd/system/needrestart-check.timer ]; then
sudo systemctl disable --now needrestart-check.timer
fi
sudo rm -f /etc/systemd/system/needrestart-check.service
sudo rm -f /etc/systemd/system/needrestart-check.timer
sudo systemctl daemon-reloadRemove the Needrestart Package
Remove the package when you no longer want the command or the APT hook active.
sudo apt remove needrestartAPT removal keeps residual configuration files. Use purge only when you also want to remove package configuration such as /etc/apt/apt.conf.d/99needrestart and /etc/needrestart/needrestart.conf.
sudo apt purge needrestartIf you created local drop-ins under /etc/needrestart/conf.d/, review them before deleting the remaining directory.
The cleanup command deletes local Needrestart policy files. Back up any restart-mode, service override, or blacklist drop-ins you may need later.
sudo find /etc/needrestart -maxdepth 2 -type f -print 2>/dev/null
sudo rm -rf /etc/needrestartConfirm the package and command are gone.
dpkg -l needrestart | grep '^ii' || echo "needrestart not installed"
command -v needrestart || echo "needrestart command removed"needrestart not installed needrestart command removed
Conclusion
Needrestart is installed with Ubuntu’s APT hook, a verified command path, and an explicit restart policy. Keep list-only mode for cautious maintenance, switch to interactive or automatic restarts only when the host workflow allows it, and use batch or timer output when you need a repeatable report for operations.
Formatting tips for your comment
You can use basic HTML to format your comment. Useful tags currently allowed in published comments:
<code>command</code>command<strong>bold</strong><em>italic</em><blockquote>quote</blockquote>