Moved reboot required decision to the agent side

I had to do that because kernel image package version often is not the same as its meta-package's version.

backend/device_registry/api_views.py

@@ -114,8 +114,10 @@ def post(self, request, *args, **kwargs):
                                                                  version=kernel_meta_package['version'],
                                                                  arch=kernel_meta_package['arch'],
                                                                  os_release_codename=os_release['codename'])
+            device.reboot_required = kernel_meta_package['reboot_required']
         else:
             device.kernel_meta_package = None
+            device.reboot_required = None
         device.cpu = data.get('cpu', {})
         device.os_release = os_release
         device.mysql_root_access = data.get('mysql_root_access')
@@ -163,7 +165,7 @@ def post(self, request, *args, **kwargs):
         device.save(update_fields=['last_ping', 'agent_version', 'audit_files', 'deb_packages_hash',
                                    'update_trust_score', 'os_release', 'auto_upgrades',
                                    'mysql_root_access', 'cpu', 'kernel_deb_package', 'kernel_meta_package',
-                                   'default_password_users'])
+                                   'reboot_required', 'default_password_users'])
         # Un-snooze recommended actions which were "Fixed" (i.e. snoozed until next ping)
         device.recommendedactionstatus_set.filter(status=RecommendedAction.Status.SNOOZED_UNTIL_PING) \
             .update(status=RecommendedAction.Status.AFFECTED)

backend/device_registry/migrations/0086_auto_20200306_1702.py

@@ -32,6 +32,11 @@ class Migration(migrations.Migration):
             name='kernel_meta_package',
             field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to='device_registry.DebPackage'),
         ),
+        migrations.AddField(
+            model_name='device',
+            name='reboot_required',
+            field=models.BooleanField(blank=True, db_index=True, null=True),
+        ),
         migrations.AlterField(
             model_name='vulnerability',
             name='name',

backend/device_registry/models.py

@@ -116,6 +116,7 @@ class SshdIssueItem(NamedTuple):
     kernel_deb_package = models.ForeignKey(DebPackage, null=True, on_delete=models.SET_NULL, related_name='+')
     kernel_meta_package = models.ForeignKey(DebPackage, null=True, blank=True,
                                             on_delete=models.SET_NULL, related_name='+')
+    reboot_required = models.BooleanField(null=True, blank=True, db_index=True)
     audit_files = JSONField(blank=True, default=list)
     os_release = JSONField(blank=True, default=dict)
     auto_upgrades = models.BooleanField(null=True, blank=True)
@@ -125,19 +126,6 @@ class SshdIssueItem(NamedTuple):
     class Meta:
         ordering = ('created',)
 
-    @property
-    def reboot_required(self):
-        """
-        OS reboot required because the newer kernel package installed
-         but not running.
-        It's supposed that kernel image package and its meta-package always
-         have the same versions.
-        """
-        if self.kernel_deb_package and self.kernel_meta_package:
-            return apt_pkg.version_compare(self.kernel_meta_package.version,
-                                           self.kernel_deb_package.version) > 0
-        return None
-
     @property
     def default_password(self):
         if self.default_password_users is not None:
@@ -493,28 +481,6 @@ def set_meta_tags(self):
         if all_devices_tag not in self.tags:
             self.tags.add(all_devices_tag)
 
-    @property
-    def vulnerable_packages(self):
-        """
-        We exclude all kernel-related packages except meta-packages.
-        It is supposed that (and our practical checks confirm this):
-         1. Every excluded kernel-related package *always* has a meta-package
-          installed.
-         2. All kernel meta-packages *always* have the same (including zero)
-          vulnerabilities as their children kernel-related packages.
-        """
-        # TODO: check whether we need `.distinct()` and `.order_by()` here.
-        if self.deb_packages_hash and self.deb_packages.exists() and self.os_release:
-            # Ubuntu.
-            if self.os_release.get('codename') in UBUNTU_SUITES:
-                return self.deb_packages.filter(vulnerabilities__isnull=False).exclude(
-                    name__regex=UBUNTU_KERNEL_PACKAGES_RE_PATTERN).distinct().order_by('name')
-            # Debian.
-            elif self.os_release.get('codename') in DEBIAN_SUITES:
-                return self.deb_packages.filter(vulnerabilities__isnull=False).exclude(
-                    name__regex=DEBIAN_KERNEL_PACKAGES_RE_PATTERN).distinct().order_by('name')
-        return DebPackage.objects.none()
-
     @property
     def cve_count(self):
         """

backend/device_registry/recommended_actions.py

@@ -501,6 +501,10 @@ def severity(cls, param=None):
 class RebootRequiredAction(SimpleAction, metaclass=ActionMeta):
     _severity = Severity.MED
 
+    @classmethod
+    def _affected_devices(cls, qs):
+        return qs.filter(reboot_required=True)
+
     @classmethod
     def _is_affected(cls, device) -> bool:
         return device.reboot_required is True

backend/device_registry/tests/test_recommended_actions.py

@@ -587,10 +587,5 @@ class RebootRequiredActionTest(TestsMixin, TestCase):
     action_class = RebootRequiredAction
 
     def enable_action(self):
-        self.device.kernel_deb_package = DebPackage.objects.create(
-            os_release_codename='buster', name='linux', version='5.0.0', source_name='linux', source_version='5.0.0',
-            arch=DebPackage.Arch.i386)
-        self.device.kernel_meta_package = DebPackage.objects.create(
-            os_release_codename='buster', name='linux-meta', version='5.0.1', source_name='linux',
-            source_version='5.0.1', arch=DebPackage.Arch.i386)
-        self.device.save(update_fields=['kernel_deb_package', 'kernel_meta_package'])
+        self.device.reboot_required = True
+        self.device.save(update_fields=['reboot_required'])

backend/recommended_actions.yaml

@@ -506,7 +506,6 @@
 
 - title: Reboot required
   class: RebootRequiredAction
-  subtitle: To boot updated kernel please reboot the node.
   short: |
     Lorem ipsum dolor sit amet, consectetur adipiscing elit.
   long: |