Automatic updates for packages in CentOS

This guide sets up a tool called yum-cron, which can handle unattended updates on your behalf at a scheduled interval. While this guide is for CentOS, you could apply it to other similar distros, such as Amazon Linux 2, Fedora, or Red Hat.

Before you begin

You should have one of the above distros of Linux, which is connected to the internet. crond should also be installed and its associated service should be enabled and started.

If you’re going to enable automatic updates, be aware this does carry some risk. I wouldn’t recommend it if you have mission-critical software or services running on your machine. Consider running automatic updates on a staging machine and scheduling updates yourself.

Overview

  1. Install the yum-cron package
  2. Configure yum-cron to your needs/wants
  3. Enable and start the yum-cron service

Installing the package

First off, you should make sure that your system is up to date. On the assumption that you can elevate permissions through sudo, you can do that by running sudo yum update.

Once that’s done, you should be able to install yum-cron with the command sudo yum install yum-cron.

For the next part, check the contents of your /etc/yum/ directory. Here’s mine for reference:

$ ls /etc/yum -l
total 12
drwxr-xr-x 1 root root    0 Nov  5 01:53 fssnap.d
drwxr-xr-x 1 root root   36 Nov  5 01:53 pluginconf.d
drwxr-xr-x 1 root root   24 Apr  5 07:23 protected.d
drwxr-xr-x 1 root root   30 Apr  5 07:16 vars
-rw-r--r-- 1 root root  444 Nov  5 01:53 version-groups.conf
-rw-r--r-- 1 root root 2565 Nov  5 01:53 yum-cron-hourly.conf
-rw-r--r-- 1 root root 2603 Nov  5 01:53 yum-cron.conf

This means I can configure yum-cron either on an hourly basis by modifying yum-cron-hourly.conf, or on a daily basis if I edit yum-cron.conf.

Configuring yum-cron

Once you’ve picked the file you want to configure, open it up in an editor of your choice. Here’s what the top part of yum-cron.conf looks like for me:

[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = default

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = no

Now, for most systems I manage, I usually do the following:

  • Set update_cmd to security—this allows packages to be automatically updated if they have a security update available
  • Set apply_updates to yes—that way updates are installed without any manual process

Save your file, and you should be ready to go!
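To confirm what the edited file will do, here is an added example (not from the original guide or the yum-cron project) that reads the [commands] section and reports whether updates will really be applied, including the case the config comment warns about, where apply_updates is yes but download_updates is not. The function names, the mode labels and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of yum-cron): report what a yum-cron config will do.

# Print KEY's value from the [commands] section of FILE (last assignment wins).
yum_cron_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_cmds = ($0 ~ /^[ \t]*\[commands\]/); next }
        !in_cmds || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# yes/true/1 count as enabled; a missing key counts as disabled (assumption).
is_yes() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# Print "mode=<apply|blocked|download|notify> scope=<update_cmd>".
# Exit 0 only for the guide's choice: security-scoped updates that really get applied.
yum_cron_audit() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf" >&2; return 2; }
    scope=$(yum_cron_get "$conf" update_cmd); scope=${scope:-default}
    download=$(yum_cron_get "$conf" download_updates)
    apply=$(yum_cron_get "$conf" apply_updates)
    if is_yes "$apply" && is_yes "$download"; then mode=apply
    elif is_yes "$apply"; then mode=blocked   # apply_updates needs download_updates = yes
    elif is_yes "$download"; then mode=download
    else mode=notify
    fi
    echo "mode=$mode scope=$scope"
    [ "$mode" = apply ] && [ "$scope" = security ]
}

# Constructed sample: the guide's two edits, but with download_updates switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
# update_cmd = default
update_cmd = security
download_updates = no
apply_updates = yes
EOF
yum_cron_audit "$sample" || echo "does not match the guide's settings"
rm -f "$sample"
```

After editing, point yum_cron_audit at /etc/yum/yum-cron.conf or /etc/yum/yum-cron-hourly.conf, whichever file you changed.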

Running the yum-cron service

Now that you’ve done all that, you actually don’t need to do anything else. crond.service takes care of the rest, since the yum-cron package installs some cron jobs which will run. You can verify this by examining the cron directories in /etc/:

$ ls -d /etc/*/ | grep 'cron'
/etc/cron.d/
/etc/cron.daily/
/etc/cron.hourly/
/etc/cron.monthly/
/etc/cron.weekly/

$ ls -l /etc/cron.daily
total 8
-rwxr-xr-x 1 root root 332 Nov  5 01:53 0yum-daily.cron
-rwx------ 1 root root 219 Oct 30 19:12 logrotate

In conclusion

By installing a service like yum-cron, you can keep your systems up to date without having to do it yourself. This isn’t suitable for all situations, but for most cases, it is.