DevInTheMiddle_

Stop updating your server, you are wasting time!

Published on Aug 11, 2020

Isn't it boring to install updates manually on every server you manage?

When you have to deal with a big number of servers, it can be really a pain to manually update all of them, every time.

So why don't we make the servers update automatically?

yum-cron is the solution

I know, yum is only available on distros based on RedHat, but - hey - let's start from somewhere!

While it is true that running yum update by hand is very easy, automating this process gives peace of mind.

You can use yum-cron to update the software on the machine automatically, on a schedule, exactly as you would with a cron job.

Installation and configuration on CentOS7/RHEL7

Install yum-cron package:

$ sudo yum install yum-cron

Enable the service at boot time:

$ sudo systemctl enable yum-cron.service

yum-cron is configured from a central configuration file, /etc/yum/yum-cron.conf, where you also choose which updates to apply on the system. If needed, you can also configure it to only download the updates to the machine without installing them.

Edit the configuration file with vim (yes, I finally learned how to quit from vim!):

$ sudo vim /etc/yum/yum-cron.conf

With the default configuration the updates are only downloaded; in order to make yum-cron also install them, we need to change:

apply_updates = yes

It is also possible to choose to apply only the security updates, changing the update_cmd from default to security:

update_cmd = security

And if you do not want to apply kernel packages, add them to the exclusion list:

exclude = kernel*

If you want to receive a notification when updates are installed, you can specify an email_from and an email_to:

email_from = root@localhost
email_to = your-tech-email@domain.whatever

In case you are using an external MTA, you should provide its email_host:

email_host = your.mta.your.domain

Save the file, and exit (hint: :wq).

In this way yum-cron will check for updates on a daily basis.

In case you want to have an hourly update check, you must configure /etc/yum/yum-cron-hourly.conf. The structure will be the same.
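As an added example (not from the original post), here is a small bash script that applies the settings above to a yum-cron.conf-style file idempotently, so the same change can be rolled out to many servers; the file path is a parameter, so it works for /etc/yum/yum-cron-hourly.conf too. The make_sample_conf helper and the e-mail addresses are constructed placeholders, and GNU sed (as shipped on CentOS/RHEL) is assumed.

```bash
#!/usr/bin/env bash
# Added example: idempotent edits of a yum-cron.conf-style file (GNU sed assumed).
set -eu
# set_conf_key FILE SECTION KEY VALUE: rewrite an active "KEY = ..." line
# (commented ones are ignored) or insert it right under "[SECTION]".
set_conf_key() {
    local file=$1 section=$2 key=$3 value=$4
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        sed -i "/^\[${section}\]/a ${key} = ${value}" "$file"
    fi
}

# get_conf_key FILE KEY: effective value of KEY (last active line wins).
get_conf_key() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# configure_yum_cron FILE: the settings from the post. On a real host pass
# /etc/yum/yum-cron.conf (with sudo); the e-mail values are placeholders.
configure_yum_cron() {
    local file=$1
    set_conf_key "$file" commands apply_updates yes
    set_conf_key "$file" commands update_cmd security
    set_conf_key "$file" base exclude 'kernel*'
    set_conf_key "$file" email email_from root@localhost
    set_conf_key "$file" email email_to your-tech-email@domain.whatever
    set_conf_key "$file" email email_host your.mta.your.domain
}

# make_sample_conf: constructed, trimmed-down copy of the stock config
# (download only, no exclusions) written to a temp file; prints its path.
make_sample_conf() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
[commands]
update_cmd = default
download_updates = yes
apply_updates = no
[email]
email_from = root@localhost
email_to = root
email_host = localhost
[base]
debuglevel = -2
EOF
    printf '%s\n' "$f"
}
```

Try it on the sample first (`f=$(make_sample_conf); configure_yum_cron "$f"; cat "$f"`) before running configure_yum_cron against the real file with sudo.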

At this point we can start our configured yum-cron daemon and check its status:

$ sudo systemctl start yum-cron.service

$ sudo systemctl status yum-cron.service
● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2020-08-06 20:30:53 CEST; 25s ago
  Process: 9937 ExecStart=/bin/touch /var/lock/subsys/yum-cron (code=exited, status=0/SUCCESS)
 Main PID: 9937 (code=exited, status=0/SUCCESS)

Ok, now you can forget the yum update command!

Written by

Fabio Zambrino


Senior System Engineer with a genuine passion for Information Security. Making professional mistakes since 2005.
Thinks of himself as a real Security Guru... But always forgets to lock the car!