Configure Automatic Updates with yum-cron on CentOS 7


Regularly updating your CentOS system is one of the most important aspects of overall system security. If you don’t update your operating system’s packages with the latest security patches, you are leaving your machine vulnerable to attacks.

If you manage multiple CentOS machines, manually updating the system packages may be time-consuming. Even if you manage a single CentOS installation, you may sometimes overlook an important update. This is where automatic updates come in handy.

In this tutorial, we will go through the process of configuring automatic updates on CentOS 7. The same instructions apply to CentOS 6.

Prerequisites

Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges.

Installing yum-cron Package

The yum-cron package allows you to automatically run the yum command as a cron job to check for, download, and apply updates. Chances are that this package is already installed on your CentOS system. If it is not installed, you can install it by running the following command:

sudo yum install yum-cron

Once the installation is complete, enable and start the service:

sudo systemctl enable yum-cron
sudo systemctl start yum-cron

To verify that the service is running, type the following command:

systemctl status yum-cron

Information about the yum-cron service status will be displayed on the screen:

● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2019-05-04 21:49:45 UTC; 8min ago
  Process: 2713 ExecStart=/bin/touch /var/lock/subsys/yum-cron (code=exited, status=0/SUCCESS)
 Main PID: 2713 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/yum-cron.service

Configuring yum-cron

yum-cron comes with two configuration files that are stored in the /etc/yum directory, the hourly configuration file yum-cron-hourly.conf and the daily configuration file yum-cron.conf.

The yum-cron service only controls whether or not the cron jobs will run. The yum-cron utility is called by the /etc/cron.hourly/0yum-hourly.cron and /etc/cron.daily/0yum-daily.cron cron files.

By default, the hourly cron is configured to do nothing. If updates are available, the daily cron is set to download but not install them, and to send messages to stdout. The default configuration is sufficient for critical production systems where you want to receive notifications and do the update manually after testing the updates on test servers.

The configuration file is structured in sections and each section contains comments that describe what each configuration line does.

To edit the yum-cron configuration file, open the file in your text editor:

sudo nano /etc/yum/yum-cron-hourly.conf

In the first section, [commands], you can define the types of packages that you want to be updated, enable messages and downloads, and choose whether updates are applied automatically when they are available. By default, update_cmd is set to default, which updates all packages. If you want to set up automatic unattended updates, it is recommended to change the value to security, which tells yum to update only packages that fix a security issue.

In the following example we changed the update_cmd to security and enabled unattended updates by setting apply_updates to yes:

/etc/yum/yum-cron-hourly.conf
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 360

The second section defines how to send messages. To send messages to both stdout and email, change the value of emit_via to stdio,email.

/etc/yum/yum-cron-hourly.conf
[emitters]
system_name = None
emit_via = stdio,email
output_width = 80

In the [email] section you can set the sender and receiver email address. Make sure that you have a tool that can send emails installed on your system, such as mailx or postfix.

/etc/yum/yum-cron-hourly.conf
[email]
email_from = root@centos.host
email_to = me@example.com
email_host = localhost

The [base] section allows you to override the settings defined in the yum.conf file. If you want to exclude specific packages from being updated, you can use the exclude parameter. In the following example, we are excluding the mongodb packages.

/etc/yum/yum-cron-hourly.conf
[base]
debuglevel = -2
mdpolicy = group:main
exclude = mongodb*

You don’t need to restart the yum-cron service for changes to take effect.
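
The following is an added example, not part of the original tutorial or of yum-cron: a small POSIX shell audit that reads a yum-cron configuration file and reports where it differs from the unattended, security-only setup with email notification described above. The function names ini_get and audit_yum_cron are hypothetical, and the sample configuration is constructed from the defaults the tutorial describes.

```bash
#!/bin/sh
# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (nothing if absent).
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); current = $0; next }
        current == section {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# audit_yum_cron FILE: print one finding per line; no output means the file matches
# the unattended, security-only setup with email notification shown in the tutorial.
audit_yum_cron() (
    cmd=$(ini_get "$1" commands update_cmd)
    dl=$(ini_get "$1" commands download_updates)
    apply=$(ini_get "$1" commands apply_updates)
    emit=$(ini_get "$1" emitters emit_via | tr -d ' \t')
    to=$(ini_get "$1" email email_to)
    [ "$cmd" = "security" ] || echo "update_cmd=${cmd:-unset}: not limited to security updates"
    [ "$apply" = "yes" ] || echo "apply_updates=${apply:-unset}: updates are not installed automatically"
    # yum-cron can only apply what it has downloaded.
    if [ "$apply" = "yes" ] && [ "$dl" != "yes" ]; then
        echo "download_updates=${dl:-unset}: apply_updates=yes has no effect"
    fi
    case ",$emit," in
        *,email,*) [ -n "$to" ] || echo "emit_via includes email but email_to is unset" ;;
        *)         echo "emit_via=${emit:-unset}: no email notification" ;;
    esac
)

# Constructed sample: the stock daily defaults described above (download, do not apply).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
update_cmd = default
download_updates = yes
apply_updates = no
[emitters]
emit_via = stdio
EOF
audit_yum_cron "$sample"
rm -f "$sample"
```

On a real host, point audit_yum_cron at /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf; both files use the same sections.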

Viewing logs

Use grep to check whether the cron jobs associated with yum are executed:

sudo grep yum /var/log/cron
May  4 22:01:01 localhost run-parts(/etc/cron.hourly)[5588]: starting 0yum-hourly.cron
May  4 22:32:01 localhost run-parts(/etc/cron.daily)[5960]: starting 0yum-daily.cron
May  4 23:01:01 localhost run-parts(/etc/cron.hourly)[2121]: starting 0yum-hourly.cron
May  4 23:01:01 localhost run-parts(/etc/cron.hourly)[2139]: finished 0yum-hourly.cron
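
To go beyond eyeballing the grep output, the added example below (not part of the original tutorial) pairs each "starting" line with a later "finished" line for the same job and lists the runs that never logged a finish. The function name unfinished_yum_jobs is hypothetical; the sample input is the four log lines shown above, written to a temporary file.

```bash
#!/bin/sh
# unfinished_yum_jobs FILE: print "<timestamp> <job>" for each 0yum-*.cron start that has
# no "finished" line before the same job starts again or before the log ends.
# Jobs are paired by name because run-parts logs start and finish under different PIDs.
unfinished_yum_jobs() {
    awk '
        $NF !~ /^0yum-.*\.cron$/ { next }
        $(NF-1) == "starting" {
            if ($NF in open) print open[$NF], $NF    # previous run never finished
            if (!($NF in seen)) { seen[$NF] = 1; names[++n] = $NF }
            open[$NF] = $1 " " $2 " " $3
        }
        $(NF-1) == "finished" { delete open[$NF] }
        END {
            # Report runs still open at the end of the log, in first-seen order.
            for (i = 1; i <= n; i++)
                if (names[i] in open) print open[names[i]], names[i]
        }
    ' "$1"
}

# Sample input: the log lines from the tutorial output above.
log=$(mktemp)
cat > "$log" <<'EOF'
May  4 22:01:01 localhost run-parts(/etc/cron.hourly)[5588]: starting 0yum-hourly.cron
May  4 22:32:01 localhost run-parts(/etc/cron.daily)[5960]: starting 0yum-daily.cron
May  4 23:01:01 localhost run-parts(/etc/cron.hourly)[2121]: starting 0yum-hourly.cron
May  4 23:01:01 localhost run-parts(/etc/cron.hourly)[2139]: finished 0yum-hourly.cron
EOF
unfinished_yum_jobs "$log"
rm -f "$log"
```

A start near the end of the log is not necessarily a failure: the job can still be inside its random_sleep delay, which yum-cron measures in minutes.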

The history of the yum updates is logged in the /var/log/yum.log file. You can view the latest updates using the tail command:

sudo tail -f /var/log/yum.log
May 04 23:47:28 Updated: libgomp-4.8.5-36.el7_6.2.x86_64
May 04 23:47:31 Updated: bpftool-3.10.0-957.12.1.el7.x86_64
May 04 23:47:31 Updated: htop-2.2.0-3.el7.x86_64

Conclusion

In this tutorial, you have learned how to configure automatic updates and keep your CentOS system up-to-date.

If you have any questions or feedback, feel free to leave a comment.