Unattended Automatic Updates in CentOS 8

CentOS is without doubt one of the most widely used Linux distributions, mainly among Linux servers. It's a free, community-supported fork of Red Hat Enterprise Linux (RHEL) that provides a stable and fine-tuned operating system. 

The latest version, CentOS 8, introduces a new software package manager called DNF, which is Dandified YUM (Yellowdog Updater, Modified). YUM is the default package manager for all CentOS versions. Because of this, the update process hasn't changed much and continues to be straightforward and uncomplicated. The problem is when we have several CentOS instances. It might be best to look for alternatives to automate the process. That is what we'll be covering in this article. 

Before heading to the automation, it's pertinent to address how we can manually check for upgrades for CentOS, apply them, maintain our system, exclude specific packages, and a few tips and tricks. 

How to Check for Updates 

CentOS 8 supports dnf and yum, so we will be covering both package managers, with subsequent code blocks presented in that order. 

A few utilities can help improve the system’s speed and performance and expand the usage of the package manager while installing updates. The recommended plugins for dnf and yum are below.

Dnf:

• python3-dnf-plugin-versionlock 
• epel-release 
• dnf-plugins-core 
• dnf-automatic

Yum:

• yum-plugin-versionlock 
• epel-release 
• yum-utils 
• yum-cron 
• yum-plugin-fastestmirror

To make sure those are installed, we will need to run this command (depending on the package manager of your choosing).

dnf install python3-dnf-plugin-versionlock epel-release dnf-plugins-core dnf-automatic

yum install yum-plugin-versionlock epel-release yum-utils yum-cron yum-plugin-fastestmirror

To enable the fastest mirror on dnf (if using yum, installing yum-plugin-fastestmirror will do the trick), we need to edit its configuration file (located at /etc/dnf/dnf.conf) and add the following lines under the [main] section.

sudo vi /etc/dnf/dnf.conf 
[main]
...
skip_if_unavailable=True
fastestmirror=1

Once added, it's good practice to clean all the accumulated cached data from enabled repositories before checking for updates. 

dnf clean all

yum clean all

Now let's verify which updates are available.

LiquidWeb # dnf check-update
NetworkManager.x86_64               1:1.26.0-12.el8_3              BaseOS
NetworkManager-libnm.x86_64         1:1.26.0-12.el8_3              BaseOS
NetworkManager-team.x86_64          1:1.26.0-12.el8_3              BaseOS
NetworkManager-tui.x86_64           1:1.26.0-12.el8_3              BaseOS
authselect.x86_64                   1.2.1-2.el8                    BaseOS
authselect-libs.x86_64              1.2.1-2.el8                    BaseOS
bash.x86_64                         4.4.19-12.el8                  BaseOS
bind-export-libs.x86_64             32:9.11.20-5.el8_3.1           BaseOS
...

LiquidWeb # yum check-updates
176 packages excluded due to repository priority protections
LiquidWeb #

Updating the Packages Manually

In this section, we will be discussing the specific package updates.

1. General Update

To update all packages to the latest versions, use the following command.

dnf update

yum update

This command will update the whole CentOS system, including obsolete packages, kernel, and any outdated system utility, to ensure the system is up to date.

2. Security Updates Only

Another interesting use case is when we only need to maintain the latest security patches. For yum, the plugin yum-security will accomplish that task without touching the rest of the installed packages. As it has been integrated since CentOS 7, we just need to use the command.

LiquidWeb # dnf upgrade --security
No security updates needed, but 15 updates available
Dependencies resolved.
Nothing to do.
Complete!

LiquidWeb # yum update --security
No security updates needed, but 207 updates available
Dependencies resolved.
Nothing to do.
Complete!

3. Excluding Packages

In some instances, we might want to keep a certain software running on a specific version. Suppose we have MariaDB as our database management system, and our sites and applications work really well with version 10.1.12. It would be an undesirable situation that an automatic upgrade ended up breaking all sites. To avoid that, we can use the versionlock plugin, which we installed earlier for dnf and yum. Below is the command to lock a package into a specific version.

LiquidWeb # dnf versionlock add mariadb
Adding versionlock on: mariadb-10.1.12.el7*

LiquidWeb # yum versionlock add mariadb
Loaded plugins: fastestmirror, priorities, universal-hooks, versionlock
Adding versionlock on: 0:mariadb-10.1.12.el7
versionlock added: 1

This action will create a file (/etc/dnf/plugins/versionlock.list or /etc/yum/pluginconf.d/versionlock.list) containing all the custom blocks. Alternatively, we can use the -x tag to exclude certain packages from the update command.

dnf -x mariadb update

yum -x mariadb update

4. Excluding Kernel Updates 

If our environment is sensitive to sudden changes, we can exclude important kernel updates to keep things stable. As in the previous section, we'll be using the -x tag.

dnf update -x kernel -x redhat-release*

yum update -x kernel -x redhat-release*

To make the changes permanent, we can modify the configuration files directly (always under the [main] section).

sudo vi /etc/dnf/dnf. conf 
[main]
...
# Excluded packages
exclude=kernel, redhat-release*

sudo vi /etc/yum.conf
[main]
...
# Excluded packages
exclude = kernel, redhat-release*

Automating the Upgrade Process

Now that we know how to update our system manually, let's get to the fun. We're going to discuss two main tools: dnf-automatic or yum-cron and the cron utility. We'll display some ideas on automating the update process using these tools and setting custom configurations.  

1. Package Manager Utilities

Dnf-automatic and yum-cron are services that act very similar to the scheduling utility cron. However, these plugins are optimized to upgrade tasks that run daily. The recommended approach to make the most of the plugins is to explore the configuration files in detail to determine the most suitable options.

There are a couple of settings to tweak:

• The type of update we want to perform.
• How we should handle notifications if we want to download or install the upgrades.

We can even exclude packages from updating. We installed the plugins earlier, so now we have to enable them.

LiquidWeb # systemctl enable --now dnf-automatic.timer
Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic.timer → /usr/lib/systemd/system/dnf-automatic.timer.

LiquidWeb # systemctl enable yum-cron
LiquidWeb # systemctl start yum-cron
LiquidWeb # systemctl status yum-cron
● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited) 
 Main PID: 44673 (code=exited, status=0/SUCCESS)

Now that the services are enabled, we have a free way to customize and set them up as we see fit. The configuration files are /etc/dnf/automatic.conf and /etc/yum/yum-cron.conf.

Here are some of the most important directives.

[commands]
...
upgrade_type = default
download_updates = yes
apply_updates = no

[emitters]
...
emit_via = email

[email]
...
email_from = root@localhost
email_to = centos@somedomain.com

[base]
...
debuglevel = 1
exclude = mariadb*

Starting with the [commands] section, we can highlight these three commands:

• upgrade_type: Determines the type of upgrade we want to perform (default, security, minimal).
• download_updates: Download the files for the update.
• apply_updates: Install the downloaded files.

In the [emitters] section, the option emit_via lets us set how we’d like to get notifications (stdio, email, or motd). This section works in conjunction with the [email] section to establish the mail settings. 

Lastly, we have the [base] section. It allows us to override the main dnf.conf or yum.conf files (configuration files). Several options can be set here, including debug level, excluding rules, and custom commands. 

2. Cron Jobs

We can automate server scripts by using the command crontab -e. The command allows us to open the cron jobs file and add scheduled tasks. Listed below are some of the most common tasks to schedule.

0 0 * * * /usr/bin/dnf update # Daily full updates 
0 0 * * * /usr/bin/dnf update --security # Daily security updates 
0 0 * * * /usr/bin/dnf -x mariadb update # Daily updates excluding a single package 

0 0 * * * /usr/bin/dnf update -x kernel -x redhat-release* # Daily executions excluding kernel updates
0 0 1 * * /usr/bin/dnf update kernel* redhat-release* # To use along the previous job, updates the kernel each 1st day of the month

0 0 * * * /usr/bin/yum update # Daily full updates 
0 0 * * * /usr/bin/yum update --security # Daily security updates 
0 0 * * * /usr/bin/yum -x mariadb update # Daily updates excluding a single package 

0 0 * * * /usr/bin/yum update -x kernel -x redhat-release* # Daily executions excluding kernel updates
0 0 1 * * /usr/bin/yum update kernel* redhat-release* # To use along the previous job, updates the kernel each 1st day of the month

Conclusion

Unix/Linux systems provide users with a great deal of flexibility, and CentOS is no exception. The initial configuration might take a while, but once correctly set up, your system will reach speeds that meet your particular needs and will only update what needs to be updated.

Have additional site needs? Explore Liquid Web's hosting add-ons to help boost your site storage, security, and performance.