CentOS is without doubt one of the most widely used Linux distributions, mainly among Linux servers. It's a free, community-supported fork of Red Hat Enterprise Linux (RHEL) that provides a stable and fine-tuned operating system.
The latest version, CentOS 8, introduces a new software package manager called DNF, short for Dandified YUM (Yellowdog Updater, Modified). YUM is the default package manager for all CentOS versions. Because of this, the update process hasn't changed much and continues to be straightforward and uncomplicated. The difficulty comes when we have several CentOS instances to maintain. In that case, it is best to look for ways to automate the process, and that is what we'll be covering in this article.
Before getting to the automation, we'll cover how to manually check for CentOS updates, apply them, maintain the system, and exclude specific packages, along with a few tips and tricks.
How to Check for Updates
CentOS 8 supports dnf and yum, so we will be covering both package managers, with subsequent code blocks presented in that order.
A few utilities can help improve the system’s speed and performance and expand the usage of the package manager while installing updates. The recommended plugins for dnf and yum are below.
To make sure those are installed, we will need to run this command (depending on the package manager of your choosing).
dnf install python3-dnf-plugin-versionlock epel-release dnf-plugins-core dnf-automatic
yum install yum-plugin-versionlock epel-release yum-utils yum-cron yum-plugin-fastestmirror
To enable the fastest mirror on dnf (if using yum, installing yum-plugin-fastestmirror will do the trick), we need to edit its configuration file (located at /etc/dnf/dnf.conf) and add the following lines under the [main] section.
sudo vi /etc/dnf/dnf.conf
[main]
...
skip_if_unavailable=True
fastestmirror=1
Once added, it's good practice to clean all the accumulated cached data from enabled repositories before checking for updates.
dnf clean all
yum clean all
Now let's verify which updates are available.
LiquidWeb # dnf check-update
NetworkManager.x86_64          1:1.26.0-12.el8_3       BaseOS
NetworkManager-libnm.x86_64    1:1.26.0-12.el8_3       BaseOS
NetworkManager-team.x86_64     1:1.26.0-12.el8_3       BaseOS
NetworkManager-tui.x86_64      1:1.26.0-12.el8_3       BaseOS
authselect.x86_64              1.2.1-2.el8             BaseOS
authselect-libs.x86_64         1.2.1-2.el8             BaseOS
bash.x86_64                    4.4.19-12.el8           BaseOS
bind-export-libs.x86_64        32:9.11.20-5.el8_3.1    BaseOS
...
LiquidWeb # yum check-updates
176 packages excluded due to repository priority protections
LiquidWeb #
Updating the Packages Manually
In this section, we will be discussing the specific package updates.
1. General Update
To update all packages to the latest versions, use the following command.
This command will update the whole CentOS system, including obsolete packages, kernel, and any outdated system utility, to ensure the system is up to date.
2. Security Updates Only
Another interesting use case is when we only need to maintain the latest security patches. For yum, the plugin yum-security will accomplish that task without touching the rest of the installed packages. As it has been integrated since CentOS 7, we just need to use the following command.
LiquidWeb # dnf upgrade --security
No security updates needed, but 15 updates available
Dependencies resolved.
Nothing to do.
Complete!
LiquidWeb # yum update --security
No security updates needed, but 207 updates available
Dependencies resolved.
Nothing to do.
Complete!
3. Excluding Packages
In some instances, we might want to keep certain software running on a specific version. Suppose we have MariaDB as our database management system, and our sites and applications work really well with version 10.1.12. It would be undesirable for an automatic upgrade to end up breaking all sites. To avoid that, we can use the versionlock plugin, which we installed earlier for dnf and yum. Below is the command to lock a package into a specific version.
LiquidWeb # dnf versionlock add mariadb
Adding versionlock on: mariadb-10.1.12.el7*
LiquidWeb # yum versionlock add mariadb
Loaded plugins: fastestmirror, priorities, universal-hooks, versionlock
Adding versionlock on: 0:mariadb-10.1.12.el7
versionlock added: 1
This action will create a file (/etc/dnf/plugins/versionlock.list or /etc/yum/pluginconf.d/versionlock.list) containing all the custom locks. Alternatively, we can use the -x option to exclude certain packages from the update command.
dnf -x mariadb update
yum -x mariadb update
4. Excluding Kernel Updates
If our environment is sensitive to sudden changes, we can exclude important kernel updates to keep things stable. As in the previous section, we'll be using the -x option. The pattern is quoted so that the shell passes it to the package manager unchanged.
dnf update -x kernel -x 'redhat-release*'
yum update -x kernel -x 'redhat-release*'
To make the changes permanent, we can modify the configuration files directly (always under the [main] section).
sudo vi /etc/dnf/dnf.conf
[main]
...
# Excluded packages
exclude=kernel, redhat-release*
sudo vi /etc/yum.conf
[main]
...
# Excluded packages
exclude = kernel, redhat-release*
Automating the Upgrade Process
Now that we know how to update our system manually, let's get to the fun. We're going to discuss two main tools: dnf-automatic or yum-cron and the cron utility. We'll display some ideas on automating the update process using these tools and setting custom configurations.
1. Package Manager Utilities
Dnf-automatic and yum-cron are services that act very similarly to the scheduling utility cron. However, these plugins are optimized for upgrade tasks that run daily. The recommended approach to make the most of the plugins is to explore the configuration files in detail to determine the most suitable options.
There are a couple of settings to tweak:
- The type of update we want to perform.
- How notifications should be handled, and whether we want to download or install the upgrades.
We can even exclude packages from updating. We installed the plugins earlier, so now we have to enable them.
LiquidWeb # systemctl enable --now dnf-automatic.timer
Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic.timer → /usr/lib/systemd/system/dnf-automatic.timer.
LiquidWeb # systemctl enable yum-cron
LiquidWeb # systemctl start yum-cron
LiquidWeb # systemctl status yum-cron
● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited)
 Main PID: 44673 (code=exited, status=0/SUCCESS)
Now that the services are enabled, we are free to customize and set them up as we see fit. The configuration files are /etc/dnf/automatic.conf and /etc/yum/yum-cron.conf.
Here are some of the most important directives.
[commands]
...
upgrade_type = default
download_updates = yes
apply_updates = no
[emitters]
...
emit_via = email
[email]
...
email_from = root@localhost
email_to = firstname.lastname@example.org
[base]
...
debuglevel = 1
exclude = mariadb*
Starting with the [commands] section, we can highlight these three commands:
- upgrade_type: Determines the type of upgrade we want to perform (default, security, minimal).
- download_updates: Download the files for the update.
- apply_updates: Install the downloaded files.
In the [emitters] section, the option emit_via lets us set how we’d like to get notifications (stdio, email, or motd). This section works in conjunction with the [email] section to establish the mail settings.
Lastly, we have the [base] section. It allows us to override settings from the main configuration files (dnf.conf or yum.conf). Several options can be set here, including the debug level, exclusion rules, and custom commands.
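The following added example (not part of the original article or of dnf-automatic or yum-cron themselves) reads the directives discussed above from such a configuration file and prints a warning for each setting that leaves updates uninstalled, unreported, or excluded. The function names get_opt, audit_conf and sample_conf are made up for this illustration, and the sample file is constructed from the directives shown in this article.

```sh
# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION] (last match wins).
get_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[.*\]/ {                            # section header
            cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next
        }
        cur == sec && (eq = index($0, "=")) {        # key = value in the wanted section
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_conf FILE: print one WARN line per finding (hypothetical helper).
audit_conf() (
    apply=$(get_opt "$1" commands apply_updates)
    utype=$(get_opt "$1" commands upgrade_type)
    emit=$(get_opt "$1" emitters emit_via)
    excl=$(get_opt "$1" base exclude)
    [ "$apply" = yes ] ||
        echo "WARN: apply_updates=${apply:-unset}: updates are not installed automatically"
    [ "$apply" = yes ] || [ "$emit" = email ] ||
        echo "WARN: emit_via=${emit:-unset}: pending updates are not mailed to anyone"
    [ -z "$excl" ] || echo "WARN: exclude=$excl: skipped even with upgrade_type=${utype:-unset}"
    case " $(echo "$excl" | tr ',' ' ') " in
        *" kernel"*) echo "WARN: kernel is excluded: schedule kernel updates separately" ;;
    esac
)

# Constructed sample input: the directives shown in this article.
sample_conf() {
    cat <<'EOF'
[commands]
upgrade_type = default
apply_updates = no
[emitters]
emit_via = email
[email]
email_to = firstname.lastname@example.org
[base]
exclude = mariadb*
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_conf "$tmp"; rm -f "$tmp"
```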
2. Cron Jobs
We can automate server scripts by using the command crontab -e. The command allows us to open the cron jobs file and add scheduled tasks. Listed below are some of the most common tasks to schedule.
# Daily full updates (-y answers the confirmation prompt, since cron has no terminal)
0 0 * * * /usr/bin/dnf -y update
# Daily security updates
0 0 * * * /usr/bin/dnf -y update --security
# Daily updates excluding a single package
0 0 * * * /usr/bin/dnf -y -x mariadb update
# Daily executions excluding kernel updates
0 0 * * * /usr/bin/dnf -y update -x kernel -x 'redhat-release*'
# To use along with the previous job: updates the kernel on the 1st day of each month
0 0 1 * * /usr/bin/dnf -y update 'kernel*' 'redhat-release*'
# Daily full updates (-y answers the confirmation prompt, since cron has no terminal)
0 0 * * * /usr/bin/yum -y update
# Daily security updates
0 0 * * * /usr/bin/yum -y update --security
# Daily updates excluding a single package
0 0 * * * /usr/bin/yum -y -x mariadb update
# Daily executions excluding kernel updates
0 0 * * * /usr/bin/yum -y update -x kernel -x 'redhat-release*'
# To use along with the previous job: updates the kernel on the 1st day of each month
0 0 1 * * /usr/bin/yum -y update 'kernel*' 'redhat-release*'
Unix/Linux systems provide users with a great deal of flexibility, and CentOS is no exception. The initial configuration might take a while, but once correctly set up, your system will reach speeds that meet your particular needs and will only update what needs to be updated.