Configure Automatic Updates with yum-cron on CentOS 7
Regularly updating your CentOS system is one of the most important aspects of overall system security. If you don't update your operating system's packages with the latest security patches, you are leaving your machine vulnerable to attacks.
If you manage multiple CentOS machines, manually updating the system packages may be time-consuming. Even if you manage a single CentOS installation, you may sometimes overlook an important update. This is where automatic updates come in handy.
In this tutorial, we will go through the process of configuring automatic updates on CentOS 7. The same instructions apply for CentOS 6.
Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges.
Installing yum-cron Package
The yum-cron package allows you to run the yum command automatically as a cron job to check for, download, and apply updates. Chances are that this package is already installed on your CentOS system. If it is not installed, you can install it by running the following command:
sudo yum install yum-cron
Once the installation is complete, enable and start the service:
sudo systemctl enable yum-cron
sudo systemctl start yum-cron
To verify that the service is running, type the following command:
systemctl status yum-cron
Information about the yum-cron service status will be displayed on the screen:
● yum-cron.service - Run automatic yum updates as a cron job
   Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2019-05-04 21:49:45 UTC; 8min ago
  Process: 2713 ExecStart=/bin/touch /var/lock/subsys/yum-cron (code=exited, status=0/SUCCESS)
 Main PID: 2713 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/yum-cron.service
yum-cron comes with two configuration files that are stored in the /etc/yum directory: the hourly configuration file yum-cron-hourly.conf and the daily configuration file yum-cron.conf. The yum-cron service only controls whether or not the cron jobs will run. The yum-cron utility itself is called by the /etc/cron.hourly/0yum-hourly.cron and /etc/cron.daily/0yum-daily.cron cron files.
By default, the hourly cron is configured to do nothing. If updates are available, the daily cron is set to download them but not install them, and to send messages to stdout. The default configuration is sufficient for critical production systems where you want to receive notifications and do the update manually after testing the updates on test servers.
The configuration file is structured in sections and each section contains comments that describe what each configuration line does.
To edit the yum-cron configuration file, open the file in your text editor:
sudo nano /etc/yum/yum-cron-hourly.conf
In the first section, [commands], you can define the types of packages that you want to be updated, enable messages and downloads, and set whether updates are applied automatically when they are available. By default, update_cmd is set to default, which will update all packages. If you want to set up automatic unattended updates, it is recommended to change the value to security, which tells yum to update only packages that fix a security issue.
In the following example we changed update_cmd to security and enabled unattended updates by setting apply_updates to yes:
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 360
The second section, [emitters], defines how to send messages. To send messages to both stdout and email, change the value of emit_via to stdio,email:
[emitters]
system_name = None
emit_via = stdio,email
output_width = 80
In the [email] section you can set the sender and receiver email addresses. Make sure that you have a tool that can send emails installed on your system, such as mailx or postfix.
[email]
email_from = email@example.com
email_to = firstname.lastname@example.org
email_host = localhost
The [base] section allows you to override the settings defined in the yum.conf file. If you want to exclude specific packages from being updated, you can use the exclude parameter. In the following example, we are excluding the mongodb packages:
[base]
debuglevel = -2
mdpolicy = group:main
exclude = mongodb*
You don't need to restart the yum-cron service for changes to take effect.
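Because the four sections above decide whether a host silently installs packages, who hears about it and what never gets patched, it is worth reviewing the effective policy rather than eyeballing the file. The following Python helper is an added example, not part of the article or of yum-cron: it parses a file in the /etc/yum/yum-cron.conf layout, classifies the [commands] policy and lists review findings. The sample config and the function names are mine; the keys are the ones the sections above use.

```python
import configparser

# Constructed sample in the layout of /etc/yum/yum-cron.conf (trimmed; not from a real host).
SAMPLE_CONF = """\
[commands]
update_cmd = security
download_updates = yes
apply_updates = yes

[emitters]
emit_via = stdio,email

[email]
email_to = firstname.lastname@example.org

[base]
exclude = mongodb*
"""

def load_conf(text):
    """Parse yum-cron's INI-style config; interpolation off so a '%' in a value stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def update_policy(cp):
    """Classify what the [commands] section does when the cron job fires."""
    cmd = cp.get("commands", "update_cmd", fallback="default").strip()
    if cp.getboolean("commands", "apply_updates", fallback=False):
        return "unattended:" + cmd        # installed with no operator present
    if cp.getboolean("commands", "download_updates", fallback=False):
        return "download-only:" + cmd     # staged in the yum cache, not installed
    return "notify-only:" + cmd           # messages only, nothing changes on disk

def findings(cp):
    """Review points a defender would want flagged for this config."""
    out = []
    policy = update_policy(cp)
    emit = {e.strip() for e in cp.get("emitters", "emit_via", fallback="stdio").split(",")}
    if policy == "unattended:default":
        out.append("apply_updates=yes with update_cmd=default installs every update, not only security fixes")
    if policy.startswith("unattended") and "email" not in emit:
        out.append("unattended updates but emit_via has no email: results only reach stdout/cron mail")
    if "email" in emit and not cp.get("email", "email_to", fallback="").strip():
        out.append("emit_via includes email but email_to is empty")
    for pat in cp.get("base", "exclude", fallback="").split():
        out.append("exclude pattern %s never gets automatic updates; patch it manually" % pat)
    return out
```

On a real host, call `findings(load_conf(open("/etc/yum/yum-cron.conf").read()))` and repeat for yum-cron-hourly.conf, since each cron job reads its own file.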
Use grep to check whether the cron jobs associated with yum are executed:
sudo grep yum /var/log/cron
May 4 22:01:01 localhost run-parts(/etc/cron.hourly): starting 0yum-hourly.cron
May 4 22:32:01 localhost run-parts(/etc/cron.daily): starting 0yum-daily.cron
May 4 23:01:01 localhost run-parts(/etc/cron.hourly): starting 0yum-hourly.cron
May 4 23:01:01 localhost run-parts(/etc/cron.hourly): finished 0yum-hourly.cron
The history of the yum updates is logged in the /var/log/yum.log file. You can view the latest updates using the tail command:
sudo tail -f /var/log/yum.log
May 04 23:47:28 Updated: libgomp-4.8.5-36.el7_6.2.x86_64
May 04 23:47:31 Updated: bpftool-3.10.0-957.12.1.el7.x86_64
May 04 23:47:31 Updated: htop-2.2.0-3.el7.x86_64
In this tutorial, you have learned how to configure automatic updates and keep your CentOS system up-to-date.
If you have any questions or feedback, feel free to leave a comment.