YUM – Automating updates

It’s important to make sure your operating system and applications are regularly patched, to ensure the system is kept up-to-date and reduce the chances of it being compromised.

If you run Red Hat Enterprise, Fedora or CentOS (any rpm/yum based distro) you can use yum-updatesd to automate the updates.

It’s probably not running by default, so it will need starting:

service yum-updatesd start

Then make sure it starts again after reboots by running:

chkconfig yum-updatesd on

The main configuration file can be edited by running:

vi /etc/yum/yum-updatesd.conf

First, set how often the daemon will check for updates. You can set this to run as frequently as you need, but let’s set it to check every 24 hours. Values are in seconds, so change the value of the run_interval directive to:

run_interval = 86400

Next, set up email notifications. It can be set to send notifications to the logs or via the message bus, but email is easier and more convenient. Edit the following directives:

# set how to send notifications:
emit_via = email

# set email address to send to:
email_to =

# set email address to send from:
email_from =

Note: There must be a mail service running on the server to be able to send mail from it. If you need one, install the mailx program – it’s usually just a matter of running ‘yum install mailx’.

Next, set it to automatically update any packages, including downloading any dependencies, by setting the next three directives to ‘yes’:

# automatically install updates
do_update = yes

# automatically download updates
do_download = yes

# automatically download deps of updates
do_download_deps = yes

Save the file and restart the yum-updatesd service to load changes:

/etc/init.d/yum-updatesd restart

One important caveat of this approach is that there is no conflict or fault resolution mechanism in this system. And, as it’s automated, you get no say over what is or isn’t installed on the system (beyond any ‘excludes’ inherited from yum.conf), which might cause problems on some systems.

An alternative (and perhaps, safer) approach is to leave the checking and email notification options enabled, but set the automatic download and install options to ‘no’.

Whenever yum-updatesd runs and finds updates are available, it will then send you an email alert, and you can then decide whether or not to update it.
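The two set-ups described above (fully automatic, and notify-only) differ in just three directives, so it is convenient to script the edit rather than hand-editing the file on every server. The script below is an added example, not part of the original post: it sets the run_interval, emit_via, email_to and email_from directives and then applies either the ‘auto’ or the ‘notify’ profile, replacing a directive in place if it already exists and appending it otherwise, so running it twice does not duplicate lines. It also refuses to restart the service if emit_via is email but email_to is empty, the one mistake that silently turns the alerts off. The function names, the CONF override (so it can be tried on a copy of the file first) and the assumption that the values contain no sed metacharacters are all this example’s own; the directive names and values are those from the post.

```shell
#!/bin/sh
# Added example (not from the original post): manage yum-updatesd directives.
# CONF defaults to the real file; override it to test against a copy, e.g.
#   CONF=/tmp/yum-updatesd.conf sh yum-updatesd-profile.sh notify a@b.tld c@b.tld
CONF="${CONF:-/etc/yum/yum-updatesd.conf}"

# set_directive FILE KEY VALUE
# Replace an uncommented "key = ..." line in place, or append one if absent.
# Assumes KEY and VALUE contain no sed metacharacters ('|', '&', '\').
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY
# Print the value of KEY (last uncommented occurrence wins), trailing space trimmed.
get_directive() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# apply_profile FILE MODE EMAIL_TO EMAIL_FROM
# MODE is "auto" (download and install unattended) or "notify" (email only).
apply_profile() {
    file=$1; mode=$2; to=$3; from=$4
    set_directive "$file" run_interval 86400      # check once every 24 hours
    set_directive "$file" emit_via email
    set_directive "$file" email_to "$to"
    set_directive "$file" email_from "$from"
    case $mode in
        auto)   flag=yes ;;
        notify) flag=no ;;
        *) echo "unknown mode: $mode (use auto or notify)" >&2; return 1 ;;
    esac
    set_directive "$file" do_update "$flag"
    set_directive "$file" do_download "$flag"
    set_directive "$file" do_download_deps "$flag"
}

# check_config FILE
# Succeed unless the email emitter is selected without a recipient address.
check_config() {
    [ "$(get_directive "$1" emit_via)" = email ] || return 0
    if [ -z "$(get_directive "$1" email_to)" ]; then
        echo "emit_via = email but email_to is empty; alerts would go nowhere" >&2
        return 1
    fi
}

# Usage: sh yum-updatesd-profile.sh auto|notify <email_to> <email_from>
# Only touches the service when all three arguments are given.
if [ "$#" -eq 3 ]; then
    apply_profile "$CONF" "$1" "$2" "$3" && check_config "$CONF" \
        && /etc/init.d/yum-updatesd restart
fi
```

Because the script only runs the restart when the config check passes, a typo in the recipient address is caught before the service is reloaded with a configuration that would never deliver an alert.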

A typical email (here, notifying of 3 updates) looks something like this:

Hi,
This is the automatic update system on myserver.co.uk.
There are 3 package updates available. Please run the system updater.
Packages available for update:
httpd
mod_ssl
perl
Thank You,
Your Computer

Which option you use depends on your system and particular requirements. If you use generic settings and applications, then there shouldn’t be any issues with automating the updates. But if your code base relies on specific versions and is heavily modified, the ‘notify only’ approach may be your best option.

This entry was posted in Managed Hosting.