Automatic package updates in CentOS 6

Automating package updates in CentOS 6 is a quick process and it ensures that your system receives the latest available security patches, bugfixes and enhancements. Although it’s easy and available right from yum on a normal CentOS 6 system, I still find that many people aren’t aware of it.

Before you enable automatic updates, you’ll want to ensure that you’re excluding certain packages which may be integral to your system. You can either make a list of those packages now or configure the automated updates so that you’re emailed a report of what needs to be installed rather than having those packages installed automatically.

To get started, install yum-cron:

yum -y install yum-cron

By default, it’s configured to download all of the available updates and apply them immediately after downloading. Reports will be emailed to the root user on the system. To change these settings, just open /etc/sysconfig/yum-cron in your favorite text editor and adjust these lines:

# Default - check for updates, download, and apply
CHECK_ONLY=no
DOWNLOAD_ONLY=no
 
# Download the updates and email a report
CHECK_ONLY=no
DOWNLOAD_ONLY=yes
 
# Don't download the updates, just email a report
CHECK_ONLY=yes
DOWNLOAD_ONLY=no

As mentioned earlier, if you want to exclude certain packages from these updates, just edit your /etc/yum.conf and add:

exclude=kernel* mysql*

The cron jobs from the yum-cron package are active immediately after installing the package and there’s no extra configuration necessary. The job will be run when your normal daily cron jobs are set to run.
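An added example, not part of the original post: a small audit helper that reads the two files discussed above and reports which of the three yum-cron modes is in effect and which package globs are held back from updates. The function names are made up for this example, and treating CHECK_ONLY=yes as taking priority when both settings are yes is an assumption.

```bash
# Added example: report how yum-cron is configured on a CentOS 6 host.
# File paths are arguments, so the functions also work on copies of the files.

# Print the last uncommented KEY=value assignment in a file. The yum-cron
# settings file is shell syntax, so a later assignment overrides an earlier one.
# Assumes no spaces around "=", as in the snippets on this page.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[ \t\r]+$/, "", val)
                gsub(/^"|"$/, "", val)         # drop surrounding double quotes
            }
        }
        END { print val }
    ' "$1"
}

# Map CHECK_ONLY / DOWNLOAD_ONLY to the three behaviours described above.
# Assumption: CHECK_ONLY=yes wins if both are set to yes.
yum_cron_mode() {
    local check download
    check=$(conf_get "$1" CHECK_ONLY)
    download=$(conf_get "$1" DOWNLOAD_ONLY)
    if [ "$check" = "yes" ]; then
        echo "report-only"
    elif [ "$download" = "yes" ]; then
        echo "download-and-report"
    else
        echo "download-and-apply"
    fi
}

# Print one line per package glob excluded in yum.conf. These packages are
# not patched automatically and need a manual update process.
yum_excluded() {
    local globs g
    globs=$(conf_get "$1" exclude)
    set -f                                     # keep kernel* from expanding
    for g in $globs; do echo "$g"; done
    set +f
}

# Usage: yum_cron_mode /etc/sysconfig/yum-cron; yum_excluded /etc/yum.conf
```

Anything listed by yum_excluded, such as kernel*, stays unpatched until someone updates it by hand, so it is worth tracking that list alongside the emailed reports.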


6 thoughts on “Automatic package updates in CentOS 6”

  1. linuxgine says:

    And if you want to update and have a report?

  2. Major Hayden says:

    linuxgine — Just go with the defaults. You’ll get updates applied automatically with a report emailed to root.

  3. Martin Barry says:

    Doesn’t the exclusion variable in yum.conf then prevent those from being installed, even with a manual yum run?

    It would also be much nicer to be able to automate security updates but leave less urgent ones to a manual run.

  4. etalas says:

    @Martin Barry:
    The CentOS packages are missing information about the security impact of updates. When you install “yum-plugin-security” you’ll notice that `yum --security check-update` never gives you anything useful. I got a script to reduce the output of (distribution specific) security updates listing tools to a single number (for Zabbix to query) and after some weeks I realized the CentOS hosts _never_ report security updates to install (as opposed to Ubuntu, Debian, Gentoo and Fedora).

    @Major:
    The RSS-feed for your blog (not just comments for single posts) is well hidden, I wasn’t able to find it…

  5. Joe Julian says:

    For excluding packages only from yum-cron but not manual yum, in /etc/sysconfig/yum-cron set
    YUM_PARAMETER="-x foopkg"
    instead.

    @linuxgine
    If you would like the report to go somewhere besides root, in /etc/sysconfig/yum-cron set
    MAILTO="me@mydomain.dom"

  6. Otto says:

    Thank you for this article.
    I did however have quite a problem getting yum-cron to run on CentOS 6.4 until I realized the cron job that actually does the work (/etc/cron.daily/0yum.cron) relies on a flag having been set by the yum-cron _daemon_.
    On my systems, yum-cron would not work until I told this daemon to start at boot, like so:
    chkconfig yum-cron on
    service yum-cron start
