How to enable automatic security updates on CentOS 7 with yum-cron -

If CentOS helps to power your data center, you might be interested in knowing it is possible (and fairly easy) to enable the automatic updating of security updates. This is especially handy if you have a number of CentOS 7 machines and would like this process to happen without you having to set aside precious time each week to make it so.

Why would you do this? Simple: Security updates are critical to keep your servers running smoothly and safely. When security patches arrive, it is in your best interest to apply them as soon as possible. To that end, depending upon a manual process can lead to human error. The last thing you want to is become victim of an exploit ... knowing had you only applied that recent security patch, the breach could have been avoided.

And so, let's take a look at how you can enable automatic security updates on CentOS 7. This will be taken care of, thanks to a small program, called yum-cron. Let's install the application and see how it is used.

Installation

Since yum-cron can be found in the standard repositories, the installation can be done with a simple, single command. Open up a terminal window and issue the following:

sudo yum -y install yum-cron

When that command completes, the tool is ready to be used.

Once installed, start and enable yum-cron with the commands:

sudo systemctl start yum-cron
sudo systemctl enable yum-cron

Usage

As you might have expected, yum-cron is a command line tool that needs to be configured from, you guessed it, the command line. Open up the configuration file with the command:

sudo nano /etc/yum/yum-cron.conf

Within that configuration file, you'll want to change the following line from:

update_cmd = default

update_cmd = security

Next, locate the line:

apply_updates = no

Change that line to:

apply_updates = yes

Now we want to stay informed when updates occur. To do this, locate the line:

emit_via = stdio

Change that line to:

emit_via = email

Below that, you will see the [email] section. Change email_from to the address you want the reports to come from, email_to to the email address you want reports sent and, if necessary, change the email_host to your required email host (Figure A).

Figure A

That's all there is to the configuration. Save and close the file. In order for the changes to take place, you must restart yum-cron with the command:

sudo systemctl restart yum-cron

At this point, yum-cron will take over and start downloading and applying updates on a regular basis.

Beyond the basics

You might have a need to exclude certain packages from being included in the security updates. Say, for instance, you want to hold back kernel upgrades to run them manually. That makes perfect sense, as often a kernel upgrade requires a system reboot (in order for the changes to take effect). With yum-cron you can set up package exclusions. To do that, go back to the /etc/yum/yum-cron.conf file, scroll down to the [base] section. In that section, you will need to add the following line (to exclude kernel upgrades):

exclude = kernel*

Once you've added that line, save and close the file. Once again, restart yum-cron with the command:

sudo systemctl restart yum-cron

Now yum-cron won't include the kernel in the upgrades. You should, however, make sure to schedule regular manual upgrades, to ensure the kernel is up to date.

All you have to do now is wait for the yum-cron reports to grace your inbox.

Keep those systems updated

There are many reasons why updates are released—one of the more important being security patches. If you're not regularly updating your systems, you are vulnerable to who knows what. If you don't have time to constantly be updating and upgrading your CentOS systems, yum-cron has your back.