5

How do I set up my CentOS instances to automatically apply security updates?

Is it as simple as setting up a cron job that does `yum -y update` at 1:00 am?

user1172468

2 Answers

9

This is done with yum-cron. It includes a cron job at /etc/cron.daily/yum.cron which only runs if the yum service (CentOS 5 'extras' repo) or yum-cron service (CentOS 6 'base' repo) is activated:

CentOS 5:

# yum install yum-cron
# chkconfig --level 345 yum on
# service yum start

CentOS 6:

# yum install yum-cron
# chkconfig --level 345 yum-cron on
# service yum-cron start
Jeremy Visser
Tiffany Walker
  • @Tiffany_Walker, hi, I was trying to implement this on CentOS 6 ... but no luck, I get: error reading information on service yum: No such file or directory – user1172468 Feb 08 '13 at 13:53
  • 2
    CentOS 6 has something called yum-cron that needs to be installed – Tiffany Walker Feb 08 '13 at 17:32
  • @TiffanyWalker I’ve edited your answer to incorporate your comment. – Jeremy Visser Sep 11 '13 at 00:42
  • Note if you want to install updates automatically you also need to enable `apply_updates` in `/etc/yum/yum-cron.conf` – grahamparks Dec 12 '14 at 17:44
  • @TiffanyWalker Question: How can we ensure that updates are installed but the CentOS release does not get upgraded from A.X to A.Y or B.X, etc.? We need to ensure CentOS sticks with the same release (i.e. 7.6) for compatibility purposes. I believe excluding kernel patches isn't enough (?) – pmdci Jul 06 '19 at 09:52
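
The `apply_updates` setting mentioned in the comments above decides whether yum-cron installs updates or only fetches and reports them. The following is an added example, not part of the original answer or comments: it audits a yum-cron config file and enables `apply_updates` idempotently. It assumes the CentOS 7 `key = value` layout of `/etc/yum/yum-cron.conf`; the `download_updates` key comes from the stock file rather than this page, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and enable automatic installs in a yum-cron config.
# Assumption: CentOS 7 style file with "key = value" lines under [commands].

# Print the effective value of KEY in FILE (last uncommented assignment wins).
yumcron_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k)
          if (k == key) { v = $2; gsub(/[ \t]/, "", v); val = v } }
        END { print val }' "$1"
}

# Classify what yum-cron will do with this file.
yumcron_mode() {
    if [ "$(yumcron_get "$1" apply_updates)" = "yes" ]; then
        echo "install"
    elif [ "$(yumcron_get "$1" download_updates)" = "yes" ]; then
        echo "download-only"
    else
        echo "notify-only"
    fi
}

# Set apply_updates = yes in place, idempotently, keeping a .bak copy.
yumcron_enable_apply() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if [ "$(yumcron_get "$conf" apply_updates)" = "yes" ]; then return 0; fi
    # Refuse to append blindly: the key must already exist in its section.
    grep -Eq '^[[:space:]]*apply_updates[[:space:]]*=' "$conf" || {
        echo "apply_updates not present in $conf" >&2; return 3; }
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/^[[:space:]]*apply_updates[[:space:]]*=.*/apply_updates = yes/' \
        "$conf.bak" > "$conf"
}

# Constructed sample modelled on a stock file; not copied from a real host.
yumcron_sample() {
    printf '%s\n' '[commands]' '# apply_updates = yes' 'update_messages = yes' \
        'download_updates = yes' 'apply_updates = no' > "$1"
}

tmp=$(mktemp) && yumcron_sample "$tmp"
echo "before: $(yumcron_mode "$tmp")"
yumcron_enable_apply "$tmp"
echo "after:  $(yumcron_mode "$tmp")"
rm -f "$tmp" "$tmp.bak"
```

On a real host the functions would be pointed at `/etc/yum/yum-cron.conf` and run as root; the commented-out line in the sample shows why a plain `grep apply_updates` is not a reliable check.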
0

I have done research about how to update Red Hat/CentOS automatically. Most sources recommend installing yum-cron, but for me, I have tried to just put a cron job in /etc/crontab. This config has done the job for me for a couple of months on many servers, without a single hiccup.

0       1       *       *       sun     root    yum -y update

I also set up an email alias so that when cron mails root@localhost, this mail is forwarded to my personal work email. This way I know exactly which packages were updated in our systems.

As for kernel updates, they're risky, so it's better to do them manually :)

Shâu Shắc