How to enable the automatic updates on CentOS 8 / AlmaLinux / Rocky Linux / RHEL

In today’s world, where vulnerabilities are found daily, it is imperative that you keep your servers updated. If you do not have the time and energy to do it manually, there’s a simple solution from a package called dnf-automatic.

First, we install the dnf-automatic package:

dnf install -y dnf-automatic

Next, we update the configuration to apply the updates automatically.
Edit /etc/dnf/automatic.conf with your favorite editor (vi, nano, etc.) and replace:

apply_updates = no

with

apply_updates = yes

By default, all packages are updated. This can be risky if your application is generally sensitive to updates, so you could set it to apply only the security updates by replacing

upgrade_type = default

with

upgrade_type = security

You can also set up email notifications by filling in the [email] block with your email address and the source address.
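The edits above can also be scripted. The following is an added example, not part of the original article: it changes a key only inside the named section, which matters because email_to appears in both [email] and [command_email]. The function names are hypothetical, the sample file is constructed, and emit_via = email in [emitters] is a dnf-automatic setting the article does not mention.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of dnf-automatic.

# set_ini_key FILE SECTION KEY VALUE: rewrite KEY only inside [SECTION].
# Fails (and leaves FILE untouched) if the key is not found in that section.
set_ini_key() {
    tmp=$(mktemp) || return 1
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
        /^\[.*\]/ { insec = ($1 == sec) }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" { print key " = " val; done = 1; next }
        { print }
        END { exit !done }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_ini_key FILE SECTION KEY: print the value of KEY inside [SECTION].
get_ini_key() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[.*\]/ { insec = ($1 == sec) }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# configure_dnf_automatic FILE EMAIL: the edits described above, plus
# emit_via = email so that reports are actually mailed.
configure_dnf_automatic() {
    set_ini_key "$1" commands apply_updates yes &&
    set_ini_key "$1" commands upgrade_type security &&
    set_ini_key "$1" emitters emit_via email &&
    set_ini_key "$1" email email_to "$2"
}

# Constructed sample resembling /etc/dnf/automatic.conf (not a full copy).
write_sample_conf() {
    cat > "$1" <<'EOF'
[commands]
upgrade_type = default
apply_updates = no
[emitters]
emit_via = stdio
[email]
email_from = root@example.com
email_to = root
[command_email]
email_to = root
EOF
}
```

Try it on a copy of the configuration first, then run configure_dnf_automatic against /etc/dnf/automatic.conf as root with your own address.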

Finally, we need to enable and start the dnf-automatic timer. We do this by running:

systemctl enable --now dnf-automatic.timer

We strongly suggest using this feature, at least for security updates. There are too many compromised hosts that would have been safe had they used dnf-automatic or a similar automatic update tool.

Updating the system is not always enough. The applications also need to be restarted and sometimes the system needs to be rebooted in order to fix kernel bugs.

We have created the following script, which restarts the applications or reboots the system daily if necessary. The script would need to be adapted to the applications you are using, and your applications should be set up to start on boot.

Create /etc/cron.daily/0autoreboot.cron and write inside:

#!/bin/sh
# Install needs-restarting (shipped in yum-utils) if it is missing.
if [ ! -f "/usr/bin/needs-restarting" ]; then
    yum -y install yum-utils
fi

# Do nothing while a yum or dnf transaction is still running.
if [ -f "/var/run/yum.pid" ]; then
    echo "Yum running"
    exit 0
fi

if pgrep dnf >/dev/null; then
    echo "DNF running"
    exit 0
fi

# needs-restarting -r exits non-zero when a full reboot is required.
needs-restarting -r >/dev/null || { reboot; exit 0; }

# List the processes that are still running outdated binaries or libraries.
NEEDS=$(needs-restarting)

# An outdated auditd triggers a reboot; the other services are restarted in place.
echo "$NEEDS" | grep -q auditd && { reboot; exit 0; }
echo "$NEEDS" | grep -q '/usr/sbin/httpd' && { systemctl restart httpd; }
echo "$NEEDS" | grep -q '/usr/sbin/sshd' && { systemctl restart sshd; }
echo "$NEEDS" | grep -q '/usr/sbin/nginx' && { systemctl restart nginx; }
echo "$NEEDS" | grep -q '/usr/sbin/chronyd' && { systemctl restart chronyd; }
echo "$NEEDS" | grep -q '/usr/libexec/postfix/master' && { systemctl restart postfix; }
echo "$NEEDS" | grep -q '/var/run/mariadb/' && { systemctl restart mariadb; }
echo "$NEEDS" | grep -q 'sbin/mydns' && { systemctl restart mydns; }
echo "$NEEDS" | grep -q 'sbin/pdns_server' && { systemctl restart pdns; }
echo "$NEEDS" | grep -q 'php-fpm:' && { systemctl restart php-fpm; }

# Exit cleanly even when the last check found nothing to restart.
exit 0

Run: chmod +x /etc/cron.daily/0autoreboot.cron and you are done.
