I tried to verify yum-cron

Overview

yum-cron is an alternate interface to yum that is optimised to be convenient to call from cron. It provides methods to keep repository metadata up to date, and to check for, download, and apply updates. Rather than accepting many different command line arguments, the different functions of yum-cron can be accessed through config files.

(From man page)

The yum-cron service automatically checks for and downloads package updates

(From the reference link)

On a server that is rarely logged in to, a large number of yum package updates may have accumulated by the time you next log in.

For security reasons it is preferable to keep packages at their latest versions, so I verified the installation of yum-cron.

Environment

CentOS Linux release 7.8.2003 (Core)

Install yum-cron with yum

yum install yum-cron

Confirm that the configuration file has been placed

There are two types of configuration files

The yum-cron service has two configuration files.

  • /etc/yum/yum-cron.conf

For daily tasks.

  • /etc/yum/yum-cron-hourly.conf

For hourly tasks

(From the reference link)

Confirming on the server

The files are in place.

>>> ll /etc/yum/yum-cron*
-rw-r--r--. 1 root root 2565 April 3 2020 /etc/yum/yum-cron-hourly.conf
-rw-r--r--. 1 root root 2603 April 3 2020 /etc/yum/yum-cron.conf

Back up original files

>>> ll /etc/yum/yum-cron*
-rw-r--r--. 1 root root 2565 April 3 2020 /etc/yum/yum-cron-hourly.conf
-rw-r--r--. 1 root root 2565 October 30 18:29 /etc/yum/yum-cron-hourly.conf.org
-rw-r--r--. 1 root root 2603 April 3 2020 /etc/yum/yum-cron.conf
-rw-r--r--. 1 root root 2603 October 30 18:29 /etc/yum/yum-cron.conf.org

Start setting

Enable automatic update installation

To enable automatic installation of downloaded updates ... (omitted) ... Set apply_updates as follows:

apply_updates = yes

(From the reference link)

Check the default settings just in case

The default of the parameter is as follows.

>>> cat /etc/yum/yum-cron-hourly.conf.org | grep apply_updates
apply_updates = no
>>> cat /etc/yum/yum-cron.conf.org | grep apply_updates
apply_updates = no

Set

Hourly jobs are too frequent for my environment, so I enabled automatic updates in the daily configuration file only.

>>> sdiff -sw 50 /etc/yum/yum-cron.conf /etc/yum/yum-cron.conf.org 
#apply_updates = no   |	apply_updates = no
apply_updates = yes   <

Supplement of other setting items

Here are some items that seem to be important.

update_cmd

Specifies the update conditions. The further down an option is in the list below, the stricter the condition (= updates are applied less often).

When introducing yum-cron into a production environment, it may be safer to make the condition as strict as possible. Since this is only a verification, I left it at the default.

/etc/yum/yum-cron.conf


#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = default

system_name

The system name used when sending messages. The default (the host name) is fine, so I left it as it is.

/etc/yum/yum-cron.conf


# Name to use for this system in messages that are emitted.  If
# system_name is None, the hostname will be used.
system_name = None

emit_via

Whether messages are sent by email or to standard output. Standard output is fine, so I left it as it is.

If you select email, check the parameters in the [email] section.

/etc/yum/yum-cron.conf


# How to send messages.  Valid options are stdio and email.  If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages.  If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio

debuglevel

The debug level. The default is fine, so I left it as it is.

/etc/yum/yum-cron.conf


# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2
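
An added example (not from the original post or the yum-cron project): a small shell audit of the settings covered above. It reads apply_updates, update_cmd and emit_via from a yum-cron configuration file and reports when updates are installed unattended with the broad default scope or with no notification at all. The function names, finding labels and sample file are constructed for illustration; the [commands] and [emitters] section names are those of the stock CentOS 7 file.

```shell
#!/bin/sh
# Added example: audit the yum-cron settings discussed on this page.

# conf_get FILE SECTION KEY: print the last uncommented value of KEY in [SECTION].
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }              # "#apply_updates = no" is ignored
        /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        sec == want && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_yum_cron FILE: print the findings (hypothetical labels) on one line.
audit_yum_cron() {
    apply=$(conf_get "$1" commands apply_updates | tr 'A-Z' 'a-z')
    cmd=$(conf_get "$1" commands update_cmd)
    emit=$(conf_get "$1" emitters emit_via | tr 'A-Z' 'a-z')
    findings=""
    case "$apply" in
        yes|true|1|on)
            # Unattended installs: the scope and the notification path matter.
            if [ "${cmd:-default}" = default ]; then
                findings="$findings broad-update-scope"
            fi
            case "$emit" in
                ""|none) findings="$findings no-notification" ;;
            esac ;;
        *)  findings="$findings updates-not-applied" ;;
    esac
    echo "${findings# }"
}

# Constructed sample mirroring the edits made above (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
update_cmd = default
#apply_updates = no
apply_updates = yes
[emitters]
emit_via = stdio
EOF
echo "findings: $(audit_yum_cron "$sample")"
rm -f "$sample"
```

Run audit_yum_cron against /etc/yum/yum-cron.conf after editing it; an empty result means none of the three conditions was found.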

Enable or disable individual repositories

yum-cron does not support certain repository settings. To enable or disable individual repositories with yum-cron instead of yum, follow these steps:

... (omitted)

(From the reference link)

I took no action here, because nothing needs to be specified per repository this time.

Testing yum-cron settings

Check the operation.

Add the following to the configuration file (/etc/yum/yum-cron.conf).

By default the file contains random_sleep = 360, so comment that line out.

random_sleep = 0

Save the settings and run yum-cron

yum-cron /etc/yum/yum-cron.conf

Result

The package was updated.

>>> yum-cron /etc/yum/yum-cron.conf
warning: nginx-1:1.18.0-2.el7.ngx.x86_64: Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: NOKEY
The following updates will be applied on ******:
================================================================================
 Package       Arch           Version                       Repository    Size
================================================================================
Update:
 nginx         x86_64         1:1.18.0-2.el7.ngx            nginx         769 k

Transaction summary
================================================================================
Update 1 package
The updates were successfully applied

Conclusion

If the update scope (≈ the scope of impact) is narrowed down appropriately, yum-cron can be considered a convenient tool. I plan to send the standard output to Slack so that I know which updates were applied on which server.

Reference material

- [9.7. Automatic update of package database using YUM-CRON and download of update](https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-Automatically_refreshing_the_package_database_and_download_updates#sec-Setting_up_optional_email_notifications)
