yum-cron is an alternate interface to yum that is optimised to be convenient to call from cron. It provides methods to keep repository metadata up to date, and to check for, download, and apply updates. Rather than accepting many different command line arguments, the different functions of yum-cron can be accessed through config files.
(From man page)
The yum-cron service automatically checks for and downloads package updates. (From the reference link)
On a server that is rarely logged in to, a large number of yum package updates may have accumulated by the time you log in after a long interval.
For security reasons, it is preferable to install the latest packages, so we verified the installation of yum-cron.
CentOS Linux release 7.8.2003 (Core)
yum install yum-cron
The yum-cron service has two configuration files.
/etc/yum/yum-cron.conf
For daily tasks.
/etc/yum/yum-cron-hourly.conf
For hourly tasks.
(From the reference link)
Both files are in place.
>>> ll /etc/yum/yum-cron*
-rw-r--r--. 1 root root 2565 April 3 2020 /etc/yum/yum-cron-hourly.conf
-rw-r--r--. 1 root root 2603 April 3 2020 /etc/yum/yum-cron.conf
>>> ll /etc/yum/yum-cron*
-rw-r--r--. 1 root root 2565 April 3 2020 /etc/yum/yum-cron-hourly.conf
-rw-r--r--. 1 root root 2565 October 30 18:29 /etc/yum/yum-cron-hourly.conf.org
-rw-r--r--. 1 root root 2603 April 3 2020 /etc/yum/yum-cron.conf
-rw-r--r--. 1 root root 2603 October 30 18:29 /etc/yum/yum-cron.conf.org
To enable automatic installation of downloaded updates ... (omitted) ... Set `apply_updates` as follows:
apply_updates = yes
(From the reference link)
The default value of the parameter is as follows.
>>> cat /etc/yum/yum-cron-hourly.conf.org | grep apply_updates
apply_updates = no
>>> cat /etc/yum/yum-cron.conf.org | grep apply_updates
apply_updates = no
Since hourly jobs are too frequent in my environment, I set them to start daily.
>>> sdiff -sw 50 /etc/yum/yum-cron.conf /etc/yum/yum-cron.conf.org
#apply_updates = no | apply_updates = no
apply_updates = yes <
Here are some items that seem to be important.
update_cmd
Specify the update conditions. The lower an option appears in the list below, the stricter the requirements (= the job execution frequency becomes smaller).
When introducing it into a production environment, it may be safer to make it as strict as possible. This time it is a verification, so leave it as it is.
/etc/yum/yum-cron.conf
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = default
system_name
System name when sending a message. There is no problem with the default host name, so leave it as it is.
/etc/yum/yum-cron.conf
# Name to use for this system in messages that are emitted. If
# system_name is None, the hostname will be used.
system_name = None
emit_via
Whether to notify the message by email or standard output. There is no problem with standard output, so leave it as it is.
If you select `email`, check the parameters of the `[email]` directive.
/etc/yum/yum-cron.conf
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
debuglevel
Debug level. There is no problem by default, so leave it as it is.
/etc/yum/yum-cron.conf
# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2
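The settings walked through above can be checked mechanically on each server. The following added example (not code from the original post or from yum-cron) parses a yum-cron.conf and flags the combination the text cautions about for production; the function name, the sample file content and the fallbacks for missing keys are assumptions of this example.

```python
import configparser

# Constructed sample: /etc/yum/yum-cron.conf after the edit shown above.
# Section names ([commands], [emitters], [base]) follow the stock CentOS 7 file.
SAMPLE_CONF = """\
[commands]
update_cmd = default
#apply_updates = no
apply_updates = yes
random_sleep = 360

[emitters]
system_name = None
emit_via = stdio

[base]
debuglevel = -2
"""

# Values listed in the file's own comment block for update_cmd.
UPDATE_CMDS = ("default", "security", "security-severity:Critical", "minimal",
               "minimal-security", "minimal-security-severity:Critical")


def audit_yum_cron(conf_text):
    """Return (effective settings, findings) for one yum-cron config file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    # Missing keys fall back to the stock file's values (assumption of this example).
    eff = {
        "update_cmd": cp.get("commands", "update_cmd", fallback="default").strip(),
        "apply_updates": cp.getboolean("commands", "apply_updates", fallback=False),
        "emit_via": cp.get("emitters", "emit_via", fallback="stdio").strip(),
    }
    findings = []
    if eff["update_cmd"] not in UPDATE_CMDS:
        findings.append("update_cmd %r is not a documented value" % eff["update_cmd"])
    if eff["apply_updates"] and eff["update_cmd"] == "default":
        findings.append("apply_updates = yes with update_cmd = default: "
                        "all available updates are installed unattended")
    if eff["apply_updates"] and eff["emit_via"] in ("", "None"):
        findings.append("updates are applied but emit_via sends no messages")
    return eff, findings


if __name__ == "__main__":
    settings, problems = audit_yum_cron(SAMPLE_CONF)
    print(settings)
    for problem in problems:
        print("FINDING:", problem)
```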
yum-cron does not support certain repository settings. To enable or disable individual repositories with yum-cron instead of yum, follow these steps: ... (omitted)
(From the reference link)
This does not apply here, since no individual repositories are specified this time.
Check the operation.
By default, random_sleep = 360 is set, so comment it out.
random_sleep = 0
Running yum-cron /etc/yum/yum-cron.conf applied the update.
>>> yum-cron /etc/yum/yum-cron.conf
warning: nginx-1:1.18.0-2.el7.ngx.x86_64:Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: NOKEY
The following updates will be applied on ******:
================================================================================
Package architecture
Version repository capacity
================================================================================
Update:
nginx x86_64 1:1.18.0-2.el7.ngx nginx 769 k
Transaction summary
================================================================================
Update 1 package
The updates were successfully applied
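The NOKEY warning in the output above is rpm reporting that the public key for that package's signature was not in its keyring. Since apply_updates = yes installs without anyone reviewing such warnings, the following added example (not from the original post; the repository ids, URLs and function name are constructed) lists enabled repositories whose packages would be installed without signature verification.

```python
import configparser

# Constructed samples: a [main] section as in /etc/yum.conf and two repository
# definitions as found under /etc/yum.repos.d/. "example-nginx" and its URL
# are placeholders, not the repository used in the post.
YUM_CONF = "[main]\ngpgcheck=1\n"
REPO_FILES = """\
[base]
name=CentOS-$releasever - Base
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[example-nginx]
name=example nginx repo
baseurl=https://repo.example.invalid/centos/7/$basearch/
enabled=1
gpgcheck=0
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def unsigned_repos(yum_conf_text, repo_text):
    """Return {repo_id: reason} for enabled repos that do not enforce signatures."""
    # A missing [main] gpgcheck is treated as "off" (conservative assumption).
    default = _parse(yum_conf_text).get("main", "gpgcheck", fallback="0")
    flagged = {}
    repos = _parse(repo_text)
    for repo_id in repos.sections():
        sec = repos[repo_id]
        if sec.get("enabled", "1").strip().lower() in ("0", "false", "no"):
            continue  # disabled repositories are never used by yum-cron
        if sec.get("gpgcheck", default).strip().lower() not in ("1", "true", "yes"):
            flagged[repo_id] = "gpgcheck is off"
        elif not sec.get("gpgkey", "").strip():
            flagged[repo_id] = "gpgcheck is on but no gpgkey is set"
    return flagged


if __name__ == "__main__":
    for repo, reason in unsigned_repos(YUM_CONF, REPO_FILES).items():
        print("%s: %s" % (repo, reason))
```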
If the update range (≈ range of influence) is narrowed down appropriately, it can be considered as a convenient tool. I plan to send standard output to Slack to let me know what kind of update was done on which server.
- [9.7. Automatic update of package database using YUM-CRON and download of update](https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-Automatically_refreshing_the_package_database_and_download_updates#sec-Setting_up_optional_email_notifications)