9 Using the yum-cron Interface to Automatically Keep Your System Up To Date

As an alternative to manually running the yum update command to keep your system up to date with the latest security patches and bug fixes, you can use the yum-cron interface, which is provided as an additional package in Oracle Linux. The interface is used to provide automatic notifications of updates and also to download updates, which can then be installed automatically by using crontab.

To get started, install the yum-cron package from the ol7_latest repository. Then, enable and start the service so that it checks for updates daily:

sudo yum install yum-cron
sudo systemctl enable --now yum-cron.service

To customize the behavior of the yum-cron interface, edit /etc/yum/yum-cron.conf. You can create alternate configuration files that can be invoked on different schedules, depending on your requirements. Oracle Linux also includes an alternate configuration file at /etc/yum/yum-cron-hourly.conf. By default, when yum-cron runs, it loads its configuration from /etc/yum/yum-cron.conf unless an alternate configuration file is passed as an argument when it is run.

Oracle Linux creates two crontab entries, by default, when yum-cron is installed. These are located in /etc/cron.daily/0yum-daily.cron and /etc/cron.hourly/0yum-hourly.cron. The daily crontab entry runs yum-cron using the default configuration in /etc/yum/yum-cron.conf. The hourly crontab entry invokes yum-cron to run with the alternate configuration at /etc/yum/yum-cron-hourly.conf. By creating multiple configuration files and crontab entries, you can control how often different yum update operations are performed. For instance, you may wish to update yum repository metadata on an hourly schedule, while applying critical security updates on a daily schedule. You could also create a configuration to apply all remaining updates on a weekly or monthly schedule.

Configuration files allow you to configure different parameters to control the kinds of updates that are managed by yum-cron; whether updates are applied or only downloaded; and how to provide notification of updates. The default configuration files are commented to provide explanations for each setting. The following settings are notable:

  • update_cmd

    This option controls the types of updates that are either downloaded or applied by yum-cron. The following options are available:

    default

    Fetch all updates.

    security

    Fetch only security updates.

    security-severity:Critical

    Fetch only security updates marked with "Critical" severity.

    minimal

    Fetch package errata version updates only.

    minimal-security

    Fetch package errata versions marked as security updates only.

    minimal-security-severity:Critical

    Fetch package errata versions marked as security updates with "Critical" severity.

    For mission-critical systems that require a scheduled downtime to apply updates, you can direct yum-cron to only install minimal security updates by specifying the Critical severity, for example:

    update_cmd = minimal-security-severity:Critical

    Consider also using Oracle Ksplice if you wish to minimize scheduled downtime for kernel patches and updates. See About Ksplice in Oracle Linux: Ksplice User's Guide for more information.

  • apply_updates

    By default, the yum-cron interface downloads updates when the download_updates setting is specified. However, it does not apply them. You can change this behaviour by modifying the apply_updates setting as follows:

    apply_updates = yes

  • exclude

    To avoid updating specific packages, use a wildcard with the exclude setting. For example, to exclude kernel updates set this value as follows:

    exclude = kernel*

  • update_messages

    To control whether you receive notifications of new updates, you can set this value as follows:

    update_messages = yes

  • emit_via

    By default, yum-cron is configured to output notifications to stdio, which means that messages are printed into /var/log/cron. You can disable notifications by setting this value to None or by leaving it empty. If you wish to receive email notifications, you can set this value to email, but you must also configure the [email] settings later in the configuration.

  • [email]

    yum-cron can provide email notifications for software updates using SMTP. You can enable this by setting the emit_via configuration value. The configuration includes a section where you can specify email parameters including the From and To addresses used in the email notification, and the SMTP server that yum-cron should use to send the mail. For example, you could configure this as follows:

    [email]
    email_from = server@example.com
    email_to = admin@example.com
    email_host = smtp.example.com

For more information about yum-cron, refer to the yum-cron(8) manual page and to the comments within the default configuration file.
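
The settings above interact: the stock configuration file notes that download_updates must also be yes for apply_updates to take effect, emit_via = email depends on the [email] values, and an exclude pattern can hold back kernel fixes. The following audit script is an added example, not part of yum-cron or of Oracle's documentation; the sample file is constructed, the section names other than [email] are assumed from the stock file layout, and absent settings are treated as described in the comments.

```python
import configparser
from fnmatch import fnmatchcase

# update_cmd values listed in this section
UPDATE_CMDS = {"default", "security", "security-severity:Critical", "minimal",
               "minimal-security", "minimal-security-severity:Critical"}

# Constructed sample with three deliberate mistakes (not a shipped file)
SAMPLE = """\
[commands]
update_cmd = minimal-security-severity:Critical
download_updates = no
apply_updates = yes
[emitters]
emit_via = email
[email]
email_from = server@example.com
email_to = admin@example.com
email_host =
[base]
exclude = kernel*
"""

def audit_yum_cron(text):
    """Return a list of findings for one yum-cron configuration file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    # Flatten sections so the checks do not depend on the section layout.
    opts = {k: v.strip() for s in cp.sections() for k, v in cp[s].items()}
    # Assumption of this example: an absent boolean counts as "no".
    yes = lambda key: opts.get(key, "no").lower() in ("yes", "true", "1")
    words = lambda key, dflt="": opts.get(key, dflt).replace(",", " ").split()
    out = []
    cmd = opts.get("update_cmd", "default")
    if cmd not in UPDATE_CMDS:
        out.append(f"update_cmd: unknown value {cmd!r}")
    if yes("apply_updates") and not yes("download_updates"):
        out.append("apply_updates: download_updates is off, nothing to apply")
    # Assumption of this example: an absent emit_via counts as stdio.
    emit = [e.lower() for e in words("emit_via", "stdio")]
    if emit in ([], ["none"]) and yes("apply_updates"):
        out.append("emit_via: unattended updates with notifications disabled")
    if "email" in emit:
        out += [f"{k}: empty, but emit_via includes email"
                for k in ("email_from", "email_to", "email_host") if not opts.get(k)]
    out += [f"exclude: {p!r} holds back kernel packages"
            for p in words("exclude") if fnmatchcase("kernel", p)]
    return out

if __name__ == "__main__":
    print("\n".join(audit_yum_cron(SAMPLE)))
```

Run the function against each configuration file that a crontab entry passes to yum-cron, for example both /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf.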