Nowadays it is crucial to apply updates as soon as they are released, in order to protect against attacks that exploit recently discovered security vulnerabilities. Automatic updating of a server lets security fixes be applied as soon as they come out. We will see how to configure this feature on a CentOS 7 server.
Installing the service
We start by installing the service that will take care of the automatic updates.
sudo yum -y install yum-cron
Configuring the service
The configuration file to edit is /etc/yum/yum-cron.conf.
The first parameter selects the kind of update to perform automatically. By default a yum upgrade is run, but you can choose to apply only the security updates considered critical if you do not want to risk the stability of your system by systematically updating every package.
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix upgrade-minimal
# minimal-security = yum --security upgrade-minimal
# minimal-security-severity:Critical = --sec-severity=Critical upgrade-minimal
update_cmd = default
You can then choose whether a message should be written to the log when an update is available, has been downloaded or has been applied.
# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes
Next, you need to allow packages to be downloaded when they are available.
# Whether updates should be downloaded when they are available.
download_updates = yes
Unlike the previous parameters, automatic updating is not enabled by default. If you want the downloaded updates to be applied automatically, set the parameter below to "yes".
# Whether updates should be applied when they are available. Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes
The next parameter is quite interesting. If you have several systems to update automatically, it would not be desirable to run these updates at exactly the same time. The random_sleep parameter lets you specify a random waiting time before the check for updates is triggered. This time is expressed in minutes.
# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = 360
In my opinion the first is the most interesting: while on RHEL/CentOS 6 we were unable to choose which kind of update to perform automatically, we have plenty of options in RHEL/CentOS 7.
As you can see, the default is to upgrade all your packages, the same you would obtain with the command yum upgrade, but there are also other options: you can now decide to do only security upgrades, or even only the most critical security ones, which adds a lot of flexibility.
As an example, you can now do full upgrades on your development machines and just the minimum needed to stay secure on your production servers; this makes sense and it's good to finally be able to specify this.
How to get an output of the results
There are two settings you can tweak to get feedback from this procedure:
1) The first option is to send messages to standard output or via email with the option emit_via
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
2) If you choose to send the output via email, you have some options available to set the most common email parameters:
[email]
# The address to send email messages from.
email_from = root@localhost
# List of addresses to send messages to.
email_to =
# Name of the host to connect to to send email messages.
email_host = localhost
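As an added example (not part of the original post), the settings discussed above applied from a script, so the same policy can be pushed to many servers; harden_yum_cron, set_opt and get_opt are hypothetical helper names and the file path defaults to /etc/yum/yum-cron.conf.

```shell
#!/bin/sh
# Added example: set the yum-cron options from a script instead of editing by hand.
# Helper names are hypothetical; pass a copy of the file as $1 to try it safely.

# set_opt FILE KEY VALUE: rewrite the first uncommented "KEY = ..." line in place.
# The stock yum-cron.conf already contains every key, so a missing key is an
# error rather than an append (appending would land it in the wrong [section]).
set_opt() {
  file=$1; key=$2; val=$3
  if grep -q "^${key} *=" "$file"; then
    sed -i "s|^${key} *=.*|${key} = ${val}|" "$file"
  else
    echo "set_opt: ${key} not found in ${file}" >&2
    return 1
  fi
}

# get_opt FILE KEY: print the value of the first uncommented "KEY = ..." line.
get_opt() {
  sed -n "s/^$2 *= *//p" "$1" | head -n 1
}

# Policy for a production host: security updates only, downloaded and applied,
# checks staggered by up to 6 hours, results on stdout so cron mails them.
# Returns non-zero if any key could not be set.
harden_yum_cron() {
  conf=${1:-/etc/yum/yum-cron.conf} rc=0
  for kv in update_cmd=security update_messages=yes download_updates=yes \
            apply_updates=yes random_sleep=360 emit_via=stdio; do
    set_opt "$conf" "${kv%%=*}" "${kv#*=}" || rc=1
  done
  # Caveat: update_cmd = security only selects packages whose repository
  # publishes security advisory metadata; check with: yum updateinfo summary
  return $rc
}

# Only touch the real file when explicitly asked: YUM_CRON_APPLY=yes ./harden.sh
if [ "${YUM_CRON_APPLY:-no}" = yes ]; then
  harden_yum_cron
fi
```

The cron job reads yum-cron.conf on every run, so no service restart is needed after changing it.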
Verify that the service is running
Once installed, the service should be enabled by default, but to be sure you can verify it with the command systemctl status yum-cron.service, which should give an output similar to this one:
sudo systemctl status yum-cron.service
yum-cron.service - Run automatic yum updates as a cron job
Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled)
Active: active (exited) since sab 2014-08-09 00:37:16 CEST; 16h ago
Process: 830 ExecStart=/bin/touch /var/lock/subsys/yum-cron (code=exited, status=0/SUCCESS)
Main PID: 830 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/yum-cron.service
If you see that the service is stopped, you can start it with the command
sudo systemctl start yum-cron.service
Conclusions
By default this package is not present, so unless you have a tight schedule and take care of updating your servers yourself, I strongly suggest installing and enabling it, and keeping the "widest" upgrade option that should not break your services.
As an example, I have a server with Apache and PHP; I know the application and everything is installed from the repositories, so I'm "quite" sure that a full upgrade of the system will not break anything, and so I have chosen to keep the default option and upgrade all the packages.
On the other hand, on systems where I don't know the applications well, or where something is installed from source, I'd keep the automatic upgrades for security updates only.