As part of your server hardening process, you need to make sure that your operating system is always up to date. Linux distros like CentOS 7 are constantly making changes, and patching security holes. Moreover, each update is flagged with an indicator that shows the kind of update it is. For example, we have regular updates, security updates, critical security updates, bug fix updates, and so on and so forth.
In this tutorial, we’ll look at the following steps:
- How to manually update CentOS;
- How to Automatically update CentOS 7.
Manual CentOS 7 Updates
The package manager for Red Hat Enterprise Linux (RHEL) systems like CentOS is yum. Updating the server OS with yum is super easy. Just type the following command into your CLI with the proper permissions:
This will generate an output like this if there’s any update pending:
In the example above, I had an earlier version of CentOS 7 and the system updated it automatically with a 225 MB download. As you can see, it doesn’t get any easier. Here’s the screen after the update is complete:
You can also choose to use “yum upgrade” instead of “yum update”. They’re almost the same. The difference is that “update” will keep obsolete packages, while “upgrade” will remove them.
Automatic CentOS 7 Updates
Making the leap from manual updates to automatic can involve messy cron job configurations, which is why it’s much easier to install a package that does the work for you and allows you to make modifications in a configuration file. Luckily, we have a great package called “yum-cron” that does this for us. First, check whether it’s already installed via:
rpm -q yum-cron
If it isn’t, use yum to install it via this command:
yum install yum-cron
Yum-cron is a package that takes care of the heavy lifting for you. It allows you to precisely control the kind of automatic updates you want.
Ensuring that yum-cron Runs Automatically
To make sure that the package is running, enter the following commands:
systemctl enable yum-cron
systemctl start yum-cron
systemctl status yum-cron
This will initiate yum-cron and ensure that it’s running:
You can see that the service was “dead” before. After the commands, it now shows as active in green.
The configurations for yum-cron are located in this file:
Opening it in a text editor allows you to make the following modifications:
Kind of Updates you want Installed:
Opening up /etc/yum/yum-cron.conf, you can see that the first variable is called “update_cmd”. The default is to run the “yum upgrade” command, which is what we did in the initial manual update. However, many people might have version-sensitive software running, and don’t want the OS to be upgraded in its entirety. In that case, there are a variety of options. The file is well documented, and you can choose from the following updates:
These are all self-explanatory, and setting the “update_cmd” variable in the above file will update CentOS 7 with the appropriate parameters.
Schedule of Updates:
The updates will run once daily. Previous versions of “yum-cron” had a feature where you could set the exact day of the week when you want updates to run. There was a file called “/etc/sysconfig/yum-cron” that held detailed configurations for this. However, they removed this functionality for some reason, and now we’re left with only daily updates.
However, you have some leeway. There is a variable called “random_sleep”. If set to a number, the program will sleep for a random amount of time, up to the number of minutes specified in the variable, before it runs. This is more useful for multiple systems that need to stagger their update process, rather than a single machine.
The configuration file has a number of other options such as whether or not you want the updates to be applied automatically, e-mail settings etc. Each system will have a different set of requirements, and you can use the options to craft an upgrade program that is uniquely suited to your server.
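To check what a given configuration will actually do, the script below reads the “update_cmd”, “apply_updates” and “random_sleep” settings and flags a setup that only downloads updates without installing them. It is an added example, not part of the original tutorial or of yum-cron itself; the helper names conf_get and audit_yum_cron are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit a yum-cron configuration for the settings that decide
# whether updates are really installed. The sample file below is constructed.

# conf_get FILE KEY -> prints the value of an uncommented "KEY = value" line
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_yum_cron FILE -> prints findings, returns the number of WARN lines
audit_yum_cron() {
    conf=$1; warns=0
    cmd=$(conf_get "$conf" update_cmd)
    apply=$(conf_get "$conf" apply_updates)
    sleep_max=$(conf_get "$conf" random_sleep)
    echo "INFO update_cmd=${cmd:-unset}"
    if [ "$apply" != "yes" ]; then
        echo "WARN apply_updates=${apply:-unset}: updates are not installed automatically"
        warns=$((warns + 1))
    fi
    case "$sleep_max" in
        ''|*[!0-9]*) echo "WARN random_sleep is missing or not a number"
                     warns=$((warns + 1)) ;;
        0) echo "INFO random_sleep=0: no extra delay before the run" ;;
        *) echo "INFO random_sleep=$sleep_max: start delayed by up to $sleep_max minutes" ;;
    esac
    return "$warns"
}

# Constructed sample configuration (not copied from a real host)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[commands]
update_cmd = default
download_updates = yes
apply_updates = no
random_sleep = 360
EOF

audit_yum_cron "${1:-$sample}" || echo "findings above need attention"
```

Pass a path such as /etc/yum/yum-cron.conf as the first argument to audit a real host instead of the sample.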