In enterprises, automating the systematic updating of your RHEL systems is very important. You want to stay ahead of hackers or, in general, people trying to hurt you by exploiting the weaknesses in your environment.
Although I do not recommend applying this recipe to all systems in an enterprise, this is quite useful to ensure that certain systems are kept up to date as the patches and bugfixes are applied to the RPMs in Red Hat's (and other) repositories.
For this recipe to work, you'll need to be sure that the repositories you are using are set up correctly and that you have a valid mail setup (using Postfix or Sendmail, for example).
We'll set up yum to autoupdate your system once a week (at 03:00) and reboot if necessary through the following steps:
Install the yum-cron package:
~]# yum install -y yum-cron
Empty the hourly and daily yum-cron jobs so that they no longer do anything:
~]# echo > /etc/cron.hourly/0yum-hourly.cron
~]# echo > /etc/cron.daily/0yum-daily.cron
Copy the default configuration to a separate file for the weekly job:
~]# cp /etc/yum/yum-cron.conf /etc/yum/yum-cron-weekly.conf
In /etc/yum/yum-cron-weekly.conf, set the following values:
apply_updates = yes
emit_via = email
email_to = <your email address>
Create /etc/cron.weekly/yum-weekly.cron with the following contents:
#!/bin/bash

# Only run if this flag is set. The flag is created by the yum-cron init
# script when the service is started -- this allows one to use chkconfig and
# the standard "service stop|start" commands to enable or disable yum-cron.
if [[ ! -f /var/lock/subsys/yum-cron ]]; then
  exit 0
fi

# Action! Run without exec so that the reboot check below still executes.
/usr/sbin/yum-cron /etc/yum/yum-cron-weekly.conf

# Reboot if the last yum transaction touched a kernel package.
if test "$(yum history info | egrep '\skernel' | wc -l)" != "0"; then
  /sbin/shutdown --reboot +5 "Kernel has been upgraded, rebooting the server in 5 minutes. Please save your work."
fi
Make the script executable:
~]# chmod +x /etc/cron.weekly/yum-weekly.cron
By default, yum-cron sets up a cron job that is run every hour (/etc/cron.hourly/0yum-hourly.cron) and every day (/etc/cron.daily/0yum-daily.cron).
This recipe will upgrade all your packages when there's an update available. If you just want to apply security fixes, modify the update_cmd value of your yum cron configuration file in the following way:
update_cmd = security
Alternatively, you can even use the following configuration if you only want critical fixes:
update_cmd = security-severity:Critical
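A check for the settings above, added here as an example and not taken from the recipe: it reads a yum-cron configuration file and reports where apply_updates, emit_via, email_to or update_cmd differ from the values this recipe uses. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the recipe; function names are illustrative.

# Print the effective value of key $2 in file $1 (comments skipped, last one wins).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_yum_cron_conf() {
    findings=0
    v=$(conf_get "$1" apply_updates)
    [ "$v" = yes ] || { echo "apply_updates = '$v': updates will not be installed"; findings=$((findings + 1)); }
    v=$(conf_get "$1" emit_via)
    case $v in
        *email*) ;;
        *) echo "emit_via = '$v': no mail report will be sent"; findings=$((findings + 1)) ;;
    esac
    v=$(conf_get "$1" email_to)
    case $v in
        ''|*'<'*) echo "email_to is empty or still a placeholder"; findings=$((findings + 1)) ;;
    esac
    v=$(conf_get "$1" update_cmd)
    case $v in
        default|security|security-severity:Critical) ;;
        *) echo "update_cmd = '$v': not a value used in this recipe"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: updates disabled and the mail settings never edited.
sample_conf() {
    printf '%s\n' '[commands]' 'update_cmd = security' '# apply_updates = yes' \
        'apply_updates = no' '[emitters]' 'emit_via = stdio' \
        '[email]' 'email_to = <your email address>'
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_yum_cron_conf "$tmp" || echo "$? finding(s) in sample configuration"
rm -f "$tmp"
```

Pointed at /etc/yum/yum-cron-weekly.conf after editing, a return status of 0 means the file matches the recipe.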