Automatic updates are highly recommended. Configuring your systems to update their packages automatically improves stability, performance, and most importantly the security of those systems. The unfortunate nature of software development is that exploits can be discovered or bugs found after release. Updates allow developers to correct these bugs and close exploits, which is why they are highly recommended. Setting up automatic updates means the system will update periodically and not need you to check for and install updates manually, ensuring you are kept up to date during an OS’s life-cycle.
Automatic updates on CentOS via yum-cron
On CentOS one of the easiest ways to enable automatic updates is via the yum-cron package. Install this package with the following command.
yum -y install yum-cron
You should also start the service and enable it to start on boot as well. You can do so with the following.
systemctl start yum-cron systemctl enable yum-cron
You can also configure yum-cron by editing the configuration file. It should be located at etc/yum/yum-cron.conf. The main option to look at in this file is the update_cmd value. Recommended settings are default, which essentially runs ‘yum upgrade’, or security, which essentially runs ‘yum -security upgrade’ when the automation runs. On an initial install, the value should be the default.
You should also make sure download_updates and apply_updates are set to ‘yes’. This ensures the packages discovered by the yum command specified in the update_cmd field are both downloaded from the repo and applied to the server.
You can also exclude packages from automated updates, which may be useful if you need to freeze at a specific version for compatibility reasons. This is not recommended and steps should be taken to allow updated packages to be installed, but in the meantime, you can exclude packages by adding them to the exclude line in the yum-cron.conf configuration file. If multiple packages should be excluded separately them with space. An example showing Apache and MySQL excluded is provided below.
exclude = mysql* httpd*
If you make any changes to the configuration file, make sure to restart the service so that the new configuration is applied.
systemctl restart yum-cron