How to Install Yum-cron – Security Updates Automatically in CentOS 7

Installing Yum-cron Utility in CentOS 7

To install "yum-cron" run the following command,

yum install yum-cron

Output:

[root@vps ~]# yum install yum-cron
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.hostduplex.com
 * extras: mirror.sfo12.us.leaseweb.net
 * updates: mirror.hostduplex.com
base                                                     | 3.6 kB     00:00
extras                                                   | 2.9 kB     00:00
updates                                                  | 2.9 kB     00:00
(1/4): base/7/x86_64/group_gz                              | 165 kB   00:00
(2/4): extras/7/x86_64/primary_db                          | 164 kB   00:00
(3/4): updates/7/x86_64/primary_db                         | 7.5 MB   00:00
(4/4): base/7/x86_64/primary_db                            | 6.0 MB   00:00
Resolving Dependencies
--> Running transaction check
---> Package yum-cron.noarch 0:3.4.3-163.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch          Version                        Repository   Size
================================================================================
Installing:
 yum-cron        noarch        3.4.3-163.el7.centos           base         64 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 64 k
Installed size: 51 k
Is this ok [y/d/N]: y

Once the installation is complete, Check if yum-cron is installed or not.

rpm -qa | grep yum-cron

Output:

[root@vps ~]# rpm -qa | grep yum-cron
yum-cron-3.4.3-163.el7.centos.noarch
[root@vps ~]#

Configuring Automatic Security Updates in CentOS 7

Next, we configure the system to automatically receive security updates. Here we edit the yum-cron.conf file,

vi /etc/yum/yum-cron.conf

Locate the string "update_cmd" and set the value to security.

update_cmd = security

Locate the string "apply_updates" and set the value to yes.

apply_updates = yes

Your configuration should be as shown below,

[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = security

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

Save and exit the file,

Once the changes are made, enable yum-cron (to start automatically upon system boot) and verify the status using the commands below,

systemctl start yum-cron
systemctl enable yum-cron
systemctl status yum-cron

Output:

[root@vps ~]# systemctl start yum-cron
[root@vps ~]# systemctl enable yum-cron
[root@vps ~]# systemctl status yum-cron
● yum-cron.service - Run automatic yum updates as a cron job
     Loaded: loaded (/usr/lib/systemd/system/yum-cron.service; enabled; vendor preset: disabled)
     Active: active (exited) since Fri 2020-03-20 15:06:42 EDT; 11s ago
 Main PID: 12769 (code=exited, status=0/SUCCESS)

How to Exclude Packages from Updating in Yum

Sometimes, you may need to maintain the version of a package and not update it due to compatibility issues that may arise with other applications that depend on the package.

Here, We take an example of 2 packages -- mysql and php

Edit the yum-cron.conf file.

vi /etc/yum/yum-cron.conf

At the bottom, in the [base] section, append a line with the ‘exclude’ parameter and define the packages you want to exclude from updating,

exclude = mysql* php*

Your configuration should now look as shown below,

[base]
exclude = mysql* php*

# This section overrides yum.conf
# Use this to filter Yum core messages
# -4: critical

Save and exit the file.

Restart yum-cron to load the changes made,

systemctl restart yum-cron

Checking yum-cron Logs

The yum-cron logs are stored in the file /var/log/yum.log, To view the packages that have been updated run the command,

cat /var/log/yum.log | grep -i updated

To check the logs for the daily cron job run,

cat /var/log/cron | grep -i yum-daily