
5.5. Automating Updates

One of the main reasons that packages are updated is to correct newly discovered security vulnerabilities. It's important to keep a system up-to-date so that these security vulnerabilities are eliminated as soon as fixes are made available.

Automating system updates makes this easy. Fedora is configured to perform updates automatically; all you need to do is turn this feature on.

5.5.1. How Do I Do That?

Before turning on automatic updates, it's important to verify that yum is configured with the right options:

  1. Repackaging should be enabled (see Lab 5.4, "Rolling Back a Package Installation, Upgrade, or Removal") so that you can recover from a bad update. Make sure you have plenty of disk space for the repackage repository!

  2. Ensure that yum is enabled only for the repositories that you wish to automatically update (see Lab 5.3, "Using Repositories").

  3. Exclude any packages that you do not wish to update automatically. In particular, think carefully about whether you want the kernel to be updated without your knowledge; such a change won't take effect until the next time the system boots, but changing the kernel can cause some software or services to fail until kernel modules are updated to match the new kernel.

Once you have yum configured the way you want, configure yum-updatesd to automatically apply updates. The configuration file /etc/yum-updatesd.conf initially looks like this:

# how often to check for new updates (in seconds)
run_interval = 3600
# how often to allow checking on request (in seconds)
updaterefresh = 600

# how to send notifications (valid: dbus, email, syslog)
emit_via = dbus

# automatically install updates
do_update = no
# automatically download updates
do_download = no
# automatically download deps of updates
do_download_deps = no

Change the do_update line to enable the automatic installation of updates:

do_update = yes

Reload the yum-updatesd configuration to activate your changes, either through the services GUI tool or by entering this command:

# service yum-updatesd reload
Stopping yum-updatesd:                                     [  OK  ]
Starting yum-updatesd:                                     [  OK  ]

Don't change the emit_via option, or puplet will not work.

5.5.2. How Does It Work?

The yum-updatesd service polls your configured repositories at regular intervals to determine if updates are available for any of your installed packages. By altering the configuration file, you instruct yum-updatesd to install the updated packages that it finds (effectively performing a yum -y update at regular intervals).
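To confirm what a given configuration will do unattended, here is an added example (not from the book or the yum project): it reads yum-updatesd.conf and yum.conf from paths you pass in and reports the mode plus any gaps against the checklist in 5.5.1. It assumes Lab 5.4's repackaging is the yum.conf setting tsflags=repackage and that yes/true/1 mean enabled; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: report what yum-updatesd will do unattended.
# Assumes each key appears once and yum.conf settings live in its [main] section.

# conf_get FILE KEY: print the last value assigned to KEY (nothing if unset).
conf_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# is_yes VALUE: true for yes/true/1 (assumed spellings of an enabled option).
is_yes() { case "$1" in [Yy]es|[Tt]rue|1) return 0 ;; *) return 1 ;; esac; }

# audit_updates UPDATESD_CONF YUM_CONF: print the mode, then any findings.
audit_updates() {
    upd=$1; yumc=$2
    if is_yes "$(conf_get "$upd" do_update)"; then
        echo "MODE install"
        # Step 1 of the checklist: repackaging is the rollback path.
        case " $(conf_get "$yumc" tsflags) " in
            *" repackage "*) ;;
            *) echo "WARN tsflags=repackage not set in yum.conf" ;;
        esac
        # Step 3: an unattended kernel update should be a deliberate choice.
        case "$(conf_get "$yumc" exclude)" in
            *kernel*) ;;
            *) echo "NOTE kernel packages are not excluded" ;;
        esac
    elif is_yes "$(conf_get "$upd" do_download)"; then
        echo "MODE download-only"
        is_yes "$(conf_get "$upd" do_download_deps)" ||
            echo "WARN do_download_deps is off"
    else
        echo "MODE notify-only"
    fi
    case "$(conf_get "$upd" emit_via)" in
        ""|*dbus*) ;;
        *) echo "WARN emit_via is not dbus, puplet will not work" ;;
    esac
}

# Constructed sample: a download-only setup with emit_via changed.
demo=$(mktemp -d)
printf '%s\n' 'emit_via = syslog' 'do_update = no' 'do_download = yes' \
    'do_download_deps = yes' > "$demo/yum-updatesd.conf"
printf '%s\n' '[main]' 'exclude=kernel*' > "$demo/yum.conf"
audit_updates "$demo/yum-updatesd.conf" "$demo/yum.conf"
rm -rf "$demo"
```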

5.5.3. What About...

...downloading but not installing updates?

By enabling the do_download and do_download_deps options, you can configure yum-updatesd to download available updates and related dependencies without installing them. This enables you to review the list of updates using Pup and then install selected updates without further download delay.

To set this up, configure /etc/yum/yum-updatesd.conf with these options:

# automatically install updates
do_update = no
# automatically download updates
do_download = yes
# automatically download deps of updates
do_download_deps = yes

...updating a machine when it's booted?

The yum-updateonboot package can be used to update a machine whenever it is turned on. This ensures that security patches are automatically applied before the system is used. yum-updateonboot can be activated in addition to the automatic 4 a.m. update.

You can install and configure yum-updateonboot with these commands:

# yum install yum-updateonboot
Setting up Install Process
...(Lines snipped)...
 Package                 Arch       Version          Repository   Size
 yum-updateonboot        noarch     0.3.1-1.fc4      extras       5.1 k

Transaction Summary
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 5.1 k
Is this ok [y/N]: y
...(Lines snipped)...
Installed: yum-updateonboot.noarch 0:0.3.1-1.fc4
# chkconfig --add yum-updateonboot
# chkconfig --level 2345 yum-updateonboot on

You can configure yum-updateonboot to reboot the system if any of the updates involve the kernel. Edit /etc/sysconfig/yum-updateonboot and activate the line highlighted here by removing the pound sign (#) at the start of the line:

# IF any of these rpms are updated, the yum-updateonboot init script will
# reboot immediately after the yum update.  To keep yum-updateonboot from
# rebooting the system, comment this line out.
REBOOT_RPMS="kernel kernel-smp"

# A list of groups that should be updated at boot.  For each group mentioned
# yum-updateonboot will call 'yum -y groupupdate'  Since group names tend to
# have spaces in them, used a semi-colon to separate the group names
#GROUPLIST="My Group;MyOtherGroup;Some_Group;My Group 4"

5.5.4. Where Can I Learn More?
