Scheduling updates in Linux using yum-cron

Every time I set up a new script for the automation of some task, I have to look at a cron example, or I have to Google for one. I can't seem to remember crontab's syntax. And it's been that way for me for the past 20 years. I have some pathological cron block. That's why when I discovered the yum-cron package, I was pretty happy. The yum-cron package takes care of the scheduling for me. I only have to make one change to the config file and then everything just works. Here's a short tutorial to get those automatic updates rolling in today without creating your own script or wrestling with cron.

yum-cron - an interface to conveniently call yum from cron

Installation

There's nothing special you have to do to install yum-cron because it's part of the base repository, so just grab it via dnf.

$ sudo dnf -y yum-cron

The yum-cron command is actually a Python script that you can examine. It installs to /sbin, if you want to check it out.

Configuration and first run

Once installed, you need to edit the default configuration file, which is /etc/yum/yum-cron.conf. This file sets up the daily cron run, but I'm going to show you how to run it immediately too. Open /etc/yum/yum-cron.conf with your favorite editor and change the following two lines from:

apply_updates = no
...
random_sleep = 360

To:

apply_updates = yes
...
random_sleep = 0

Changing the random_sleep parameter causes yum-cron to run immediately. The reason the random_sleep parameter exists is so that you don't chew up a lot of bandwidth for updates occurring all at the same time.

[ Free online course: Red Hat Enterprise Linux technical overview. ]

Set yum-cron to run now and at system start

Next, enable yum-cron to automatically run at system boot and then start it.

$ sudo systemctl start yum-cron

$ sudo systemctl enable yum-cron

After a few minutes, check the yum.log to see if any updates have been downloaded and applied to your system. The appearance of updates might take a bit longer depending on how many updates your system requires.

$ sudo tail -10 /var/log/yum.log

Aug 04 10:59:54 Installed: libmodman-2.0.1-8.el7.x86_64
Aug 04 10:59:54 Installed: libproxy-0.4.11-11.el7.x86_64
Aug 04 10:59:54 Installed: glib-networking-2.56.1-1.el7.x86_64
Aug 04 10:59:54 Installed: cockpit-bridge-195.6-1.el7.centos.x86_64
Aug 04 10:59:55 Installed: cockpit-system-195.6-1.el7.centos.noarch
Aug 04 10:59:55 Installed: cockpit-ws-195.6-1.el7.centos.x86_64
Aug 04 10:59:55 Installed: cockpit-195.6-1.el7.centos.x86_64
Aug 04 16:47:55 Installed: python-chardet-2.2.1-3.el7.noarch
Aug 04 16:47:55 Installed: python-kitchen-1.1.1-5.el7.noarch
Aug 04 16:47:55 Installed: yum-utils-1.1.31-54.el7_8.noarch

In the above screenshot, you can see that I had several updates. I only looked at the last ten to see if it had happened at all. It did.

Reconfiguration

After the initial run, you should edit the /etc/yum/yum-cron.conf file again and restore the random_sleep parameter to its original value of 360 if you have more than a handful of servers.

Random stuff you might want to know

Although you installed and set up yum-cron as root, the schedule doesn't affect root's crontab. In other words, it's not listed there. You will find the schedule cleverly hidden under /etc/cron.daily in a file named 0yum-daily.cron. You can also configure the /etc/yum/yum-cron-hourly.conf to run hourly. Similar to the daily run, the hourly schedule file resides under /etc/cron.hourly as 0yum-hourly.cron.

If you only want to install security updates via yum-cron, change the update_cmd parameter in /etc/yum/yum-cron.conf to "security" or other values as follows:

[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = default

The yum-cron man page is almost useless except to tell you that you can create and use different configuration files that must be specified in the /sbin/yum-cron Python script as default_config_file. Adding a new repository, such as EPEL, doesn't require any extra configuration of yum-cron. It will attempt to update from all repositories regardless of when you added them and without restarting the yum-cron service.

If I were still managing hundreds, or even dozens, of Linux systems, I'd use yum-cron. I'd also install yum-cron and distribute yum-cron.conf files via Ansible to avoid individually touching every single system.

Wrap up

The yum-cron package is an easy-to-install and use utility for me. As a system administrator, I need automation and "step-saving" applications to help administer Linux systems. I also like that the program is lightweight and is essentially a Python script. It has configuration files that I can alter to meet my needs. Honestly, yum-cron is going into my toolbox as one of the essential sysadmin utilities that I will continue to use throughout my career and on every system that I manage.

[ Free download: Advanced Linux commands cheat sheet. ]