how to install just delivered packages

[antonio1]

Hi,

I installed and configured yum-cron to perform update for security packages. For this I have a repository declared in local network which have all updated packages.
Beside the automation above I want to declare a new repository which has just few rpms, some packages from update selected by me.
The question is how to add a yum-cron for my few rpms to be updated when they are available in repository but to not update them from first repository.

I was thinking to make these few rpms part of a private group in my second repository and to configure the yum-cron in such way to update anytime the rpms part of the private group. But how to do this?
My problem is to update just delivered rpms, tested, not all packages on hundred machines.

thank you.

[jlehtone]

The yum-cron essentially runs 'yum update' periodically.

The 'yum update' installs available updates for packages. That is, what is on known, enabled repositories.

Disable other repositories and leave only the ones, whose content you want to get installed.

[antonio1]

I understand your explanations, yum-cron is little bit limited to update not very customizable. I can't disable one repo and enable another one daily because this should be automatic update. The OS should be updated any time new security packages are available and also anytime when new custom packages are available in custom depot.
I was thinking to something like groups. If repository has packages under a custom group name and if I make a cron to install packages from that group anytime they are available, is it possible?

Or is it any idea to deliver custom packages through repository and also the security to be updated permanently?

[jlehtone]

CentOS does not have "security tags" in its repo. All the yum-repo can do is install all available updates; there is no "security" subset. In other words, you either update everything that is available, or you cherry-pick content into "your repo" and update everything that is available in your repo.

How about config management tools? For examble: ansible, chef, puppet.
I know that you can run 'ansible-pull' via cron and it can run a "play" that does series of updates (and can enable/disable repos for each subtask). Rather than copying packages to your repo, you would maintain a list of packages that the "play" should update from the main repo. You could have thousand machines all "pulling" the same play, reading the same list.

[antonio1]

Sorry but there is security part in updating by using yum-cron, see below one option from yum-cron:
# security = yum --security upgrade
So this part is already solved and work but I would like to work this together with a custom repo. I just heard something about ansible and puppet but I have no idea how they work, I will look for them to see the possibilities.

Thank you for advising to use config management tools.

[jlehtone]

Sorry but there is security part in updating by using yum-cron, see below one option from yum-cron:
# security = yum --security upgrade

The '--security' works only if repository metadata has flagged some packages as security updates. CentOS does not.

If you had RHEL 7, then that option would do something.

[antonio1]

I didn't know this, interesting to know. Do you have any idea why metadata is not flagged for Centos and how this flagging is done?

[jlehtone]

I don't know how the "errata information" is generated. CentOS project has never done that. Perhaps it was judged too much work compared to benefit. After all, the users do already get plenty for what they pay for ...

However, both AlmaLinux and Rocky Linux do provide errata. (They derive from sources of RHEL 8.)