yum-cron problem

gostal
Posts: 39
Joined: 2019/09/23 15:26:45

yum-cron problem

Post by gostal » 2020/07/24 14:20:29

I have for some time had in mind to set up automatic updates using crond but I find:

1 yum-cron is the recommended way
2 my sysadmins have taken control of the yum-cron configuration file. (Well. I do have root access but I like to be a good boy and cooperate)

The thing is that the sysadmins have opted for security updates only and I want bugfix updates etc. also, but not as often as once a day, which is what you get out of the box from yum-cron. So how do I fix, say, weekly bugfix etc. updates?

One idea I have is to add files for a weekly yum-cron run:

1 Create the file /etc/yum/yum-cron-weekly.conf with essentially the same content as /etc/yum/yum-cron.conf but having

    update_cmd = default

instead
2 Create the file /etc/cron.weekly/0yum-weekly.cron with essentially the same content as /etc/cron.daily/0yum-daily.cron but having the command line:

    exec /usr/sbin/yum-cron /etc/yum/yum-cron-weekly.conf

3 Restart yum-cron.service

Will this work or is yum-cron coded in such a way as to ignore anything but the shipped stuff?

My sysadmins are on holiday so I can't get any help from them. For the time being I have created a bash-script that I run once a week via root's crontab. The main content of the script is:

    /usr/bin/yum update -y -d 1 -e 0 --skip-broken

The problem is that root doesn't get any mail with the output from the command but the command is evidently run as /var/log/cron confirms so where does the output go? Down the cyber drain? As I do want to know if there have been any changes this situation is no good. One way of solving it is if the weekly yum-cron idea works because I, as a user, do get mail whenever there has been a security update. Another way is to get crond to mail the output but I don't know how to fix that. Root's crontab is OK. I guess:

    SHELL=/bin/sh
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    0 7 * * mon /home/gostal/bin/yum_weekly_update

yum_weekly_update is the bash-script mentioned above. I found this thread
http://centos.1050465.n5.nabble.com/Cen ... 58961.html
regarding crond not sending mails in CentOS 8 but it didn't help me to disable sssd, as root still didn't get any output mail. So for the moment I have the least satisfactory solution of redirecting the output of the update command to a logfile so the actual command that I have in the bash-script is this:

    /usr/bin/yum update -y -d 1 -e 0 --skip-broken >> /path-to-logfile 2>&1

Ideas, anyone?
Desktop Dell T5810 Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz, 72 GB RAM, Radeon Pro WX 7100
CentOS 7.8.2003

TrevorH
Forum Moderator
Posts: 29051
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: yum-cron problem

Post by TrevorH » 2020/07/24 18:47:51

> The thing is that the sysadmins have opted for security updates only
That's handy because CentOS does not supply the necessary metadata for the security plugin to function at all. So by restricting it to security updates only, they are effectively stopping all updates completely except those few from EPEL which is the only repo to provide security metadata on CentOS.

So, on CentOS, even running yum update --security does 100% of nothing. Yum-cron is similarly affected as there just isn't the info there for it to know if an update is security related or not. If you run it then there will be NO updates AT ALL.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
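
The situation described in the reply above can be checked on a host. The script below is an added example, not code from the thread: it reads update_cmd from a yum-cron config and looks in yum's cached repomd.xml files for an updateinfo record, which is where a repository advertises the errata data a security filter depends on. The verdict names, the function names and the default paths are assumptions of this example.

```shell
# Added example, not from the thread. Assumed defaults: /etc/yum, /var/cache/yum.

# ini_get FILE KEY: print the last uncommented "KEY = value" in FILE.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# repos_with_updateinfo CACHEDIR: comma-separated ids of cached repos whose
# repomd.xml lists an updateinfo record (the data a security filter needs).
repos_with_updateinfo() {
    find "$1" -name repomd.xml 2>/dev/null | sort | while read -r md; do
        if grep -q 'type="updateinfo"' "$md"; then
            basename "$(dirname "$md")"
        fi
    done | paste -sd, -
}

# audit_yum_cron CONF CACHEDIR: print a verdict for one yum-cron config.
audit_yum_cron() {
    cmd=$(ini_get "$1" update_cmd)
    case "${cmd:-default}" in
        default)    echo "all-updates"; return 0 ;;
        *security*) ;;                      # needs updateinfo, check below
        *)          echo "other:$cmd"; return 0 ;;
    esac
    repos=$(repos_with_updateinfo "$2")
    if [ -n "$repos" ]; then
        echo "security-limited:$repos"      # only these repos can match
    else
        echo "security-noop"                # the filter selects nothing
    fi
}

# Constructed sample: one repo without updateinfo, one security-only config.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/cache/x86_64/7/base"
    echo '<repomd><data type="primary"/></repomd>' > "$d/cache/x86_64/7/base/repomd.xml"
    printf '[commands]\nupdate_cmd = security\n' > "$d/yum-cron.conf"
    audit_yum_cron "$d/yum-cron.conf" "$d/cache"
    rm -rf "$d"
}

# Live report when the default paths exist, then the constructed demo.
for conf in /etc/yum/yum-cron*.conf; do
    [ -f "$conf" ] || continue
    echo "$conf: $(audit_yum_cron "$conf" /var/cache/yum)"
done
echo "constructed sample: $(demo)"
```

The cache only contains repomd.xml for repositories whose metadata has already been downloaded, so run it after a normal yum operation.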

gostal
Posts: 39
Joined: 2019/09/23 15:26:45

Re: yum-cron problem

Post by gostal » 2020/07/25 11:34:29

> That's handy because CentOS does not supply the necessary metadata for the security plugin to function at all.
Do I detect an undertone of irony or do my sysadmins simply not know what they are doing?

As far as effectively stopping updates you are certainly right. Since September last year there have been only 2 or 3 that have been installed by means of yum-cron but I have done manual updates about once a week and I simply wonder what would be the best way to make them automatic and still know what's going on. Once a day is way too much, though. Weekly is about right, I think. Would it be better to use dnf and dnf-automatic, do you think?

TrevorH
Forum Moderator
Posts: 29051
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: yum-cron problem

Post by TrevorH » 2020/07/25 11:42:27

On CentOS 7 the package manager is yum not dnf so yum-cron is the correct tool for the job.

However, the problem you have is entirely due to the lack of security metadata and nothing else. Since there is no metadata, the packages that are for security purposes are not marked that way so when you use the security option/plugin, it will select no updates as none are marked as being for security reasons. The solution is to stop trying to use --security as it just does not work and in fact leaves you far far less secure than just taking all updates (which is the correct solution).
> do my sysadmins simply not know what they are doing?
Well, they may know what they are doing but they apparently don't know this. Trying to work the way they are now is leaving all your systems out of date and backlevel. That needs to be fixed and the easy way to fix it is to stop trying to use the security plugin.

gostal
Posts: 39
Joined: 2019/09/23 15:26:45

Re: yum-cron problem

Post by gostal » 2020/07/25 14:35:56

Thanks, Trevor!

I will certainly let my sysadmins know about the lack of security metadata. In the meantime I now have a good excuse for tweaking the setup myself.

Cheers