mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
479 lines
16 KiB
Text
479 lines
16 KiB
Text
|
= AutoUpdates
|
|||
|
|
|||
|
'''
|
|||
|
|
|||
|
[NOTE]
|
|||
|
======
|
|||
|
|
|||
|
This page was automatically converted from https://fedoraproject.org/wiki/AutoUpdates
|
|||
|
|
|||
|
It is probably
|
|||
|
|
|||
|
* Badly formatted
|
|||
|
* Missing graphics and tables that do not covert well from mediawiki
|
|||
|
* Out-of-date
|
|||
|
* In need of other love
|
|||
|
|
|||
|
Please fix it, remove this notice, and then add to `_topic_map.yml`
|
|||
|
|
|||
|
Pull requests accepted at https://pagure.io/fedora-docs/fedora-howto
|
|||
|
|
|||
|
Once that is live, go to the original wiki page and add an `{{old}}`
|
|||
|
tag, followed by a note like
|
|||
|
|
|||
|
....
|
|||
|
{{admon/note|This page has a new home!|
|
|||
|
This wiki page is no longer maintained. Please find the up-to-date
|
|||
|
version at: https://docs.fedoraproject.org/whatever-the-url
|
|||
|
}}
|
|||
|
....
|
|||
|
|
|||
|
======
|
|||
|
|
|||
|
'''
|
|||
|
|
|||
|
|
|||
|
[[automatic-updates]]
|
|||
|
Automatic Updates
|
|||
|
-----------------
|
|||
|
|
|||
|
You must decide whether to use automatic link:dnf[DNF] or link:yum[YUM]
|
|||
|
updates on each of your machines. There are a number of arguments both
|
|||
|
for and against automatic updates to consider. However, there is no
|
|||
|
single answer to this question: It is up to the system administrator or
|
|||
|
owner of each machine to decide whether automatic updates are desirable
|
|||
|
or not for that machine. One of the things which makes one a good system
|
|||
|
administrator is the ability to evaluate the facts and other people's
|
|||
|
suggestions, and then decide for onesself what one should do.
|
|||
|
|
|||
|
A general rule that applies in most cases is as follows:
|
|||
|
|
|||
|
_If the machine is a critical server, for which unplanned downtime of a
|
|||
|
service on the machine can not be tolerated, then you should not use
|
|||
|
automatic updates. Otherwise, you *may* choose to use them._
|
|||
|
|
|||
|
Even the general rule above has exceptions, or can be worked around.
|
|||
|
Some issues might be resolved through a special setup on your part. For
|
|||
|
example, you could create your own dnf|yum repository on a local server,
|
|||
|
and only put in it tested or trusted updates. Then use the automatic
|
|||
|
updates from only your own repository. Such setups, while perhaps more
|
|||
|
difficult to setup and maintain, can remove a large amount of risk
|
|||
|
otherwise inherent in automatic updates.
|
|||
|
|
|||
|
[[how-are-automatic-updates-done]]
|
|||
|
How are automatic updates done?
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
You can use a service to automatically download and install any new
|
|||
|
updates (for example security updates).
|
|||
|
|
|||
|
[[fedora-22-or-later-versions]]
|
|||
|
Fedora 22 or later versions
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
The http://dnf.readthedocs.org/en/latest/automatic.html[dnf-automatic]
|
|||
|
RPM package as a link:dnf[DNF] component provides a service which is
|
|||
|
started automatically.
|
|||
|
|
|||
|
[[install-and-settings-of-dnf-automatic]]
|
|||
|
Install and settings of dnf-automatic
|
|||
|
+++++++++++++++++++++++++++++++++++++
|
|||
|
|
|||
|
On a fresh install of Fedora 22 with default options the dnf-automatic
|
|||
|
RPM is not installed, the first command below installs this RPM.
|
|||
|
|
|||
|
....
|
|||
|
dnf install dnf-automatic
|
|||
|
....
|
|||
|
|
|||
|
Though, you have to change a configuration file. In order to do this,
|
|||
|
run as the root user (or become root via su -) from a terminal window.
|
|||
|
|
|||
|
....
|
|||
|
env EDITOR='gedit -w' sudoedit /etc/dnf/automatic.conf
|
|||
|
....
|
|||
|
|
|||
|
Detailed description of dnf-automatic settings is provided on
|
|||
|
http://dnf.readthedocs.org/en/latest/automatic.html[dnf-automatic] page.
|
|||
|
|
|||
|
[[run-dnf-automatic]]
|
|||
|
Run dnf-automatic
|
|||
|
+++++++++++++++++
|
|||
|
|
|||
|
Once you are finished with configuration, execute:
|
|||
|
|
|||
|
`systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer`
|
|||
|
|
|||
|
to enable and start the systemd timer.
|
|||
|
|
|||
|
Check status of dnf-automatic:
|
|||
|
|
|||
|
`# systemctl list-timers *dnf-*`
|
|||
|
|
|||
|
[[changes-as-of-fedora-26]]
|
|||
|
Changes as of Fedora 26
|
|||
|
|
|||
|
As of Fedora 26 there are now three timers that control dnf-automatic.
|
|||
|
|
|||
|
* dnf-automatic-download.timer - Only download
|
|||
|
* dnf-automatic-install.timer - Download and install
|
|||
|
* dnf-automatic-notifyonly.timer - Only notify via configured emitters
|
|||
|
in _/etc/dnf/automatic.conf_
|
|||
|
|
|||
|
You can still use _download_updates_ and _apply_updates_ settings from
|
|||
|
inside _/etc/dnf/automatic.conf_.
|
|||
|
|
|||
|
[[fedora-21-or-earlier-versions]]
|
|||
|
Fedora 21 or earlier versions
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
The yum-cron RPM package provides a service which is started
|
|||
|
automatically. Though, you have to change a configuration file. In order
|
|||
|
to do this, run as the root user (or become root via su -) from a
|
|||
|
terminal window. On a fresh install of Fedora 20 with default options
|
|||
|
the yum-cron RPM is not installed, the first command below installs this
|
|||
|
RPM.
|
|||
|
|
|||
|
....
|
|||
|
yum install -y yum-cron
|
|||
|
env EDITOR='gedit -w' sudoedit /etc/yum/yum-cron.conf"
|
|||
|
....
|
|||
|
|
|||
|
and enter your password. After, change the line
|
|||
|
|
|||
|
....
|
|||
|
apply_updates = no
|
|||
|
....
|
|||
|
|
|||
|
to
|
|||
|
|
|||
|
....
|
|||
|
apply_updates = yes
|
|||
|
....
|
|||
|
|
|||
|
Save the file. You are now done. Yum-cron updates your system every time
|
|||
|
when there are new updates available.
|
|||
|
|
|||
|
[[can-we-trust-dnf-or-yum-updates]]
|
|||
|
Can we trust dnf or yum updates?
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Dnf and Yum in Fedora has the GPG key checking enabled by default.
|
|||
|
Assuming that you have imported the correct GPG keys, and still have
|
|||
|
gpgcheck=1 in your for dnf or for yum, then we can at least assume that
|
|||
|
any automatically installed updates were not corrupted or modified from
|
|||
|
their original state. Using the GPG key checks, there is no way for an
|
|||
|
attacker to generate packages that your system will accept as valid
|
|||
|
(unless they have a copy of the *private* key corresponding to one you
|
|||
|
installed) and any data corruption during download would be caught.
|
|||
|
|
|||
|
However, the question would also apply to the question of update
|
|||
|
quality. Will the installation of the package cause problems on your
|
|||
|
system? This we can not answer. Each package goes through a QA process,
|
|||
|
and is assumed to be problem free. But, problems happen, and QA can not
|
|||
|
test all possible cases. It is always possible that any update may cause
|
|||
|
problems during or after installation.
|
|||
|
|
|||
|
[[why-use-automatic-updates]]
|
|||
|
Why use Automatic updates?
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The main advantage of automating the updates is that machines are likely
|
|||
|
to get updated more quickly, more often, and more uniformly than if they
|
|||
|
updates are done manually. We see too many compromised machines on the
|
|||
|
internet which would have been safe if the latest updates where
|
|||
|
installed in a timely way.
|
|||
|
|
|||
|
So while you should still be cautious with any automated update
|
|||
|
solution, in particular on production systems, it is definitely worth
|
|||
|
considering, at least in some situations.
|
|||
|
|
|||
|
[[reasons-for-using-automatic-updates]]
|
|||
|
Reasons FOR using automatic updates
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
While no one can determine for you if your machine is a good candidate
|
|||
|
for automatic updates, there are several things which tend to make a
|
|||
|
machine a better candidate for automatic updates.
|
|||
|
|
|||
|
Some things which might make your machine a good candidate for automatic
|
|||
|
updates are:
|
|||
|
|
|||
|
* You are unlikely to apply updates manually for whatever reason(s).
|
|||
|
* The machine is not critical and occasional unplanned downtime is
|
|||
|
acceptable.
|
|||
|
* You can live without remote access to the machine until you can get to
|
|||
|
its physical location to resolve problems.
|
|||
|
* You do not have any irreplaceable data on the machine, or have proper
|
|||
|
backups of such data.
|
|||
|
|
|||
|
If all of the above apply to your machine(s), then automatic updates may
|
|||
|
be your best option to help secure your machine. If not all of the above
|
|||
|
apply, then you will need to weigh the risks and decide for yourself if
|
|||
|
automatic updates are the best way to proceed.
|
|||
|
|
|||
|
[[reasons-against-using-automatic-updates]]
|
|||
|
Reasons AGAINST using automatic updates
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
While no one can determine for you if your machine is a bad candidate
|
|||
|
for automatic updates, there are several things which tend to make a
|
|||
|
machine a worse candidate for automatic updates.
|
|||
|
|
|||
|
Some things which might make your machine be a bad candidate for
|
|||
|
automatic updates are:
|
|||
|
|
|||
|
* It provides a critical service that you don't want to risk having
|
|||
|
unscheduled downtime.
|
|||
|
* You installed custom software, compiled software from source, or use
|
|||
|
third party software that has strict package version requirements.
|
|||
|
* You installed a custom kernel, custom kernel modules, third party
|
|||
|
kernel modules, or have a third party application that depends on kernel
|
|||
|
versions (this may not be a problem if you exclude kernel updates, which
|
|||
|
is the default in Fedora dnf.conf or yum.conf files). (But see also
|
|||
|
https://bugzilla.redhat.com/show_bug.cgi?id=870790[bug #870790] - you
|
|||
|
may need to modify in Fedora 22 or later versions in base section to add
|
|||
|
exclude=kernel*. or in Fedora 21 or earlier versions to
|
|||
|
exclude=kernel*.)
|
|||
|
* Your enviroment requires meticulous change-control procedures.
|
|||
|
* You update from other third party yum|dnf repositories besides Fedora
|
|||
|
(core, extras, legacy ) repositories which may conflict in versioning
|
|||
|
schemes for the same packages.
|
|||
|
|
|||
|
There are also some other reasons why installing automatic updates
|
|||
|
without testing may be a bad idea. A few such reasons are:
|
|||
|
|
|||
|
* The need to back up your configuration files before an update. Even
|
|||
|
the best package spec files can have mistakes. If you have modified a
|
|||
|
file which is not flagged as a configuration file, then you might lose
|
|||
|
your configuration changes. Or an update may have a different format of
|
|||
|
configuration file, requiring a manual reconfiguration. It is often best
|
|||
|
to backup your configuration files before doing updates on critical
|
|||
|
packages such as mail, web, or database server packages.
|
|||
|
* Unwanted side effects. Some packages can create annoying side effects,
|
|||
|
particularly ones which have cron jobs. Updates to base packages like
|
|||
|
openssl, openldap, sql servers, etc. can have an effect on many other
|
|||
|
seemingly unrelated packages.
|
|||
|
* Bugs. Many packages contain buggy software or installation scripts.
|
|||
|
The update may create problems during or after installation. Even
|
|||
|
cosmetic bugs like those found in previous Mozilla updates (causing the
|
|||
|
user's icons to be removed or break) can be annoying or problematic.
|
|||
|
* Automatic updates may not complete the entire process needed to make
|
|||
|
the system secure. For example, dnf or yum can install a kernel update,
|
|||
|
but until the machine is rebooted (which dnf or yum will not do
|
|||
|
automatically) the new changes won't take effect. The same may apply to
|
|||
|
restarting daemons. This can leave the user feeling that he is secure
|
|||
|
when he is not.
|
|||
|
|
|||
|
[[best-practices-when-using-automatic-updates]]
|
|||
|
Best practices when using automatic updates
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
If you decide to use automatic updates, you should at least do a few
|
|||
|
things to make sure you are up-to-date.
|
|||
|
|
|||
|
Check for package updates which have been automatically performed, and
|
|||
|
note if they need further (manual) intervention. You can monitor what
|
|||
|
dnf or yum has updated via its log file (usually or ).
|
|||
|
|
|||
|
[[fedora-22-or-later-versions-1]]
|
|||
|
Fedora 22 or later versions
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
You can monitor updates availability automatically by email after
|
|||
|
modifying dnf-automatic configuration file (usually ).
|
|||
|
|
|||
|
....
|
|||
|
[emitters]
|
|||
|
emit_via = email
|
|||
|
|
|||
|
[email]
|
|||
|
# The address to send email messages from.
|
|||
|
email_from = root@localhost.com
|
|||
|
|
|||
|
# List of addresses to send messages to.
|
|||
|
email_to = root
|
|||
|
|
|||
|
# Name of the host to connect to to send email messages.
|
|||
|
email_host = localhost
|
|||
|
....
|
|||
|
|
|||
|
You would replace root with a actual email address to which you want to
|
|||
|
report sent, and localhost with a actual address of SMTP server. This
|
|||
|
change will mean that after dnf-automatic runs, it will email you
|
|||
|
information you about available updates, or log about downloaded
|
|||
|
packages, or installed updates according to settings in .
|
|||
|
|
|||
|
[[fedora-21-or-earlier-versions-1]]
|
|||
|
Fedora 21 or earlier versions
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
You can monitor this automatically by email by modifying the cron job to
|
|||
|
mail you the last part of the log file. For example, edit
|
|||
|
/etc/cron.daily/yum.cron so that it looks like the following:
|
|||
|
|
|||
|
....
|
|||
|
#!/bin/sh
|
|||
|
|
|||
|
if [ -f /var/lock/subsys/yum ] ; then
|
|||
|
/usr/bin/yum -R 10 -e 0 -d 0 -y update yum
|
|||
|
/usr/bin/yum -R 120 -e 0 -d 0 -y update
|
|||
|
/usr/bin/tail /var/log/yum.log | /bin/mail -s yum-report youremail@yourdmain
|
|||
|
fi
|
|||
|
....
|
|||
|
|
|||
|
You would replace youremail@yourdomain with a actual email address to
|
|||
|
which you want to report sent. This change will mean that after yum runs
|
|||
|
every night, it will email you the tail end of the log file showing what
|
|||
|
happened. (Note this assumes you have a working mail setup on your
|
|||
|
machine.)
|
|||
|
|
|||
|
[[alternative-methods]]
|
|||
|
Alternative methods
|
|||
|
~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
As an alternative to dnf-automatic or yum-cron,
|
|||
|
https://github.com/rackerlabs/auter[auter] can be used. This operates in
|
|||
|
a similar way to yum-cron, but provides more flexibility in scheduling,
|
|||
|
and some additional options including running custom scripts before or
|
|||
|
after updates, and automatic reboots. This comes at the expensive of
|
|||
|
more complexity to configure.
|
|||
|
|
|||
|
....
|
|||
|
dnf install auter
|
|||
|
....
|
|||
|
|
|||
|
Edit the configuration. Descriptions of the options are contained in the
|
|||
|
conf file:
|
|||
|
|
|||
|
....
|
|||
|
/etc/auter/auter.conf
|
|||
|
....
|
|||
|
|
|||
|
Auter is not scheduled by default. Add a schedule for "--prep" (if you
|
|||
|
want to pre-download updates) and "--apply" (install updates). The
|
|||
|
installed cron job contains lots of examples:
|
|||
|
|
|||
|
....
|
|||
|
/etc/cron.d/auter
|
|||
|
....
|
|||
|
|
|||
|
To make auter run immediately without waiting for the cron job to run,
|
|||
|
for example for testing or debugging, you can simply run it from the
|
|||
|
command line:
|
|||
|
|
|||
|
....
|
|||
|
auter --apply
|
|||
|
....
|
|||
|
|
|||
|
If you want to disable auter from running, including from any cron job:
|
|||
|
|
|||
|
....
|
|||
|
auter --disable
|
|||
|
....
|
|||
|
|
|||
|
[[alternatives-to-automatic-updates]]
|
|||
|
Alternatives to automatic updates
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
[[notifications]]
|
|||
|
Notifications
|
|||
|
^^^^^^^^^^^^^
|
|||
|
|
|||
|
[[fedora-22-or-later-versions-2]]
|
|||
|
Fedora 22 or later versions
|
|||
|
+++++++++++++++++++++++++++
|
|||
|
|
|||
|
Instead of automatic updates, dnf-automatic can only download new
|
|||
|
updates and can alert your via email of available updates which you
|
|||
|
could then install manually. It can be set by editing of file.
|
|||
|
|
|||
|
[[fedora-21-or-earlier-versions-2]]
|
|||
|
Fedora 21 or earlier versions
|
|||
|
+++++++++++++++++++++++++++++
|
|||
|
|
|||
|
Instead of automatic updates yum can alert your via email of available
|
|||
|
updates which you could then install manually. You could accomplish such
|
|||
|
a setup with a cron job such as that listed below. Simply put this in
|
|||
|
/etc/cron.daily with a suitable filename (such as
|
|||
|
yum-check-updates.cron).
|
|||
|
|
|||
|
....
|
|||
|
#!/bin/sh
|
|||
|
|
|||
|
/usr/bin/yum check-update 2>&1 | /bin/mail -s "yum check-update output" root
|
|||
|
....
|
|||
|
|
|||
|
You can of course change the email address it sends to, etc. to meet
|
|||
|
your own needs.
|
|||
|
|
|||
|
[[scheduling-updates]]
|
|||
|
Scheduling updates
|
|||
|
^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
Another common problem is having automatic updates run when it isn't
|
|||
|
desired (holidays, weekends, vacations, etc). If there are times that no
|
|||
|
one will be around to fix any problem arising the from the updates, it
|
|||
|
may be best to avoid doing updates on those days.
|
|||
|
|
|||
|
[[fedora-22-or-later-versions-3]]
|
|||
|
Fedora 22 or later versions
|
|||
|
+++++++++++++++++++++++++++
|
|||
|
|
|||
|
This problem can be fixed by modification of the timer of dnf-automatic
|
|||
|
using the description on
|
|||
|
https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units[Use
|
|||
|
Systemctl] page.
|
|||
|
|
|||
|
[[fedora-21-or-earlier-versions-3]]
|
|||
|
Fedora 21 or earlier versions
|
|||
|
+++++++++++++++++++++++++++++
|
|||
|
|
|||
|
One method is to use a crontab entry instead of the
|
|||
|
/etc/cron.daily/yum.conf provided by default. For example, to only run
|
|||
|
updates from Monday through Friday mornings (avoiding weekends), you
|
|||
|
might use a crontab entry such as the following:
|
|||
|
|
|||
|
....
|
|||
|
0 7 * * 1-5 /usr/bin/yum -y update
|
|||
|
....
|
|||
|
|
|||
|
If you need more control over when it runs, you could create a file
|
|||
|
called, for example, /usr/local/etc/no-yum-update.conf, which contains a
|
|||
|
list of dates not to update on. What dates go in this file is up to you
|
|||
|
to decide (vacations, holidays, etc). The dates would be in the format
|
|||
|
YYYY-MM-DD (e.g. 2005-03-31). Then create a
|
|||
|
/etc/cron.daily/yum-update.cron script something like the following:
|
|||
|
|
|||
|
....
|
|||
|
#!/bin/sh
|
|||
|
|
|||
|
today=$(date +%Y-%m-%d)
|
|||
|
|
|||
|
while read banned; do
|
|||
|
[ "$today" == "$banned" ] && exit 0
|
|||
|
done < /usr/local/etc/no-yum-update.conf
|
|||
|
yum -y update
|
|||
|
....
|
|||
|
|
|||
|
[[other-methods-of-protection]]
|
|||
|
Other methods of protection
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
Yet another thing to consider if not using automatic updates is to
|
|||
|
provide your machine with some other forms of protection to help defend
|
|||
|
any attacks that might occur before updates are in place. This might
|
|||
|
include an external firewall, a host-based firewall (like iptables,
|
|||
|
ipchains, and/or tcp wrappers), not performing dangerous tasks on the
|
|||
|
computer (like browsing the web, reading e-mail, etc), and monitoring
|
|||
|
the system for instrusions (with system log checkers, IDS systems,
|
|||
|
authentication or login monitoring, etc).
|
|||
|
|
|||
|
'''''
|
|||
|
|
|||
|
Category:Documentation
|
|||
|
'''
|
|||
|
|
|||
|
See a typo, something missing or out of date, or anything else which can be
|
|||
|
improved? Edit this document at https://pagure.io/fedora-docs/fedora-howto.
|