| |
@@ -1,37 +1,5 @@
|
| |
= AutoUpdates
|
| |
|
| |
- '''
|
| |
-
|
| |
- [IMPORTANT]
|
| |
- ======
|
| |
-
|
| |
- This page was automatically converted from https://fedoraproject.org/wiki/AutoUpdates
|
| |
-
|
| |
- It is probably
|
| |
-
|
| |
- * Badly formatted
|
| |
- * Missing graphics and tables that do not convert well from mediawiki
|
| |
- * Out-of-date
|
| |
- * In need of other love
|
| |
-
|
| |
- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs
|
| |
-
|
| |
- Once you've fixed this page, remove this notice, and update
|
| |
- [filename]`modules/ROOT/nav.adoc`.
|
| |
-
|
| |
- Once the document is live, go to the original wiki page and replace its text
|
| |
- with the following macro:
|
| |
-
|
| |
- ....
|
| |
- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}
|
| |
- ....
|
| |
-
|
| |
- ======
|
| |
-
|
| |
- '''
|
| |
-
|
| |
- include::{partialsdir}/unreviewed-message.adoc[]
|
| |
-
|
| |
[[automatic-updates]]
|
| |
Automatic Updates
|
| |
-----------------
|
| |
@@ -43,9 +11,9 @@
|
| |
owner of each machine to decide whether automatic updates are desirable
|
| |
or not for that machine. One of the things which makes one a good system
|
| |
administrator is the ability to evaluate the facts and other people's
|
| |
- suggestions, and then decide for onesself what one should do.
|
| |
+ suggestions, and then decide for oneself what one should do.
|
| |
|
| |
- A general rule that applies in most cases is as follows:
|
| |
+ The general rule that applies in most cases is as follows:
|
| |
|
| |
_If the machine is a critical server, for which unplanned downtime of a
|
| |
service on the machine can not be tolerated, then you should not use
|
| |
@@ -53,8 +21,8 @@
|
| |
|
| |
Even the general rule above has exceptions, or can be worked around.
|
| |
Some issues might be resolved through a special setup on your part. For
|
| |
- example, you could create your own dnf|yum repository on a local server,
|
| |
- and only put in it tested or trusted updates. Then use the automatic
|
| |
+ example, you could create your own DNF or yum repository on a local server,
|
| |
+ and only put in tested or trusted updates. Then use the automatic
|
| |
updates from only your own repository. Such setups, while perhaps more
|
| |
difficult to setup and maintain, can remove a large amount of risk
|
| |
otherwise inherent in automatic updates.
|
| |
@@ -64,29 +32,28 @@
|
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
|
| |
You can use a service to automatically download and install any new
|
| |
- updates (for example security updates).
|
| |
+ updates (for example, security updates).
|
| |
|
| |
[[fedora-22-or-later-versions]]
|
| |
Fedora 22 or later versions
|
| |
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
| |
|
| |
The http://dnf.readthedocs.org/en/latest/automatic.html[dnf-automatic]
|
| |
- RPM package as a link:dnf[DNF] component provides a service which is
|
| |
+ RPM package as a xref:dnf.adoc[DNF] component provides a service which is
|
| |
started automatically.
|
| |
|
| |
[[install-and-settings-of-dnf-automatic]]
|
| |
Install and settings of dnf-automatic
|
| |
+++++++++++++++++++++++++++++++++++++
|
| |
|
| |
- On a fresh install of Fedora 22 with default options the dnf-automatic
|
| |
- RPM is not installed, the first command below installs this RPM.
|
| |
+ On a fresh install of Fedora 22 or later with default options, the dnf-automatic
|
| |
+ RPM is not installed. The first command below installs this RPM.
|
| |
|
| |
....
|
| |
- dnf install dnf-automatic
|
| |
+ sudo dnf install dnf-automatic
|
| |
....
|
| |
|
| |
- Though, you have to change a configuration file. In order to do this,
|
| |
- run as the root user (or become root via su -) from a terminal window.
|
| |
+ By default, the dnf-automation runs from the configurations in `/etc/dnf/automation.conf` file. These configurations only download, but do not apply any of the packages. In order to change or add any configurations, open the `.conf` file as the root user (or become root via su -) from a terminal window.
|
| |
|
| |
....
|
| |
env EDITOR='gedit -w' sudoedit /etc/dnf/automatic.conf
|
| |
@@ -101,18 +68,23 @@
|
| |
|
| |
Once you are finished with configuration, execute:
|
| |
|
| |
- `systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer`
|
| |
+ ....
|
| |
+ systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer
|
| |
+ ....
|
| |
|
| |
to enable and start the systemd timer.
|
| |
|
| |
Check status of dnf-automatic:
|
| |
|
| |
- `# systemctl list-timers *dnf-*`
|
| |
+ ....
|
| |
+ systemctl list-timers dnf-*
|
| |
+ ....
|
| |
|
| |
[[changes-as-of-fedora-26]]
|
| |
Changes as of Fedora 26
|
| |
+ +++++++++++++++++++++++
|
| |
|
| |
- As of Fedora 26 there are now three timers that control dnf-automatic.
|
| |
+ As of Fedora 26 there are now three timers that can be enabled to control dnf-automatic.
|
| |
|
| |
* dnf-automatic-download.timer - Only download
|
| |
* dnf-automatic-install.timer - Download and install
|
| |
@@ -127,14 +99,12 @@
|
| |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
| |
|
| |
The yum-cron RPM package provides a service which is started
|
| |
- automatically. Though, you have to change a configuration file. In order
|
| |
- to do this, run as the root user (or become root via su -) from a
|
| |
- terminal window. On a fresh install of Fedora 20 with default options
|
| |
+ automatically by enabling it in the configuration file. Run as the root user (or become root via su -) from a terminal window. On a fresh install of Fedora 20 with default options
|
| |
the yum-cron RPM is not installed, the first command below installs this
|
| |
RPM.
|
| |
|
| |
....
|
| |
- yum install -y yum-cron
|
| |
+ sudo yum install -y yum-cron
|
| |
env EDITOR='gedit -w' sudoedit /etc/yum/yum-cron.conf"
|
| |
....
|
| |
|
| |
@@ -154,13 +124,12 @@
|
| |
when there are new updates available.
|
| |
|
| |
[[can-we-trust-dnf-or-yum-updates]]
|
| |
- Can we trust dnf or yum updates?
|
| |
+ Can we trust DNF or yum updates?
|
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
|
| |
- Dnf and Yum in Fedora has the GPG key checking enabled by default.
|
| |
- Assuming that you have imported the correct GPG keys, and still have
|
| |
- gpgcheck=1 in your for dnf or for yum, then we can at least assume that
|
| |
- any automatically installed updates were not corrupted or modified from
|
| |
+ DNF and Yum in Fedora has the GPG key checking enabled by default.
|
| |
+ Assuming you have imported the correct GPG keys, and still have
|
| |
+ gpgcheck=1 in `/etc/dnf/dnf.conf` for DNF or `/etc/yum.conf` for yum, then we can at least assume that any automatically installed updates were not corrupted or modified from
|
| |
their original state. Using the GPG key checks, there is no way for an
|
| |
attacker to generate packages that your system will accept as valid
|
| |
(unless they have a copy of the *private* key corresponding to one you
|
| |
@@ -169,7 +138,7 @@
|
| |
However, the question would also apply to the question of update
|
| |
quality. Will the installation of the package cause problems on your
|
| |
system? This we can not answer. Each package goes through a QA process,
|
| |
- and is assumed to be problem free. But, problems happen, and QA can not
|
| |
+ and is assumed to be problem free. But problems happen, and QA can not
|
| |
test all possible cases. It is always possible that any update may cause
|
| |
problems during or after installation.
|
| |
|
| |
@@ -183,9 +152,9 @@
|
| |
internet which would have been safe if the latest updates where
|
| |
installed in a timely way.
|
| |
|
| |
- So while you should still be cautious with any automated update
|
| |
+ While you should still be cautious with any automated update
|
| |
solution, in particular on production systems, it is definitely worth
|
| |
- considering, at least in some situations.
|
| |
+ considering. At least in some situations.
|
| |
|
| |
[[reasons-for-using-automatic-updates]]
|
| |
Reasons FOR using automatic updates
|
| |
@@ -229,13 +198,13 @@
|
| |
* You installed a custom kernel, custom kernel modules, third party
|
| |
kernel modules, or have a third party application that depends on kernel
|
| |
versions (this may not be a problem if you exclude kernel updates, which
|
| |
- is the default in Fedora dnf.conf or yum.conf files). (But see also
|
| |
+ is the default in Fedora `dnf.conf` or `yum.conf` files). (But see also
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=870790[bug #870790] - you
|
| |
may need to modify in Fedora 22 or later versions in base section to add
|
| |
exclude=kernel*. or in Fedora 21 or earlier versions to
|
| |
exclude=kernel*.)
|
| |
- * Your enviroment requires meticulous change-control procedures.
|
| |
- * You update from other third party yum|dnf repositories besides Fedora
|
| |
+ * Your environment requires meticulous change-control procedures.
|
| |
+ * You update from other third party yum or DNF repositories besides Fedora
|
| |
(core, extras, legacy ) repositories which may conflict in versioning
|
| |
schemes for the same packages.
|
| |
|
| |
@@ -255,11 +224,11 @@
|
| |
seemingly unrelated packages.
|
| |
* Bugs. Many packages contain buggy software or installation scripts.
|
| |
The update may create problems during or after installation. Even
|
| |
- cosmetic bugs like those found in previous Mozilla updates (causing the
|
| |
- user's icons to be removed or break) can be annoying or problematic.
|
| |
+ cosmetic bugs, like those found in previous Mozilla updates causing the
|
| |
+ user's icons to be removed or break, can be annoying or problematic.
|
| |
* Automatic updates may not complete the entire process needed to make
|
| |
- the system secure. For example, dnf or yum can install a kernel update,
|
| |
- but until the machine is rebooted (which dnf or yum will not do
|
| |
+ the system secure. For example, DNF or yum can install a kernel update,
|
| |
+ but until the machine is rebooted (which DNF or yum will not do
|
| |
automatically) the new changes won't take effect. The same may apply to
|
| |
restarting daemons. This can leave the user feeling that he is secure
|
| |
when he is not.
|
| |
@@ -273,14 +242,14 @@
|
| |
|
| |
Check for package updates which have been automatically performed, and
|
| |
note if they need further (manual) intervention. You can monitor what
|
| |
- dnf or yum has updated via its log file (usually or ).
|
| |
+ DNF or yum has updated via its log file.
|
| |
|
| |
[[fedora-22-or-later-versions-1]]
|
| |
Fedora 22 or later versions
|
| |
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
| |
|
| |
You can monitor updates availability automatically by email after
|
| |
- modifying dnf-automatic configuration file (usually ).
|
| |
+ modifying dnf-automatic configuration file (usually).
|
| |
|
| |
....
|
| |
[emitters]
|
| |
@@ -309,7 +278,7 @@
|
| |
|
| |
You can monitor this automatically by email by modifying the cron job to
|
| |
mail you the last part of the log file. For example, edit
|
| |
- /etc/cron.daily/yum.cron so that it looks like the following:
|
| |
+ `/etc/cron.daily/yum.cron` so that it looks like the following:
|
| |
|
| |
....
|
| |
#!/bin/sh
|
| |
@@ -324,8 +293,8 @@
|
| |
You would replace youremail@yourdomain with a actual email address to
|
| |
which you want to report sent. This change will mean that after yum runs
|
| |
every night, it will email you the tail end of the log file showing what
|
| |
- happened. (Note this assumes you have a working mail setup on your
|
| |
- machine.)
|
| |
+ happened (note: this assumes you have a working mail setup on your
|
| |
+ machine).
|
| |
|
| |
[[alternative-methods]]
|
| |
Alternative methods
|
| |
@@ -339,7 +308,7 @@
|
| |
more complexity to configure.
|
| |
|
| |
....
|
| |
- dnf install auter
|
| |
+ sudo dnf install auter
|
| |
....
|
| |
|
| |
Edit the configuration. Descriptions of the options are contained in the
|
| |
@@ -429,7 +398,7 @@
|
| |
+++++++++++++++++++++++++++++
|
| |
|
| |
One method is to use a crontab entry instead of the
|
| |
- /etc/cron.daily/yum.conf provided by default. For example, to only run
|
| |
+ `/etc/cron.daily/yum.conf` provided by default. For example, to only run
|
| |
updates from Monday through Friday mornings (avoiding weekends), you
|
| |
might use a crontab entry such as the following:
|
| |
|
| |
@@ -438,11 +407,11 @@
|
| |
....
|
| |
|
| |
If you need more control over when it runs, you could create a file
|
| |
- called, for example, /usr/local/etc/no-yum-update.conf, which contains a
|
| |
+ called, for example, `/usr/local/etc/no-yum-update.conf`, which contains a
|
| |
list of dates not to update on. What dates go in this file is up to you
|
| |
to decide (vacations, holidays, etc). The dates would be in the format
|
| |
YYYY-MM-DD (e.g. 2005-03-31). Then create a
|
| |
- /etc/cron.daily/yum-update.cron script something like the following:
|
| |
+ `/etc/cron.daily/yum-update.cron` script something like the following:
|
| |
|
| |
....
|
| |
#!/bin/sh
|
| |
@@ -465,13 +434,5 @@
|
| |
include an external firewall, a host-based firewall (like iptables,
|
| |
ipchains, and/or tcp wrappers), not performing dangerous tasks on the
|
| |
computer (like browsing the web, reading e-mail, etc), and monitoring
|
| |
- the system for instrusions (with system log checkers, IDS systems,
|
| |
+ the system for intrusion (with system log checkers, IDS systems,
|
| |
authentication or login monitoring, etc).
|
| |
-
|
| |
- '''''
|
| |
-
|
| |
- Category:Documentation
|
| |
- '''
|
| |
-
|
| |
- See a typo, something missing or out of date, or anything else which can be
|
| |
- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.
|
| |
I expanded on a few sections about configuration, but otherwise it matches the current documentation and my experimentation. Also added a few grammar, spelling, and punctuation changes.