dnf-automatic: Enable Automatic Updates for RHEL-based distributions

New vulnerabilities are disclosed every day that put your server at risk. The burden of keeping your system current with the latest security patches and application updates can be relieved by automating the update process using the dnf-automatic command.

dnf-automatic is a command-line tool for RHEL-based distributions such as Fedora, AlmaLinux, Rocky Linux, etc., that automates the update process using systemd timers. It periodically checks the system for the latest releases and security updates and applies them in the background without your interaction.

This will ease your concern about security risks on your server and allow you to focus more on the product, but remember that this method has some drawbacks, which we will discuss later on.

Install dnf-automatic in RHEL-based distributions

The first step will be to install the dnf-automatic package on your system using the below command.

$ sudo dnf install dnf-automatic

Below is the output of the above command.

Installing the dnf-automatic package in the rhel-based distribution

Press “Y” to start the installation process, and once it is finished, run the following command to verify the installation.

$ dnf-automatic --help

Below is the output of the above command.

Verify the installation of dnf-automatic package

Now you can easily move on to the configuration part.

Configuring dnf-automatic in RHEL-based distributions

The configuration file for the dnf-automatic package is automatic.conf, located at /etc/dnf/automatic.conf. Simply open it with your choice of text editor.

$ sudo nano /etc/dnf/automatic.conf

Below is the output of the above command.

dnf-automatic configuration file

Instead of the default upgrade_type=default, I would suggest using the upgrade_type=security setting. To know more, check the FAQ at the end. Next, make sure to set apply_updates=yes; otherwise dnf-automatic will only download the packages without applying them.

How do you want to get notified when a package update is applied? This is controlled by the emit_via option, which selects one of three emitters.

  • email emitter will send the report via email.
  • stdio emitter will show system notification.
  • motd sends the result to the /etc/motd file.

The stdio and motd emitters do not require any extra changes. For the email emitter, you need to change the below settings.

# In the [emitters] section: define the type of emitter in use
emit_via = email
# In the [email] section: the address to send email messages from
email_from = [email protected]
# List of addresses to send messages to
email_to = root
# Name of the host/IP (SMTP) to connect to in order to send email messages
email_host = localhost

After making the changes, save and close the configuration file.
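
As an added example (not from the original article or the dnf project), the Python script below audits an automatic.conf for the settings recommended above. The section names [commands], [emitters] and [email] follow the stock file layout rather than anything shown on this page, and both sample configs are constructed for illustration.

```python
import configparser

# Constructed sample: a config left at the values the article tells you to change.
WEAK = """\
[commands]
upgrade_type = default
apply_updates = no
[emitters]
emit_via = email
[email]
email_to =
email_host = localhost
"""

# Constructed sample: the same file after following the article.
HARDENED = (WEAK.replace("= default", "= security")
            .replace("updates = no", "updates = yes").replace("email_to =", "email_to = root"))


def audit(text):
    """Return a list of findings for an automatic.conf passed as a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    upgrade_type = cp.get("commands", "upgrade_type", fallback="default").strip()
    if upgrade_type != "security":
        findings.append(f"upgrade_type={upgrade_type}: not restricted to security updates")

    try:
        apply_updates = cp.getboolean("commands", "apply_updates", fallback=False)
    except ValueError:
        apply_updates = False  # unparsable value: treat as "not applying"
    if not apply_updates:
        findings.append("apply_updates is not yes: updates are downloaded but not applied")

    # emit_via is a list; accept comma- or space-separated emitter names.
    emitters = cp.get("emitters", "emit_via", fallback="").replace(",", " ").split()
    if not emitters:
        findings.append("emit_via is empty: no report is produced after a run")
    if "email" in emitters:
        for key in ("email_to", "email_host"):
            if not cp.get("email", key, fallback="").strip():
                findings.append(f"emit_via includes email but {key} is empty")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED))
```

To check a live system, pass the contents of /etc/dnf/automatic.conf to audit() instead of the samples.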

Start and Enable dnf-automatic in RHEL-based distributions

The last step is to enable and start the dnf-automatic systemd timer, which schedules the automatic updates in RHEL-based distributions.

$ sudo systemctl enable --now dnf-automatic.timer

Below is the output of the above command.

Start automatic scheduling

Use the below command to check the status of the dnf-automatic.

$ systemctl list-timers '*dnf-*'

Below is the output of the above command.

Status of the dnf-automatic

In the future, when an update is available from the repository for the packages you have installed, it will be downloaded and applied automatically without any interaction from you, and you will be notified according to the emit_via emitter.


Why should you keep your system up to date?

Package maintainers and developers always try to provide fast updates for vulnerabilities such as Spring4Shell, Log4Shell, Shellshock, etc. You don’t have to worry if your system automatically downloads and applies updates, but manually updating your system can leave loopholes for a while. It also depends upon the size of the organization or the popularity of the product. The bigger the size, the greater the chance of being exploited.

When should I not use automatic updates?

Automatic updates are good for security purposes but can also give the false impression that your system will always be fine. For example, if you are running web services on your systems such as Apache, PHP, and MySQL, updating those packages might break them and cause downtime for a period. In such a case, it is recommended to manually update packages or test them first in the development environment.

Should I use dnf-automatic to automatically update packages?

dnf-automatic provides two types of updates: default and security. By default, upgrade_type is set to default. I suggest using upgrade_type=security. It will only download and apply security updates and patches without breaking your packages.

I hope this guide will be useful for you. If you have any queries, let us know in the comment section.

This Post Has One Comment

  1. Dela

    Does this require setting up a mail server?
