There are new vulnerabilities being disclosed every day that put your server at a security risk. The stress of updating your system for the latest security patch or application update can be relieved by automating the update process using the dnf-automatic command.
dnf-automatic is a command-line tool for RHEL-based distributions such as Fedora, AlmaLinux, Rocky Linux, etc., that automates the update process using systemd timers. It periodically checks the system for the latest release or security updates and applies them as a background process, without your interaction.
This will ease your concern about the security risk involved on your server and allow you to focus more on the product, but remember there are some flaws using this method, which we will discuss later on.
Install dnf-automatic in RHEL-based distributions
The first step is to install the dnf-automatic package on your system using the below command.
$ sudo dnf install dnf-automatic
Press “Y” to start the installation process, and once it is finished, run the following command to verify the installation.
$ dnf-automatic --help
Now you can easily move on to the configuration part.
Configuring dnf-automatic in RHEL-based distributions
The configuration file for the dnf-automatic package is automatic.conf, located at /etc/dnf/automatic.conf. Simply open it with your choice of text editor.
$ sudo nano /etc/dnf/automatic.conf
Instead of upgrade_type=default, I would suggest using the upgrade_type=security setting. To know more, check the FAQ at the end. Next, make sure to set apply_updates=yes, otherwise dnf-automatic will only download the packages without applying them.
How do you want to get notified when a package update is applied? This can be done using the emit_via option, which offers three emitters.
The email emitter will send the report via email.
The stdio emitter will show system notification.
The motd emitter sends the result to the /etc/motd file.
The stdio and motd emitters do not require any extra changes. For the email emitter, you need to change the below settings.
emit_via = email # Define the type of emitter in use
email_from = [email protected] # The address to send email messages from.
email_to = root # List of addresses to send messages to.
email_host = localhost # Name of the host/ip(smtp) to connect to send email messages.
After making the changes, save and close the configuration file.
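Before enabling the timer, the edited file can be checked for the settings discussed above. The script below is an added example, not part of the original guide or of dnf; conf_get and audit_conf are hypothetical helper names, and it assumes upgrade_type and apply_updates sit in the [commands] section, emit_via in [emitters] and the email_* options in [email], as in the stock automatic.conf.

```sh
#!/bin/sh
# Added example: audit a dnf-automatic config for the settings this guide changes.
# conf_get and audit_conf are hypothetical helper names, not part of dnf.

# Print the value of KEY in [SECTION] of an INI file (last assignment wins).
conf_get() {  # usage: conf_get FILE SECTION KEY
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }                      # whole-line comments
    /^[ \t]*\[/   { gsub(/^[ \t]*\[|\][ \t]*$/, ""); cur = $0; next }
    cur == sec {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# Warn about settings that differ from the guide; return 1 if any warning fired.
audit_conf() {  # usage: audit_conf [FILE]
  _f=${1:-/etc/dnf/automatic.conf}; _rc=0
  _v=$(conf_get "$_f" commands upgrade_type)
  [ "$_v" = security ] || { echo "WARN upgrade_type=${_v:-unset}, guide suggests security"; _rc=1; }
  _v=$(conf_get "$_f" commands apply_updates | tr 'A-Z' 'a-z')
  case "$_v" in
    yes|true|1|on) ;;
    *) echo "WARN apply_updates=${_v:-unset}, updates will not be applied"; _rc=1 ;;
  esac
  _v=$(conf_get "$_f" emitters emit_via)
  echo "INFO reports are emitted via: ${_v:-unset}"
  case "$_v" in
    *email*) echo "INFO mail goes to $(conf_get "$_f" email email_to) via SMTP host $(conf_get "$_f" email email_host)" ;;
  esac
  return $_rc
}

# Constructed sample (not a real host's file): security-only, apply_updates still "no".
sample=$(mktemp)
printf '%s\n' '[commands]' 'upgrade_type = security' 'apply_updates = no' \
  '[emitters]' 'emit_via = motd' > "$sample"
audit_conf "$sample" || echo "config needs attention"
rm -f "$sample"
```

Run audit_conf with no argument (as a user who can read /etc/dnf/automatic.conf) to check the live file; a non-zero exit status means at least one WARN line was printed.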
Start and Enable dnf-automatic in RHEL-based distributions
The last step is to enable and start the dnf-automatic timer so that automatic updates are scheduled in RHEL-based distributions.
$ sudo systemctl enable --now dnf-automatic.timer
Use the below command to check the status of the dnf-automatic timer.
$ systemctl list-timers '*dnf-*'
In future, when there is an update available from the repository of the packages you have installed, it will automatically download and apply those updates without any interaction from you and notify you accordingly, depending upon the emit_via emitter.
FAQ
The package maintainer/developer always tries to provide fast updates for vulnerabilities such as Spring4Shell, Log4Shell, Shellshock, etc. You don’t have to worry if your system automatically downloads and applies updates, but manually updating your system can leave loopholes for a while. It also depends upon the size of the organization or the popularity of the product. The bigger the size, the greater the chance of being exploited.
Automatic updates are good for security purposes but also leave the misconception that your system will be well and good. For example, if you are running web services on your systems such as Apache, PHP, and MySQL, updating those packages might break them and cause downtime for a period. In such a case, it is recommended to manually update packages or test them first in the development environment.
dnf-automatic provides two types of updates: default and security. By default, upgrade_type is set to default. I suggest using upgrade_type=security. It will only download and apply security updates and patches without breaking your packages.
I hope this guide will be useful for you. If you have any queries, let us know in the comment section.
Does this require setting up a mail server?