[HowTo] Setup Automatic Security / VestaCP Updates on CentOS 7
Install yum-cron on CentOS 7
Yum-cron is a command-line tool to manage system and package updates on CentOS systems.
The utility is available in the CentOS 7 repository. You can install it using the command below.
Code:
yum -y install yum-cron
After the installation is complete, start the yum-cron service, and then make sure it starts automatically at system boot from now on. All this can be done using the following commands:
Code:
systemctl start yum-cron
systemctl enable yum-cron
That's it. Yum-cron is now properly installed on your CentOS 7 server.
Configure Yum-Cron for automatic updates
After installing the yum-cron package, we need to configure it for automatic updates. By default, yum-cron provides three kinds of updates: default update using the yum upgrade command, minimal update, and security update.
Note that in this tutorial, we will configure yum-cron for security updates (related to both system and packages). So let's begin.
As a first step, go to the 'yum' configuration directory and edit the 'yum-cron.conf' file using the Vim editor.
Code:
cd /etc/yum/
vim yum-cron.conf
Note: Of course, you can use any other editor of your choice.
In the file, head to the line beginning with the string 'update_cmd', and define the kind of update you want to use. For example, in this tutorial, we are focusing only on security updates, so change the value from 'default' to 'security'.
update_cmd = security
Similarly, head to the line beginning with the 'update_messages' string, and make sure its value is 'yes'.
update_messages = yes
Then do the same for the 'download_updates' and 'apply_updates' lines.
download_updates = yes
apply_updates = yes
So whenever there's a security update available, the system will now automatically download the required packages and then apply all the updates.
Next up is message notification configuration. Basically, Yum-cron provides two ways: either you can have notifications displayed on STDIO, or have them sent to an email address. For this tutorial, we will be going with the second option, which is email.
So change the value of 'emit_via' to 'email' as shown below.
emit_via = email
There are a handful of other related changes that you have to make, including specifying the from and to email addresses and the email host. Here are the values that we've set:
email_from = root@servername
email_to = [email protected]
email_host = server
That's it. Now save the file and exit the editor.
The final step is to restart the yum-cron service, which you can do using the following command:
Code:
systemctl restart yum-cron
At this stage, any security updates on the system will be automatically downloaded and applied using yum-cron on a daily basis.
Configure exclude packages
Sometimes, for whatever reason, we don't want to apply automatic updates on some packages, including kernel. In this step, we will discuss the configuration that'll let you disable updates for select packages.
So the first step here is to edit the configuration file yum-cron.conf, which resides in the yum configuration directory.
Code:
cd /etc/yum/
vim yum-cron.conf
Towards the bottom of the file, you will see the '[base]' section. Add a new line under this section containing the names of the packages you want to exclude. For example, something similar to the following:
exclude = mysql* kernel*
Now just save the changes and exit.
Yeah, you guessed it right, now you'll have to restart the yum-cron service.
Code:
systemctl restart yum-cron
So in our case, all packages with names beginning with 'mysql' or 'kernel' will be disabled for automatic updates.
Check yum-cron logs
Yum-cron uses a cron job for automatic security updates, and all logs for this cron job are available under the '/var/log' directory.
So you need to head to the '/var/log' directory to access the 'cron' log file.
Code:
cd /var/log/
cat cron | grep yum-daily
And in case you want to see the packages that have been updated, you can check the yum.log file.
Code:
cat yum.log | grep Updated
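An added example, not part of the original post: a shell function that checks a yum-cron.conf for the values set in the steps above and warns when the '[base]' exclude line holds back kernel updates. The function name audit_yum_cron and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a yum-cron.conf against
# the values this tutorial sets. Prints FAIL/WARN lines; returns 1 on any FAIL.
audit_yum_cron() {
    awk '
    BEGIN {
        want["update_cmd"] = "security"; want["update_messages"] = "yes"
        want["download_updates"] = "yes"; want["apply_updates"] = "yes"
        want["emit_via"] = "email"
        n = split("update_cmd update_messages download_updates apply_updates emit_via", keys, " ")
        bad = 0
    }
    /^[ \t]*#/ { next }                                   # comment lines
    /^[ \t]*\[/ {                                         # [section] header
        section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*/, "", section); next
    }
    /=/ {                                                 # key = value
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        have[key] = val
        if (key == "exclude" && section == "base") excl = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]; got = (k in have) ? have[k] : "<unset>"
            if (got != want[k]) { bad = 1; printf "FAIL %s = %s (expected %s)\n", k, got, want[k] }
        }
        # Excluded packages are skipped by yum-cron, security fixes included.
        if (excl ~ /(^|[ \t,])kernel/)
            print "WARN [base] exclude holds back kernel updates: " excl
        exit bad
    }' "$1"
}

# Constructed sample: untouched-style values plus the exclude line from this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no
[emitters]
emit_via = stdio
[base]
exclude = mysql* kernel*
EOF
audit_yum_cron "$sample" || echo "yum-cron.conf does not match the tutorial settings"
rm -f "$sample"
```

On a real server, call it as audit_yum_cron /etc/yum/yum-cron.conf after editing the file and before restarting the service.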