The CentOS 7 system can be updated in three ways −
- Manually
- Automatically
- Update manually for major security issues and configure automatic updates
In a production environment, it is recommended to update manually for production servers. Or at least establish an update plan so the administrator can assure services vital to business operations.
It is plausible a simple security update can cause recursive issues with common application that requires upgrading and reconfiguration by an Administrator. So, be weary of scheduling automatic updates in production before testing in development servers and desktops first.
Manually Update CentOS 7
To update CentOS 7, we will want to become familiar with the yum command. yum is used to deal with package repositories in CentOS 7. yum is the tool commonly used to −
- Update the CentOS 7 Linux System
- Search for packages
- Install packages
- Detect and install required dependencies for packages
In order to use yum for updates, your CentOS server will need to be connected to the Internet. Most configurations will install a base system, then use yum to query the main CentOS repository for additional functionality in packages and apply system updates.
We have already made use of yum to install a few packages. When using yum you will always need to do so as the root user. Or a user with root access. So let's search for and install an easy to use text-editor called nano.
[root@centos rdc]# yum search nano Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirror.rackspace.com * epel: mirror.chpc.utah.edu * extras: repos.forethought.net * updates: repos.forethought.net ====================================================================== N/S matched: nano ====================================================================== nano.x86_64 : A small text editor nodejs-nano.noarch : Minimalistic couchdb driver for Node.js perl-Time-Clock.noarch : Twenty-four hour clock object with nanosecond precision Name and summary matches only, use "search all" for everything. [root@centos rdc]#
Now, let's install the nano text editor.
[root@centos rdc]# yum install nano Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirror.keystealth.org * epel: pubmirror1.math.uh.edu * extras: centos.den.host-engine.com * updates: repos.forethought.net Resolving Dependencies --> Running transaction check ---> Package nano.x86_64 0:2.3.1-10.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: nano x86_64 2.3.1-10.el7 base 440 k Transaction Summary Install 1 Package Total download size: 440 k Installed size: 1.6 M Is this ok [y/d/N]: y Downloading packages: nano-2.3.1-10.el7.x86_64.rpm | 440 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : nano-2.3.1-10.el7.x86_64 1/1 Verifying : nano-2.3.1-10.el7.x86_64 1/1 Installed: nano.x86_64 0:2.3.1-10.el7 Complete! [root@centos rdc]#
We have installed the nano text editor. This method, IMO, is a lot easier than searching for utilities on websites and manually running the installers. Also, repositories use digital signatures to validate packages assuring they are coming from a trusted source with yum. It is up to the administrator to validate authenticity when trusting new repositories. This is why it is considered a best practice to be weary of third party repositories.
Yum can also be used to remove a package.
[root@centos rdc]# yum remove nano Loaded plugins: fastestmirror, langpacks Resolving Dependencies --> Running transaction check ---> Package nano.x86_64 0:2.3.1-10.el7 will be erased --> Finished Dependency Resolution Dependencies Resolved
Now let's check for updates.
[root@centos rdc]# yum list updates Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirror.keystealth.org * epel: pubmirror1.math.uh.edu * extras: centos.den.host-engine.com * updates: repos.forethought.net Updated Packages NetworkManager.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-adsl.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-glib.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-libnm.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-team.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-tui.x86_64 1:1.4.0-17.el7_3 updates NetworkManager-wifi.x86_64 1:1.4.0-17.el7_3 updates audit.x86_64 2.6.5-3.el7_3.1 updates audit-libs.x86_64 2.6.5-3.el7_3.1 updates audit-libs-python.x86_64
As depicted, we have a few dozen updates pending to install. Actually, there are about 100 total updates since we have not yet configured automatic updates. Thus, let's install all pending updates.
[root@centos rdc]# yum update Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirrors.usc.edu * epel: pubmirror1.math.uh.edu * extras: repos.forethought.net * updates: repos.forethought.net Resolving Dependencies --> Running transaction check ---> Package NetworkManager.x86_64 1:1.4.0-14.el7_3 will be updated ---> Package NetworkManager.x86_64 1:1.4.0-17.el7_3 will be an update selinux-policy noarch 3.13.1102.el7_3.15 updates 414 k selinux-policy-targeted noarch 3.13.1102.el7_3.15 updates 6.4 M systemd x86_64 21930.el7_3.7 updates 5.2 M systemd-libs x86_64 21930.el7_3.7 updates 369 k systemd-python x86_64 21930.el7_3.7 updates 109 k systemd-sysv x86_64 21930.el7_3.7 updates 63 k tcsh x86_64 6.18.01-13.el7_3.1 updates 338 k tzdata noarch 2017a1.el7 updates 443 k tzdata-java noarch 2017a1.el7 updates 182 k wpa_supplicant x86_64 1:2.021.el7_3 updates 788 k Transaction Summary =============================================================================== Install 2 Packages Upgrade 68 Packages Total size: 196 M Total download size: 83 M Is this ok [y/d/N]:
After hitting the "y" key, updating of CentOS 7 will commence. The general process that yum goes through when updating is −
- Checks the current packages
- Looks in the repository for updated packages
- Calculates dependencies needed for updated packages
- Downloads updates
- Installs updates
Now, let's make sure our system is up to date −
[root@centos rdc]# yum list updates Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * updates: mirror.compevo.com [root@centos rdc]#
As you can see, there are no updates listed.
Configure Automatic Updates for YUM
In an Enterprise environment, as mentioned earlier, automatic updates may or may not be the preferred method of installation. Let's go over the steps for configuring automatic updates with yum.
First, we install a package called yum-cron.
[root@centos rdc]# yum -y install yum-cron Install 1 Package Total download size: 61 k Installed size: 51 k Downloading packages: yum-cron-3.4.3-150.el7.centos.noarch.rpm | 61 kB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : yum-cron-3.4.3-150.el7.centos.noarch 1/1 Verifying : yum-cron-3.4.3-150.el7.centos.noarch 1/1 Installed: yum-cron.noarch 0:3.4.3-150.el7.centos Complete! [root@centos rdc]#
By default, yum-cron will only download updates and not install them. Whether to install updates automatically is on the Administrator. The biggest caveat is: some updates will require a system reboot. Also, some updates may require a configuration change before services are again operational.
Updating dependencies can possibly create a recursive problem in the following situation −
An update is recommended by yum for a certain library
The library only supports Apache Server 2.4, but we have server 2.3
Our commerce site relies on a certain version of PHP
The new version of Apache installed for the library requires upgrading PHP
Our production web applications have not yet been tested with the newer PHP version
Yum may go ahead and automatically upgrade Apache and PHP without notice unless configured not to.
If all 5 scenarios play out, it can result in anything from a big headache in the morning to a possible security compromise exposing the user data. While the aforementioned example is a perfect storm of sorts, we never want such a scenario to play out.
It is up to the Administrator for accessing possible scenarios of potential revenue loss from time needed to restore services due to possible downtime from update reboots and reconfigurations. This practice may not be conservative enough for, say, a multi-million dollar per day ecommerce site with millions of customers.
Now let's configure yum-cron to automatically install system updates.
[root@centos rdc]# vim /etc/yum/yum-cron.conf # Whether updates should be applied when they are available. Note # that download_updates must also be yes for the update to be applied. apply_updates = yes
We want to change apply_updates = no to apply_updates = yes. Now let's configure the update interval for yum-cron.
Again, whether to use automatic updates and install updates on demand can be a double edged sword and needs to be considered by an administrator for each unique situation.
No comments:
Post a Comment