CentOS yum-cron updates stability

kos asked:

I have a CMS website that I’m taking over hosting that has been set up with CentOS 7.9. It is running on the VM and I want to keep that VM up to date with minimal manual intervention.

I have done a bit of similar work with Amazon Linux 2 and Debian Stable before where I had these triggered weekly. yum update --security on the Red Hat-based AL2 seemed to work without unintended side-effects for me.

But I am new to CentOS and cannot find much documentation on how stable that would be. Say using yum-cron to trigger security updates only (yum --security update-minimal) without a restart. Is that good practice? Could it force some unintended upgrades or other side effects?

My answer:


I wouldn’t touch Amazon Linux 2 for anything requiring stability, or for any other reason, in fact. Amazon Linux (both 1 and 2) were built primarily for Amazon’s needs and to run Amazon’s services and they only share it publicly as a convenience. It gets upgraded on Amazon’s schedule, not yours. AL2 was forked from CentOS 7 and then Amazon diverges from that distro, often so much that many packages built for CentOS 7 (like EPEL) do not work any more. So compatibility is gone too.


With that out of the way:

A time when you are switching distros for your public facing (or at least intranet facing) web site is the second best time to get your distro up to the latest major release available. (The first being when that distro is released.) At the moment that means RHEL 8.4 or CentOS 8.4. But as CentOS seems to be going away at the end of the year, probably best to switch to Rocky Linux if you don’t qualify for free RHEL subscriptions (up to 16 physical or virtual machines, and production is allowed); that appears to be what most people are choosing instead of Alma Linux.

Finally, as for automatic updates, I run a few dozen public facing web sites and their servers are all on automatic updates. (They are activated a bit differently on RHEL 8 though, as yum-cron is gone, using the dnf-automatic package.) I have been doing so for a few years, and I cannot remember the last time there was a problem related to updates.

As for security updates on CentOS: They have never tagged their updates as security updates, so the yum --security ... commands have never really worked. Rocky Linux has begun doing this, so equivalent commands in <distro> 8 (e.g. `dnf –security …) work as expected on RHEL or Rocky Linux. (Though I don’t install just security updates, but everything available, and it runs daily.)

That said, I do have monitoring on all of the servers, so if something did break I would be notified and could wake up and fix it. For public facing sites I have analyzed the sites and their purpose and I believe the risk of external compromise, especially on day 0 or earlier, is far higher than the risk of a site breaking due to a bug in an update. Which is why I also have SELinux configured and enforcing.


So my recommendation for you would be to go to RHEL 8.4 if you qualify for the free subscription and Rocky Linux 8.4 if you do not. Remember to take an AWS snapshot before the upgrade. In case something does go wrong, you can either fix it quickly or roll back to the AWS snapshot.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.