5

With Amazon Linux 2 I would automatically apply security updates using yum-cron and something like:

# turn on automatic security updates
set -ex
sudo yum update -y
sudo yum install yum-cron -y
sudo sed -i 's/update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf
sudo sed -i "s/apply_updates = no/apply_updates = yes/" /etc/yum/yum-cron.conf
sudo service yum-cron start
sudo systemctl enable yum-cron

yum-cron is intentionally not available on al2023 and it sounds like automatic security updates are not a thing either? How should 0-day exploits be fixed? We do not have the resources to monitor and rebuild every system from a fresh AMI every month.

YoungDinosaur
  • 155
  • 1
  • 5

2 Answers2

5

My recipe (/etc/cron.daily/dnf-updates):

#!/bin/bash
readonly V=$(/usr/bin/dnf check-release-update --latest-only --version-only 2>&1)
[ -n "$V" ] && /usr/bin/dnf upgrade --security --assumeyes --releasever=$V

Shortcut:

/usr/bin/dnf upgrade --security --assumeyes --releasever=latest
ggrandes
  • 255
4

systemd timers replaced cron in AL2023, so ggrandes' answer did not work for me.

I was able to set up a systemd timer quite easily though.

First create /etc/systemd/system/dnf-security-upgrade.service with the following contents:

[Unit]
Description=Automatic security upgrades for dnf packages

[Service]
Type=oneshot
ExecStart=/usr/bin/dnf upgrade --security --assumeyes --releasever=latest

Then create /etc/systemd/system/dnf-security-upgrade.timer with the following contents:

[Unit]
Description=Timer for automatic security upgrades for dnf packages

[Timer]
OnCalendar=daily
Persistent=true


[Install]
WantedBy=timers.target

Now, reload the systemd daemon with:

systemctl daemon-reload

Finally, run the following command to start the timer:

systemctl enable --now dnf-security-upgrade.timer
Andy
  • 201