As security is a major concern, we have enabled automatic security upgrades to our Nectar official images.
This configuration is enabled starting with the following images:
- Fedora 37 (all)
- Fedora 38 (all)
- CentOS 7 (build 100)
- Debian 10 (build 10)
- Debian 11 (all)
- Ubuntu 20.04 LTS (build 10)
- Ubuntu 22.04 (all)
- Rocky Linux (all)
- Alma Linux (all)
All future versions of these distributions will include automatic upgrades.
For all distributions excluding CentOS, only packages designated as 'security' upgrades will be installed.
CentOS repositories do not include the classification of security patches in the repository metadata that would normally be available in their RedHat Enterprise Linux counterparts, so they are configured differently. See the notes on CentOS below.
Images with automatic security updates configured will have an 'automatic_updates' property applied to the image. The value of this property will be either 'security' for automatic security updates, 'all' in the case of the CentOS images where all package updates will be applied or 'none' if automatic security upgrades are disabled.
Debian and Ubuntu Linux
Debian and Ubuntu use the APT package manager which can apply automatic updates via the unattended-upgrades package.
See the Debian Wiki page on Unattended Upgrades or Ubuntu's Documentation on enabling Automatic Security Upgrades for details on how to configure the service.
For Debian and Ubuntu, we have enabled automatic updates only for packages coming from the 'security' repository, which is configured in the /etc/apt/apt.conf.d/50unattended-upgrades file. This can be modified to include all packages, as can be found in the above links.
Information about what has been upgraded can be found in the log file /var/log/unattended-upgrades/unattended-upgrades.log
For example, on an Ubuntu 18.04 LTS (Bionic) instance:
INFO Starting unattended upgrades script INFO Allowed origins are: o=Ubuntu,a=bionic-security INFO Packages that will be upgraded: curl libcurl3-gnutls libcurl4 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log INFO All upgrades installed
Fedora
Fedora uses the dnf-automatic package for automatic upgrades with the DNF package manager. A comprehensive guide for configuring DNF Automatic can be found in the DNF Automatic documentation.
The service is configured via the /etc/dnf/automatic.conf, which you can customise. We have pre-configured this file to automatically install packages classified as 'security' updates. You can change this value from the commands/upgrade_type option, or disable it completely by setting the commands/apply_updates key to 'no'.
To see that the service has done, look in the systemd journal for the dnf-automatic-install.service unit
# journalctl -u dnf-automatic-install.service systemd[1]: Starting dnf automatic install updates... dnf-automatic[191700]: Last metadata expiration check: 1:56:46 ago on Sun 11 Apr 2021 04:45:45. dnf-automatic[191700]: Transaction check succeeded. dnf-automatic[191700]: Running transaction test dnf-automatic[191700]: Transaction test succeeded. dnf-automatic[191700]: Running transaction dnf-automatic[191700]: The following updates have been applied on 'fedora': dnf-automatic[191700]: ================================================================================ dnf-automatic[191700]: Package Arch Version Repository Size dnf-automatic[191700]: ================================================================================ dnf-automatic[191700]: Upgrading: dnf-automatic[191700]: grub2-common noarch 1:2.06~rc1-1.fc33 updates 932 k dnf-automatic[191700]: grub2-pc x86_64 1:2.06~rc1-1.fc33 updates 17 k dnf-automatic[191700]: grub2-pc-modules noarch 1:2.06~rc1-1.fc33 updates 912 k dnf-automatic[191700]: grub2-tools x86_64 1:2.06~rc1-1.fc33 updates 1.9 M dnf-automatic[191700]: grub2-tools-minimal x86_64 1:2.06~rc1-1.fc33 updates 611 k dnf-automatic[191700]: Installing dependencies: dnf-automatic[191700]: freetype x86_64 2.10.4-1.fc33 updates 390 k dnf-automatic[191700]: grub2-tools-efi x86_64 1:2.06~rc1-1.fc33 updates 550 k dnf-automatic[191700]: grub2-tools-extra x86_64 1:2.06~rc1-1.fc33 updates 855 k dnf-automatic[191700]: libpng x86_64 2:1.6.37-6.fc33 updates 119 k dnf-automatic[191700]: Transaction Summary dnf-automatic[191700]: ================================================================================ dnf-automatic[191700]: Install 4 Packages dnf-automatic[191700]: Upgrade 5 Packages dnf-automatic[191700]: Updates completed at Sun 11 Apr 2021 06:42:43 systemd[1]: dnf-automatic-install.service: Succeeded. systemd[1]: Finished dnf automatic install updates. systemd[1]: dnf-automatic-install.service: Consumed 7.014s CPU time.
CentOS/Rocky/Alma Linux
CentOS repositories do not include the classification of security patches in the repository metadata that would normally be available in their RedHat Enterprise Linux counterparts. For this reason we apply ALL available updates.
CentOS 7 and 8 use different methods for automatic updates.
CentOS 7
CentOS 7 uses the yum-cron package for providing automatic updates functionality. A good overview of it can be found at https://www.redhat.com/sysadmin/using-yum-cron
The service is configured by the /etc/yum/yum-cron.conf and it triggered to run daily through CRON by the script /etc/cron.daily/0yum-daily.cron. There is also a systemd unit yum-cron.service which acts as a switch to enable or disable the service.
You'll be able to see what has been updated by looking in the /var/log/yum.log log file.
CentOS Stream, Rocky Linux and Alma Linux
CentOS Stream, Rocky Linux use DNF Automatic for automatic updates. Please to refer to the Fedora documentation above for details on DNF Automatic.
CentOS Stream
CentOS Stream is expected to be a 'rolling' distribution, so we expect that package updates might be less tested than the classic versions of CentOS we were used to. Due to this and the lack of security classification of packages in the CentOS repository metadata, we have decided to disable automatic upgrades for CentOS Stream.
