Automatic security updates

Modified on Thu, 14 Dec, 2023 at 8:44 AM

As security is a major concern, we have enabled automatic security upgrades to our Nectar official images.

This configuration is enabled starting with the following images:

  • Fedora 37 (all)
  • Fedora 38 (all)
  • CentOS 7 (build 100)
  • Debian 10 (build 10)
  • Debian 11 (all)
  • Ubuntu 20.04 LTS (build 10)
  • Ubuntu 22.04 (all)
  • Rocky Linux (all)
  • Alma Linux (all)


All future versions of these distributions will include automatic upgrades.

For all distributions excluding CentOS, only packages designated as 'security' upgrades will be installed.

CentOS repositories do not include the classification of security patches in the repository metadata that would normally be available in their RedHat Enterprise Linux counterparts, so they are configured differently. See the notes on CentOS below.

Images with automatic security updates configured will have an 'automatic_updates' property applied to the image. The value of this property will be either 'security' for automatic security updates, 'all' in the case of the CentOS images where all package updates will be applied or 'none' if automatic security upgrades are disabled.


Debian and Ubuntu Linux

Debian and Ubuntu use the APT package manager which can apply automatic updates via the unattended-upgrades package.

See the Debian Wiki page on Unattended Upgrades or Ubuntu's Documentation on enabling Automatic Security Upgrades for details on how to configure the service.

For Debian and Ubuntu, we have enabled automatic updates only for packages coming from the 'security' repository, which is configured in the /etc/apt/apt.conf.d/50unattended-upgrades file. This can be modified to include all packages, as can be found in the above links.

Information about what has been upgraded can be found in the log file /var/log/unattended-upgrades/unattended-upgrades.log


For example, on an Ubuntu 18.04 LTS (Bionic) instance:

INFO Starting unattended upgrades script
INFO Allowed origins are: o=Ubuntu,a=bionic-security
INFO Packages that will be upgraded: curl libcurl3-gnutls libcurl4
INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
INFO All upgrades installed


Fedora

Fedora uses the dnf-automatic package for automatic upgrades with the DNF package manager. A comprehensive guide for configuring DNF Automatic can be found in the DNF Automatic documentation.

The service is configured via the /etc/dnf/automatic.conf, which you can customise. We have pre-configured this file to automatically install packages classified as 'security' updates. You can change this value from the commands/upgrade_type option, or disable it completely by setting the commands/apply_updates key to 'no'.

To see that the service has done, look in the systemd journal for the dnf-automatic-install.service unit

# journalctl -u dnf-automatic-install.service
systemd[1]: Starting dnf automatic install updates...
dnf-automatic[191700]: Last metadata expiration check: 1:56:46 ago on Sun 11 Apr 2021 04:45:45.
dnf-automatic[191700]: Transaction check succeeded.
dnf-automatic[191700]: Running transaction test
dnf-automatic[191700]: Transaction test succeeded.
dnf-automatic[191700]: Running transaction
dnf-automatic[191700]: The following updates have been applied on 'fedora':
dnf-automatic[191700]: ================================================================================
dnf-automatic[191700]:  Package                  Arch        Version                Repository    Size
dnf-automatic[191700]: ================================================================================
dnf-automatic[191700]: Upgrading:
dnf-automatic[191700]:  grub2-common             noarch      1:2.06~rc1-1.fc33      updates      932 k
dnf-automatic[191700]:  grub2-pc                 x86_64      1:2.06~rc1-1.fc33      updates       17 k
dnf-automatic[191700]:  grub2-pc-modules         noarch      1:2.06~rc1-1.fc33      updates      912 k
dnf-automatic[191700]:  grub2-tools              x86_64      1:2.06~rc1-1.fc33      updates      1.9 M
dnf-automatic[191700]:  grub2-tools-minimal      x86_64      1:2.06~rc1-1.fc33      updates      611 k
dnf-automatic[191700]: Installing dependencies:
dnf-automatic[191700]:  freetype                 x86_64      2.10.4-1.fc33          updates      390 k
dnf-automatic[191700]:  grub2-tools-efi          x86_64      1:2.06~rc1-1.fc33      updates      550 k
dnf-automatic[191700]:  grub2-tools-extra        x86_64      1:2.06~rc1-1.fc33      updates      855 k
dnf-automatic[191700]:  libpng                   x86_64      2:1.6.37-6.fc33        updates      119 k
dnf-automatic[191700]: Transaction Summary
dnf-automatic[191700]: ================================================================================
dnf-automatic[191700]: Install  4 Packages
dnf-automatic[191700]: Upgrade  5 Packages
dnf-automatic[191700]: Updates completed at Sun 11 Apr 2021 06:42:43
systemd[1]: dnf-automatic-install.service: Succeeded.
systemd[1]: Finished dnf automatic install updates.
systemd[1]: dnf-automatic-install.service: Consumed 7.014s CPU time.


CentOS/Rocky/Alma Linux

CentOS repositories do not include the classification of security patches in the repository metadata that would normally be available in their RedHat Enterprise Linux counterparts. For this reason we apply ALL available updates.

CentOS 7 and 8 use different methods for automatic updates.


CentOS 7

CentOS 7 uses the yum-cron package for providing automatic updates functionality. A good overview of it can be found at https://www.redhat.com/sysadmin/using-yum-cron

The service is configured by the /etc/yum/yum-cron.conf and it triggered to run daily through CRON by the script /etc/cron.daily/0yum-daily.cron. There is also a systemd unit yum-cron.service which acts as a switch to enable or disable the service.

You'll be able to see what has been updated by looking in the /var/log/yum.log log file.

CentOS Stream, Rocky Linux and Alma Linux

CentOS Stream, Rocky Linux use DNF Automatic for automatic updates. Please to refer to the Fedora documentation above for details on DNF Automatic.

CentOS Stream

CentOS Stream is expected to be a 'rolling' distribution, so we expect that package updates might be less tested than the classic versions of CentOS we were used to. Due to this and the lack of security classification of packages in the CentOS repository metadata, we have decided to disable automatic upgrades for CentOS Stream.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article