Patching On CentOS 7

zeyaul.haque
Posts: 13
Joined: 2018/08/07 13:08:41

Patching On CentOS 7

Post by zeyaul.haque » 2018/11/27 06:28:42

Dear Community,

I am using CentOS 7 and have implemented a Seafile cloud file server, which is working perfectly. But I am thinking about CentOS security update patching. How will I come to know about new security updates, and how do I install them? I read somewhere that if I run yum update on a regular basis then I will automatically get security updates. But yum update will update all the packages, including the packages the Seafile file server requires (Python, Memcached, MariaDB, Nginx, etc.), which might impact the Seafile file server services. Isn't that so? I am new to CentOS, please guide me on how I can do security patching without impacting application services. Isn't it possible to install only security updates?

Can I follow the guide linked below? Is this process authentic for patching in CentOS 7?
https://www.techrepublic.com/article/ho ... -yum-cron/

Best Regards,

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Patching On CentOS 7

Post by jlehtone » 2018/11/27 09:27:41

zeyaul.haque wrote (2018/11/27 06:28:42):
"yum update will update all the packages including seafile file server required packages python, Memcached, Mariadb, Nginx etc. which might impact seafile file server services. Isn't that so?"

No.

Yes, all packages get updated, if there are updates for them (in enabled repositories).

No, an update to, say, Python is very unlikely to lose compatibility. Too many system packages depend on it. That is the upstream policy; if you set up a system with a brand new major release, it could run a decade (with updates).

Feature updates on point updates (e.g. 7.4->7.5, 7.5->7.6) do occasionally rebase some packages (e.g. Gnome, Firefox) with interface changes, but (a) those are rarely "libraries" that others depend on, (b) the point updates are not frequent, and (c) you should definitely study the release notes in order to be prepared. Fire-and-Forget is a bad way to admin a system.

Yes, a security fix of a package has a positive impact on everything that depends on that package.


The yum-cron? Looks ok.

zeyaul.haque
Posts: 13
Joined: 2018/08/07 13:08:41

Re: Patching On CentOS 7

Post by zeyaul.haque » 2018/11/27 11:22:51

@jlehtone, thanks a lot. Below are the enabled repos on my CentOS 7 server. Is it OK? Or should I enable only the EPEL repo to update the security patches and disable the others?


t]# yum repolist enabled
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.kw.zain.com
* epel: epel.mirror.angkasa.id
* extras: centos.kw.zain.com
* updates: centos.kw.zain.com
repo id repo name status
base/7/x86_64 CentOS-7 - Base 9,911
*epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 12,719
extras/7/x86_64 CentOS-7 - Extras 434
updates/7/x86_64 CentOS-7 - Updates 1,614
repolist: 24,678

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Patching On CentOS 7

Post by TrevorH » 2018/11/27 12:51:24

You always want the CentOS base and updates and probably extras repos enabled. If using yum-priorities those should be assigned the highest priority, 1.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Patching On CentOS 7

Post by avij » 2018/11/30 15:39:52

A note on that article -- it's otherwise OK, but the core point is wrong. You can't use yum-cron to install only CentOS security updates, because the CentOS repodata does not contain information on whether an update is a security update or not.

Code:

#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix update-minimal
# minimal-security                   = yum --security update-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
update_cmd = default

Of those, only default works as intended.
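
The point about repodata can be checked per repository: yum's --security filter depends on the updateinfo entry that a repo lists in its repomd.xml. The script below is an added example, not part of the thread or of yum-cron; the sample XML is constructed, and the function names and the update_cmd policy are this example's assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # namespace used by repomd.xml

# Constructed samples, trimmed to the relevant elements; hrefs are placeholders.
# Repo ids mirror the thread's "yum repolist" output; the contents are illustrative.
SAMPLE_REPOMD = {
    "updates": """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/PLACEHOLDER-primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/PLACEHOLDER-filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/PLACEHOLDER-other.xml.gz"/></data>
</repomd>""",
    "epel": """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/PLACEHOLDER-primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/PLACEHOLDER-updateinfo.xml.bz2"/></data>
</repomd>""",
}

def metadata_types(repomd_xml):
    """Return {metadata type: href} for every <data> entry in a repomd.xml string."""
    found = {}
    for data in ET.fromstring(repomd_xml).findall("r:data", NS):
        loc = data.find("r:location", NS)
        found[data.get("type")] = loc.get("href") if loc is not None else None
    return found

def has_errata_metadata(repomd_xml):
    """True if the repo advertises updateinfo, the data that --security filters on."""
    return "updateinfo" in metadata_types(repomd_xml)

def repos_without_errata(repomds):
    """Repo ids whose updates a security-only run cannot classify, sorted."""
    return sorted(rid for rid, doc in repomds.items() if not has_errata_metadata(doc))

def suggested_update_cmd(repomds):
    """This example's policy: use 'security' only if every repo ships errata data."""
    return "default" if repos_without_errata(repomds) else "security"

if __name__ == "__main__":
    for rid in sorted(SAMPLE_REPOMD):
        print(rid, "updateinfo:", has_errata_metadata(SAMPLE_REPOMD[rid]))
    print("update_cmd =", suggested_update_cmd(SAMPLE_REPOMD))
```

On a live system the same check applies to the repomd.xml that yum caches for each enabled repo. A repo that lists no updateinfo entry gives a security-only run nothing to match, so its fixes are skipped without an error.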
