eResearch Tips

Configuring Nectar instances to auto update

By Jason Bell, QCIF eResearch Analyst at CQU

As you will most likely be aware, security is a vital aspect of server deployments. But maintaining, updating and patching servers, virtual machines and “Nectar instances” can be a mundane and arduous task. It is very easy to forget, unless you set up some sort of reminder system.

This eResearch Tip provides instructions on how to set up automatic updates by deploying yum-cron or cron-apt (depending on the operating system you are running). Installing updates on a regular basis (hourly or daily) makes your server less likely to be compromised.
 
Before auto updates are configured, it is suggested that you:

Once you have installed all of the updates, check that everything is still working as expected. If not, you may need to roll back the updates or rebuild the instance using the “snapshot” taken before applying the updates.
 
The following provides instructions on how to set up automatic updates:

  • If you are using a Debian or Ubuntu Linux system, it is suggested that you use the cron-apt package for configuring automatic updates. See https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo for instructions on how to do this.
  • If you are running CentOS 7 on your Nectar instance (the process should be similar for Fedora or Scientific Linux, as well as older versions of CentOS), then you can use the yum-cron package for configuring automatic updates. The following instructions provide the basic steps to implement this:
    • To install the yum-cron software, simply issue the command: sudo yum install yum-cron
    • You will then need to modify the configuration file so that updates are installed by default. Use your preferred editor, in this example vi will be used: sudo vi /etc/yum/yum-cron.conf
      • Make sure updates are applied when they are available by changing the value of apply_updates to yes: apply_updates = yes
      • You may wish to change what type of update is performed by setting the value of “update_cmd” to one of the following options:
        • default = yum upgrade
        • security = yum --security upgrade
        • security-severity: Critical = yum --sec-severity=Critical upgrade
        • minimal = yum --bugfix update-minimal
        • minimal-security = yum --security update-minimal
        • minimal-security-severity: Critical = --sec-severity=Critical update-minimal
      • The default is to update everything: update_cmd = default
      • Please note: because CentOS does not provide the security information within its repositories, the “security” arguments within yum will not work. Thus, to ensure the system is actually being updated on a regular basis, it is suggested to just use the “default” value for “update_cmd”. It should be noted that the security settings do work on RHEL systems, just not on CentOS (which is a derivative of RHEL).
      • This configuration file modifies the behaviour of the daily update service.  If you wish, you can modify the /etc/yum/yum-cron-hourly.conf file so that the updates occur on an hourly basis.
    • Once the configuration file has been modified, we need to turn on and enable the service.
      • To enable the service (so that it starts if the system is ever restarted), issue the command: sudo systemctl enable yum-cron.service
      • To start the service, issue the command: sudo systemctl start yum-cron.service
      • To check that the service is running, you can run the command: sudo systemctl status yum-cron.service
    • You can see which packages were updated, and when, by looking at the /var/log/yum.log file.
    • If you have the package “yum-utils” installed, you may wish to check out the “needs-restarting” application, which will inform you if you need to reboot the system for some of the updates to come into effect.
      As an example:
      $ needs-restarting -r
      Core libraries or services have been updated:
        systemd -> 219-57.el7
        linux-firmware -> 20180220-62.2.git6d51311.el7_5
        kernel -> 3.10.0-862.2.3.el7
        kernel -> 3.10.0-693.21.1.el7
        openssl-libs -> 1:1.0.2k-12.el7
        kernel -> 3.10.0-862.3.2.el7
        glibc -> 2.17-222.el7
        dbus -> 1:1.10.24-7.el7
      Reboot is required to ensure that your system benefits from these updates.
      More information:
      https://access.redhat.com/solutions/27943
      At this stage it is debatable whether automatically rebooting a system after applying updates to packages that require a reboot is preferable or not. Therefore this document only suggests that you regularly check whether a restart is needed and then decide whether to do so.
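
The configuration steps above can be scripted and checked rather than edited by hand. The following is an added example, not part of the original tip: the function names get_opt, set_opt and audit_yum_cron are hypothetical helpers, and the audit fails when apply_updates is not yes or when a “security” update_cmd is used on CentOS, where (as noted above) it would install nothing.

```shell
#!/bin/sh
# Added example: read, set and audit the yum-cron options from the article.

# get_opt FILE KEY: print the value of an uncommented "KEY = value" line.
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# set_opt FILE KEY VALUE: rewrite an existing KEY line in place. It refuses to
# append a missing key, because that could land in the wrong config section.
set_opt() {
    if ! grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        echo "set_opt: $2 not found in $1" >&2
        return 1
    fi
    sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" &&
        cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# audit_yum_cron FILE [DISTRO]: return 0 only if updates will be installed.
# DISTRO is the ID from /etc/os-release (for example centos or rhel).
audit_yum_cron() {
    conf=$1; distro=${2:-unknown}; rc=0
    apply=$(get_opt "$conf" apply_updates)
    cmd=$(get_opt "$conf" update_cmd)
    if [ "$apply" != "yes" ]; then
        echo "FAIL: apply_updates = ${apply:-unset}, updates are not installed"
        rc=1
    fi
    case "$cmd" in
        default|minimal) ;;
        *security*)
            if [ "$distro" = "centos" ]; then
                echo "FAIL: update_cmd = $cmd needs security data CentOS lacks"
                rc=1
            fi ;;
        *)  echo "FAIL: update_cmd = ${cmd:-unset} is not a listed value"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: update_cmd = $cmd, apply_updates = yes"; fi
    return "$rc"
}

# On a real host, as root (path from the article):
#   set_opt /etc/yum/yum-cron.conf apply_updates yes
#   set_opt /etc/yum/yum-cron.conf update_cmd default
#   audit_yum_cron /etc/yum/yum-cron.conf "$(. /etc/os-release; echo "$ID")"
```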

Hopefully by following the above instructions, your Nectar instance is now being regularly updated and thus will be more secure!
 
Any queries, please contact Jason Bell.