How to Set up Automatic Updates on AlmaLinux

Maintaining an up-to-date Linux system is crucial for ensuring optimal security, performance, and stability. AlmaLinux, as a stable and RHEL-compatible distribution, offers robust tools for automating the update process, reducing manual intervention while keeping your system protected against vulnerabilities. This comprehensive guide will walk you through setting up automatic updates on AlmaLinux using dnf-automatic, from installation to troubleshooting.

Understanding the Importance of Automatic Updates

Keeping your AlmaLinux system updated is not just a recommendation—it’s a necessity for maintaining system security. Outdated software often contains vulnerabilities that malicious actors can exploit to gain unauthorized access or disrupt your services. Regular updates provide critical security patches, bug fixes, and sometimes performance improvements that enhance your system’s overall stability.

Manual updates, while effective, have drawbacks:

  • They require consistent administrator attention
  • Updates might be delayed or forgotten during busy periods
  • Human error might result in incomplete update processes

Automating updates addresses these challenges by ensuring regular, systematic application of patches with minimal human intervention. This approach is particularly valuable for server environments where consistent maintenance is essential, but also useful for any AlmaLinux installation requiring reliable operation.

Prerequisites Before Setting Up Automatic Updates

Before proceeding with automatic update configuration, ensure your system meets these requirements:

  • An AlmaLinux installation (this guide applies to versions 8 and 9)
  • Root or sudo privileges for installing and configuring system packages
  • A stable internet connection to access repositories
  • Basic familiarity with terminal commands and text editors

Additionally, it’s highly recommended to:

  • Create a backup or system snapshot before making significant changes
  • Schedule initial update tests during maintenance windows to avoid disrupting critical services
  • Review your system’s current update status with sudo dnf check-update

Understanding DNF-Automatic

DNF-Automatic is the primary tool for automating updates on AlmaLinux. It functions as an alternative command-line interface to the standard DNF package manager but is specifically designed for automatic and regular execution.

Unlike manual dnf update commands, dnf-automatic integrates with systemd timers, allowing scheduled operation at specified intervals. The tool performs several key functions:

  • Synchronizes package metadata repositories
  • Checks for available updates
  • Depending on configuration, can download updates, install them, or simply notify administrators
  • Provides notification options for update activities

Understanding these capabilities is essential for configuring the right automatic update strategy for your specific needs.

Installing DNF-Automatic on AlmaLinux

The installation process for dnf-automatic is straightforward. Follow these steps to install the package on your AlmaLinux system:

  1. First, ensure your system’s package database is up to date:
    sudo dnf update -y
  2. Install the dnf-automatic package:
    sudo dnf install dnf-automatic -y
  3. Verify successful installation:
    rpm -qi dnf-automatic

    This command displays detailed information about the installed package.

The installation process is minimal and doesn’t make any changes to your system’s update behavior until you configure and enable the service in subsequent steps.

Configuring Basic DNF-Automatic Settings

After installation, the next step is configuring dnf-automatic to match your update requirements. The main configuration file is located at /etc/dnf/automatic.conf. Open this file in your preferred text editor:

sudo nano /etc/dnf/automatic.conf

The configuration file contains several sections, with the most critical settings in the [commands] section:

Essential Configuration Options:

  • download_updates: Set to yes to download updates (default is already yes)
  • apply_updates: Change to yes if you want updates to be automatically installed after downloading (default is no)
  • upgrade_type: Can be set to default for all updates or security for security-only updates

A basic configuration that automatically downloads and installs updates would look like:

[commands]
download_updates = yes
apply_updates = yes
upgrade_type = default

Save and close the file after making your changes. These settings determine whether dnf-automatic merely downloads updates or proceeds to install them automatically.

Advanced Configuration Options

DNF-Automatic offers several advanced configuration options that can be tailored to specific requirements:

Notification Settings

In the [emitters] section, configure how you receive update notifications:

[emitters]
emit_via = stdio

Options include:

  • stdio: Prints to standard output
  • email: Sends email notifications
  • motd: Updates the system’s message of the day

Email Notification Configuration

If you choose email notifications, configure the email settings in the [email] section:

[email]
email_from = auto-updates@yourdomain.com
email_to = admin@yourdomain.com
email_host = localhost

This setup is particularly useful for server environments where administrators need regular reports on update activities.

Bandwidth Management

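For systems with limited bandwidth, configure download controls in the [base] section:

[base]
throttle = 500k

This setting limits the download speed to conserve bandwidth during update operations. The DNF option that caps the download rate is throttle; the separate bandwidth option only declares the total link capacity that a percentage throttle value is measured against.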

Package Exclusions

You can exclude specific packages from automatic updates by configuring the exclude option in the [base] section:

[base]
exclude = kernel* mysql*

This prevents critical services or applications from unexpected updates that might require special handling.
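The settings from the sections above can be reviewed together before the timer is enabled. The following is an added example, not part of the original guide or of dnf-automatic: the function names conf_get and audit_conf, the finding labels and the sample file are this example's own, and the checks are review heuristics rather than dnf behaviour.

```sh
#!/bin/sh
# Added example: read /etc/dnf/automatic.conf and report settings that leave
# patches unapplied or unreported. Function names and labels are hypothetical.

# conf_get FILE SECTION KEY -> last value assigned to KEY inside [SECTION]
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_conf FILE -> one finding per line, nothing when no check fires
audit_conf() {
    apply=$(conf_get "$1" commands apply_updates | tr 'A-Z' 'a-z')
    emit=$(conf_get "$1" emitters emit_via)
    excl=$(conf_get "$1" base exclude)
    case "$apply" in
        yes|true|1|on) ;;
        *) echo "NO_APPLY: updates wait for a manual dnf upgrade" ;;
    esac
    case "$emit" in
        # an unset key is left to dnf-automatic's default and not judged here
        ""|*email*|*motd*|*command*) ;;
        *) echo "QUIET: emit_via=$emit is only visible in the journal" ;;
    esac
    printf '%s\n' "$excl" | tr ' ,' '\n\n' | while read -r pat; do
        case "$pat" in
            kernel*) echo "KERNEL_EXCLUDED: $pat holds back kernel security fixes" ;;
        esac
    done
    return 0
}

# Constructed sample: the settings shown in this guide merged into one file.
sample_conf() {
    printf '%s\n' '[commands]' 'download_updates = yes' 'apply_updates = yes' \
        'upgrade_type = default' '' '[emitters]' 'emit_via = stdio' '' \
        '[base]' 'exclude = kernel* mysql*'
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_conf "$tmp"
rm -f "$tmp"
```

On a real host, call audit_conf /etc/dnf/automatic.conf instead of the sample file.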

Setting Up the Update Schedule

DNF-Automatic uses systemd timers to schedule update operations. The default timer typically runs daily, but you can customize this schedule according to your needs.

To view the current timer configuration:

sudo systemctl list-timers dnf-automatic.timer

To modify the schedule, create a custom override file:

sudo systemctl edit dnf-automatic.timer

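This opens an editor where you can add your custom schedule. For example, to set updates to run at 3:30 AM with a random delay of up to 60 minutes:

[Timer]
OnCalendar=
OnCalendar=*-*-* 03:30:00
RandomizedDelaySec=60m

The empty OnCalendar= line clears the schedule that ships with the package. Without it, systemd adds the new time to the existing one instead of replacing it, and the timer fires at both.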

Common scheduling patterns include:

  • Daily updates during off-hours: OnCalendar=*-*-* 02:00:00
  • Weekly updates on Sundays: OnCalendar=Sun 04:00:00
  • Monthly updates on the first day: OnCalendar=*-*-01 01:00:00

After saving your changes, restart the timer to apply the new schedule:

sudo systemctl restart dnf-automatic.timer

This customization allows you to balance timely updates with minimizing service disruption.

Enabling and Managing the Service

Once configured, you need to enable and start the dnf-automatic timer to activate automatic updates:

sudo systemctl enable --now dnf-automatic.timer

This command both enables the timer to start at boot and activates it immediately.

To verify the timer’s status and check when the next update is scheduled:

sudo systemctl status dnf-automatic.timer

For more detailed information about scheduled timers:

sudo systemctl list-timers | grep dnf-automatic

If you need to temporarily disable automatic updates (such as during critical operations or maintenance):

sudo systemctl stop dnf-automatic.timer
sudo systemctl disable dnf-automatic.timer

To re-enable after the maintenance period:

sudo systemctl enable --now dnf-automatic.timer

These commands give you complete control over when and how the automatic update service operates.

Monitoring Update Activities

Monitoring update activities is essential to ensure your automatic update system is functioning correctly and to troubleshoot any issues that arise.

Checking Update Logs

The primary method to review update activities is through the system journal:

journalctl -u dnf-automatic

This displays detailed logs of all dnf-automatic operations, including update checks, downloads, and installations.

For a more condensed view of recent activity:

journalctl -u dnf-automatic --since yesterday

Additionally, you can check the DNF transaction history to see what packages were updated:

sudo dnf history

This command lists all DNF transactions, including those performed by dnf-automatic, helping you track changes to your system.

Setting Up Log Rotation

To prevent logs from consuming excessive disk space, ensure proper log rotation is configured:

sudo nano /etc/logrotate.d/dnf

A typical configuration might rotate logs weekly and keep four weeks of history:

/var/log/dnf.log {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}

Proper monitoring ensures you can verify updates are being applied correctly and troubleshoot any issues that arise.

Post-Update Actions and Considerations

Some updates, particularly kernel updates, require system reboots to take effect. Since dnf-automatic doesn’t handle reboots automatically, you need to consider how to manage this aspect.

Identifying Reboot Requirements

To check if your system needs a reboot after updates:

sudo needs-restarting -r

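This command reports whether a system reboot is required based on the packages updated since the last boot. It is provided by the yum-utils package (also installable as dnf-utils) if it is not already present on the system.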

Handling Service Restarts

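For services that need restarting after updates but don’t require a full system reboot, you can create a simple script to handle them automatically. The directory used below belongs to the DNF post-transaction-actions plugin (package python3-dnf-plugin-post-transaction-actions), which only processes files ending in .action, so the script runs after a transaction only when an .action entry in that directory names it as its command:

#!/bin/bash
# Script to restart services after updates
# Add to /etc/dnf/plugins/post-transaction-actions.d/

# try-restart restarts a unit only if it is already running, so a service
# that was deliberately stopped is not started by an update
systemctl try-restart httpd
systemctl try-restart nginx
# Add other services as needed

Ensure the script is executable:

sudo chmod +x /etc/dnf/plugins/post-transaction-actions.d/restart-services.sh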

Safe Reboot Automation

For systems that can tolerate occasional reboots, you might consider a scheduled reboot script that only runs if updates require it:

#!/bin/bash
if needs-restarting -r | grep -q "Reboot is required"; then
    # Log the reboot event
    logger "Automatic reboot triggered after system updates"
    # Schedule a reboot in 10 minutes to allow current operations to complete
    shutdown -r +10 "System will reboot to complete updates"
fi

Configure this script to run periodically after your update window to ensure updated components are properly activated.
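The reboot check and the service restarts from the two sections above can be combined so that each update run ends in exactly one of them. This is an added example, not part of the original guide: the ALLOW list, the function names and the sample unit list are assumptions made here, while needs-restarting -r (exit status 1 when a reboot is required, 0 when not) and needs-restarting -s (services still using outdated files) are the real commands whose output it expects.

```sh
#!/bin/sh
# Added example: choose between a reboot and targeted service restarts.
# Assumption: units listed in ALLOW may be restarted unattended on this host.
ALLOW="httpd.service nginx.service"

# plan_actions RC   (RC = exit status of `needs-restarting -r`)
# stdin: unit names as printed by `needs-restarting -s`
# stdout: one action per line (REBOOT, RESTART unit, MANUAL unit, ERROR ...)
plan_actions() {
    case "$1" in
        0) ;;
        1) echo "REBOOT"; return 0 ;;
        *) echo "ERROR needs-restarting exited with status $1"; return 0 ;;
    esac
    while read -r unit; do
        [ -n "$unit" ] || continue
        case " $ALLOW " in
            *" $unit "*) echo "RESTART $unit" ;;   # allowlisted: safe to bounce
            *)           echo "MANUAL $unit" ;;    # leave for an administrator
        esac
    done
}

# run_plan: execute the plan; anything other than REBOOT/RESTART is only logged
run_plan() {
    while read -r action arg; do
        case "$action" in
            REBOOT)  shutdown -r +10 "System will reboot to complete updates" ;;
            RESTART) systemctl try-restart "$arg" ;;
            *)       logger -t post-update "$action $arg" ;;
        esac
    done
}

# Constructed sample input: no reboot needed, three units hold outdated files.
printf 'httpd.service\nchronyd.service\nnginx.service\n' | plan_actions 0

# On a real host:
#   needs-restarting -r >/dev/null 2>&1; rc=$?
#   needs-restarting -s | plan_actions "$rc" | run_plan
```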

Troubleshooting Common Issues

Even with careful configuration, automatic updates can occasionally encounter issues. Here are solutions to some common problems:

Repository Errors

If updates fail due to repository errors, try cleaning the DNF cache:

sudo dnf clean all
sudo dnf makecache

This refreshes your repository metadata and often resolves access issues.

Dependency Conflicts

When updates fail due to dependency problems:

sudo dnf --best --allowerasing update

This command resolves conflicts by selecting the best possible package combination, potentially removing conflicting packages.

Modular Metadata Errors

If you encounter “No Available Modular Metadata” errors:

  1. Check the affected module:
    dnf module list <module-name>
  2. Reset and re-enable the module:
    sudo dnf module reset <module-name>
    sudo dnf module enable <module-name>:<stream>

This resolves issues with modular package updates.

Notification Failures

If email notifications aren’t working:

  1. Check that the mail service is running:
    sudo systemctl status postfix
  2. Verify your mail configuration:
    sudo dnf install mailx
    echo "Test" | mail -s "Testing mail" admin@yourdomain.com
  3. Ensure your email settings in automatic.conf are correct.

For persistent problems, reviewing logs with journalctl -u dnf-automatic will often reveal the specific error messages needed to diagnose and resolve issues.

Security Best Practices

Implementing automatic updates improves security, but should be part of a comprehensive security strategy:

Balance Automation with Testing:

  • Consider using a staging environment to test updates before applying them to production systems
  • For critical systems, configure dnf-automatic to download but not apply updates, allowing manual verification

Create Exception Lists:

  • Exclude mission-critical applications from automatic updates and handle them manually during maintenance windows
  • Use exclude in your configuration to prevent automatic updates for sensitive packages

Implement Monitoring and Alerts:

  • Configure alerts for failed updates
  • Regularly review update logs to ensure systems are being maintained properly

Combine with Other Security Measures:

  • Use automatic updates alongside regular vulnerability scans
  • Implement intrusion detection systems to identify potential compromises
  • Follow the principle of least privilege for all system access

These practices help ensure that automatic updates enhance rather than compromise your system’s security posture.

Use Cases and Specific Scenarios

Different environments have different requirements for automatic updates. Here are recommendations for specific scenarios:

Server Environments:

  • Configure security-only updates for production servers
  • Schedule updates during low-traffic periods
  • Consider clustering for high-availability services to allow rolling updates

Workstations:

  • Configure full automatic updates for non-critical workstations
  • Use download-only mode for developer workstations where unexpected updates might disrupt work

Database Servers:

  • Exclude database packages from automatic updates
  • Schedule updates during established maintenance windows
  • Always back up databases before any update procedure

Web Servers:

  • Consider load balancer configurations that allow updating servers one at a time
  • Test web applications after updates to ensure compatibility
  • Configure automatic service restarts for web services after updates

Tailoring your automatic update strategy to your specific environment ensures you get the security benefits without disrupting critical operations.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.