--- docs/yum-cron.8 | 1 + etc/Makefile | 1 + etc/yum-cron-security.conf | 82 +++++++++++++++++++++++++++++++++++++++++ etc/yum-cron.conf | 6 ++- yum-cron/Makefile | 1 + yum-cron/yum-security.cron.sh | 11 +++++ yum.spec | 63 ++++++++++++++++++++++++++++++- 7 files changed, 160 insertions(+), 5 deletions(-) create mode 100644 etc/yum-cron-security.conf create mode 100644 yum-cron/yum-security.cron.sh
diff --git a/docs/yum-cron.8 b/docs/yum-cron.8 index db50fc2..7ce1aef 100644 --- a/docs/yum-cron.8 +++ b/docs/yum-cron.8 @@ -29,6 +29,7 @@ just once each day. .nf /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf +/etc/yum/yum-cron-security.conf .fi .PP diff --git a/etc/Makefile b/etc/Makefile index 49f1d81..7c023af 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -32,4 +32,5 @@ install: install -m 644 yum.bash $(DESTDIR)/$(compdir)/yum ln -s yum $(DESTDIR)/$(compdir)/yummain.py install -m 644 yum-cron.conf $(YUMETC) + install -m 644 yum-cron-security.conf $(YUMETC) install -m 644 yum-cron-hourly.conf $(YUMETC) diff --git a/etc/yum-cron-security.conf b/etc/yum-cron-security.conf new file mode 100644 index 0000000..b0edd9d --- /dev/null +++ b/etc/yum-cron-security.conf 
@@ -0,0 +1,82 @@
+[commands]
+# What kind of update to use:
+# default = yum upgrade
+# security = yum --security upgrade
+# security-severity:Critical = yum --sec-severity=Critical upgrade
+# minimal = yum --bugfix upgrade-minimal
+# minimal-security = yum --security upgrade-minimal
+# minimal-security-severity:Critical = --sec-severity=Critical upgrade-minimal
+update_cmd = security
+
+# Whether a message should emitted when updates are available.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available. Note
+# that updates_messages must also be yes for updates to be downloaded.
+download_updates = yes
+
+# Whether updates should be applied when they are available. Note
+# that both update_messages and download_updates must also be yes for
+# the update to be applied
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes. The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running. This is useful for e.g. staggering the
+# times that multiple systems will access update servers. If
+# random_sleep is 0 or negative, the program will run immediately.
+# NOTE this runs after yum-cron-daily, if that is installed,
+# so we will have already waited for that (default 2 hours, 120 mins).
+# Also security updates should be smaller than all updates, anyway.
+random_sleep = 60
+
+
+[emitters]
+# Name to use for this system in messages that are emitted. If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages. Valid options are stdio and email. If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages. If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+ouput_width = 80 + + +[email] +# The address to send email messages from. +email_from = root + +# List of addresses to send messages to. +email_to = root + +# Name of the host to connect to to send email messages. +email_host = localhost + + +[groups] +# List of groups to update +group_list = None + +# The types of group packages to install +group_package_types = mandatory, default + +[base] +# This section overrides yum.conf + +# Use this to filter Yum core messages +# -4: critical +# -3: critical+errors +# -2: critical+errors+warnings (default) +debuglevel = -2 + +# skip_broken = True +mdpolicy = group:main + +# Uncomment to auto-import new gpg keys (dangerous) +# assumeyes = True diff --git a/etc/yum-cron.conf b/etc/yum-cron.conf index b0f7839..bd26d0c 100644 --- a/etc/yum-cron.conf +++ b/etc/yum-cron.conf @@ -24,8 +24,10 @@ apply_updates = no # minutes before running. This is useful for e.g. staggering the # times that multiple systems will access update servers. If # random_sleep is 0 or negative, the program will run immediately. -# 6*60 = 360 -random_sleep = 360 +# NOTE that we hold up all the other things in cron.daily as we wait, +# so while waiting for 6+ hours is fine for us it might not be nice +# for logrotate (so wait for 2 hours by default). +random_sleep = 120 [emitters] diff --git a/yum-cron/Makefile b/yum-cron/Makefile index cd3ff5f..3997b4a 100644 --- a/yum-cron/Makefile +++ b/yum-cron/Makefile @@ -20,5 +20,6 @@ install-common: # Install as 0yum-*.cron so it runs before items like # manpage update, mlocate, and prelink install -D -m 755 yum-daily.cron.sh $(DESTDIR)/etc/cron.daily/0yum-daily.cron + install -D -m 755 yum-security.cron.sh $(DESTDIR)/etc/cron.daily/0yum-security.cron install -D -m 755 yum-hourly.cron.sh $(DESTDIR)/etc/cron.hourly/0yum-hourly.cron install -D -m 755 yum-cron.py $(DESTDIR)/usr/sbin/yum-cron diff --git a/yum-cron/yum-security.cron.sh b/yum-cron/yum-security.cron.sh new file mode 100644 index 0000000..2937e20 
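Review bot: `ouput_width = 80` in the [emitters] section of the new etc/yum-cron-security.conf looks like a misspelling of `output_width`; if yum-cron reads the option under the correctly spelled name, this line is silently ignored, so it should read `output_width = 80`. This file also ships `apply_updates = yes`, whereas the yum-cron.conf hunk header below shows `apply_updates = no`, so a comment next to that line such as `# NOTE: unlike yum-cron.conf, updates are installed unattended by default here.` would make the difference visible to whoever edits the file. `update_cmd = security` selects packages from the repositories' updateinfo metadata, so the header comment could also say that on a repository publishing none the job applies nothing and reports no error.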
--- /dev/null +++ b/yum-cron/yum-security.cron.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Only run if this flag is set. The flag is created by the yum-cron init +# script when the service is started -- this allows one to use chkconfig and +# the standard "service stop|start" commands to enable or disable yum-cron. +if [[ ! -f /var/lock/subsys/yum-cron ]]; then + exit 0 +fi + +# Action! +exec /usr/sbin/yum-cron /etc/yum/yum-cron-security.conf diff --git a/yum.spec b/yum.spec index a3e9bcf..0a6278c 100644 --- a/yum.spec +++ b/yum.spec @@ -161,9 +161,11 @@ yum-updatesd provides a daemon which checks for available updates and can notify you when they are available via email, syslog or dbus. %package cron -Summary: Files needed to run yum updates as a cron job +Summary: RPM package installer/updater/manager cron service Group: System Environment/Base Requires: yum >= 3.4.3-84 cronie crontabs findutils +Requires: yum-cron-BE = %{version}-%{release} +# We'd probably like a suggests for yum-cron-daily here. %if %{yum_cron_systemd} BuildRequires: systemd-units Requires(post): systemd 
@@ -178,8 +180,48 @@ Requires(postun): /sbin/service %endif %description cron -These are the files needed to run yum updates as a cron job. -Install this package if you want auto yum updates nightly via cron. +These are the files needed to run any of the yum-cron update services. + +%package cron-daily +Summary: Files needed to run yum updates as a daily cron job +Group: System Environment/Base +Provides: yum-cron-BE = %{version}-%{release} +Requires: yum-cron > 3.4.3-131 + +%description cron-daily +This is the configuration file for the daily yum-cron update service, which +lives %{_sysconfdir}/yum/yum-cron.conf. +Install this package if you want auto yum updates nightly via cron (or something +else, via. changing the configuration). +By default this just downloads updates and does not apply them. + +%package cron-hourly +Summary: Files needed to run yum updates as an hourly cron job +Group: System Environment/Base +Provides: yum-cron-BE = %{version}-%{release} +Requires: yum-cron > 3.4.3-131 + +%description cron-hourly +This is the configuration file for the daily yum-cron update service, which +lives %{_sysconfdir}/yum/yum-cron-hourly.conf. +Install this package if you want automatic yum metadata updates hourly via +cron (or something else, via. changing the configuration). + +%package cron-security +Summary: Files needed to run security yum updates as once a day +Group: System Environment/Base +Provides: yum-cron-BE = %{version}-%{release} +Requires: yum-cron > 3.4.3-131 + +%description cron-security +This is the configuration file for the security yum-cron update service, which +lives here: %{_sysconfdir}/yum/yum-cron-security.conf +Install this package if you want automatic yum security updates once a day +via. cron (or something else, via. changing the configuration -- this will be +confusing if it's not security updates anymore though). 
+By default this will download and _apply_ the security updates, unlike +yum-cron-daily which will just download all updates by default. +This runs after yum-cron-daily, if that is installed. %prep @@ -415,6 +457,21 @@ exit 0 %{_sbindir}/yum-cron %{_mandir}/man*/yum-cron.* +%files cron-daily +%defattr(-,root,root) +%{_sysconfdir}/cron.daily/0yum-daily.cron +%config(noreplace) %{_sysconfdir}/yum/yum-cron.conf + +%files cron-hourly +%defattr(-,root,root) +%{_sysconfdir}/cron.hourly/0yum-hourly.cron +%config(noreplace) %{_sysconfdir}/yum/yum-cron-hourly.conf + +%files cron-security +%defattr(-,root,root) +%{_sysconfdir}/cron.hourly/0yum-security.cron +%config(noreplace) %{_sysconfdir}/yum/yum-cron-security.conf + %if %{yum_updatesd} %files updatesd %defattr(-, root, root) -- 1.7.7.6 _______________________________________________ Yum-devel mailing list Yum-devel@lists.baseurl.org http://lists.baseurl.org/mailman/listinfo/yum-devel
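Review bot: The `%description cron-hourly` text says "This is the configuration file for the daily yum-cron update service", which appears to be copied from cron-daily; it should read `This is the configuration file for the hourly yum-cron update service, which`. The cron-security Summary, "Files needed to run security yum updates as once a day", would read better as `Summary: Files needed to run yum security updates once a day`. The cron-security description is the only place that tells an administrator this package applies updates unattended, so that sentence is worth keeping prominent.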
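Review bot: `%files cron-security` lists `%{_sysconfdir}/cron.hourly/0yum-security.cron`, but the yum-cron/Makefile hunk in this patch installs the script as `$(DESTDIR)/etc/cron.daily/0yum-security.cron`, and the package description says it runs once a day. As written, the build would presumably fail on a missing file or leave the daily script unpackaged, in which case the security job is never installed; the entry should be `%{_sysconfdir}/cron.daily/0yum-security.cron`. The visible spec hunks remove nothing from the existing `%files cron` list, which starts outside this hunk. If that list still names the daily and hourly scripts and their conf files, those paths would be owned by two packages and should be dropped from it.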