Paranoid Penguin - Using Yum for RPM Updates

You can eliminate most known security risks by removing unused software and keeping your system up to date. Here's how to do it with the new tool chosen by three of the most popular Linux distributions.

where http://your.distro.homepage/GPGsignature should be replaced with a real URL.

This may seem like a hassle, but it's worth it. Several intrusions on Linux distributors' sites over the years have resulted in trojaned or otherwise compromised software packages being downloaded by unsuspecting users. Taking advantage of RPM's support for GnuPG signatures is the best defense against such skulduggery.

The other notable change in Listing 2 is that I've specified failovermethod=priority, which tells Yum to try the URLs on this list in order, starting with the one at the top. The default behavior, failovermethod=roundrobin, is for Yum to choose one of the listed URLs at random. Personally, I prefer the priority method because it lets me prioritize faster, closer mirrors over my distribution's primary site.

Running Yum Automatically

Now we come to the easy part, using the yum command. There are two ways to run Yum, manually from a command prompt or automatically by way of the /etc/init.d/yum startup script. If enabled, which you must do manually by issuing a chkconfig --add yum command, this script simply touches a runfile, /var/lock/subsys/yum, which the cron.daily job yum.cron checks for. If the script is enabled, that is, if the runfile exists, this cron job runs the Yum command first to check for and install an updated Yum package and then to check for and install updates for all other system packages. In so doing, Yum automatically and transparently resolves any relevant dependencies. If an updated package depends on another package, even if it didn't previously, Yum retrieves and installs the other package.

For most users, this script is powerful and useful stuff. If your environment demands meticulous change-control procedures, however, and you don't want any new software installed automatically, you should run Yum manually.

Running Yum Manually

To see a list of available updates without installing anything, use yum check-update (Listing 3).

To install a single update, plus any other updates necessary to resolve dependencies, use yum update packagename, for example: yum update yum.

This example actually updates Yum itself. If indeed an updated version of the package Yum is available, you are prompted to go ahead and install it. If you're invoking Yum from a script and you want all such prompts to be answered y automatically, use the -y option:

yum -y update yum

The check-update command, the Yum command that is, isn't mandatory before installing updates. If you prefer, you can use yum update directly—it performs the same checks as yum check-update.

In the last sample command, we specified a single package to update, yum. To initiate a complete update session for all installed packages on your system, you simply can omit the last argument, the package specification: yum update.

After Yum checks for all available updates and calculates dependencies, it presents you with a list of all updates it intends to download. Unless you used the -y option, it asks you whether to download and install each of them.

For the sake of completeness here's a bonus tip: you also can install new packages with Yum—you probably figured that out already. For any package contained in the sources you've defined in /etc/yum.conf, you can use the command yum install packagename to install the latest version of that package, plus anything it depends on. For example, to install the FTP server package vsftpd, you'd issue this command: yum install vsftpd.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

The comment "Garrick, use rea

Anonymous's picture

The comment "Garrick, use really small font in Listing 1 (or make wider than one column) to keep the lines from breaking"
Appears above the listing at the begining of the article, and there are a few times where there are font and other editing/publishing instructions for 'garrick' to follow. Thiis is an old article, but I figure I should make note of it so if anyone monitors this still they can correct it.

Re: Paranoid Penguin: Using Yum for RPM Updates

Anonymous's picture

Thanks I have just started using Yellow Dog Linux this aricle couldn't have been better timed than if you wrote it just for me.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix