How To Keep Rocky Linux 9 Servers Updated Securely

In this tutorial, you’ll explore some best practices for keeping your Rocky Linux 9 server stack up to date. Just as with network security hardening, there are many steps you can take to ensure your servers continue to work securely without future intervention.

There are a number of tools and configurations that you can apply to most Rocky Linux servers beyond what is configured for you automatically. If you’re doing your own server administration, it can be quite disruptive and error-prone to patch all of your environments manually.

This Tutorial Will Cover:

  • Testing graceful reboots following best practices for application management, to minimize any complications from maintenance updates
  • Configuring automatic updates for most of the packages and libraries running on your machine
  • Live kernel patching, and other best practices around kernel updates

Prerequisites

A Rocky Linux 9 server and a non-root user with sudo privileges.

Step 1 – Following Best Practices for Application Management

A fundamental part of configuring your server for automatic upgrades is ensuring that all of the applications running on the server are able to restart correctly after unplanned downtime or a reboot. Linux package managers are designed to run non-disruptively in the background so that necessary maintenance does not come with any additional overhead. Despite this, one of the most common reasons for not having a good update strategy in place is being concerned about how your server will behave after being restarted.

Wherever possible, the applications in your stack should be managed by your server’s init system, which on most modern Linux distributions including Rocky Linux is systemd. Systemd provides the systemctl command for interacting with your running services and automatically restarting them as needed. Virtually all software that is installed via your package manager and designed to run in the background should automatically provide a systemd service and a configuration unit file as a best practice.

When running your own software, or software deployed from Git repositories, it is not a bad idea to write your own unit files to integrate with systemd. As a lightweight alternative, you may prefer to use a tool like supervisor. You can also use your system’s cron scheduler with the @reboot syntax.
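As an added illustration of the advice above (this script is not part of the tutorial), the following POSIX shell functions render a minimal systemd unit for a self-deployed daemon and then check it for the three directives that decide whether the service survives a reboot or a crash: an [Install] WantedBy= target (otherwise systemctl enable does nothing), a Restart= policy, and a non-root User=. The service name myapp, the path /opt/myapp/bin/myapp and the user myapp are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate a reboot-safe systemd unit for
# a self-deployed daemon and verify the directives that make it come back up.
# Assumed names: service "myapp", binary /opt/myapp/bin/myapp, user "myapp".

# write_unit NAME EXEC USER OUTDIR -> writes OUTDIR/NAME.service, prints its path
write_unit() {
    name=$1; exec_path=$2; run_user=$3; outdir=$4
    cat > "$outdir/$name.service" <<EOF
[Unit]
Description=$name service
# Order after the network so the daemon does not fail its first bind at boot.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=$run_user
ExecStart=$exec_path
# Restart on crashes and non-zero exits, with a short back-off.
Restart=on-failure
RestartSec=5s
# Least-privilege hardening; relax only what the daemon actually needs.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
# This target is what makes "systemctl enable" start the unit at boot.
WantedBy=multi-user.target
EOF
    echo "$outdir/$name.service"
}

# check_unit FILE -> 0 if the unit will return after a reboot or crash,
# 1 with one message per missing directive on stderr otherwise.
check_unit() {
    f=$1; rc=0
    grep -q '^WantedBy=' "$f" \
        || { echo "$f: no [Install] WantedBy=, enable will do nothing" >&2; rc=1; }
    grep -Eq '^Restart=(on-failure|always)' "$f" \
        || { echo "$f: no Restart= policy, a crash stays down" >&2; rc=1; }
    grep -q '^User=' "$f" \
        || { echo "$f: no User=, the daemon would run as root" >&2; rc=1; }
    return $rc
}

# Demo: render into a temp dir and check it. On a real host the destination is
# /etc/systemd/system/, followed by daemon-reload and "systemctl enable --now".
tmp=$(mktemp -d)
unit=$(write_unit myapp /opt/myapp/bin/myapp myapp "$tmp")
check_unit "$unit" && echo "$unit: reboot-safe"
rm -rf "$tmp"
```

After copying the rendered file to /etc/systemd/system/, run sudo systemctl daemon-reload and sudo systemctl enable --now myapp, then test the whole thing with a real reboot as the next section describes.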

Reboot

After your configuration is in place, make sure to test it through reboots. You can reboot by running:

You can also specify a time in hh:mm, or a number of minutes from now, instead of now to schedule a reboot in the future. Production deployments should generally not require your attention after any unplanned outages, and all necessary services and endpoints should come back up automatically.

Now that you’ve ensured that your environment won’t have any trouble persisting through maintenance reboots, in the next step, you’ll learn how to schedule automatic upgrades.

Step 2 – Configuring Automatic Upgrades

Rocky’s package manager, dnf, has two main ways of performing a full system upgrade. You can run dnf upgrade without specifying a package to upgrade every package on your system. You can also run dnf upgrade-minimal to upgrade every package only to the latest bugfix or security patch release, which will perform necessary maintenance while avoiding any potential breaking changes upstream. You can read more about dnf commands from the dnf documentation.

Rocky also provides a tool called dnf-automatic to automatically retrieve and install security patches and other essential upgrades for your server. You can install it using dnf:

sudo dnf install dnf-automatic -y

dnf-automatic is not enabled automatically after installation. Instead, it provides several different services that you can register with Systemd to customize its behavior. These are:

  • dnf-automatic – this service follows the dnf-automatic configuration file options in /etc/dnf/automatic.conf.
  • dnf-automatic-notifyonly – this overrides the configuration file by only notifying you of available updates and not installing them.
  • dnf-automatic-download – this overrides the configuration file by only downloading packages and not installing them.
  • dnf-automatic-install – this overrides the configuration file by always installing downloaded packages.

For this tutorial, you will be enabling the dnf-automatic-install service, but first, you’ll make one change to the dnf-automatic configuration file. Open the file using vi or your favorite text editor:

sudo vi /etc/dnf/automatic.conf

Edit the configuration file as shown:

[commands]
#  What kind of upgrade to perform:
# default                            = all available upgrades
# security                           = only the security upgrades
upgrade_type = security
random_sleep = 0

# Maximum time in seconds to wait until the system is on-line and able to
# connect to remote repositories.
network_online_timeout = 60

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available.
apply_updates = no

Now you can enable and start the timer using systemctl (without --now, the timer would only start at the next boot):

sudo systemctl enable --now dnf-automatic-install.timer

Verify the service is running correctly. It is a oneshot unit triggered by the timer, so it shows as inactive between runs; the log line at the end of the output is from its last run:

sudo systemctl status dnf-automatic-install

Expected Output:

● dnf-automatic-install.service - dnf automatic install updates
   Loaded: loaded (/usr/lib/systemd/system/dnf-automatic-install.service; static; vendor preset: disabled)
   Active: inactive (dead)
Jul 14 21:01:03 droplet-name dnf-automatic[40103]: No security updates needed, but 154 updates available
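The interaction between the configuration file and the four timers is easy to get wrong: the suffixed units override download_updates and apply_updates, while the plain dnf-automatic unit honours them. The following POSIX shell script is an added example (not part of the tutorial or of dnf-automatic itself) that parses the INI-style file the way dnf-automatic reads it and reports what a given timer will actually do. The file name, section names and keys are the real ones; the sample configuration it writes is constructed to mirror the values set above, plus an [emitters] section.

```shell
#!/bin/sh
# Added example, not from the tutorial: read /etc/dnf/automatic.conf (INI
# sections) and report the effective update policy for the enabled timer.
# The sample config below is constructed to mirror the tutorial's settings.

# conf_get FILE SECTION KEY -> value of KEY inside [SECTION], or nothing.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # comments and blank lines
        /^[ \t]*\[/ {                                   # [section] header
            s = $0; gsub(/\[|\]|[ \t]/, "", s); insec = (s == sec); next
        }
        insec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# is_true VALUE -> 0 for the spellings dnf-automatic accepts as true.
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|true|on) return 0 ;;
        *)             return 1 ;;
    esac
}

# effective_policy FILE UNIT -> notify | download | install
# Suffixed units override download_updates/apply_updates; the plain
# dnf-automatic unit follows the file.
effective_policy() {
    case "$2" in
        dnf-automatic-notifyonly*) echo notify;   return 0 ;;
        dnf-automatic-download*)   echo download; return 0 ;;
        dnf-automatic-install*)    echo install;  return 0 ;;
    esac
    if is_true "$(conf_get "$1" commands apply_updates)"; then echo install
    elif is_true "$(conf_get "$1" commands download_updates)"; then echo download
    else echo notify; fi
}

# write_sample_conf FILE -> constructed config matching the tutorial's values.
write_sample_conf() {
    cat > "$1" <<'EOF'
[commands]
#  What kind of upgrade to perform:
# default  = all available upgrades
# security = only the security upgrades
upgrade_type = security
random_sleep = 0
network_online_timeout = 60
download_updates = yes
apply_updates = no

[emitters]
emit_via = stdio
EOF
}

# Demo against the constructed file. On a real host use /etc/dnf/automatic.conf
# and the timer shown by: systemctl list-timers 'dnf-automatic*'
conf=$(mktemp)
write_sample_conf "$conf"
printf 'upgrade_type=%s\n' "$(conf_get "$conf" commands upgrade_type)"
for unit in dnf-automatic.timer dnf-automatic-install.timer; do
    printf '%-28s -> %s\n' "$unit" "$(effective_policy "$conf" "$unit")"
done
rm -f "$conf"
```

With the tutorial's settings the plain dnf-automatic.timer would only download (apply_updates = no), whereas dnf-automatic-install.timer installs regardless of that line, which is why the tutorial can leave apply_updates at no and still get security patches applied.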

Step 3 – Updating and Livepatching the Kernel

To avoid downtime during kernel upgrades, you can use a feature called live patching. Install the kpatch-dnf package:

sudo dnf install kpatch-dnf

Then run the following to subscribe to live patching:
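Live patches do not change what uname -r reports, and they only cover the running kernel until the next full kernel package is installed, after which a reboot is still needed to run that kernel. The following POSIX shell script is an added example (it is not the subscription command and not part of the tutorial) that compares the running kernel with the newest installed kernel package, using the newest-first output format of rpm -q kernel --last. The kernel versions in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: detect a pending kernel reboot by
# comparing the running kernel with the newest installed kernel package.
# kpatch live patches do not change `uname -r`, so this check is about
# the full kernel package, which still needs a reboot once installed.

# newest_from_rpm_last INPUT -> version of the newest installed kernel.
# INPUT is the text of `rpm -q kernel --last`, which lists newest first:
#   kernel-<version>   <install date>
newest_from_rpm_last() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/^kernel-/, "", $1); print $1 }'
}

# kernel_is_current RUNNING NEWEST -> 0 if identical, 1 if a reboot is pending
kernel_is_current() {
    [ "$1" = "$2" ]
}

# reboot_status RUNNING RPM_LAST_OUTPUT -> prints "current" or "reboot-pending"
reboot_status() {
    newest=$(newest_from_rpm_last "$2")
    if kernel_is_current "$1" "$newest"; then
        echo current
    else
        echo reboot-pending
    fi
}

# Constructed sample data standing in for `uname -r` and `rpm -q kernel --last`
# (version strings are illustrative, not taken from any advisory).
SAMPLE_RUNNING="5.14.0-362.8.1.el9_3.x86_64"
SAMPLE_RPM_LAST="kernel-5.14.0-362.13.1.el9_3.x86_64   Tue 09 Jan 2024 08:00:00 AM UTC
kernel-5.14.0-362.8.1.el9_3.x86_64    Mon 11 Dec 2023 10:00:00 AM UTC"

# On a live host: reboot_status "$(uname -r)" "$(rpm -q kernel --last)"
echo "sample host: $(reboot_status "$SAMPLE_RUNNING" "$SAMPLE_RPM_LAST")"
```

On a real Rocky 9 host the same question is answered more broadly by the needs-restarting plugin from dnf-plugins-core (dnf needs-restarting -r), which also accounts for core libraries; the script above is useful where you want the check in your own monitoring without that plugin.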

Conclusion

You now have solutions in place to ensure all of the packages on your server receive essential security updates automatically. Additionally, live patching allows you to apply kernel updates without rebooting, improving your server’s uptime and security.
