Yum basic tunables
Tune the metadata expiry, or rather turn it off and use cron to keep the metadata updated out of band.
yum makecache / cron
yum makecache fast
Fetch regular quick updates to make good use of the cache. yum-cron can also be asked to play well?
yum self update
lesson from apt/apk/pkg
rpmdb health check
Yum update management
Mind you, this has no data in CentOS and will simply report "everything is fine", no matter whether you have outstanding security patches. It will also not tell you if any of your packages has an open vulnerability for which there is no patch.
Other OS (RHEL, OEL)
The plugin for check_mk to alert works.
They'll be happy once you've patched, but you'll likely need to do more.
- kernel: reboot to update your kernel, or the hole stays in place.
- glibc: need to restart all affected services
- ssl: need to restart all affected services
- systemd: normally a systemctl daemon-reload is enough, but there have been bugs with poisonous results to be aware of.
- applications:
Will only fetch the minimal version needed to satisfy an update, not the most recent version possible. Can be useful, but comes with a small risk that patch results are not 100% identical if different systems have different software installed, so that certain dependency packages are patched at different times.
yum post-transaction hooks
go here, still missing
- clustered software
Advice on handling reboots
Defer reboots so you don't end up with random reboots of everything :)
yum LVM filesystem snapshots
Automatic snapshots when software is installed. Needs sed scripting to make sure only the core filesystems (i.e. /, /usr, /var) are snapshotted.
A plugin that safely commits /etc changes to git if you install packages - or nightly.
[root@cobbler yum]# ls -l
total 16
drwxr-xr-x  3 root root   95 Oct 27  2015 history
drwxr-xr-x  3 root root   19 Oct 27  2015 repos
drwxr-xr-x  2 root root   80 Apr 13 15:32 rpmdb-indexes
-rw-r--r--  1 root root 1690 Feb 17  2016 transaction-all.2016-02-17.00:06.24
-rw-r--r--  1 root root  740 Feb 17  2016 transaction-done.2016-02-17.00:06.24
-rw-r--r--  1 root root   36 Oct 27  2015 uuid
drwxr-xr-x 34 root root 4096 Nov  4  2015 yumdb
-> Use a file age / file groups check to monitor for any unfinished transaction older than a day.
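One way to implement the file-age check described above, written as a check_mk-style local check. This is an added example, not part of the original notes; the service name, the YUM_STATE_DIR and MAX_AGE_MIN variables and the /var/lib/yum default (yum's default persistdir) are assumptions.

```shell
#!/bin/sh
# Added example: local check for unfinished yum transactions.
# Assumption: yum keeps its state in /var/lib/yum (default persistdir);
# override with YUM_STATE_DIR. Service name and threshold are hypothetical.

YUM_STATE_DIR="${YUM_STATE_DIR:-/var/lib/yum}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"   # one day, as in the note above

# Print every transaction-all.* journal in directory $1 older than $2 minutes.
# yum removes these files when a transaction completes, so a leftover one
# points at an interrupted transaction.
stale_yum_transactions() {
    dir="$1"; max_age="${2:-$MAX_AGE_MIN}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name 'transaction-all.*' \
        -mmin "+$max_age" 2>/dev/null | sort
}

# Emit one local-check line: "<state> <service> <perfdata> <text>".
yum_txn_check() {
    dir="${1:-$YUM_STATE_DIR}"; max_age="${2:-$MAX_AGE_MIN}"
    if [ ! -d "$dir" ]; then
        echo "3 yum_unfinished_transactions - UNKNOWN - $dir not found"
        return 0
    fi
    stale=$(stale_yum_transactions "$dir" "$max_age")
    if [ -z "$stale" ]; then
        echo "0 yum_unfinished_transactions count=0 OK - no unfinished transaction older than ${max_age} min"
    else
        count=$(printf '%s\n' "$stale" | wc -l | tr -d ' ')
        names=$(printf '%s\n' "$stale" | sed 's|.*/||' | tr '\n' ' ')
        echo "2 yum_unfinished_transactions count=$count CRIT - unfinished: ${names% }"
    fi
}

yum_txn_check
```

A host that reports CRIT here stopped partway through a package transaction, so its patch state should not be trusted until the transaction is completed or cleaned up (yum-complete-transaction from yum-utils handles this).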