


Last active May 21, 2017
yum patch management

Yum basic tunables


Tune the metadata expiry, or rather turn it off and use cron to keep the cache updated out of band.

yum makecache / cron

yum makecache fast

Fetch regular quick metadata updates so the cache is actually made use of. yum-cron can presumably also be asked to play well with this?

Yum maintenance

yum self update

lesson from apt/apk/pkg

rpmdb health check


Yum update management




CentOS warning

Mind you, this has no security data on CentOS, so it will simply report "everything is fine" no matter whether you have outstanding security patches. Also mind that it will not tell you whether any of your packages has an open vulnerability that no patch exists for yet.

Other OS (RHEL, OEL)

A plugin for check_mk that alerts on outstanding security updates works there.


They'll be happy once you have patched, but you will likely need to do more:

  - kernel: reboot to run the updated kernel, or the hole stays in place.
  - glibc: restart all affected services.
  - ssl: restart all affected services.
  - systemd: normally a systemctl daemon-reload is enough, but there have been bugs with poisonous results to be aware of.
  - applications: (lsof magic, i.e. find the processes that still have the replaced, now deleted, library files mapped)


Fetches only the minimal version that satisfies the update need, not the most recent version available. Can be useful, but comes with a small risk of patch results not being 100% identical across systems: if different systems have different software installed, certain dependency packages get patched at different times.

important excludes

yum post-transaction hooks

example hooks

examples go here, still missing

  1. kernel
  2. openssl
  3. clustered software

Advice on handling reboots

Defer reboots so you don't end up with everything rebooting at random :)

yum LVM filesystem snapshots

Automatic snapshots when software is installed. Needs some sed scripting to make sure only the core filesystems (i.e. /, /usr, /var) are snapshotted.


A plugin that safely commits /etc changes to git when you install packages, or nightly.

transaction plugin

[root@cobbler yum]# ls -l
total 16
drwxr-xr-x  3 root root   95 Oct 27  2015 history
drwxr-xr-x  3 root root   19 Oct 27  2015 repos
drwxr-xr-x  2 root root   80 Apr 13 15:32 rpmdb-indexes
-rw-r--r--  1 root root 1690 Feb 17  2016 transaction-all.2016-02-17.00:06.24
-rw-r--r--  1 root root  740 Feb 17  2016 transaction-done.2016-02-17.00:06.24
-rw-r--r--  1 root root   36 Oct 27  2015 uuid
drwxr-xr-x 34 root root 4096 Nov  4  2015 yumdb

-> Use a file age / file groups check to monitor for any unfinished transaction older than a day (leftover transaction-all.* / transaction-done.* files like the ones above).
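One way to do that file age check, written as a check_mk local check. This is an added example and not part of the gist; the transaction-all.* / transaction-done.* naming is yum's own, while the function names, the output format and the one-day default are my own choices.

```shell
#!/bin/sh
# Added example, not from the gist: a check_mk local check that reports yum
# transactions that were started but never completed.
#
# yum writes transaction-all.<stamp> in /var/lib/yum when a transaction starts
# and transaction-done.<stamp> as packages finish; both are removed once the
# transaction completes. Files that survive past a grace period therefore mark
# an interrupted run (cleaned up with yum-complete-transaction).
# Function names and the default threshold are my own choices.

# List transaction-all.* files in DIR ($1) older than DAYS ($2), names only.
stale_yum_transactions() {
    find "${1:-/var/lib/yum}" -maxdepth 1 -type f -name 'transaction-all.*' \
        -mtime +"${2:-1}" 2>/dev/null | sed 's#.*/##' | sort
}

# Print only the number of stale transaction files (0 when there are none).
count_stale_yum_transactions() {
    stale_yum_transactions "$1" "$2" | sed '/^$/d' | wc -l | tr -d ' '
}

# Emit one check_mk local-check line: "<status> <name> <perfdata> <text>".
# Status 0 = OK, 2 = CRIT; the return code mirrors it so the function can
# also be used from a plain cron job or a Nagios wrapper.
check_yum_unfinished() {
    dir="${1:-/var/lib/yum}"
    days="${2:-1}"
    count=$(count_stale_yum_transactions "$dir" "$days")
    if [ "$count" -eq 0 ]; then
        printf '0 yum_unfinished_transactions count=0 no unfinished yum transactions older than %s day(s)\n' "$days"
        return 0
    fi
    names=$(stale_yum_transactions "$dir" "$days" | tr '\n' ' ')
    printf '2 yum_unfinished_transactions count=%s %s unfinished yum transaction(s) older than %s day(s): %s\n' \
        "$count" "$count" "$days" "$names"
    return 2
}

# Run against the real /var/lib/yum with defaults when invoked as
# "script --run" (e.g. from the check_mk agent's local check directory).
if [ "${1:-}" = "--run" ]; then
    check_yum_unfinished
fi
```

The perfdata field (count=N) lets check_mk graph the number of stale transactions over time, and the listed file names tell you which timestamp to pass to yum-complete-transaction.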
