title: CentOS Stream does not support dnf-automatic security updates
excerpt: The repository lacks updateinfo to provide errata
date: 2024-07-15
tags: centos

If you have configured dnf-automatic to only apply security updates on CentOS Stream, it will not install any updates.

[commands]
upgrade_type = security

Background

I discovered this limitation when attempting to patch openssh against CVE-2024-6387 (regreSSHion). Here's a brief timeline of patch availability on CentOS Stream 9:

While waiting for the patch to become available, I enabled dnf-automatic and configured it to apply security updates only. When the patch openssh-8.7p1-42.el9 was finally available, I checked whether it had been applied using dnf info openssh. It showed the installed version was still 8.7p1-41 and 8.7p1-42 was available. That did not look good. Did I forget to enable dnf-automatic? systemctl status dnf-automatic.timer showed it was enabled. Did it trigger dnf-automatic.service?

Jul 9 06:15:03 localhost dnf-automatic[12345]: No security updates needed, but 3 updates available

Not only did dnf-automatic not install 8.7p1-42, it also did not see the version as a security update. Before I went on to search for an answer, I applied the patch first with dnf upgrade openssh.

updateinfo.xml

Red Hat documentation mentions that installed security updates can be listed through dnf updateinfo list security --installed; however, it returned empty on CentOS Stream 9. To check if the command actually works, I ran it on an AlmaLinux box and it returned output similar to the Red Hat documentation.

I then learned that dnf depends on errata to be able to detect whether a package version is a security update. From this post (archived), I discovered errata is published on the repository in the form of updateinfo.xml, which is related to dnf updateinfo.

I remembered that when dnf attempts to refresh a repository, the first thing it looks for is /repodata/repomd.xml. So, I tried to look for updateinfo.xml in /repodata/ but could not find it. This explained the empty output of dnf updateinfo but I wasn't convinced yet. I searched for it in AlmaLinux and found {sha256sum-hash}-updateinfo.xml.gz. Since the content is updated constantly, how does dnf know which updateinfo.xml to grab? I opened up the repomd.xml and noticed:

  <data type="updateinfo">
    <location href="repodata/{sha256sum-hash}-updateinfo.xml.gz"/>
  </data>

I also searched and discovered that updateinfo is available on Rocky Linux and Fedora. Looking at Fedora's repomd.xml, I learned that the updateinfo.xml is available in gzip, xzip and zchunk (updateinfo_zck) formats. By then, I was sure that dnf cannot apply security (nor bugfix/feature)-specific updates in CentOS Stream.

Enable automatic updates

Automatic updates only work in CentOS Stream with this config:

[commands]
upgrade_type = default
apply_updates = yes

Automatic security updates are available on RHEL, AlmaLinux, Rocky Linux and Fedora. Fedora's updateinfo does not include a CVE reference (e.g. <reference href="https://access.redhat.com/security/cve/CVE-2024-6387" id="CVE-2024-6387" type="cve" title="CVE-2024-6387"/>), so updates there cannot be filtered by CVE ID (dnf updateinfo list --cve CVE-2024-6387 --installed).
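The check from the two sections above can be scripted: given the dnf-automatic config and each enabled repository's repomd.xml, report the repositories where upgrade_type = security can never select an update. This is an added example, not code from the original post or from dnf; the function names and the sample metadata (with placeholder hashes) are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"  # namespace used by repomd.xml

# Constructed samples (not real repository metadata); hashes are placeholders.
REPOMD_HEAD = '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
PRIMARY = '<data type="primary"><location href="repodata/{hash}-primary.xml.gz"/></data>'
UPDATEINFO = '<data type="updateinfo"><location href="repodata/{hash}-updateinfo.xml.gz"/></data>'
WITHOUT_UPDATEINFO = REPOMD_HEAD + PRIMARY + "</repomd>"
WITH_UPDATEINFO = REPOMD_HEAD + PRIMARY + UPDATEINFO + "</repomd>"
SECURITY_CONF = "[commands]\nupgrade_type = security\napply_updates = yes\n"
DEFAULT_CONF = "[commands]\nupgrade_type = default\napply_updates = yes\n"


def metadata_types(repomd_xml):
    """Return the set of <data type="..."> values declared in a repomd.xml."""
    if "<!DOCTYPE" in repomd_xml:
        # repomd.xml needs no DTD; refuse it instead of expanding entities.
        raise ValueError("unexpected DOCTYPE in repomd.xml")
    root = ET.fromstring(repomd_xml)
    return {d.get("type", "") for d in root.iter(REPO_NS + "data")}


def has_updateinfo(repomd_xml):
    """True if errata metadata is published (updateinfo, updateinfo_zck, ...)."""
    return any(t.split("_")[0] == "updateinfo" for t in metadata_types(repomd_xml))


def audit(automatic_conf, repos):
    """List repos where upgrade_type = security can never select an update.

    automatic_conf: text of the dnf-automatic config file
    repos: mapping of repo name -> text of that repo's repomd.xml
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(automatic_conf)
    upgrade_type = cfg.get("commands", "upgrade_type", fallback="default").strip()
    if upgrade_type != "security":
        return []  # not restricted to security errata, so updateinfo is not required
    return sorted(name for name, xml in repos.items() if not has_updateinfo(xml))


if __name__ == "__main__":
    repos = {"stream-like": WITHOUT_UPDATEINFO, "alma-like": WITH_UPDATEINFO}
    for name in audit(SECURITY_CONF, repos):
        print(name + ": no updateinfo, security-only upgrades will install nothing")
```

A non-empty result is the silent failure described in the Background section: the timer runs, the log reports no security updates needed, and the fix stays uninstalled.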

Unattended upgrades in Debian/Ubuntu

Automatic updates are provided by the unattended-upgrades package, which is installed by default but not enabled. It can be configured through "/etc/apt/apt.conf.d/50unattended-upgrades".

Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
};

Each allowed origin refers to a distribution/component; in Ubuntu 24.04, those two lines refer to 24.04:noble and 24.04:noble-security. The default config effectively applies security updates only, though it is not obvious at first. noble is the base repository of Ubuntu 24.04 once it reached general availability. Security updates are available in noble-security while bugfix updates are available in noble-updates instead.

In Debian, the config is different.

Unattended-Upgrade::Allowed-Origins {
  "origin=Debian,codename=${distro_codename},label=Debian";
  "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

Security updates are published to a different URI, debian-security, instead of the primary URI, debian. A notable implication is that not every Debian mirror mirrors debian-security.

To enable unattended upgrades, run dpkg-reconfigure --priority=low unattended-upgrades and select yes; it will create "/etc/apt/apt.conf.d/20auto-upgrades".

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";