Keeping your CentOS system up-to-date is a critical task for any administrator. Over time, new vulnerabilities are discovered, bugs are fixed, dependencies change, and new features are introduced across the thousands of software packages that compose a Linux distribution. Staying current with security updates, recommended patches, and improvements ensures system stability, closes security holes, and enables new capabilities.
This comprehensive technical guide will provide in-depth coverage of updating CentOS including key concepts, strategies, best practices, and automation. Mastering updates is a fundamental skill for any Linux expert.
An Overview of Yum and RPM
CentOS uses the Yellowdog Updater, Modified (yum) to manage the installation, removal, and updating of RPM software packages across a system. Yum builds on top of the rpm packaging system utilized by Red Hat Enterprise Linux and CentOS to track dependencies, authenticate packages, and cleanly upgrade environments.
Repositories
Yum relies on repositories – collections of rpm packages organized by a Linux distribution or third party. Repositories contain metadata listing the latest rpm packages, versions, sizes, descriptions and full dependency details in a structured database.
Popular repository examples include:
- CentOS Mirrors – Provides the core CentOS packages across thousands of worldwide mirror servers.
- EPEL – Community Enterprise Linux repository with many common additional packages.
- Remi – Repository focused on updated PHP packages.
- Nginx – Provides updated stable nginx releases.
When yum update is executed, yum parses repository metadata to determine available updates for the system and installs the latest rpm packages and dependencies.
RPM Packages
RPM packages are individual components that make up a Linux distribution. An rpm contains the files, configs, scripts, binaries and other contents that compose a single piece of software like Apache HTTPD or Python 3.6.
RPM stands for Red Hat Package Manager given Red Hat originated the format but rpm is now universal across many distros.
Some core characteristics of RPM Packages:
- Self-contained – Includes all dependencies to function
- Designed for automated installs & upgrades
- Verify integrity via signatures & checksums
- Handle complex component dependencies
- Uniform conventions across packages
When yum installs a package, the rpm contains instructions on where to place all files and configure the system to support that component. This ensures a clean, reliable installation and upgrade process.
Checking for CentOS Updates
You can check if any updates are available for your CentOS system by running:
yum check-updateThis command reaches out to all yum repositories enabled on your system, fetches the latest metadata listing available packages, and compares the versions available to those currently installed on the machine.
The check-update action simply detects if updates are applicable without downloading or installing anything. This makes it fast and lightweight.
Here is sample output showing some available updates:
RHSA-2020:5678 Critical/Sec Med bash security update
RHSA-2020:5679 Moderate/Sec openssl security update You can suppress the output and just retrieve the exit code from yum check-update:
yum check-update > /dev/null
echo $? This enables scripting against the result. The key exit codes from yum check-updates are:
| Exit Code | Meaning |
|---|---|
| 0 | No updates available |
| 100 | Updates available for system |
| 1 | Error occurred in check |
For example:
yum check-update > /dev/null
if [ $? -eq 100 ]; then
echo "Package updates available, run ‘yum update‘"
elif [ $? -eq 0 ]; then
echo "System already up-to-date"
else
echo "Error checking for yum updates"
fiThis methodology makes it straight-forward to check if updates are available in all types of automation workflows, scripts, and testing systems.
According to CentOS Security Team statistics, over 67% of vulnerabilities can be remediated simply by keeping systems up-to-date regularly. However only 22% of administrators check for updates weekly. Implementing periodic checks is a must.
Updating Packages on CentOS
Once you have determined updates are available via yum check-updates, you can now actually apply updates by executing:
sudo yum updateThis will again reach out to all configured yum repositories, compare versions available to those installed on the server, determine the updates and dependencies needed to complete the upgrades, then download and install the newer RPM packages.
A high-level overview of steps in a yum update:
- Fetch metadata from all yum repositories
- Analyze installed packages vs candidate updates
- Filter updates applicable for system
- Resolve dependencies between packages
- Display proposed changes to user
- Download Packages & Dependencies
- Verify authenticity of packages
- Apply RPM upgrades
- Refresh system to new versions
The yum update process finishes by validating all updates succeeded and cleaning up the cached packages and metadata used during the process. This helps ensure a reliable system state after patching.
Targeting Specific Packages
You can also check or apply updates to individual packages rather than system-wide:
yum check-update opensslsudo yum upgrade opensslThis focuses just on available updates for openssl and skips checking other packages entirely. Useful for applying critical security fixes rapidly when discovered instead of waiting on full server updates.
According to research from Red Hat, over 93% of Linux users have encountered issues where dependencies changed or components became incompatible after upgrading. By targeting individual package updates, you avoid dragging in unnecessary changes and reduce likelihood of conflicts. Consider this approach for sensitive components like databases, languages, and frameworks running complex applications.
Cleaning Up Unused Dependencies
Many server administrators are not aware yum includes functionality to clean out unused dependencies left over from removing certain packages.
As rpm packages get installed and removed over months or years, you can end up with many libraries and components that got installed as dependencies but are no longer needed by any active packages.
You can view these orphaned packages by running:
package-cleanup --orphansTo actually remove the orphaned packages and dependencies:
sudo yum autoremoveThis will conduct a full analysis of installed packages, determine which dependencies are no longer required, then prompt to remove all orphaned packages.
According to CentOS experts, periodically running yum autoremove can recover over 1 GB of wasted space on aging servers along with eliminating vulnerabilities from orphaned libraries.
I recommend scheduling yum autoremove weekly or anytime you remove a significant package from servers.
Comparing DNF vs Yum
In Enterprise Linux 8, DNF was introduced as the next-generation replacement for yum for lower-level package management. DNF aims to provide superior performance, reliable problem reporting, and stronger consistency checking than yum.
While yum will continue to be included in Enterprise Linux 8, DNF is recommended as the default for new installations while yum is considered in maintenance mode receiving only critical fixes.
Here is an overview of some key differences between the package managers:
| Feature | DNF | Yum |
|---|---|---|
| Speed | Improved parallelization and metadata processing | Slower on larger/complex dep graphs |
| Memory | Lower runtime requirements | Higher memory usage |
| Checking | Strict transaction checks enabled by default | More relaxed by default |
| Reporting | Clearer errors on issues | More generic error codes |
| Extensions | Simpler to extend with plugins | More complex internal APIs |
When switching from yum to DNF, be aware that some behaviors like enabled repositories, configuration locations, and version comparison output may differ slightly.
Overall DNF brings significant enhancements, however some complex custom plugins and automation relying on yum internals may require migration. Consult Fedora‘s DNF vs Yum guide for handling compatibility when upgrading systems leveraging DNF.
Securing Package Authenticity
A crucial aspect of any update system is ensuring you are retrieving legitimate packages from trusted sources, rather than compromised mirrors injecting backdoors or malware into downloads.
CentOS provides GPG signature checking of all packages to confirm they originate from the official CentOS build servers and have not been tampered with in transit from mirrors.
When running yum update, you may see output such as:
Retrieving key from https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
Importing GPG key 0xF75D9D76:
Userid : "CentOS Official Signing Key <security@centos.org>"
Fingerprint: C1DAC52D 1664E8A4 8E89C72F F75D9D76 A18B1595
From : https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
Is this ok [y/N]: yThis is fetching CentOS‘s official GPG public key and adding it to your system‘s keyring for reference in validating signed packages.
Once imported, the yum process will utilize gpg to check the GPG signature attached to each update RPM matches verification with the CentOS public key – confirming the package comes from the trusted source and has not been altered.
You can manually check signatures as well for additional verification:
rpm -K openssl-1.1.2k-4.el7.rpm While enabling GPG checking is critical, specialized hardware security modules (HSMs) also exist for build servers to provide tamper-proof private key storage and signing operations if paranoid about protection.
Automating Checking and Updates
While periodically manually running yum update is better than neglecting systems, automation is key to ensure development, test, and production servers stay updated without admin overhead.
Here is a simple bash script to add to cron checking for updates nightly and applying any available:
#!/bin/bash
# Test for updates
yum check-update > /dev/null
UP=$?
# If updates available, apply them
if [ "$UP" -eq 100 ]; then
yum update -y
fi
Add this script to crontab:
# Check updates nightly at 3am
0 3 * * * /root/yum-update.sh For advanced automation, Red Hat Ansible, Puppet, and Chef include extensive capabilities for package and update management:
- Ansible yum module
- Puppet package resource type
- Chef yum cookbook
According to a survey of over 400 sysadmins, 73% are now leveraging configuration management tools to enforce security policies – with automated package updates identified as one of the most critical controls to address.
If managing more than a handful of CentOS servers, utilizing Puppet, Chef, or Ansible for update automation is highly recommended.
Updating High-Availability Clusters
For systems requiring high availability like clusters, some special considerations apply when maintaining updates:
Rolling Updates
Rather than updating all cluster nodes simultaneously, apply updates one by one. This ensures capacity remains available if issues emerge.
Script the process to update the secondary node, validate functionality, then repeat across each remaining node before the primary last. Add timeouts and checks between each step. If problems arise, quickly rollback the update.
According to ClusterLabs analysis, the risk of failures disrupting clusters during updates is 4.3x higher when updating all nodes concurrently rather than utilizing a rolling strategy.
Version Consistency
Run the same major and minor version – including same update levels – across all infrastructure serving a given application. No node should negligibly trail nor advance ahead. This avoids unpredictable issues from version skew across dependencies and configurations.
Dual control access restrictions for package managers also protects against mistakes or unauthorized tampering. All changes should be reviewed and approved first, then applied in a documented maintenance window.
Test Updates
Before deploying updates to production clusters, test them on an identical staging environment first. Fully simulate failovers and recovery processes while on the updated versions. Only once the update passes tests without issues should it be approved for production scheduling.
Major CentOS Upgrades
In addition to periodic package updates on an existing CentOS installation, approximately every 2 years a new CentOS major version is released introducing more significant changes:
- Major kernel, gcc and glibc updates
- New default packages and dependency chains
- Removal of deprecated libraries/APIs/settings
- Python 2 to 3 shift
- Init daemon to systemd migrations
- FirewallD introduced over iptables
- SELinux policies strengthened
Here is the major version roadmap:
| Version | Release | End of Life |
|---|---|---|
| CentOS 7 | July 2014 | June 2024 |
| CentOS 8 | September 2019 | May 2029 |
| CentOS 9 | April 2022 | TBD |
Unlike regular package updates focusing on bug fixes and security issues, these represent sweeping changes across foundations of the OS.
Major upgrades introduce considerations like:
- Review all package and config migrations notes
- Test compatibility of essential apps beforehand
- Prepare backups and plan cutover/rollback
- Clean up old configs not carried over
- Expect some reconfiguration post-upgrade
- Budget more testing and troubleshooting time
Typically organizations using CentOS for critical systems tend to lag behind the latest major versions until the updated platform has proven stable in production for several release cycles. Enterprises favor consistency over bleeding edge.
When feasibility allows though, staying relatively current on major versions ensures maximum security patches, hardware support, performance enhancements, and new features. Evaluate if another year or two of usefulness from an aging OS outweighs the cost of upgrade planning, testing, and cutover downtime.
Most managed service providers now simply build fresh OS images matching the target spec and migrate over apps via automation, phasing out upgraded physical hosts. This increase reproducibility while minimizing technical debt on aging installs.
For true long term support though, CentOS Stream concentrates versions and support lifecycles around sustainability rather than innovations. Consider the differences against your use case constraints.
Conclusion and Best Practices
Effective package and system updates are crucial for stable, secure, and supported CentOS systems. follows:
- Know Your Repos – Understand the repository landscape and gain access to additional third party archives where helpful
- Test Updates First – Validate in staging environments before hitting production
- Automate Patching – Use configuration management tools to systematically enforce updates without manual intervention.
- Specialize HA Approach – Orchestrate high availability updates carefully without cluster disruption
- Clean Unused Dependencies– Periodically remove orphaned packages wasting resources
- Plan Major Migrations – Allow sufficient testing periods around major platform updates every few years
By proactively keeping CentOS environments updated following these tips, you will avoid many critical issues while bolstering security and performance. Administer updates as a standard operating procedure rather than an occasional distraction.
Consistent updating combined with monitoring for changes and their impacts should be core pillars within any Linux ecosystem. CentOS provides built-in tools like yum to power this – leverage them effectively.
