The small handful of Red Hat servers in my home lab live in a ‘boom-and-bust’ world. At times, when motivation and free time are abundant, they work very hard as I tinker with them at all hours of the night. At other times, when work and life are more demanding, they sit unused. They go on about their business with little interaction, sometimes for weeks.
But even though I’m not paying attention to them, I still care about them. I want them to patch and be happy, and I want them to let me know when they do, so I can be happy knowing that they’re happy. I want to know what packages were updated, and that they’re getting the care and feeding they need. And it’s not just for my lab, the same goes for servers at work that live on networks where Ansible can’t reach them.
Enter DNF-Automatic.
DNF-Automatic does exactly what it says – it runs DNF automatically. In this post, I’ll walk through setting it up to automatically install patches every Friday morning, and you can adjust the configuration to use any interval you choose. For the email notification, I use a simple Python script that connects to the SendGrid API, but there are dozens of other ways to achieve this. I just happen to have a SendGrid account, and have used it for years to send automated email alerts.
REFERENCE LINKS
There are two packages required. You can set up automated patching without the second one, but this one is necessary for the after-patching alerts.
- dnf-automatic
- python3-dnf-plugin-post-transaction-actions
Here are some reference links for both:
- Red Hat official docs for dnf-automatic
- More dnf-automatic documentation
- How to use dnf post-transaction actions (Red Hat account needed)
- Overview of dnf post-transaction actions
SETUP DNF-AUTOMATIC
The DNF-Automatic package has these main components:
FILES:
- /etc/dnf/automatic.conf
- Main configuration file
- Choose upgrade type (e.g. all updates or security only)
- Choose whether to always reboot, or only when needed
- /etc/systemd/system/dnf-automatic.timer.d/override.conf
- Override file (automatically created during ‘systemctl edit dnf-automatic.timer’)
- Main configuration file
In the automatic.conf file, the [commands] section is the most important one. I have it set to install all updates, and reboot every time dnf changes the system (my lab servers benefit from period reboots anyways). It also waits 600s (10 minutes) after the server comes online, for example if it were rebooted just before the timer triggered.
[commands]
upgrade_type = default
random_sleep = 0
network_online_timeout = 600
apply_updates = true
reboot = when-changed
SYSTEMD TIMERS:
- dnf-automatic.timer
- dnf-automatic-notifyonly.timer (disabled for this setup)
- dnf-autoatic-download.timer (disabled for this setup)
- dnf-automatic-install.timer (disabledfor this setup)
The screenshot below shows the services and their associated timers that are shipped with dnf-automatic. I am only using the dnf-automatic.timer on this lab server. The dnf actions it performs are controlled by /etc/dnf/automatic.conf. The timer file, when edited with ‘systemctl edit,’ creates the override.conf file at /etc/systemd/system/dnf-automatic.timer.d/.
For the timer file, I am using the following to trigger the dnf-automatic service at 0600 on Fridays:
[Unit]
Description=Weekly dnf updates
[Timer]
OnCalendar=
OnCalendar=Fri 6:00:00
Persistent=true
RandomizedDelaySec=0
[Install]
WantedBy=timers.target SETUP POST-TRANSACTION ACTIONS
The post-transactions plugin has just one main configuration file:
- /etc/dnf/plugins/post-transaction-actions.conf
- Important elements:
- Enabled = 1
- actiondir = /etc/dnf/plugins/post-transaction-actions.d/
- Important elements:
Whatever script you want to run after DNF finishes a transaction must be placed in the ‘actiondir’ and given a ‘.action’ file extension.
This ‘after-patch-msg.action’ file is just a bash script.
The script activates a Python virtual environment that has the SendGrid pip packages installed, and then fires off the Python script. The script uses a .env file that contains the SendGrid API key. For a production environment, you could certainly do this better.
And that’s it. My lab servers patch on their own, without any outside intervention, and let me know when they do.