[PATCH 1/2] Split cron-daily and cron-hourly into separate packages. Add cron-security.

James Antill james at and.org
Tue Jan 21 21:34:02 UTC 2014


---
 docs/yum-cron.8               |    1 +
 etc/Makefile                  |    1 +
 etc/yum-cron-security.conf    |   82 +++++++++++++++++++++++++++++++++++++++++
 etc/yum-cron.conf             |    6 ++-
 yum-cron/Makefile             |    1 +
 yum-cron/yum-security.cron.sh |   11 +++++
 yum.spec                      |   63 ++++++++++++++++++++++++++++++-
 7 files changed, 160 insertions(+), 5 deletions(-)
 create mode 100644 etc/yum-cron-security.conf
 create mode 100644 yum-cron/yum-security.cron.sh

diff --git a/docs/yum-cron.8 b/docs/yum-cron.8
index db50fc2..7ce1aef 100644
--- a/docs/yum-cron.8
+++ b/docs/yum-cron.8
@@ -29,6 +29,7 @@ just once each day.
 .nf
 /etc/yum/yum-cron.conf
 /etc/yum/yum-cron-hourly.conf
+/etc/yum/yum-cron-security.conf
 .fi 
 
 .PP
diff --git a/etc/Makefile b/etc/Makefile
index 49f1d81..7c023af 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -32,4 +32,5 @@ install:
 	install -m 644 yum.bash $(DESTDIR)/$(compdir)/yum
 	ln -s yum $(DESTDIR)/$(compdir)/yummain.py
 	install -m 644 yum-cron.conf $(YUMETC)
+	install -m 644 yum-cron-security.conf $(YUMETC)
 	install -m 644 yum-cron-hourly.conf $(YUMETC)
diff --git a/etc/yum-cron-security.conf b/etc/yum-cron-security.conf
new file mode 100644
index 0000000..b0edd9d
--- /dev/null
+++ b/etc/yum-cron-security.conf
@@ -0,0 +1,82 @@
+[commands]
+#  What kind of update to use:
+# default                            = yum upgrade
+# security                           = yum --security upgrade
+# security-severity:Critical         = yum --sec-severity=Critical upgrade
+# minimal                            = yum --bugfix upgrade-minimal
+# minimal-security                   = yum --security upgrade-minimal
+# minimal-security-severity:Critical =  --sec-severity=Critical upgrade-minimal
+update_cmd = security
+
+# Whether a message should emitted when updates are available.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available. Note
+# that updates_messages must also be yes for updates to be downloaded.
+download_updates = yes
+
+# Whether updates should be applied when they are available.  Note
+# that both update_messages and download_updates must also be yes for
+# the update to be applied
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes.  The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running.  This is useful for e.g. staggering the
+# times that multiple systems will access update servers.  If
+# random_sleep is 0 or negative, the program will run immediately.
+#  NOTE this runs after yum-cron-daily, if that is installed,
+# so we will have already waited for that (default 2 hours, 120 mins).
+# Also security updates should be smaller than all updates, anyway.
+random_sleep = 60
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages.  Valid options are stdio and email.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+ouput_width = 80
+
+
+[email]
+# The address to send email messages from.
+email_from = root
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+
+[groups]
+# List of groups to update
+group_list = None
+
+# The types of group packages to install
+group_package_types = mandatory, default
+
+[base]
+# This section overrides yum.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: critical+errors
+# -2: critical+errors+warnings (default)
+debuglevel = -2
+
+# skip_broken = True
+mdpolicy = group:main
+
+# Uncomment to auto-import new gpg keys (dangerous)
+# assumeyes = True
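Review bot: `ouput_width = 80` in the [emitters] section looks like a misspelling of `output_width`; if yum-cron reads the correctly spelled key, this line is ignored and the built-in width is used, so check it against the option name the program parses. Because this file ships with `apply_updates = yes`, the final comment should say what the danger is, for example `# Uncomment to auto-import new gpg keys (dangerous: the unattended root job would then accept new signing keys with no administrator confirming them)`. In the `update_cmd` table the `minimal-security-severity:Critical` row is missing its leading `yum`, and `updates_messages` in the download comment should read `update_messages`.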
diff --git a/etc/yum-cron.conf b/etc/yum-cron.conf
index b0f7839..bd26d0c 100644
--- a/etc/yum-cron.conf
+++ b/etc/yum-cron.conf
@@ -24,8 +24,10 @@ apply_updates = no
 # minutes before running.  This is useful for e.g. staggering the
 # times that multiple systems will access update servers.  If
 # random_sleep is 0 or negative, the program will run immediately.
-# 6*60 = 360
-random_sleep = 360
+#  NOTE that we hold up all the other things in cron.daily as we wait,
+# so while waiting for 6+ hours is fine for us it might not be nice
+# for logrotate (so wait for 2 hours by default).
+random_sleep = 120
 
 
 [emitters]
diff --git a/yum-cron/Makefile b/yum-cron/Makefile
index cd3ff5f..3997b4a 100644
--- a/yum-cron/Makefile
+++ b/yum-cron/Makefile
@@ -20,5 +20,6 @@ install-common:
 # Install as 0yum-*.cron so it runs before items like
 # manpage update, mlocate, and prelink
 	install -D -m 755 yum-daily.cron.sh $(DESTDIR)/etc/cron.daily/0yum-daily.cron
+	install -D -m 755 yum-security.cron.sh $(DESTDIR)/etc/cron.daily/0yum-security.cron
 	install -D -m 755 yum-hourly.cron.sh $(DESTDIR)/etc/cron.hourly/0yum-hourly.cron
 	install -D -m 755 yum-cron.py $(DESTDIR)/usr/sbin/yum-cron
diff --git a/yum-cron/yum-security.cron.sh b/yum-cron/yum-security.cron.sh
new file mode 100644
index 0000000..2937e20
--- /dev/null
+++ b/yum-cron/yum-security.cron.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Only run if this flag is set. The flag is created by the yum-cron init
+# script when the service is started -- this allows one to use chkconfig and
+# the standard "service stop|start" commands to enable or disable yum-cron.
+if [[ ! -f /var/lock/subsys/yum-cron ]]; then
+  exit 0
+fi
+
+# Action!
+exec /usr/sbin/yum-cron /etc/yum/yum-cron-security.conf
diff --git a/yum.spec b/yum.spec
index a3e9bcf..0a6278c 100644
--- a/yum.spec
+++ b/yum.spec
@@ -161,9 +161,11 @@ yum-updatesd provides a daemon which checks for available updates and
 can notify you when they are available via email, syslog or dbus. 
 
 %package cron
-Summary: Files needed to run yum updates as a cron job
+Summary: RPM package installer/updater/manager cron service
 Group: System Environment/Base
 Requires: yum >= 3.4.3-84 cronie crontabs findutils
+Requires: yum-cron-BE = %{version}-%{release}
+# We'd probably like a suggests for yum-cron-daily here.
 %if %{yum_cron_systemd}
 BuildRequires: systemd-units
 Requires(post): systemd
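Review bot: `Requires: yum-cron-BE = %{version}-%{release}` can be satisfied by any of the three subpackages that provide it later in this patch (cron-daily, cron-hourly, cron-security), so which one an existing yum-cron install receives on upgrade appears to be left to the depsolver. That matters because cron-security ships with `apply_updates = yes` while the description of cron-daily says it only downloads, so an upgrade could move a host from download-only to unattended apply, or drop the daily job, without the administrator choosing it. The new comment about wanting a suggests acknowledges the gap; it would help to spell out the consequence there, e.g. `# NOTE: any yum-cron-BE provider satisfies this, so upgrades from the old single yum-cron package may not keep the daily job`. The `%package cron` stanza continues past the end of this hunk.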
@@ -178,8 +180,48 @@ Requires(postun): /sbin/service
 %endif
 
 %description cron
-These are the files needed to run yum updates as a cron job.
-Install this package if you want auto yum updates nightly via cron.
+These are the files needed to run any of the yum-cron update services.
+
+%package cron-daily
+Summary: Files needed to run yum updates as a daily cron job
+Group: System Environment/Base
+Provides: yum-cron-BE = %{version}-%{release}
+Requires: yum-cron > 3.4.3-131
+
+%description cron-daily
+This is the configuration file for the daily yum-cron update service, which
+lives %{_sysconfdir}/yum/yum-cron.conf.
+Install this package if you want auto yum updates nightly via cron (or something
+else, via. changing the configuration).
+By default this just downloads updates and does not apply them.
+
+%package cron-hourly
+Summary: Files needed to run yum updates as an hourly cron job
+Group: System Environment/Base
+Provides: yum-cron-BE = %{version}-%{release}
+Requires: yum-cron > 3.4.3-131
+
+%description cron-hourly
+This is the configuration file for the daily yum-cron update service, which
+lives %{_sysconfdir}/yum/yum-cron-hourly.conf.
+Install this package if you want automatic yum metadata updates hourly via
+cron (or something else, via. changing the configuration).
+
+%package cron-security
+Summary: Files needed to run security yum updates as once a day
+Group: System Environment/Base
+Provides: yum-cron-BE = %{version}-%{release}
+Requires: yum-cron > 3.4.3-131
+
+%description cron-security
+This is the configuration file for the security yum-cron update service, which
+lives here: %{_sysconfdir}/yum/yum-cron-security.conf
+Install this package if you want automatic yum security updates once a day
+via. cron (or something else, via. changing the configuration -- this will be
+confusing if it's not security updates anymore though).
+By default this will download and _apply_ the security updates, unlike
+yum-cron-daily which will just download all updates by default.
+This runs after yum-cron-daily, if that is installed.
 
 
 %prep
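Review bot: The `%description cron-hourly` text says `This is the configuration file for the daily yum-cron update service`, which was copied from cron-daily and should read `hourly`. The daily and hourly descriptions also drop a word in `lives %{_sysconfdir}/...` (`lives in`), and the cron-security Summary `Files needed to run security yum updates as once a day` reads better as `Files needed to run yum security updates once a day`. Since cron-security is the only one of the three that applies updates by default, saying so in its Summary (for instance `... and apply them`) would make that difference visible in package listings before anyone installs it.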
@@ -415,6 +457,21 @@ exit 0
 %{_sbindir}/yum-cron
 %{_mandir}/man*/yum-cron.*
 
+%files cron-daily
+%defattr(-,root,root)
+%{_sysconfdir}/cron.daily/0yum-daily.cron
+%config(noreplace) %{_sysconfdir}/yum/yum-cron.conf
+
+%files cron-hourly
+%defattr(-,root,root)
+%{_sysconfdir}/cron.hourly/0yum-hourly.cron
+%config(noreplace) %{_sysconfdir}/yum/yum-cron-hourly.conf
+
+%files cron-security
+%defattr(-,root,root)
+%{_sysconfdir}/cron.hourly/0yum-security.cron
+%config(noreplace) %{_sysconfdir}/yum/yum-cron-security.conf
+
 %if %{yum_updatesd}
 %files updatesd
 %defattr(-, root, root)
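Review bot: `%{_sysconfdir}/cron.hourly/0yum-security.cron` in `%files cron-security` does not match the path the yum-cron/Makefile hunk installs, `$(DESTDIR)/etc/cron.daily/0yum-security.cron`, so the package build would likely fail on a missing file and leave the cron.daily script unpackaged. The description and the config comments both say this job runs once a day after yum-cron-daily, so the entry should be `%{_sysconfdir}/cron.daily/0yum-security.cron`. This patch also removes no lines from the existing `%files cron` list, so if that list already names the cron scripts and conf files, they would now be owned by two packages; the list starts above the visible lines and should be checked.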
-- 
1.7.7.6


