Automatic System Updates with Plesk and CentOS


In this guide we’ll talk about how to schedule automatic updates with Plesk and CentOS. The same approach works on other platforms and is not limited to CentOS or Plesk. Plesk does need some specific exclusions so that we don’t break things.

Preface

System updates are very important and it’s crucial that you keep your Linux system up-to-date at all times. Knowing when and how to update the system so that it doesn’t break things is also important. We’ll go through how to set up yum-cron to automatically provide updates and we’ll go over some common exclusions for Plesk to prevent updates that may create problems.

Is it safe to update system packages using an operating system package manager?

Yes, it is safe, and moreover, we recommend using package managers (for example, “yum” on RedHat-based systems, or “apt-get” on Debian-based systems) to keep the system up-to-date.

Install Yum-Cron or unattended-upgrades

The first thing we need to do is install yum-cron for RedHat variants or unattended-upgrades for Debian variants. It’s fairly simple and only requires one command.

On RedHat Variants (Including CentOS) run:

yum install yum-cron

On Debian Variants run:

apt-get install unattended-upgrades bsd-mailx

With Debian Variants you need to install bsd-mailx along with the unattended upgrades if you want to receive email notifications.

Configure the Service (RedHat)

Edit the configuration file by running the following command:

nano /etc/sysconfig/yum-cron

Once in the config file, edit whichever lines you want. The config file has great support documentation included. By default we leave this file as it is; YUM_PARAMETER and MAILTO are the only settings that we ever modify.

Once you have saved the configuration file run the following to start the service:

/etc/init.d/yum-cron start

After a day or so you should be able to see activity in the yum log which you can check by running the following command:

tail -f /var/log/yum.log

Configure the Service (Debian)

Edit the configuration file by running the following command:

nano /etc/apt/apt.conf.d/50unattended-upgrades

Once in the config file, edit whichever lines you want. The config file has great support documentation included. The only thing we modify here is the email notification: remove the leading “//” comment marker and put the email address for notifications into the line.

After a day or so check the logs to make sure things are running by issuing the following command:

tail -f /var/log/unattended-upgrades/unattended-upgrades.log

Plesk specific settings for CentOS

If Plesk is installed inside a container, the kernel updates are not necessary — the kernel should be upgraded from the Hardware Node. If Plesk is installed on a hardware server, the kernel updates are recommended if there are only vendor’s repositories configured. Otherwise, if the custom repositories provide new kernels, it is better to have the kernel manually updated from the vendor’s repository. The reason is simple: major troubles are caused by kernels with GRSecurity patches applied. Plesk is not designed for working with such configurations.

To ensure that these aren’t upgraded, edit the yum-cron configuration file and change the YUM_PARAMETER to the following:

YUM_PARAMETER="-x kernel* -x sendmail* -x bind-chroot* -x caching-nameserver*"

If you would like to exclude php and mod_sec as we do, change the parameter to the following:

YUM_PARAMETER="-x kernel* -x php* -x sendmail* -x bind-chroot* -x caching-nameserver* -x mod_security*"

As an added precaution we also recommend editing the yum.conf file by issuing the following:

nano /etc/yum.conf

And modifying the exclude line to include whichever you wish to exclude like so:

exclude=kernel* sendmail bind-chroot caching-nameserver centos-yumconf
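
Packages excluded this way no longer receive security fixes automatically, so it is worth checking regularly which pending updates the exclusions are holding back. The script below is an added example, not part of the original guide: it reads the -x globs from a yum-cron config and matches them against `yum check-update` style output. The function names and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report pending updates that the yum-cron exclusions hold back.
# Real use (run on the server):
#   yum -q check-update --disableexcludes=all |
#       held_back "$(excluded_patterns < /etc/sysconfig/yum-cron)"

# Read a yum-cron sysconfig file on stdin; print each glob given with -x
# in its (last) YUM_PARAMETER line, one per line.
excluded_patterns() {
    sed -n 's/^[[:space:]]*YUM_PARAMETER="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1 |
        tr -s ' ' '\n' | awk 'prev == "-x" { print } { prev = $0 }'
}

# $1 = newline-separated globs. Read "name.arch version repo" lines (the
# format of `yum check-update`) on stdin; print "name version" for matches.
held_back() {
    patterns=$1
    while read -r pkg version repo; do
        [ -n "$version" ] || continue     # skip blank and one-word lines
        name=${pkg%.*}                    # drop the .arch suffix
        # A here-document feeds the globs so the shell never expands them
        # against files in the current directory.
        while IFS= read -r pat; do
            case $name in
                $pat) printf '%s %s\n' "$name" "$version"; break ;;
            esac
        done <<EOF
$patterns
EOF
    done
}

# Constructed sample input (not taken from a real server).
SAMPLE_CONFIG='# yum-cron settings
YUM_PARAMETER="-x kernel* -x php* -x sendmail* -x bind-chroot* -x caching-nameserver* -x mod_security*"
MAILTO=root'
SAMPLE_UPDATES='
kernel.x86_64           0.0.0-2.example  updates
kernel-headers.x86_64   0.0.0-2.example  updates
php-common.x86_64       0.0.0-5.example  updates
openssl.x86_64          0.0.0-9.example  updates
bind-utils.x86_64       0.0.0-3.example  updates'

printf '%s\n' "$SAMPLE_UPDATES" |
    held_back "$(printf '%s\n' "$SAMPLE_CONFIG" | excluded_patterns)"
```

The --disableexcludes=all option in the usage comment is needed because the exclude line in /etc/yum.conf would otherwise hide the same packages from check-update.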

Conclusion

Once you have everything set up, Automatic System Updates with Plesk and CentOS should be working like a charm!

From all of us at WireFlare we ask that you help others find the answers they are looking for. Please leave a comment or share this post!

About


I'm the President of WireFlare. I have a passion for creativity, online business and internet security. I strive to create a community that empowers people to be themselves. I'm an adventurist, fun loving and caring. Find me hiking in places most people don't dare to go!
