Mastering dnf-automatic: Automating Fedora Updates Safely and Professionally

Fedora tutorial - IT technology blog

Don’t Let Manual Updates Get in Your Way

After over two years of using Fedora as my primary workstation, I’m incredibly impressed with the distro’s package refresh speed. However, opening a terminal every morning to manually type sudo dnf upgrade is a real time-sink, even if you speed up DNF with plugins. Sometimes, caught up in coding, I completely forget to update for a whole week, leaving the system exposed to unpatched security vulnerabilities.

Many users rely on cron jobs to automate updates. This approach carries significant risks because cron doesn’t know how to handle package conflicts or DNF metadata errors. That’s why dnf-automatic exists. It’s an official Fedora tool that allows you to check for, download, and install updates in a much more structured and safer way.

Quick Start: 5 Minutes to an Autonomous System

If you want your system to start updating itself automatically without a deep dive, follow these three quick steps:

Step 1: Install the package

sudo dnf install dnf-automatic

Step 2: Enable automatic installation

By default, this tool only downloads updates without installing them. You need to modify the configuration file:

sudo nano /etc/dnf/automatic.conf

Find and change apply_updates = no to yes as follows:

[commands]
upgrade_type = default
download_updates = yes
apply_updates = yes

Step 3: Enable the Systemd Timer

Instead of running as a heavy background service, dnf-automatic is driven by a systemd timer to save resources:

sudo systemctl enable --now dnf-automatic.timer

Your system is now set to automatically check for and install updates once a day.

Demystifying the automatic.conf Configuration File

All the most important settings are located in /etc/dnf/automatic.conf. Here are the parameters you should keep in mind to customize based on your needs:

1. upgrade_type (Select Update Type)

  • default: Updates all packages (equivalent to dnf upgrade).
  • security: Only installs security patches. This is the gold standard for production servers that require absolute stability while staying safe from zero-day vulnerabilities.

2. emit_via (Notification Method)

To know what the system did while you were asleep, you can choose how to receive reports:

  • stdio: Only displays output when running the command manually.
  • email: Sends detailed reports via email (requires a server configured with postfix or sendmail).
  • motd: Displays the update status as soon as you log into the server via SSH.

For example, to use the motd emitter, set the following in the [emitters] section:

[emitters]
emit_via = motd

Server Strategy: Security Updates Only with Email Reports

For servers running critical services, automatically updating everything can lead to application errors due to breaking changes in package versions. The safest solution is to only automate security patches.

Configure the /etc/dnf/automatic.conf file as follows:

[commands]
upgrade_type = security
apply_updates = yes

[email]
email_from = [email protected]
email_to = [email protected]
email_host = localhost

Then, enable the dedicated security timer to ensure this configuration is executed correctly:

sudo systemctl enable --now dnf-automatic-install.timer
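Before enabling the timer it is worth checking that the [commands], [emitters] and [email] settings described above and in the server strategy actually say what you intend. The following linter is an added example written for this post, not part of dnf-automatic; it reads the same INI layout as /etc/dnf/automatic.conf and flags the combinations the post warns about (the sample config text and the db_server flag are constructed for the demo).

```python
# Added example (not part of dnf-automatic or this post): sanity-check the
# [commands]/[emitters]/[email] settings of an automatic.conf before enabling
# the timer. Uses the stdlib configparser, since automatic.conf is INI format.
import configparser

# Constructed sample: the "quick start" config, which installs everything.
SAMPLE_CONF = """\
[commands]
upgrade_type = default
download_updates = yes
apply_updates = yes

[emitters]
emit_via = motd
"""

# Emitters the post covers, plus command/command_email, which dnf-automatic also accepts.
KNOWN_EMITTERS = {"stdio", "email", "motd", "command", "command_email"}


def lint_automatic_conf(text: str, db_server: bool = False) -> list[str]:
    """Return findings for a config; an empty list means nothing to flag."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []

    # dnf-automatic defaults: upgrade_type=default, download=yes, apply=no.
    upgrade_type = cp.get("commands", "upgrade_type", fallback="default")
    download = cp.getboolean("commands", "download_updates", fallback=True)
    apply_ = cp.getboolean("commands", "apply_updates", fallback=False)

    if upgrade_type not in ("default", "security"):
        findings.append(f"unknown upgrade_type '{upgrade_type}'")
    if apply_ and not download:
        findings.append("download_updates = no is ignored: apply_updates implies download")
    if apply_ and upgrade_type == "default":
        findings.append("unattended install of all updates; use upgrade_type = security on servers")
    if apply_ and db_server:
        findings.append("database host: keep apply_updates = no and install after review")

    emitters = {e.strip() for e in cp.get("emitters", "emit_via", fallback="stdio").split(",")}
    for e in sorted(emitters - KNOWN_EMITTERS):
        findings.append(f"unknown emitter '{e}'")
    if "email" in emitters:
        for key in ("email_from", "email_to", "email_host"):
            if not cp.get("email", key, fallback="").strip():
                findings.append(f"emit_via = email but [email] {key} is not set")
    return findings
```

Run it over the quick-start sample with `lint_automatic_conf(SAMPLE_CONF)` and it reports the unattended install of all updates; the server configuration from this section (with `emit_via = email` set) comes back clean.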

Monitoring and Checking History

Even if you trust automation, you should still check in periodically. To see if dnf-automatic is working, inspect the systemd logs with the following command:

# View the most recent operation logs
sudo journalctl -u dnf-automatic.service

# Check the next scheduled update (quote the pattern so the shell does not expand it)
systemctl list-timers '*dnf-automatic*'

Since dnf-automatic shares the same backend as DNF, you can monitor all changes through the command history:

sudo dnf history

If an automatic update causes an issue, simply use the sudo dnf history undo <ID> command to roll the system back to its previous state in seconds, similar to the safety provided by using Btrfs snapshots.

Pro Tips to Avoid Trouble

Handling Reboot Requirements

Updates to the kernel or to core system libraries such as glibc require a reboot to take effect. Fortunately, dnf-automatic will not reboot your machine on its own. To check whether a restart is needed, install the needs-restarting tool:

sudo dnf install yum-utils
sudo needs-restarting -r

If this command returns a reboot request, proactively schedule a suitable maintenance window.

Customizing Update Schedules

By default, the timer fires once a day with a randomized delay so that many machines don't hit the mirror servers at the same moment. If you want the server to update exactly at 2:00 AM, use the override command:

sudo systemctl edit dnf-automatic.timer

Add the following configuration to the file. The empty OnCalendar= line clears the default schedule first; without it the drop-in would add a second trigger time rather than replace the existing one:

[Timer]
OnCalendar=
OnCalendar=*-*-* 02:00:00
RandomizedDelaySec=0

Caution with Database Servers

For servers running MySQL, PostgreSQL, or Redis, updating packages may occasionally restart the service. While the risk is low, it can cause abrupt disconnections. For these servers, I usually set download_updates = yes only. The next morning, I review the list and install them manually to ensure safety.

Automation frees up our time, but understanding how it works is the mark of a professional engineer. Wishing you many peaceful nights without worrying about security flaws!
