CentOS Stream does not support dnf-automatic security updates

The repository lacks updateinfo to provide errata

  1. Background
  2. updateinfo.xml
  3. Enable automatic updates
  4. Unattended upgrades in Debian/Ubuntu

If you have configured dnf-automatic to only apply security updates on CentOS Stream, it will not install any updates.

/etc/dnf/automatic.conf
[commands]
upgrade_type = security

Background §

I discovered this limitation when attempting to patch openssh against CVE-2024-6387 (regreSSHion). Here’s a brief timeline of patch availability on CentOS Stream 9:

While waiting for the patch to become available, I enabled dnf-automatic and configured it to apply security updates only. When the patch openssh-8.7p1-42.el9 was finally available, I checked whether it had been applied using dnf info openssh. It showed the installed version was still 8.7p1-41 and that 8.7p1-42 was available. That did not look good. Did I forget to enable dnf-automatic? systemctl status dnf-automatic.timer showed it was enabled. Did it trigger dnf-automatic.service?

journalctl -r -u dnf-automatic.service
Jul 9 06:15:03 localhost dnf-automatic[12345]: No security updates needed, but 3 updates available

Not only did dnf-automatic not install 8.7p1-42, it also did not see the version as a security update. Before I went on to search for an answer, I applied the patch first with dnf upgrade openssh.

updateinfo.xml §

Red Hat documentation mentions that installed security updates can be listed with dnf updateinfo list security --installed; however, it returned nothing on CentOS Stream 9. To check that the command actually works, I ran it on an AlmaLinux box and it returned output similar to the Red Hat documentation.

I then learned that dnf depends on errata to detect whether a package version is a security update. From this post (archived), I discovered that errata are published in the repository in the form of updateinfo.xml, which is what dnf updateinfo reads.

I remembered that when dnf refreshes a repository, the first thing it fetches is /repodata/repomd.xml. So I looked for updateinfo.xml in /repodata/ but could not find it. This explained the empty output of dnf updateinfo, but I wasn’t convinced yet. I searched in AlmaLinux and found {sha256sum-hash}-updateinfo.xml.gz. Since the content is updated constantly, how does dnf know which updateinfo.xml to grab? I opened repomd.xml and noticed:

<data type="updateinfo">
  <location href="repodata/{sha256sum-hash}-updateinfo.xml.gz"/>
</data>

I also searched and discovered that updateinfo is also available on Rocky Linux, Oracle Linux and Fedora. Looking at Fedora’s repomd.xml, I learned that updateinfo.xml can be available in gzip, xz and zchunk (updateinfo_zck) formats. By then, I was sure that dnf cannot apply security-specific (nor bugfix/feature-specific) updates in CentOS Stream.

CentOS used to have updateinfo prior to CentOS 7; after it was removed in CentOS 7, there was a third-party repository that filled the gap but it never supported CentOS Stream.

Enable automatic updates §

Automatic updates only work in CentOS Stream with this config:

/etc/dnf/automatic.conf
[commands]
upgrade_type = default
apply_updates = yes

Automatic security-only updates are available on RHEL, AlmaLinux, Rocky Linux, Oracle Linux and Fedora. Fedora’s updateinfo does not include CVE references (e.g. <reference href="https://access.redhat.com/security/cve/CVE-2024-6387" id="CVE-2024-6387" type="cve" title="CVE-2024-6387"/>), so updates cannot be filtered by CVE ID there (dnf updateinfo list --cve CVE-2024-6387 --installed).
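The two checks described in the previous sections, done by hand: does a repository's repomd.xml advertise an updateinfo entry at all (the thing CentOS Stream lacks), and, if it does, which advisories in updateinfo.xml are security advisories and which CVE ids they reference (the thing --cve filtering needs and Fedora omits). This is an added example, not code from the post; the three XML documents are constructed samples that follow the structure shown above, advisory ids and the e-mail address are placeholders, and on a real system repomd.xml would be fetched from <baseurl>/repodata/repomd.xml and updateinfo from the href it points to.

```python
"""Check a repo for errata (updateinfo) and list its security advisories.
Added example; all XML below is constructed sample data, not real repodata."""
import gzip
import lzma
import xml.etree.ElementTree as ET

REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"
# Errata entry types dnf understands; updateinfo_zck is the zchunk variant.
ERRATA_TYPES = {"updateinfo", "updateinfo_zck"}

# Constructed repomd.xml of a repo that ships errata (AlmaLinux-style).
REPOMD_WITH_ERRATA = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/{sha256sum-hash}-primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/{sha256sum-hash}-updateinfo.xml.gz"/></data>
</repomd>"""

# Constructed repomd.xml of a CentOS Stream-style repo: no updateinfo entry.
REPOMD_WITHOUT_ERRATA = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/{sha256sum-hash}-primary.xml.gz"/></data>
</repomd>"""

# Constructed updateinfo.xml: one security advisory carrying a CVE reference
# and one bugfix advisory without any reference (advisory ids are placeholders).
UPDATEINFO_SAMPLE = """<updates>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-SA-0001</id>
    <title>Important: openssh security update</title>
    <references>
      <reference href="https://access.redhat.com/security/cve/CVE-2024-6387"
                 id="CVE-2024-6387" type="cve" title="CVE-2024-6387"/>
    </references>
    <pkglist><collection>
      <package name="openssh" version="8.7p1" release="42.el9" arch="x86_64">
        <filename>openssh-8.7p1-42.el9.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
  <update from="errata@example.invalid" status="final" type="bugfix" version="1">
    <id>EXAMPLE-BA-0002</id>
    <title>bash bug fix update</title>
    <references/>
    <pkglist><collection>
      <package name="bash" version="5.1.8" release="9.el9" arch="x86_64">
        <filename>bash-5.1.8-9.el9.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
</updates>"""
# The same document as a mirror would serve it: gzip-compressed.
UPDATEINFO_SAMPLE_GZ = gzip.compress(UPDATEINFO_SAMPLE.encode())


def updateinfo_hrefs(repomd_xml: str) -> list[str]:
    """Return the href of every errata entry in repomd.xml (empty if none)."""
    root = ET.fromstring(repomd_xml)
    hrefs = []
    for data in root.findall(REPOMD_NS + "data"):
        if data.get("type") in ERRATA_TYPES:
            loc = data.find(REPOMD_NS + "location")
            if loc is not None and loc.get("href"):
                hrefs.append(loc.get("href"))
    return hrefs


def supports_security_updates(repomd_xml: str) -> bool:
    """True when dnf could honour upgrade_type = security for this repo."""
    return bool(updateinfo_hrefs(repomd_xml))


def decode_updateinfo(blob: bytes) -> str:
    """Decompress a downloaded updateinfo file (gzip or xz) to XML text.
    zchunk (.zck) is not handled here; plain XML is passed through."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    elif blob[:6] == b"\xfd7zXZ\x00":
        blob = lzma.decompress(blob)
    return blob.decode("utf-8")


def security_advisories(updateinfo_xml: str) -> list[dict]:
    """List security advisories with their CVE ids and package filenames."""
    root = ET.fromstring(updateinfo_xml)
    found = []
    for upd in root.findall("update"):
        if upd.get("type") != "security":
            continue
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [f.text for f in upd.iter("filename")]
        found.append({"id": upd.findtext("id"), "cves": cves, "packages": pkgs})
    return found


def advisories_for_cve(updateinfo_xml: str, cve: str) -> list[str]:
    """Advisory ids referencing a CVE; empty when the errata carry no CVE refs."""
    return [a["id"] for a in security_advisories(updateinfo_xml) if cve in a["cves"]]


if __name__ == "__main__":
    for name, doc in (("with errata", REPOMD_WITH_ERRATA), ("without errata", REPOMD_WITHOUT_ERRATA)):
        print(f"repo {name}: security-only updates possible = {supports_security_updates(doc)}")
    for adv in security_advisories(decode_updateinfo(UPDATEINFO_SAMPLE_GZ)):
        print(adv["id"], adv["cves"], adv["packages"])
```

Running it against the constructed data reports that only the first repomd.xml can support security-only updates and that EXAMPLE-SA-0001 is the advisory for CVE-2024-6387. Pointing updateinfo_hrefs at a real repository's repomd.xml is a quick way to confirm, before trusting upgrade_type = security, that the errata dnf needs are actually published.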

Unattended upgrades in Debian/Ubuntu §

Automatic updates are provided by the unattended-upgrades package, which is installed by default but not enabled. It can be configured through “/etc/apt/apt.conf.d/50unattended-upgrades”.

/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
};

Each allowed origin refers to a distribution/component; in Ubuntu 24.04, those two lines refer to 24.04:noble and 24.04:noble-security. The default config effectively applies security updates only, though it is not obvious at first. noble is the base repository of Ubuntu 24.04 once it reached general availability. Security updates are available in noble-security while bugfix updates are available in noble-updates instead.

In Debian, the config is different.

/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

Security updates are published under a different URI, debian-security, instead of the primary URI debian. A notable implication is that not every Debian mirror also mirrors debian-security.

To enable unattended upgrades, run dpkg-reconfigure --priority=low unattended-upgrades and select yes; it will create “/etc/apt/apt.conf.d/20auto-upgrades”.

/etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
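To make the origin/label matching of the Ubuntu and Debian configs above concrete, here is a small model of how an Allowed-Origins entry is matched against the fields of a repository's Release file. This is an added example, not the unattended-upgrades package's own code: it reproduces only the two pattern forms shown in this section (the legacy "origin:archive" form and the "key=value,..." form) and assumes distro_id is "Ubuntu" or "Debian" and distro_codename "noble" or "bookworm". The release records are constructed so that they exercise the patterns; the fields of a real mirror (origin, label, suite, codename) are what apt-cache policy prints as o=, l=, a= and c=.

```python
"""Simplified model of Allowed-Origins matching in unattended-upgrades.
Added example; release records are constructed, not read from a real apt."""

# Assumption: what unattended-upgrades would substitute from lsb_release.
DEBIAN_VARS = {"distro_id": "Debian", "distro_codename": "bookworm"}
UBUNTU_VARS = {"distro_id": "Ubuntu", "distro_codename": "noble"}

# The two Allowed-Origins lists shown in this section.
UBUNTU_ORIGINS = [
    "${distro_id}:${distro_codename}",
    "${distro_id}:${distro_codename}-security",
]
DEBIAN_ORIGINS = [
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
]

# One-letter aliases as used in apt pinning (o=, l=, a=, c=).
KEY_ALIASES = {"o": "origin", "l": "label", "a": "suite", "archive": "suite", "c": "codename"}

# Constructed Release-file fields for candidate package sources.
UBUNTU_RELEASES = {
    "noble":          {"origin": "Ubuntu", "label": "Ubuntu", "suite": "noble", "codename": "noble"},
    "noble-security": {"origin": "Ubuntu", "label": "Ubuntu", "suite": "noble-security", "codename": "noble"},
    "noble-updates":  {"origin": "Ubuntu", "label": "Ubuntu", "suite": "noble-updates", "codename": "noble"},
}
DEBIAN_RELEASES = {
    "debian (main)":    {"origin": "Debian", "label": "Debian", "codename": "bookworm"},
    "debian-security":  {"origin": "Debian", "label": "Debian-Security", "codename": "bookworm"},
    "debian (updates)": {"origin": "Debian", "label": "Debian", "codename": "bookworm-updates"},
    "third-party":      {"origin": "Example", "label": "Example", "codename": "bookworm"},
}


def expand(pattern: str, distro_vars: dict) -> str:
    """Substitute ${distro_id} and ${distro_codename} in a pattern."""
    for key, value in distro_vars.items():
        pattern = pattern.replace("${" + key + "}", value)
    return pattern


def parse_origin(pattern: str, distro_vars: dict) -> dict:
    """Turn an Allowed-Origins entry into the Release fields it requires."""
    pattern = expand(pattern, distro_vars)
    if "=" not in pattern:
        # Legacy form "origin:archive": archive is the Release 'Suite' field.
        origin, archive = pattern.split(":", 1)
        return {"origin": origin, "suite": archive}
    wanted = {}
    for pair in pattern.split(","):
        key, _, value = pair.partition("=")
        wanted[KEY_ALIASES.get(key.strip(), key.strip())] = value.strip()
    return wanted


def matches(release: dict, pattern: str, distro_vars: dict) -> bool:
    """True when every field the pattern names equals the Release field."""
    return all(release.get(k) == v for k, v in parse_origin(pattern, distro_vars).items())


def allowed_sources(releases: dict, patterns: list, distro_vars: dict) -> list:
    """Names of the sources unattended-upgrades would install packages from."""
    return [name for name, rel in releases.items()
            if any(matches(rel, p, distro_vars) for p in patterns)]


if __name__ == "__main__":
    print("Ubuntu:", allowed_sources(UBUNTU_RELEASES, UBUNTU_ORIGINS, UBUNTU_VARS))
    print("Debian:", allowed_sources(DEBIAN_RELEASES, DEBIAN_ORIGINS, DEBIAN_VARS))
```

With the constructed records, the Ubuntu config selects noble and noble-security but not noble-updates, which is the security-only behaviour described above, and the Debian config selects the main archive and the Debian-Security labelled source while ignoring the updates suite and a third-party origin. A mirror that does not carry debian-security simply never produces a record with that label, so nothing from it is ever picked up as a security update.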