Keeping your AlmaLinux systems updated is crucial for security, stability, and performance. Effective patch management protects against vulnerabilities, ensures compatibility, and provides access to new features. This comprehensive guide covers everything from basic update procedures to enterprise-grade patch management strategies, helping you maintain a secure and reliable AlmaLinux infrastructure.
Understanding AlmaLinux Updates
Update Categories
AlmaLinux updates fall into several categories, each serving different purposes:
# Update types and their importance
Security Updates: Critical patches for vulnerabilities
Bug Fixes: Corrections for software defects
Enhancement: New features and improvements
Performance: Optimization updates
Dependencies: Required library updates
Update Lifecycle
Upstream (RHEL) → AlmaLinux Build → Testing → Repository → Your System
                  (Build System)    (QA Testing) (Mirror Sync) (Local Install)
Update Priority Matrix
# Priority levels for updates
Update Type    | Priority  | Timeframe  | Testing Need
---------------+-----------+------------+--------------
Critical Sec.  | Immediate | < 24 hours | Minimal
Important Sec. | High      | < 7 days   | Basic
Moderate Sec.  | Medium    | < 30 days  | Standard
Bug Fixes      | Medium    | < 30 days  | Standard
Enhancements   | Low       | Quarterly  | Comprehensive
DNF Package Manager Basics
DNF Configuration
# Main configuration file
sudo nano /etc/dnf/dnf.conf
# Essential configuration options (comments on their own lines; dnf.conf does not reliably accept trailing comments after a value)
[main]
# Verify package signatures
gpgcheck=1
# Keep 3 kernels
installonly_limit=3
clean_requirements_on_remove=True
# Install best version available
best=True
# Fail if a package is unavailable instead of silently skipping it
skip_if_unavailable=False
DNF Commands Overview
# Basic DNF commands
dnf help # Show help
dnf list # List packages
dnf search <keyword> # Search packages
dnf info <package> # Package information
dnf provides <file> # Find package providing file
dnf history # Transaction history
dnf clean all # Clean cache
DNF Plugins
# Install the core plugin set (dnf-plugins-core already provides config-manager, needs-restarting, reposync and others)
sudo dnf install dnf-plugins-core dnf-utils
# Install additional plugins
sudo dnf install \
  dnf-automatic \
  dnf-plugin-versionlock \
  dnf-plugin-system-upgrade
# List installed plugins (quote the glob so the shell does not expand it against local files)
dnf list installed '*dnf-plugin*'
Checking for Available Updates
Basic Update Checks
# Check for all available updates
sudo dnf check-update
# Count available updates (-q prints only package lines, so the metadata header is not counted)
sudo dnf -q check-update | grep -vc '^$'
# Check specific package updates
sudo dnf check-update kernel
sudo dnf check-update httpd
# List only security updates
sudo dnf updateinfo list security
# Show update details
sudo dnf updateinfo info
Detailed Update Analysis
# Create update summary script
cat << 'EOF' > /usr/local/bin/update-summary.sh
#!/bin/bash
echo "System Update Summary"
echo "====================="
echo "Date: $(date)"
echo
# System information
echo "System Information:"
echo "  Hostname: $(hostname)"
echo "  Kernel: $(uname -r)"
echo "  AlmaLinux: $(cat /etc/redhat-release)"
echo
# Update statistics
# -q suppresses the "Last metadata expiration check" header, so only package lines are counted.
# Advisory IDs are ALSA-/ALBA-/ALEA-..., so grepping for "ALMA" would always count zero.
echo "Update Statistics:"
total=$(dnf -q check-update 2>/dev/null | grep -vc '^$')
security=$(dnf -q updateinfo list security 2>/dev/null | grep -vc '^$')
bugfix=$(dnf -q updateinfo list bugfix 2>/dev/null | grep -vc '^$')
enhancement=$(dnf -q updateinfo list enhancement 2>/dev/null | grep -vc '^$')
echo "  Total updates available: $total"
echo "  Security updates: $security"
echo "  Bug fixes: $bugfix"
echo "  Enhancements: $enhancement"
echo
# Critical updates
echo "Critical Updates:"
dnf -q updateinfo list security --sec-severity=Critical 2>/dev/null
# Important updates
echo -e "\n⚠️ Important Updates:"
dnf -q updateinfo list security --sec-severity=Important 2>/dev/null | head -10
EOF
chmod +x /usr/local/bin/update-summary.sh
Security Update Details
# Show security advisory information
sudo dnf updateinfo info --security
# List updates by severity
sudo dnf updateinfo list --sec-severity=Critical
sudo dnf updateinfo list --sec-severity=Important
sudo dnf updateinfo list --sec-severity=Moderate
sudo dnf updateinfo list --sec-severity=Low
# Show CVE information (--with-cve lists CVE ids in place of advisory ids; --cve=<id> filters on a single CVE)
sudo dnf updateinfo list --with-cve
sudo dnf updateinfo info --cve=CVE-2024-1234
Installing System Updates
Basic Update Installation
# Update all packages
sudo dnf update -y
# Update with confirmation
sudo dnf update
# Update specific package
sudo dnf update httpd
# Update multiple packages
sudo dnf update httpd php mariadb
# Exclude packages from update (quote the glob so the shell does not expand it against local files)
sudo dnf update -y --exclude='kernel*'
sudo dnf update -y --exclude='postgresql*'
Selective Updates
# Security updates only
sudo dnf update --security
# Specific severity updates
sudo dnf update --sec-severity=Critical
sudo dnf update --sec-severity=Important
# Bug fixes only
sudo dnf update --bugfix
# Enhancement updates
sudo dnf update --enhancement
# Update to specific version
sudo dnf update-to httpd-2.4.51-1.el9
Update with Logging
# Create update wrapper script
cat << 'EOF' > /usr/local/bin/system-update.sh
#!/bin/bash
# pipefail: "dnf ... | tee" would otherwise report tee's exit status, not dnf's
set -o pipefail
LOG_DIR="/var/log/system-updates"
LOG_FILE="$LOG_DIR/update-$(date +%Y%m%d-%H%M%S).log"
# Create log directory
mkdir -p "$LOG_DIR"
# Function to log messages
log_message() {
  echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# Start update process
log_message "Starting system update"
log_message "Current kernel: $(uname -r)"
# Check for updates (-q: package lines only, so the count is exact)
log_message "Checking for available updates..."
UPDATE_COUNT=$(dnf -q check-update 2>/dev/null | grep -vc '^$')
log_message "Found $UPDATE_COUNT updates"
if [ "$UPDATE_COUNT" -eq 0 ]; then
  log_message "System is up to date"
  exit 0
fi
# List updates
log_message "Updates to be installed:"
dnf check-update 2>&1 | tee -a "$LOG_FILE"
# Perform update and test dnf's own exit status
log_message "Installing updates..."
if dnf update -y 2>&1 | tee -a "$LOG_FILE"; then
  log_message "✅ Update completed successfully"
else
  RC=$?
  log_message "❌ Update failed with error code: $RC"
  exit 1
fi
# Check if reboot required (needs-restarting -r exits 1 when a reboot is required, 0 when it is not)
if ! needs-restarting -r &>/dev/null; then
  log_message "⚠️ System reboot required"
else
  log_message "No reboot required"
fi
# List services needing restart
log_message "Services requiring restart:"
needs-restarting -s 2>&1 | tee -a "$LOG_FILE"
log_message "Update process completed"
EOF
chmod +x /usr/local/bin/system-update.sh
Security Updates Management
Security-First Update Strategy
# Create security update script
cat << 'EOF' > /usr/local/bin/security-updates.sh
#!/bin/bash
echo "Security Update Management"
echo "=========================="
echo
# Check for security updates (-q: advisory lines only, no metadata header)
echo "Checking for security updates..."
SECURITY_UPDATES=$(dnf -q updateinfo list security 2>/dev/null)
if [ -z "$SECURITY_UPDATES" ]; then
  echo "✅ No security updates available"
  exit 0
fi
# Categorize by severity
echo "Critical Security Updates:"
dnf -q updateinfo list security --sec-severity=Critical 2>/dev/null
echo -e "\n⚠️ Important Security Updates:"
dnf -q updateinfo list security --sec-severity=Important 2>/dev/null
echo -e "\nModerate Security Updates:"
dnf -q updateinfo list security --sec-severity=Moderate 2>/dev/null
# Prompt for installation
read -p "Install security updates now? (y/n): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
  sudo dnf update --security -y
  echo "✅ Security updates installed"
else
  echo "⏸️ Security updates postponed"
fi
EOF
chmod +x /usr/local/bin/security-updates.sh
CVE Tracking
# CVE monitoring script
cat << 'EOF' > /usr/local/bin/cve-check.sh
#!/bin/bash
echo "CVE Vulnerability Check"
echo "======================="
echo
# Fetch the CVE list once. Each line is "<CVE id> <Severity>/Sec. <package NEVRA>".
# --with-cve prints CVE ids in place of advisory ids (--cve expects a specific id), and
# dnf only lists advisories that apply to installed packages, so no rpm -qa loop is needed.
CVE_LIST=$(dnf -q updateinfo list --with-cve 2>/dev/null)
echo "Checking for known CVEs..."
# Reduce the NEVRA column to the bare package name (strip .arch, -release, -[epoch:]version)
# so that "openssh" does not also match "openssh-server" the way a substring grep would.
printf '%s\n' "$CVE_LIST" | awk '
  NF == 3 {
    name = $3
    sub(/\.[^.]+$/, "", name)
    sub(/-[^-]+$/, "", name)
    sub(/-[^-]+$/, "", name)
    if (!seen[name, $1]++) cves[name] = cves[name] " " $1
  }
  END { for (name in cves) print "⚠️ " name ":" cves[name] }' | sort
# Summary (unique CVE ids)
echo -e "\nSummary:"
TOTAL_CVES=$(printf '%s\n' "$CVE_LIST" | awk 'NF == 3 {print $1}' | sort -u | wc -l)
echo "Total CVEs affecting system: $TOTAL_CVES"
if [ "$TOTAL_CVES" -gt 0 ]; then
  echo "❌ System has known vulnerabilities"
  echo "Run 'sudo dnf update --security' to patch"
else
  echo "✅ No known CVEs detected"
fi
EOF
chmod +x /usr/local/bin/cve-check.sh
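The counting in the update-summary script and the package-to-CVE matching in the CVE tracking script above both depend on the three-column layout of `dnf updateinfo list` (id, severity or type, package NEVRA). The following bash functions are an added example, not code from the original guide, that parse that layout by column: severity counts come from the second column, and a package's CVEs are found by reducing the NEVRA in the third column to its bare name, so `openssh` is not confused with `openssh-server`. The input is a constructed sample with placeholder CVE ids (CVE-0000-*) and made-up package versions; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): parse `dnf updateinfo list` output
# by column instead of counting lines or grepping for substrings.
# Each advisory line of `dnf updateinfo list [security] [--with-cve]` has three columns:
#   <advisory or CVE id>  <Severity>/Sec.|bugfix|enhancement  <package NEVRA>
# Constructed sample: placeholder CVE ids (CVE-0000-*) and made-up package versions.
# The first line imitates the metadata header dnf prints without -q and must be ignored.
SAMPLE_UPDATEINFO='Last metadata expiration check: 0:12:34 ago on Mon 01 Jan 2024 00:00:00 UTC.
CVE-0000-1001 Important/Sec. openssl-1:3.0.7-16.el9.x86_64
CVE-0000-1002 Important/Sec. openssl-1:3.0.7-16.el9.x86_64
CVE-0000-1002 Important/Sec. openssl-libs-1:3.0.7-16.el9.x86_64
CVE-0000-1003 Critical/Sec.  openssh-8.7p1-30.el9.x86_64
CVE-0000-1004 Moderate/Sec.  openssh-server-8.7p1-30.el9.x86_64
CVE-0000-1005 Moderate/Sec.  kernel-5.14.0-362.el9.x86_64'

# Reduce an RPM NEVRA (name-[epoch:]version-release.arch) to the bare package name:
# strip .arch, then -release, then -[epoch:]version. Dashes inside the name survive.
nevra_name() {
  printf '%s\n' "$1" | awk '{ n = $0
    sub(/\.[^.]+$/, "", n); sub(/-[^-]+$/, "", n); sub(/-[^-]+$/, "", n)
    print n }'
}

# Keep only advisory lines: exactly three columns and an id that looks like
# CVE-..., ALSA-... (security), ALBA-... (bugfix) or ALEA-... (enhancement).
advisory_lines() {
  awk 'NF == 3 && $1 ~ /^(CVE-|AL[SBE]A-)/'
}

# Number of advisories at one severity (Critical, Important, Moderate, Low) on stdin.
count_severity() {
  advisory_lines | awk -v s="$1" '$2 == (s "/Sec.") { c++ } END { print c + 0 }'
}

# De-duplicated, space-separated ids that apply to exactly the package named in $1.
ids_for_package() {
  advisory_lines | while read -r id _type nevra; do
    if [ "$(nevra_name "$nevra")" = "$1" ]; then printf '%s\n' "$id"; fi
  done | awk '!seen[$0]++ { out = out (out == "" ? "" : " ") $0 } END { print out }'
}

# Stand-alone demonstration on the constructed sample.
for sev in Critical Important Moderate Low; do
  printf '%-9s %s\n' "$sev" "$(printf '%s\n' "$SAMPLE_UPDATEINFO" | count_severity "$sev")"
done
for pkg in openssl openssh openssh-server; do
  printf '%s: %s\n' "$pkg" "$(printf '%s\n' "$SAMPLE_UPDATEINFO" | ids_for_package "$pkg")"
done
```

On a live system the sample variable is replaced by `dnf -q updateinfo list --with-cve` (or `dnf -q updateinfo list security` for advisory ids); because `advisory_lines` drops anything that is not a three-column advisory line, the functions also tolerate the metadata header that appears without `-q`.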
Kernel Updates and Management
Kernel Update Strategy
# Check current kernel
uname -r
# List installed kernels
rpm -qa kernel
# List available kernel updates
dnf list available kernel
# Install latest kernel
sudo dnf update kernel
# Install specific kernel version
sudo dnf install kernel-5.14.0-162.el9
# Set default kernel
sudo grubby --set-default /boot/vmlinuz-5.14.0-162.el9.x86_64
# View kernel changelog
rpm -q --changelog kernel | head -50
Kernel Management
# Configure kernel retention
sudo nano /etc/dnf/dnf.conf
# Set: installonly_limit=3
# Remove old kernels manually; dnf keeps the installonly_limit newest plus the running one
sudo dnf remove --oldinstallonly
# Legacy yum-utils form of the same operation
sudo package-cleanup --oldkernels --count=2
# Prevent kernel updates
sudo dnf versionlock kernel
# List version locks
sudo dnf versionlock list
# Remove version lock
sudo dnf versionlock delete kernel
Kernel Update Testing
# Kernel testing script
cat << 'EOF' > /usr/local/bin/kernel-test.sh
#!/bin/bash
echo "Kernel Update Testing"
echo "====================="
echo
# Current kernel
CURRENT=$(uname -r)
echo "Current kernel: $CURRENT"
# Latest installed kernel (rpm -qa kernel prints kernel-<version>; strip the prefix to match uname -r)
LATEST=$(rpm -qa kernel | sort -V | tail -1 | sed 's/^kernel-//')
echo "Latest installed: $LATEST"
if [ "$CURRENT" != "$LATEST" ]; then
  echo "⚠️ Not running latest kernel"
  echo "Reboot required to activate: $LATEST"
else
  echo "✅ Running latest kernel"
fi
# Check for newer kernels (-q drops the metadata line; tail skips the "Available Packages" header)
echo -e "\nAvailable kernel updates:"
dnf -q list available kernel 2>/dev/null | tail -n +2
# Module compatibility check: does each currently loaded module exist for the latest installed kernel?
echo -e "\nKernel module status:"
for mod in $(lsmod | tail -n +2 | awk '{print $1}'); do
  if modinfo -k "$LATEST" "$mod" &>/dev/null; then
    echo "  ✅ $mod: Compatible"
  else
    echo "  ⚠️ $mod: Check compatibility"
  fi
done 2>/dev/null | head -10
EOF
chmod +x /usr/local/bin/kernel-test.sh
Automated Update Strategies
DNF Automatic Configuration
# Install dnf-automatic
sudo dnf install dnf-automatic
# Configure automatic updates
sudo nano /etc/dnf/automatic.conf
Configuration for security updates only:
[commands]
upgrade_type = security
random_sleep = 3600
download_updates = yes
apply_updates = yes
[emitters]
emit_via = stdio,email,motd
system_name = None
[email]
email_from = root@localhost
email_to = [email protected]
email_host = localhost
[command_email]
email_from = root@localhost
email_to = [email protected]
[base]
debuglevel = 1
Scheduling Automatic Updates
# Enable dnf-automatic timer
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer
# Check timer status
systemctl status dnf-automatic.timer
systemctl list-timers dnf-automatic.timer
# Customize update schedule
sudo systemctl edit dnf-automatic.timer
# Add custom schedule:
[Timer]
OnCalendar=
OnCalendar=Sun 03:00
RandomizedDelaySec=1h
Custom Automation Script
# Advanced automation script
cat << 'EOF' > /usr/local/bin/auto-update.sh
#!/bin/bash
# Configuration
APPLY_UPDATES="yes"
SECURITY_ONLY="yes"
REBOOT_IF_NEEDED="no"
EMAIL_REPORT="[email protected]"
LOG_FILE="/var/log/auto-updates.log"
# Functions
log_message() {
  echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
}
send_report() {
  if [ -n "$EMAIL_REPORT" ]; then
    mail -s "Update Report - $(hostname)" "$EMAIL_REPORT" < "$LOG_FILE"
  fi
}
# Main process
log_message "Starting automatic update process"
# Choose the commands (-q: package lines only, so the count below is exact)
if [ "$SECURITY_ONLY" = "yes" ]; then
  UPDATE_CMD="dnf update --security -y"
  UPDATE_CHECK="dnf -q updateinfo list security"
else
  UPDATE_CMD="dnf update -y"
  UPDATE_CHECK="dnf -q check-update"
fi
# Count available updates
UPDATE_COUNT=$($UPDATE_CHECK 2>/dev/null | grep -vc '^$')
log_message "Found $UPDATE_COUNT updates"
if [ "$UPDATE_COUNT" -eq 0 ]; then
  log_message "No updates available"
  exit 0
fi
# Apply updates if configured
if [ "$APPLY_UPDATES" = "yes" ]; then
  log_message "Applying updates..."
  if $UPDATE_CMD >> "$LOG_FILE" 2>&1; then
    log_message "Updates applied successfully"
  else
    log_message "Update failed!"
    send_report
    exit 1
  fi
fi
# Check if reboot needed (needs-restarting -r exits 1 when a reboot is required)
if ! needs-restarting -r &>/dev/null; then
  log_message "System reboot required"
  if [ "$REBOOT_IF_NEEDED" = "yes" ]; then
    log_message "Scheduling reboot in 5 minutes"
    shutdown -r +5 "System will reboot for updates"
  fi
fi
# Send report
send_report
log_message "Update process completed"
EOF
chmod +x /usr/local/bin/auto-update.sh
# Add to crontab (entries in /etc/crontab need a user field before the command)
echo "0 3 * * * root /usr/local/bin/auto-update.sh" | sudo tee -a /etc/crontab
Update Rollback and Recovery
DNF History and Rollback
# View transaction history
sudo dnf history
# View specific transaction details
sudo dnf history info 42
# Undo last transaction
sudo dnf history undo last
# Undo specific transaction
sudo dnf history undo 42
# Redo transaction
sudo dnf history redo 42
# Rollback to specific point
sudo dnf history rollback 40
System Snapshots
# Using LVM snapshots for rollback
# Create snapshot before updates
sudo lvcreate -L 5G -s -n root_snapshot /dev/almalinux/root
# Perform updates
sudo dnf update -y
# If issues occur, roll back (merging into the active root LV is deferred until the LV is next activated, i.e. after a reboot)
sudo lvconvert --merge /dev/almalinux/root_snapshot
# Remove snapshot if update successful
sudo lvremove /dev/almalinux/root_snapshot
Package Downgrade
# Downgrade specific package
sudo dnf downgrade httpd
# Downgrade to specific version
sudo dnf downgrade httpd-2.4.51-1.el9
# List available versions
dnf --showduplicates list httpd
# Downgrade multiple packages
sudo dnf downgrade httpd php mariadb
Repository Management
Repository Configuration
# List enabled repositories
dnf repolist
# List all repositories
dnf repolist all
# Enable repository (powertools on AlmaLinux 8; the equivalent repository on AlmaLinux 9 is named crb)
sudo dnf config-manager --enable powertools
# Disable repository
sudo dnf config-manager --disable epel-testing
# Add new repository
sudo dnf config-manager --add-repo https://example.com/repo.repo
Repository Security
# Import GPG key
sudo rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
# Verify GPG keys
rpm -qa gpg-pubkey*
rpm -qi gpg-pubkey-xxxxxxxx
# Configure GPG checking
sudo nano /etc/dnf/dnf.conf
# Ensure: gpgcheck=1
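The `gpgcheck=1` setting recommended in the DNF configuration section and again here is only as good as the whole set of repository files that dnf reads. As an added example that is not part of the original guide, the following bash function audits dnf.conf/.repo-style INI text for settings that weaken package verification: a section whose `gpgcheck` is not `1`, a repository with `gpgcheck=1` but no `gpgkey` to verify against, `sslverify` switched off, and a `baseurl`, `mirrorlist` or `metalink` served over plain http. The sample configuration is constructed; the `vendor-tools` and `partner` repositories and the `repo.example.internal` host are placeholders, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit dnf.conf / *.repo text for
# settings that weaken package verification. Reads INI text on stdin and prints one
# finding per line as "<section>: <problem>". The sample configuration is constructed;
# the vendor-tools and partner repos and repo.example.internal are placeholders.
SAMPLE_REPO_CONFIG='[main]
gpgcheck=1
installonly_limit=3

[baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9

[vendor-tools]
name=Vendor tools (constructed: signatures off, TLS off, plain http)
baseurl=http://repo.example.internal/vendor/el9/
enabled=1
gpgcheck=0
sslverify=0

[partner]
name=Partner repo (constructed: gpgcheck on but no key to check against)
baseurl=https://repo.example.internal/partner/el9/
enabled=1
gpgcheck=1'

audit_repo_config() {
  awk '
    # Report on the section that just ended.
    function flush() {
      if (sec == "") return
      if (gpg != "1")
        print sec ": gpgcheck is not 1 (package signatures are not verified)"
      else if (sec != "main" && key == "")
        print sec ": gpgcheck=1 but no gpgkey configured (nothing to verify against)"
      if (tolower(ssl) ~ /^(0|false|no)$/)
        print sec ": sslverify disabled (repository TLS certificate not validated)"
    }
    /^[[:space:]]*\[.*\][[:space:]]*$/ {
      flush(); sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
      gpg = ""; key = ""; ssl = ""; next
    }
    /^[[:space:]]*[#;]/ { next }     # comment lines
    /^[[:space:]]*$/    { next }     # blank lines
    index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == "gpgcheck") gpg = v
      else if (k == "gpgkey") key = v
      else if (k == "sslverify") ssl = v
      else if ((k == "baseurl" || k == "mirrorlist" || k == "metalink") && v ~ /^http:\/\//)
        print sec ": " k " is fetched over plain http (" v ")"
    }
    END { flush() }'
}

# Number of findings for the configuration on stdin (0 means nothing to fix).
audit_finding_count() {
  audit_repo_config | awk 'END { print NR }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_REPO_CONFIG" | audit_repo_config
```

To run it against a real host, feed it the live files, for example `cat /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo | audit_repo_config`; a non-zero `audit_finding_count` is a useful pre-update gate alongside the checks in the later pre-update checklist.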
Mirror Management
# Use the fastest mirror (this is a built-in dnf option; there is no separate fastestmirror plugin package for dnf)
sudo nano /etc/dnf/dnf.conf
# Set: fastestmirror=True
# Configure mirror list
sudo nano /etc/yum.repos.d/almalinux.repo
# Test mirror speed
curl -o /dev/null -s -w "%{time_total}\n" http://mirror.example.com/almalinux/
# Create local mirror with dnf reposync (--download-metadata keeps the repodata, --delete drops packages
# no longer upstream, --gpgcheck removes any package that fails signature verification, -p is the target directory)
sudo dnf install createrepo_c
sudo mkdir -p /var/www/html/almalinux
sudo dnf reposync --repoid=baseos --download-metadata --delete --gpgcheck -p /var/www/html/almalinux
sudo createrepo_c /var/www/html/almalinux/baseos
Enterprise Patch Management
Centralized Update Server
# Set up Katello/Foreman for patch management
# Install Katello
sudo dnf install https://yum.theforeman.org/releases/3.4/el8/x86_64/foreman-release.rpm
sudo dnf install katello
# Configure content views
hammer content-view create --name "AlmaLinux-9-Base" --organization "MyOrg"
hammer repository create --name "AlmaLinux-9-BaseOS" --content-type yum --url "https://repo.almalinux.org/almalinux/9/BaseOS/x86_64/os/"
Patch Compliance Reporting
# Compliance reporting script
cat << 'EOF' > /usr/local/bin/patch-compliance.sh
#!/bin/bash
echo "Patch Compliance Report"
echo "======================="
echo "Generated: $(date)"
echo "Hostname: $(hostname)"
echo
# System information
echo "System Information:"
echo "  OS: $(cat /etc/redhat-release)"
echo "  Kernel: $(uname -r)"
echo "  Last update: $(rpm -qa --last | head -1 | awk '{print $3, $4, $5}')"
echo
# Update status (-q: package lines only, so the counts are exact)
echo "Update Status:"
TOTAL=$(dnf -q check-update 2>/dev/null | grep -vc '^$')
SECURITY=$(dnf -q updateinfo list security 2>/dev/null | grep -vc '^$')
CRITICAL=$(dnf -q updateinfo list security --sec-severity=Critical 2>/dev/null | grep -vc '^$')
echo "  Pending updates: $TOTAL"
echo "  Security updates: $SECURITY"
echo "  Critical updates: $CRITICAL"
echo
# Compliance status
echo "Compliance Status:"
if [ "$CRITICAL" -gt 0 ]; then
  echo "  ❌ NON-COMPLIANT: Critical updates pending"
elif [ "$SECURITY" -gt 5 ]; then
  echo "  ⚠️ AT RISK: Multiple security updates pending"
elif [ "$TOTAL" -gt 20 ]; then
  echo "  ⚠️ NEEDS ATTENTION: Many updates pending"
else
  echo "  ✅ COMPLIANT: System is up to date"
fi
# Recent update history
echo -e "\nRecent Update History:"
dnf history | head -10
EOF
chmod +x /usr/local/bin/patch-compliance.sh
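The compliance script above grades a host by how many updates are pending, while the priority matrix in the Understanding AlmaLinux Updates section defines compliance by time: a Critical advisory must be applied within 24 hours, Important within 7 days, Moderate within 30. The following bash functions are an added example, not code from the original guide, that measure pending advisories against that matrix using the `Update ID:`, `Updated:` and `Severity:` fields that `dnf updateinfo info` prints for each advisory; anything older than its window is reported OVERDUE. The advisory ids (ALSA-0000:*) and dates are constructed placeholders, the function names are my own, and the date arithmetic is done in awk so the check does not depend on GNU `date -d`.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): score pending security advisories
# against the guide's priority matrix (Critical < 24 hours, Important < 7 days,
# Moderate/Low < 30 days), using the "Updated:" date that `dnf updateinfo info`
# prints for each advisory. Sample advisories below are constructed (ALSA-0000:* ids).
SAMPLE_UPDATEINFO_INFO='===============================================================================
  Important: openssl security update
===============================================================================
  Update ID: ALSA-0000:1001
       Type: security
    Updated: 2023-03-21 00:00:00
       CVEs: CVE-0000-1001
Description: Constructed sample advisory.
   Severity: Important

===============================================================================
  Critical: openssh security update
===============================================================================
  Update ID: ALSA-0000:1002
       Type: security
    Updated: 2023-03-28 00:00:00
       CVEs: CVE-0000-1003
Description: Constructed sample advisory.
   Severity: Critical

===============================================================================
  Moderate: kernel security update
===============================================================================
  Update ID: ALSA-0000:1003
       Type: security
    Updated: 2023-03-25 00:00:00
       CVEs: CVE-0000-1005
Description: Constructed sample advisory.
   Severity: Moderate'

# Days allowed by the priority matrix for a severity word.
sla_days() {
  case "$1" in
    Critical)  echo 1 ;;
    Important) echo 7 ;;
    *)         echo 30 ;;   # Moderate, Low, or no severity recorded
  esac
}

# Days since 1970-01-01 for a YYYY-MM-DD date (civil-calendar arithmetic in awk).
days_since_epoch() {
  awk -v d="$1" 'BEGIN {
    split(d, a, "-"); y = a[1] + 0; m = a[2] + 0; dd = a[3] + 0
    if (m <= 2) { y -= 1; m += 12 }             # Jan/Feb count as months 13/14 of the previous year
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m - 3) + 2) / 5) + dd - 1  # day within the March-based year
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    print era * 146097 + doe - 719468 }'
}

# Extract "<id> <severity> <YYYY-MM-DD>" per advisory from `dnf updateinfo info` text on stdin.
advisory_fields() {
  awk '
    function val(  v) { v = $0; sub(/^[^:]*:[[:space:]]*/, "", v); sub(/[[:space:]].*$/, "", v); return v }
    function flush() { if (id != "") print id, sev, upd }
    /^[[:space:]]*Update ID[[:space:]]*:/ { flush(); id = val(); sev = ""; upd = "" }
    /^[[:space:]]*Updated[[:space:]]*:/   { upd = val() }
    /^[[:space:]]*Severity[[:space:]]*:/  { sev = val() }
    END { flush() }'
}

# One line per advisory: <id> <severity> <updated> <age-days> <sla-days> <OK|OVERDUE>.
# $1 is the reference date (YYYY-MM-DD), normally $(date +%F).
advisory_sla_report() {
  local today
  today=$(days_since_epoch "$1")
  advisory_fields | while read -r id sev upd; do
    age=$(( today - $(days_since_epoch "$upd") ))
    sla=$(sla_days "$sev")
    if [ "$age" -gt "$sla" ]; then status=OVERDUE; else status=OK; fi
    printf '%s %s %s %d %d %s\n' "$id" "$sev" "$upd" "$age" "$sla" "$status"
  done
}

# Number of advisories past their window; non-zero means the matrix is being missed.
overdue_count() {
  advisory_sla_report "$1" | awk '/OVERDUE$/ { n++ } END { print n + 0 }'
}

# Stand-alone demonstration with a fixed reference date (the sample is dated 2023).
printf '%s\n' "$SAMPLE_UPDATEINFO_INFO" | advisory_sla_report 2023-03-30
```

On a live host the sample is replaced by `dnf -q updateinfo info security` and the reference date by `$(date +%F)`; `overdue_count` then gives a single number that a compliance report or monitoring check can alert on, independent of how many unrelated updates happen to be pending.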
Staged Deployment
# Environment-based update strategy
cat << 'EOF' > /usr/local/bin/staged-update.sh
#!/bin/bash
ENVIRONMENT=$(cat /etc/environment-type 2>/dev/null) # dev, test, prod
case "$ENVIRONMENT" in
  dev)
    echo "Development environment - applying all updates"
    sudo dnf update -y
    ;;
  test)
    echo "Test environment - applying security updates"
    sudo dnf update --security -y
    ;;
  prod)
    echo "Production environment - manual approval required"
    dnf check-update
    echo "Run 'sudo dnf update' to apply updates after approval"
    ;;
  *)
    echo "❌ Unknown environment type: '${ENVIRONMENT:-<missing /etc/environment-type>}'"
    exit 1
    ;;
esac
EOF
chmod +x /usr/local/bin/staged-update.sh
Testing and Staging Updates
Update Testing Framework
# Create test environment
cat << 'EOF' > /usr/local/bin/update-test.sh
#!/bin/bash
echo "Update Testing Framework"
echo "========================"
echo
# Create test snapshot
echo "Creating system snapshot..."
sudo lvcreate -L 10G -s -n test_snapshot /dev/almalinux/root
# Apply updates in test mode (--assumeno resolves the transaction and answers "no", so nothing is installed)
echo "Simulating updates..."
dnf update --assumeno
# Run test suite
echo "Running system tests..."
# Add your test commands here
systemctl status | grep failed
journalctl -p err -n 50
# Cleanup
read -p "Keep changes? (y/n): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  echo "Rolling back..."
  # Merging into the active root LV is deferred until it is next activated (reboot)
  sudo lvconvert --merge /dev/almalinux/test_snapshot
else
  echo "Removing snapshot..."
  sudo lvremove -f /dev/almalinux/test_snapshot
fi
EOF
chmod +x /usr/local/bin/update-test.sh
Service-Specific Testing
# Service validation after updates
cat << 'EOF' > /usr/local/bin/service-check.sh
#!/bin/bash
CRITICAL_SERVICES="sshd httpd mariadb firewalld"
echo "Service Validation Check"
echo "========================"
echo
for service in $CRITICAL_SERVICES; do
  if systemctl is-active "$service" &>/dev/null; then
    echo "✅ $service: Running"
  else
    echo "❌ $service: Not running"
    systemctl status "$service" | head -5
  fi
done
# Check for failed services
FAILED=$(systemctl --failed --no-legend | wc -l)
if [ "$FAILED" -gt 0 ]; then
  echo -e "\n⚠️ Failed services detected:"
  systemctl --failed
fi
EOF
chmod +x /usr/local/bin/service-check.sh
Monitoring and Reporting
Update Monitoring Dashboard
# Create monitoring script
cat << 'EOF' > /usr/local/bin/update-monitor.sh
#!/bin/bash
clear
echo "System Update Monitoring Dashboard"
echo "=================================="
echo "Last refresh: $(date)"
echo
# Update metrics (-q: package lines only, so the counts are exact)
echo "Update Metrics:"
echo "  Available updates: $(dnf -q check-update 2>/dev/null | grep -vc '^$')"
echo "  Security updates: $(dnf -q updateinfo list security 2>/dev/null | grep -vc '^$')"
echo "  Last update: $(rpm -qa --last | head -1 | awk '{print $3, $4, $5}')"
echo "  Auto-updates: $(systemctl is-enabled dnf-automatic.timer 2>/dev/null)"
echo
# System health
echo "System Health:"
echo "  Uptime: $(uptime -p)"
echo "  Load average: $(uptime | awk -F'load average:' '{print $2}')"
echo "  Failed services: $(systemctl --failed --no-legend | wc -l)"
echo "  Disk usage: $(df -h / | awk 'NR==2 {print $5}')"
echo
# Recent activity
echo "Recent Update Activity:"
dnf history | head -6
# Pending reboots (needs-restarting -r exits 1 when a reboot is required)
echo -e "\nReboot Status:"
if ! needs-restarting -r &>/dev/null; then
  echo "  ⚠️ Reboot required"
  echo "  Services needing restart:"
  needs-restarting -s | head -5
else
  echo "  ✅ No reboot required"
fi
EOF
chmod +x /usr/local/bin/update-monitor.sh
Email Notifications
# Email notification script
cat << 'EOF' > /usr/local/bin/update-notify.sh
#!/bin/bash
RECIPIENT="[email protected]"
HOSTNAME=$(hostname)
# Use a private temporary file rather than a predictable name in /tmp
REPORT=$(mktemp /tmp/update-report.XXXXXX) || exit 1
# Generate report (-q: package lines only)
{
  echo "Update Report for $HOSTNAME"
  echo "Generated: $(date)"
  echo "================================"
  echo
  echo "Available Updates:"
  dnf -q check-update 2>/dev/null
  echo -e "\nSecurity Updates:"
  dnf -q updateinfo list security 2>/dev/null
  echo -e "\nSystem Status:"
  echo "Kernel: $(uname -r)"
  echo "Uptime: $(uptime -p)"
  # needs-restarting -r exits 1 when a reboot is required
  if ! needs-restarting -r &>/dev/null; then
    echo "⚠️ REBOOT REQUIRED"
  fi
} > "$REPORT"
# Send email
mail -s "Update Report - $HOSTNAME" "$RECIPIENT" < "$REPORT"
# Cleanup
rm -f "$REPORT"
EOF
chmod +x /usr/local/bin/update-notify.sh
# Add to crontab for weekly reports (entries in /etc/crontab need a user field before the command)
echo "0 8 * * MON root /usr/local/bin/update-notify.sh" | sudo tee -a /etc/crontab
Troubleshooting Update Issues
Common Issues and Solutions
# Dependency conflicts
sudo dnf update --best --allowerasing
# Transaction check errors
sudo dnf clean all
sudo rpm --rebuilddb
sudo dnf update
# GPG key issues
sudo dnf update --nogpgcheck # Temporary, not recommended for production
# Repository errors
sudo dnf clean expire-cache
sudo dnf clean metadata
# Package conflicts
sudo package-cleanup --problems
sudo package-cleanup --dupes
sudo package-cleanup --cleandupes
Advanced Troubleshooting
# Debug mode update
sudo dnf update --debuglevel=10
# Skip broken packages
sudo dnf update --skip-broken
# Force reinstall
sudo dnf reinstall <package>
# Check package integrity
sudo rpm -Va
# Fix RPM database
sudo rm -f /var/lib/rpm/__db*
sudo rpm --rebuilddb
Diagnostic Script
# Comprehensive diagnostic
cat << 'EOF' > /usr/local/bin/update-diagnose.sh
#!/bin/bash
echo "Update System Diagnostics"
echo "========================="
echo
# Check DNF status
echo "Package Manager Status:"
if dnf check &>/dev/null; then
  echo "  ✅ DNF database OK"
else
  echo "  ❌ DNF database issues detected"
  dnf check
fi
# Repository connectivity
echo -e "\nRepository Connectivity:"
for repo in $(dnf repolist | tail -n +2 | awk '{print $1}'); do
  if dnf repository-packages "$repo" info &>/dev/null; then
    echo "  ✅ $repo: Accessible"
  else
    echo "  ❌ $repo: Connection failed"
  fi
done
# Disk space
echo -e "\nDisk Space:"
df -h /var /boot
# Package problems
echo -e "\n⚠️ Package Problems:"
package-cleanup --problems
# Duplicate packages
DUPES=$(package-cleanup --dupes | wc -l)
if [ "$DUPES" -gt 0 ]; then
  echo "  Found $DUPES duplicate packages"
  package-cleanup --dupes
fi
# Orphaned packages
echo -e "\nOrphaned Packages:"
package-cleanup --orphans | head -10
EOF
chmod +x /usr/local/bin/update-diagnose.sh
Best Practices and Policies
Update Policy Template
cat << 'EOF' > /etc/update-policy.md
# System Update Policy
## Update Schedule
- **Production Systems**: Monthly, second Tuesday, 02:00-06:00
- **Test Systems**: Weekly, Sunday, 03:00-05:00
- **Development Systems**: Daily, automated
## Update Priority
1. Critical Security: Within 24 hours
2. Important Security: Within 7 days
3. Moderate Security: Within 30 days
4. Bug Fixes: Monthly cycle
5. Enhancements: Quarterly
## Testing Requirements
- All updates tested in development first
- Critical updates: 1 day test minimum
- Kernel updates: 1 week test minimum
- Major updates: 2 week test cycle
## Rollback Procedures
- Snapshot before major updates
- Maintain 2 previous kernels
- Document rollback procedures
- Test rollback quarterly
## Responsibilities
- System Admin: Execute updates
- Security Team: Review security updates
- Application Team: Validate functionality
- Management: Approve maintenance windows
EOF
Pre-Update Checklist
# Pre-update checklist script
cat << 'EOF' > /usr/local/bin/pre-update-check.sh
#!/bin/bash
echo "Pre-Update Checklist"
echo "===================="
echo
READY=true
# Check disk space (df reports 1K blocks; column 4 is the free space)
echo "Checking disk space..."
BOOT_SPACE=$(df /boot | awk 'NR==2 {print int($4/1024)}')
ROOT_SPACE=$(df / | awk 'NR==2 {print int($4/1024/1024)}')
if [ "$BOOT_SPACE" -lt 100 ]; then
  echo "  ❌ Insufficient /boot space: ${BOOT_SPACE}MB"
  READY=false
else
  echo "  ✅ /boot space OK: ${BOOT_SPACE}MB"
fi
if [ "$ROOT_SPACE" -lt 2 ]; then
  echo "  ❌ Insufficient root space: ${ROOT_SPACE}GB"
  READY=false
else
  echo "  ✅ Root space OK: ${ROOT_SPACE}GB"
fi
# Check backup status
echo -e "\nChecking backups..."
if [ -f /var/log/backup.log ]; then
  LAST_BACKUP=$(stat -c %Y /var/log/backup.log)
  CURRENT=$(date +%s)
  DAYS_OLD=$(( (CURRENT - LAST_BACKUP) / 86400 ))
  if [ "$DAYS_OLD" -gt 7 ]; then
    echo "  ⚠️ Last backup $DAYS_OLD days old"
  else
    echo "  ✅ Recent backup available"
  fi
else
  echo "  ❌ No backup log found"
  READY=false
fi
# Check running services
echo -e "\nChecking critical services..."
for service in sshd firewalld; do
  if systemctl is-active "$service" &>/dev/null; then
    echo "  ✅ $service running"
  else
    echo "  ❌ $service not running"
    READY=false
  fi
done
# Final status
echo -e "\nPre-Update Status:"
if [ "$READY" = true ]; then
  echo "  ✅ System ready for updates"
  exit 0
else
  echo "  ❌ Issues detected - resolve before updating"
  exit 1
fi
EOF
chmod +x /usr/local/bin/pre-update-check.sh
Post-Update Validation
# Post-update validation script
cat << 'EOF' > /usr/local/bin/post-update-check.sh
#!/bin/bash
echo "Post-Update Validation"
echo "======================"
echo
SUCCESS=true
# Check system status
echo "System Health Check:"
# Check for failed services
FAILED=$(systemctl --failed --no-legend | wc -l)
if [ "$FAILED" -eq 0 ]; then
  echo "  ✅ No failed services"
else
  echo "  ❌ $FAILED failed services detected"
  systemctl --failed
  SUCCESS=false
fi
# Check critical services (only those enabled on this host)
echo -e "\nCritical Services:"
for service in sshd httpd mariadb firewalld; do
  if systemctl is-enabled "$service" &>/dev/null; then
    if systemctl is-active "$service" &>/dev/null; then
      echo "  ✅ $service: Active"
    else
      echo "  ❌ $service: Inactive"
      SUCCESS=false
    fi
  fi
done
# Check connectivity
echo -e "\nNetwork Connectivity:"
if ping -c 1 8.8.8.8 &>/dev/null; then
  echo "  ✅ Internet connectivity OK"
else
  echo "  ❌ No internet connectivity"
  SUCCESS=false
fi
# Check for kernel issues
echo -e "\nKernel Status:"
# grep -q gives the exit status of the match itself (a trailing tail would always exit 0)
if dmesg | grep -qi "error\|fail"; then
  echo "  ⚠️ Kernel errors detected:"
  dmesg | grep -i "error\|fail" | tail -5
fi
# Reboot requirement (needs-restarting -r exits 1 when a reboot is required)
echo -e "\nReboot Status:"
if ! needs-restarting -r &>/dev/null; then
  echo "  ⚠️ Reboot required"
  needs-restarting -s | head -5
else
  echo "  ✅ No reboot required"
fi
# Final validation
echo -e "\nValidation Result:"
if [ "$SUCCESS" = true ]; then
  echo "  ✅ Post-update validation PASSED"
  exit 0
else
  echo "  ❌ Post-update validation FAILED"
  echo "  Review issues and take corrective action"
  exit 1
fi
EOF
chmod +x /usr/local/bin/post-update-check.sh
Conclusion
Effective system update and patch management is essential for maintaining secure, stable, and performant AlmaLinux systems. By implementing the strategies and tools covered in this guide, you can establish a robust update management framework that balances security needs with operational stability.
Key takeaways:
- Regular updates are crucial for security and stability
- Security updates should be prioritized and applied promptly
- Automation reduces manual effort while maintaining control
- Testing prevents update-related issues in production
- Monitoring provides visibility into update status and compliance
- Rollback capabilities ensure quick recovery from problems
- Clear policies and procedures ensure consistent management
Remember to adapt these practices to your specific environment, maintain proper documentation, test thoroughly before production deployment, and always have a rollback plan. With proper update management, your AlmaLinux infrastructure will remain secure, compliant, and reliable for years to come.