CentOS yum-cron updates stability

centos yum

Solution 1:

I wouldn't touch Amazon Linux 2 for anything requiring stability, or for any other reason, in fact. Amazon Linux (both 1 and 2) were built primarily for Amazon's needs and to run Amazon's services and they only share it publicly as a convenience. It gets upgraded on Amazon's schedule, not yours. AL2 was forked from CentOS 7 and then Amazon diverges from that distro, often so much that many packages built for CentOS 7 (like EPEL) do not work any more. So compatibility is gone too.

With that out of the way:

A time when you are switching distros for your public facing (or at least intranet facing) web site is the second best time to get your distro up to the latest major release available. (The first being when that distro is released.) At the moment that means RHEL 8.4 or CentOS 8.4. But as CentOS seems to be going away at the end of the year, probably best to switch to Rocky Linux if you don't qualify for free RHEL subscriptions (up to 16 physical or virtual machines, and production is allowed); that appears to be what most people are choosing instead of Alma Linux.

Finally, as for automatic updates, I run a few dozen public facing web sites and their servers are all on automatic updates. (They are activated a bit differently on RHEL 8 though, as yum-cron is gone, using the dnf-automatic package.) I have been doing so for a few years, and I cannot remember the last time there was a problem related to updates.

As for security updates on CentOS: They have never tagged their updates as security updates, so the yum --security ... commands have never really worked. Rocky Linux has begun doing this, so equivalent commands in <distro> 8 (e.g. `dnf --security ...) work as expected on RHEL or Rocky Linux. (Though I don't install just security updates, but everything available, and it runs daily.)

That said, I do have monitoring on all of the servers, so if something did break I would be notified and could wake up and fix it. For public facing sites I have analyzed the sites and their purpose and I believe the risk of external compromise, especially on day 0 or earlier, is far higher than the risk of a site breaking due to a bug in an update. Which is why I also have SELinux configured and enforcing.

So my recommendation for you would be to go to RHEL 8.4 if you qualify for the free subscription and Rocky Linux 8.4 if you do not. (And choose the correct region; you don't want to be serving from us-east-* if all your visitors are in Europe, for instance.)

Remember to take an AWS snapshot before the upgrade. In case something does go wrong, you can either fix it quickly or roll back to the AWS snapshot.

Related

How do I restrict WebSphere to just localhost requests?
Windows AD with external DNS
Checking the issued and expiry dates for the certificates involved a certificate chain
When does a windows client notice that certificate is revoked?
Can two users on an 802.11n network with WPA/WPA2 intercept each other's traffic?
Create a /tmp partition that uses filesystem type of tmpfs in kickstart?
Kubernetes ingress 502 bad gateway on DigitalOcean
Postfix cannot load Certification Authority data error
Setting up Rsnapshot for casual manual backup?
WSUS is downloading hundreds of old declined updates
Allow a div to cover the whole page instead of the area within the container
ORA-28040: No matching authentication protocol exception