CentOS yum-cron updates stability

Solution 1:

I wouldn't touch Amazon Linux 2 for anything requiring stability, or for any other reason, in fact. Amazon Linux (both 1 and 2) were built primarily for Amazon's needs and to run Amazon's services and they only share it publicly as a convenience. It gets upgraded on Amazon's schedule, not yours. AL2 was forked from CentOS 7 and then Amazon diverges from that distro, often so much that many packages built for CentOS 7 (like EPEL) do not work any more. So compatibility is gone too.


With that out of the way:

A time when you are switching distros for your public facing (or at least intranet facing) web site is the second best time to get your distro up to the latest major release available. (The first being when that distro is released.) At the moment that means RHEL 8.4 or CentOS 8.4. But as CentOS seems to be going away at the end of the year, probably best to switch to Rocky Linux if you don't qualify for free RHEL subscriptions (up to 16 physical or virtual machines, and production is allowed); that appears to be what most people are choosing instead of Alma Linux.

Finally, as for automatic updates, I run a few dozen public facing web sites and their servers are all on automatic updates. (They are activated a bit differently on RHEL 8 though, as yum-cron is gone, using the dnf-automatic package.) I have been doing so for a few years, and I cannot remember the last time there was a problem related to updates.

As for security updates on CentOS: They have never tagged their updates as security updates, so the yum --security ... commands have never really worked. Rocky Linux has begun doing this, so equivalent commands in <distro> 8 (e.g. `dnf --security ...) work as expected on RHEL or Rocky Linux. (Though I don't install just security updates, but everything available, and it runs daily.)

That said, I do have monitoring on all of the servers, so if something did break I would be notified and could wake up and fix it. For public facing sites I have analyzed the sites and their purpose and I believe the risk of external compromise, especially on day 0 or earlier, is far higher than the risk of a site breaking due to a bug in an update. Which is why I also have SELinux configured and enforcing.


So my recommendation for you would be to go to RHEL 8.4 if you qualify for the free subscription and Rocky Linux 8.4 if you do not. (And choose the correct region; you don't want to be serving from us-east-* if all your visitors are in Europe, for instance.)

Remember to take an AWS snapshot before the upgrade. In case something does go wrong, you can either fix it quickly or roll back to the AWS snapshot.