From abf127614d69775d069f21ee53c11ff3e49b6710 Mon Sep 17 00:00:00 2001 From: Antoine Le Morvan Date: Fri, 6 May 2022 12:24:12 +0200 Subject: [PATCH 1/2] Feat: dns_autoupdate --- docs/guides/security/dns_autoupdate.md | 117 +++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 docs/guides/security/dns_autoupdate.md diff --git a/docs/guides/security/dns_autoupdate.md b/docs/guides/security/dns_autoupdate.md new file mode 100644 index 0000000000..0168474649 --- /dev/null +++ b/docs/guides/security/dns_autoupdate.md 
@@ -0,0 +1,117 @@ +--- +title: Patching servers with dnf-automatic +author: Antoine Le Morvan +contributors: Steven Spencer +update: 05-may-2022 +tags: + - security + - dnf + - updates +--- + +# Patching servers with `dnf-automatic` + +Managing the installation of security updates is an important matter for the system administrator. + +The process of providing software updates is a well-trodden path that ultimately causes few problems. + +For these reasons, it is reasonable to automate the download and application of updates daily and automatically on the Rocky servers. + +The security of your information system will be strengthened. + +The `dnf-automatic` software is an additional tool that will allow you to achieve this. + +## Installation + +You can install `dnf-automatic` from the rocky repositories: + +``` +sudo dnf install dnf-automatic +``` + +## configuration + +By default, the update process will start at 6am, with a random extra time delta to avoid all your machines updating at the same time. + +To change this behavior, you must override the timer configuration associated with the application service. + +``` +sudo systemctl edit dnf-automatic.timer + +[Unit] +Description=dnf-automatic timer +# See comment in dnf-makecache.service +ConditionPathExists=!/run/ostree-booted +Wants=network-online.target + +[Timer] +OnCalendar=*-*-* 6:00 +RandomizedDelaySec=10m +Persistent=true + +[Install] +WantedBy=timers.target +``` + +The previous configuration allows to reduce the start-up delay between 6:00 and 6:10 am. A server that would be shut down at this time would be automatically patched after its restart. + +And then activate the timer associated to the service (not the service itself): + +``` +$ sudo systemctl enable --now dnf-automatic.timer +``` + +## What about CentOS 7 servers ? + +The process under centos 7 is almost similar but uses a different software: `yum-cron`. 
+ +``` +$ sudo yum install yum-cron +``` + +The configuration of the service is done this time in the file `/etc/yum/yum-cron.conf`. + +Set configuration as needed: + +``` +[commands] +# What kind of update to use: +# default = yum upgrade +# security = yum --security upgrade +# security-severity:Critical = yum --sec-severity=Critical upgrade +# minimal = yum --bugfix update-minimal +# minimal-security = yum --security update-minimal +# minimal-security-severity:Critical = --sec-severity=Critical update-minimal +update_cmd = default + +# Whether a message should be emitted when updates are available, +# were downloaded, or applied. +update_messages = yes + +# Whether updates should be downloaded when they are available. +download_updates = yes + +# Whether updates should be applied when they are available. Note +# that download_updates must also be yes for the update to be applied. +apply_updates = yes + +# Maximum amout of time to randomly sleep, in minutes. The program +# will sleep for a random amount of time between 0 and random_sleep +# minutes before running. This is useful for e.g. staggering the +# times that multiple systems will access update servers. If +# random_sleep is 0 or negative, the program will run immediately. +# 6*60 = 360 +random_sleep = 30 +``` + +The comments in the configuration file speak for themselves. + +You can now enable the service and start it: + +``` +$ sudo systemctl enable --now yum-cron +``` + +## Conclusion + +The automatic update of packages is easily activated and considerably increases the security of your information system. From ce7ea20338665324ab502509c050a3ba6cef4e25 Mon Sep 17 00:00:00 2001 
From: Steven Spencer Date: Fri, 6 May 2022 10:18:45 -0500 Subject: [PATCH 2/2] Editing pass dnf-automatic PR 692 * added admonition for the explanation on automatically applying updates and the risk * added admonition for the CentOS 7 section * changed some minor wording * changed the title meta to better fit in the left-hand menu * added the tag: "automation" * changed the filename from dns_autoupdate.md to dnf_automatic.md --- .../{dns_autoupdate.md => dnf_automatic.md} | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) rename docs/guides/security/{dns_autoupdate.md => dnf_automatic.md} (57%) diff --git a/docs/guides/security/dns_autoupdate.md b/docs/guides/security/dnf_automatic.md similarity index 57% rename from docs/guides/security/dns_autoupdate.md rename to docs/guides/security/dnf_automatic.md index 0168474649..aae430e2c7 100644 --- a/docs/guides/security/dns_autoupdate.md +++ b/docs/guides/security/dnf_automatic.md 
@@ -1,25 +1,27 @@ --- -title: Patching servers with dnf-automatic +title: Patching with dnf-automatic author: Antoine Le Morvan contributors: Steven Spencer -update: 05-may-2022 +tested with: 8.5 tags: - security - dnf + - automation - updates --- # Patching servers with `dnf-automatic` -Managing the installation of security updates is an important matter for the system administrator. +Managing the installation of security updates is an important matter for the system administrator. The process of providing software updates is a well-trodden path that ultimately causes few problems. +For these reasons, it is reasonable to automate the download and application of updates daily and automatically on Rocky servers. -The process of providing software updates is a well-trodden path that ultimately causes few problems. +The security of your information system will be strengthened. `dnf-automatic` is an additional tool that will allow you to achieve this. -For these reasons, it is reasonable to automate the download and application of updates daily and automatically on the Rocky servers. +!!! hint "If you are worried..." -The security of your information system will be strengthened. + Years ago, applying updates automatically like this would have been a recipe for disaster. There were many times where an update applied might cause issues. That still happens rarely, when an update of a package removes a deprecated feature that is being used on the server, but for the most part, this simply isn't an issue these days. That said though, if you still feel uncomfortable letting `dnf-automatic` handle the updates, consider using it to download and/or notify you that updates are available. That way your server doesn't remain unpatched for long. These features are `dnf-automatic-notifyonly` and `dnf-automatic-download` -The `dnf-automatic` software is an additional tool that will allow you to achieve this. 
+ For more on these features, take a look at the [official documentation](https://dnf.readthedocs.io/en/latest/automatic.html). ## Installation @@ -29,11 +31,9 @@ You can install `dnf-automatic` from the rocky repositories: sudo dnf install dnf-automatic ``` -## configuration +## Configuration -By default, the update process will start at 6am, with a random extra time delta to avoid all your machines updating at the same time. - -To change this behavior, you must override the timer configuration associated with the application service. +By default, the update process will start at 6am, with a random extra time delta to avoid all your machines updating at the same time. To change this behavior, you must override the timer configuration associated with the application service: ``` sudo systemctl edit dnf-automatic.timer @@ -53,17 +53,21 @@ Persistent=true WantedBy=timers.target ``` -The previous configuration allows to reduce the start-up delay between 6:00 and 6:10 am. A server that would be shut down at this time would be automatically patched after its restart. +This configuration reduces the start-up delay between 6:00 and 6:10 am. (A server that would be shut down at this time would be automatically patched after its restart.) -And then activate the timer associated to the service (not the service itself): +Then activate the timer associated to the service (not the service itself): ``` $ sudo systemctl enable --now dnf-automatic.timer ``` -## What about CentOS 7 servers ? +## What about CentOS 7 servers? + +!!! tip + + Yes, this is Rocky Linux documentation, but if you are a system or network administrator, you may have some CentOS 7 machines still in play. We get that, and that is why we are including this section. -The process under centos 7 is almost similar but uses a different software: `yum-cron`. +The process under CentOS 7 is similar but uses: `yum-cron`. ``` $ sudo yum install yum-cron
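Review bot: In the first patch's "## configuration" hunk, the `sudo systemctl edit dnf-automatic.timer` block pastes a complete unit file, but `systemctl edit` without `--full` writes a drop-in (`override.conf`) that is merged with the shipped unit, and `OnCalendar=` in `[Timer]` is additive: a second `OnCalendar=` line adds a trigger rather than replacing the shipped one. It is benign here only because the value (`*-*-* 6:00`) matches the stock unit; a reader who changes the hour would end up with two trigger times. Suggest either documenting `systemctl edit --full dnf-automatic.timer`, or showing a minimal drop-in that begins the `[Timer]` section with an empty `OnCalendar=` line to reset the list before the new value, and dropping the redundant `[Unit]`/`[Install]` sections from the override.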
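Review bot: The first patch never configures `/etc/dnf/automatic.conf`, yet the guide's premise is that enabling `dnf-automatic.timer` patches the server. That timer runs `dnf-automatic` against `automatic.conf`, whose shipped default is `apply_updates = no`, so as written the Rocky section only downloads updates while the CentOS 7 section explicitly sets `apply_updates = yes`. Suggest adding a step that sets `apply_updates = yes` in `/etc/dnf/automatic.conf` (and, for a security-focused guide, mentions `upgrade_type = security` as the narrower option), or enabling `dnf-automatic-install.timer` instead, so the two sections describe the same outcome.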
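Review bot: In the yum-cron configuration block of the first patch, the comment `# 6*60 = 360` immediately above `random_sleep = 30` no longer matches the value (it is the upstream default's comment left in place after the value was changed), which will confuse readers; either drop the comment or change it to explain the chosen 30 minutes. The same block carries the upstream typo "amout" in "Maximum amout of time"; since the text says "The comments in the configuration file speak for themselves", fixing it to "amount" in the quoted excerpt is reasonable.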
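Review bot: In the second patch's first hunk, the admonition ends with "These features are `dnf-automatic-notifyonly` and `dnf-automatic-download`" with no terminating period, and the names are really the alternative timer units shipped by the package (`dnf-automatic-notifyonly.timer`, `dnf-automatic-download.timer`, alongside `dnf-automatic-install.timer`). Suggest naming them as timers and noting they are enabled the same way as `dnf-automatic.timer` in the "Configuration" section, so the reader knows how to act on the advice. Also, replacing `update: 05-may-2022` with `tested with: 8.5` removes the only date from the front matter; keeping both would preserve the revision date the first patch recorded.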
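Review bot: In the second patch's last hunk, "Then activate the timer associated to the service" should read "associated with the service", and "The process under CentOS 7 is similar but uses: `yum-cron`." reads awkwardly with the colon; suggest "The process under CentOS 7 is similar but uses a different tool, `yum-cron`." This hunk is also cut off after `$ sudo yum install yum-cron`, so the remainder of the CentOS 7 section's rewording could not be reviewed here.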