Automating Security Updates on openSUSE: How to Set Up zypper-cron

Keeping your Linux system secure and up-to-date is crucial, not just for functionality but also to patch security vulnerabilities that could be exploited by attackers. openSUSE, a popular Linux distribution, uses the zypper command-line tool as its package manager for installing, updating, and managing packages. To simplify the update process—ensuring it happens regularly without manual intervention—you can set up zypper-cron, a cron-based background service that automatically runs zypper update operations.

In this blog post, we'll guide you through setting up zypper-cron on openSUSE and touch upon how to manage updates in other Linux distributions like those using apt and dnf.

Setting up zypper-cron on openSUSE

Step 1: Installation

First, you need to install the zypper-cron package. Open your terminal and execute the following command:

sudo zypper install zypper-cron

Step 2: Configuration

After installing zypper-cron, it’s time to configure it to suit your preferences for how often and what types of updates it should handle.

Edit the main configuration file: Open /etc/sysconfig/zypp-cron in your preferred text editor with superuser privileges:
```
sudo vim /etc/sysconfig/zypp-cron
```
Modify settings: You can adjust settings such as whether to auto-update, auto-clean the cache, and which types of updates to apply (security updates, patches, all updates, etc.).
Set the cron schedule: By default, zypper-cron will add its own entries to the root’s crontab. You can tweak the actual schedule by editing these cron entries:
```
sudo crontab -e
```
Look for entries that start with comments # zypp-cron. Adjust the schedule using the standard cron format.

Step 3: Enable and Start the Service

Enable zypper-cron to start at boot and then start the service:

sudo systemctl enable zypper-cron.service
sudo systemctl start zypper-cron.service

Step 4: Testing

Test if zypper-cron is working by checking the logs:

journalctl -u zypper-cron.service

This will show you the service logs, where you can verify that updates are being applied automatically as configured.

Managing Updates on Other Distributions

While zypper-cron is specific to openSUSE and SUSE Linux Enterprise, other distributions use different tools for automated updates. Here’s a quick overview:

Debian/Ubuntu Systems (APT)

On Debian-based distributions, automatic updates can be managed with the unattended-upgrades package.

Install unattended-upgrades:
```
sudo apt install unattended-upgrades
```
Configure the package:

Configuration files are located in /etc/apt/apt.conf.d/. The primary configuration file is 50unattended-upgrades, where you can specify which updates to automatically apply.
Enable and start the service:

Debian and Ubuntu typically enable this package by default upon installation, but you can always check and modify its settings to best fit your needs.

Fedora, CentOS/RHEL Systems (DNF)

For distributions using dnf, such as Fedora and RHEL-based systems, the dnf-automatic package is used.

Install dnf-automatic:
```
sudo dnf install dnf-automatic
```
Configure automatic updates:

Edit /etc/dnf/automatic.conf to set your preferences regarding the automatic update behaviors.

Enable and start the service:

sudo systemctl enable --now dnf-automatic.timer

Each of these tools and configurations help maintain the security and stability of your system by ensuring that it remains updated with the latest patches and fixes. Although the exact setup differs per package manager, the underlying principle of automating software updates is consistent and critical across all Linux distributions.