Every system administrator faces the same question: when and how should security patches be applied? For a handful of servers, manual patching is manageable. For fleets of servers (or even just the machines you manage personally), automatic updates start to make sense for at least the security patch category.
The debate about automatic updates is well-covered elsewhere: Fedora maintains an opinionated list of reasons to use them and an equally opinionated list of reasons not to. The short version: automatic updates are appropriate for non-mission-critical systems where the cost of an unpatched vulnerability exceeds the risk of an update breaking something. For critical production systems, a proper patch management pipeline with testing is the right answer.
Here’s how to enable security-only automatic updates on the major Linux families.
openSUSE Link to heading
openSUSE uses Automatic Online Update, configured via YaST.
Install the configuration module:
zypper install yast2-online-update-configuration
Configure it:
yast2 online_update_configuration

Set it to check and install only Security updates weekly, and skip Interactive Patches (patches that require administrator confirmation, such as updates that restart critical services). Also enable delta RPMs to reduce bandwidth.
Updated 2026: If you’re running openSUSE Leap or Tumbleweed with transactional updates (e.g., on MicroOS or any immutable variant), use automatic transactional updates instead.
rebootmgrhandles automatic reboots when transactional updates are installed.
CentOS 7 / RHEL 7 Link to heading
Install yum-cron:
yum -y install yum-cron
Edit /etc/yum/yum-cron.conf to install only security updates:
update_cmd = security
apply_updates = yes
Enable and start the service:
systemctl enable --now yum-cron.service
Updated 2026: CentOS 8 reached end-of-life in December 2021. CentOS Stream, AlmaLinux, and Rocky Linux are the current successors.
yum-cronis not available on EL8+; usednf-automaticinstead (see below).
Fedora and CentOS 8+ / RHEL 8+ / AlmaLinux / Rocky Linux Link to heading
Install dnf-automatic:
dnf install -y dnf-automatic
Edit /etc/dnf/automatic.conf to install security updates only:
upgrade_type = security
Enable the systemd timer:
systemctl enable --now dnf-automatic.timer
Debian and Ubuntu Link to heading
Install unattended-upgrades:
apt install unattended-upgrades
Enable automatic list updates and upgrades in /etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Configure the allowed repositories in /etc/apt/apt.conf.d/50unattended-upgrades. For security-only updates on Debian:
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
For Ubuntu, the default configuration already includes the security repository, so you may not need to change anything beyond enabling the package.
Final notes Link to heading
Each distribution offers additional options worth exploring: email notifications when updates are applied, package exclusion lists, and scheduling controls. The examples above are a starting point; read the documentation for your distribution to tune them to your situation.