Automating OS Security Updates on RHEL 9 / Rocky Linux 9
Self-hosted Nanitor instances run on a server you own and maintain. This means OS-level security patching is your responsibility. RHEL 9 provides dnf-automatic for this purpose — it applies security-classified updates automatically on a schedule.
This is independent of Nanitor Server upgrades. For upgrading the Nanitor Server package itself, see Upgrading Nanitor Server on RHEL 9 / Rocky Linux 9.
Install and Configure dnf-automatic
dnf install -y dnf-automatic
Edit /etc/dnf/automatic.conf and set:
upgrade_type = security
download_updates = yes
apply_updates = yes
Enable the Timer
systemctl enable --now dnf-automatic-install.timer
Verify
systemctl list-timers | grep dnf-automatic
You should see the timer listed with its next scheduled run time.
Check Logs
journalctl -u dnf-automatic-install.service -n 100 --no-pager
Kernel updates may require a reboot
If security updates include a new kernel, the server will continue running the old kernel until the next reboot. Plan reboots according to your maintenance policy.
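The settings, timer and reboot state above can be checked in one pass. The following is an added example, not part of the original page or of Nanitor's tooling. It assumes the three keys live in the [commands] section of automatic.conf and that needs-restarting (from yum-utils) is installed; the function names and sample config are constructed for illustration.

```shell
# Added example (not from the original page): audit dnf-automatic settings.
# ini_get FILE SECTION KEY: print the last, lower-cased value of KEY in [SECTION].
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); in_s = ($0 == s); next }
        in_s && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            v   = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (key == k) val = tolower(v)
        }
        END { print val }' "$1"
}

# Check the three [commands] settings from this page; return 0 only if all match.
check_automatic_conf() {
    local file=${1:-/etc/dnf/automatic.conf} rc=0 want key actual
    for want in upgrade_type=security download_updates=yes apply_updates=yes; do
        key=${want%%=*}
        actual=$(ini_get "$file" commands "$key")
        case $actual in true|1|on) actual=yes ;; esac   # other dnf boolean spellings
        if [ "$actual" = "${want#*=}" ]; then echo "OK    $key = $actual"
        else echo "DRIFT $key = '$actual' (expected ${want#*=})"; rc=1; fi
    done
    return $rc
}

# Constructed sample (not a real host): the commented-out line and the
# [emitters] decoy must not hide that apply_updates is off in [commands].
sample_conf() {
    cat <<'EOF'
[commands]
upgrade_type = security
download_updates = yes
# apply_updates = yes
apply_updates = no
[emitters]
apply_updates = yes
EOF
}

# Host audit: config, timer, pending reboot (needs-restarting -r exits 1 if one is needed).
audit_host() {
    check_automatic_conf "$@" || return 1
    systemctl is-enabled --quiet dnf-automatic-install.timer || { echo "DRIFT timer not enabled"; return 1; }
    command -v needs-restarting >/dev/null || { echo "SKIP needs-restarting not installed"; return 0; }
    needs-restarting -r >/dev/null || echo "NOTE reboot required to load updated packages"
}
```

Run audit_host as root on the server; check_automatic_conf accepts an alternate file path, so it can also be pointed at a config held in version control.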
Two timers, two purposes
If you have also set up the Nanitor-specific systemd timer for automated Nanitor Server upgrades, both timers coexist safely — they operate independently and serve different scopes.