I am using rocky8.10 and configured to pull security updates through dnf. I see nd flog is printing “Automatic No security updates needed, but 123 updates available”, I am bit confused why dnf is not installing those security patches/updates as it see there are some updates available? I am missing anything?
systemctl list-timers --all | grep dnf-automaticWed 2026-01-14 06:55:23 UTC 12h left Tue 2026-01-13 06:05:26 UTC 12h ago dnf-automatic.timer dnf-automatic.service
dnf.log
grep "security updates" /var/log/dnf.*
/var/log/dnf.log:2025-12-30T06:45:58+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2025-12-31T06:04:58+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-01T06:16:35+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-02T06:48:58+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-03T06:51:31+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-04T06:23:33+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-05T06:27:59+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-06T06:34:59+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-07T06:02:00+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-08T06:20:08+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-09T06:34:26+0000 WARNING No security updates needed, but 124 updates available
/var/log/dnf.log:2026-01-11T06:27:36+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-12T06:37:00+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log:2026-01-13T06:05:34+0000 WARNING No security updates needed, but 123 updates available
/var/log/dnf.log.1:2025-12-09T06:32:06+0000 WARNING No security updates needed, but 105 updates available
/var/log/dnf.log.1:2025-12-10T06:17:57+0000 WARNING No security updates needed, but 105 updates available
Not all updates are security updates. Not all updates are tagged as security updates in the errata though there has been work to correct a lot of this.
IMO: You are recommended to update your system fully using dnf update. I would not fully rely on the security only updates feature of dnf.
OK. Thank you. But dnf updateinfo list security should only list security right ? and if your automatic config only enable security it should only look for security updates?
I also observed this, there are security patches available from cloud-kernal repo but dnf automatic is not installing them. This is in GCP (google cloud)
sudo dnf check-update --security
Last metadata expiration check: 0:00:21 ago on Tue 27 Jan 2026 07:45:02 PM UTC.
kernel.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-core.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-headers.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-modules.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-tools.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-tools-libs.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
Obsoleting Packages
kernel-headers.x86_64 4.18.0-553.51.1.el8_10.cloud.0.1 cloud-kernel
kernel-headers.x86_64 4.18.0-553.16.1.el8_10.cloud.0.1 @cloud-kernel
seems to state that this is not responsible for installing packages. There is another item called dnf-automatic-install.timer
which is responsible for downloading and installing. So just wondering if the correct ones are actually enabled or not? Now, when I just installed dnf-automatic, this is how it looks:
root@rhel8:/var/log# systemctl list-timers --all | grep -i dnf
Tue 2026-01-27 21:57:06 CET 40min left Tue 2026-01-27 20:22:53 CET 53min ago dnf-makecache.timer dnf-makecache.service
so nothing by default, but now when I enable the appropriate timer:
root@rhel8:/var/log# systemctl list-timers --all | grep -i dnf
Tue 2026-01-27 22:09:05 CET 52min left Tue 2026-01-27 20:22:53 CET 54min ago dnf-makecache.timer dnf-makecache.service
n/a n/a n/a n/a dnf-automatic-install.timer dnf-automatic-install.service
now you can see I have enabled the timer to take care of downloading and installing.
sudo systemctl list-timers --all | grep -i dnf
Wed 2026-01-28 00:32:30 UTC 1h 16min left Tue 2026-01-27 22:56:30 UTC 19min ago dnf-makecache.timer dnf-makecache.service
Wed 2026-01-28 06:05:36 UTC 6h left Tue 2026-01-27 06:27:44 UTC 16h ago dnf-automatic.timer dnf-automatic.service
the timer I enabled ran about 06:00 this morning, so when I now check my server with the same command:
root@rhel8:~# dnf check-update --security
Updating Subscription Management repositories.
Last metadata expiration check: 1:53:46 ago on Wed 28 Jan 2026 07:23:48 AM CET.
No security updates needed, but 1 update available
Security: kernel-core-4.18.0-553.97.1.el8_10.x86_64 is an installed security update
Security: kernel-core-4.18.0-553.94.1.el8_10.x86_64 is the currently running version
suggests that it works. The only change I made to /etc/dnf/automatic.conf was to choose only security updates. Then I left it to enabling the appropriate timer to ensure updates were downloaded and installed.
When I run a standard dnf update command, the remaining updates are:
root@rhel8:~# dnf update
Updating Subscription Management repositories.
Last metadata expiration check: 1:55:00 ago on Wed 28 Jan 2026 07:23:48 AM CET.
Dependencies resolved.
========================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================
Upgrading:
shim-x64 x86_64 15.8-6.el8_10 rhel-8-for-x86_64-baseos-rpms 467 k
Transaction Summary
========================================================================================================================
Upgrade 1 Package
Total download size: 467 k
so would suggest that when using dnf-automatic-install.timer it works correctly. I haven’t tried the one you enabled, but perhaps it would be better for you to try the one I used.
I’d have to repeat this on Rocky 8, since this is RHEL8, but assuming both are the same in terms of marking the appropriate update packages correctly as security updates, then it should work just the same as my above example.
As per rhel doc - `dnf-automatic.timer: Downloads, downloads and installs, or reports available updates.` so just enabling should do the download and install not sure the necessity of enabling install timer but any way i will try to enable that and see if it works.
Yes, in theory it should - unless something is broken with it. Hence the reason for asking to use the other timer and see if there is any difference in behaviour.
But I still didnt see it installed the security updates.
DNF logs:
2026-01-28T18:34:27+0000 DEBUG Started dnf-automatic.
2026-01-28T18:34:27+0000 DEBUG Sleep for 0 seconds
2026-01-28T18:34:27+0000 DEBUG Unknown configuration option: http_caching = none in /etc/yum.repos.d/ops.repo
2026-01-28T18:34:27+0000 DEBUG Unknown configuration option: http_caching = none in /etc/yum.repos.d/ops.repo
2026-01-28T18:34:27+0000 DEBUG Waiting for internet connection...
2026-01-28T18:34:27+0000 DEBUG User-Agent: constructed: 'libdnf (Rocky Linux 8.10; generic; Linux.x86_64)'
2026-01-28T18:34:27+0000 DEBUG repo: using cache for: cloud-kernel
2026-01-28T18:34:27+0000 DEBUG cloud-kernel: using metadata from Mon 09 Jun 2025 04:59:53 PM UTC.
2026-01-28T18:34:27+0000 DEBUG reviving: 'opsbase' can be revived - repomd matches.
2026-01-28T18:34:27+0000 DEBUG opsbase: using metadata from Tue 10 Dec 2024 12:31:48 AM UTC.
2026-01-28T18:34:27+0000 DEBUG repo: using cache for: ops-thirdparty
2026-01-28T18:34:27+0000 DEBUG ops-thirdparty: using metadata from Tue 18 Nov 2025 12:00:06 PM UTC.
2026-01-28T18:34:27+0000 DEBUG repo: using cache for: ops-repo
2026-01-28T18:34:27+0000 DEBUG ops-repo: using metadata from Wed 28 Jan 2026 05:26:34 PM UTC.
2026-01-28T18:34:27+0000 DEBUG repo: using cache for: appstream
2026-01-28T18:34:27+0000 DEBUG appstream: using metadata from Sat 24 Jan 2026 03:02:41 AM UTC.
2026-01-28T18:34:27+0000 DEBUG repo: using cache for: baseos
2026-01-28T18:34:28+0000 DEBUG baseos: using metadata from Sat 24 Jan 2026 03:02:54 AM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: extras
2026-01-28T18:34:28+0000 DEBUG extras: using metadata from Fri 23 Jan 2026 10:27:37 PM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: ops-integration
2026-01-28T18:34:28+0000 DEBUG ops-integration: using metadata from Wed 28 Jan 2026 05:26:34 PM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: epel
2026-01-28T18:34:28+0000 DEBUG epel: using metadata from Tue 27 Jan 2026 06:50:01 AM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: google-compute-engine
2026-01-28T18:34:28+0000 DEBUG google-compute-engine: using metadata from Fri 26 Nov 1982 08:12:17 AM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: google-cloud-sdk
2026-01-28T18:34:28+0000 DEBUG google-cloud-sdk: using metadata from Thu 19 Oct 1978 12:02:11 PM UTC.
2026-01-28T18:34:28+0000 DEBUG repo: using cache for: google-cloud-cli
2026-01-28T18:34:28+0000 DEBUG google-cloud-cli: using metadata from Fri 15 Jul 2022 03:24:15 PM UTC.
2026-01-28T18:34:28+0000 DDEBUG timer: sack setup: 1261 ms
2026-01-28T18:34:28+0000 WARNING No security updates needed, but 137 updates available
2026-01-28T18:34:29+0000 DDEBUG timer: depsolve: 135 ms
2026-01-28T18:34:29+0000 DDEBUG Cleaning up.
2026-01-28T18:34:29+0000 DDEBUG Plugins were unloaded.
It works in RHEL8, which would suggest that this is a bug in Rocky 8 if it’s not behaving the same. In one of my previous posts here, I checked the list of packages before and after, and they were all installed, including the kernel. With the exception of one package because it wasn’t a security update.
