RPM is the package manager tool in Linux. YUM is a repository management tool to fetch appropriate package for the particular version of Linux. YUM performs automatic dependency resolution when updating, installing or removing packages, and thus is able to automatically determine, fetch and install all available dependent packages. This posting is about common commands used for package management. Then we walk through the step to set up a local yum repository. Lastly, we summarize the best practice for patch management.
Tools
In addition to the basic yum install, update and remove commands, here are some more tools for repository management:
## check for installed packages with updates available
yum check-update
## search for packages
yum search package.name
## check for dependency
yum deplist package.name
## list installed or available packages:
yum list installed package.name
yum list available package.name
## list all available packages of a repo:
yum --disablerepo=* --enablerepo=repo.name list available
## display package info
yum info package.name
## list all repositories
yum repolist
yum repoinfo
## list all transactions
yum history list all
## display history of a package or transaction id
yum history package-list package.name
yum history info package.name
yum history info transaction.id
## undo or redo a transaction
yum history undo transaction.id
yum history redo transaction.id
RHEL provides a more complete cheatsheet for yum commands.
In addition to single package, YUM also manages package groups, and works with plugins. For example, you may enable security related packages only by using the yum-plugin-security. For security, YUM repositories can enable GPG check (based on public key cryptography).
Local Repo configuration
Now we configure a YUM repository server and reference that from a client to update packages. To begin with, we collect all RPM packages in /home/dhunch/upgrade/downloads/, then we install createrepo package and use it to create metadata:
yum install createrepo yum-utils
createrepo /home/dhunch/upgrade/downloads/
Examine the directory and you will find a new repodata directory created. Now we can configure nginx with the following configuration:
server {
listen 8088;
server_name rpmsource.digihunch.com;
root /home/dhunch/upgrade/downloads/;
location / {
autoindex on; #enable listing of directory index
}
}
Restart nginx and browse to server name at port 8088, you should see the directory in html. If you’re getting 403 error, most likely nginx has issues accessing the directory. Nginx process should be able to traverse each level of directory to serve the files. The parent directories should have executable permission for others. For example:
chmod o+x /home/dhunch/
Here is a reference to nginx permission requirement. Now we can continue to configure the client.
On the client, we need to add a file in /etc/repos.d/yum
[digirepo]
name=Local YUM Repository
baseurl=http://rpmsource.digihunch.com:8088/
enabled=1
gpgcheck=0
Last we can check the available packages from the client:
yum --disablerepo=* --enablerepo=digirepo list available
Note that in order to keep the local repo up-to-date, there is additional maintenance work on the server. You may need to sync from official source, such as:
reposync -g -l -d -m --repoid=base-source --newest-only --download-metadata --download_path=/home/dhunch/upgrade/downloads/
You may also need to set up a daily job with yum-cron service so this is automated.
Sometimes the server is locked down and you need HTTP proxy to allow YUM to access repo. You may configure proxy in /etc/yum.conf in the proxy, proxy_username, and proxy_password entries. Also, you may export environment variable http_proxy. Here are more information.
Sometimes yum cache may introduce issues. To clean cache before installing, run:
yum clean all && yum -y install python3
Python packages
Python3 is not installed by default on CentOS 7. So it needs to be installed with YUM. Do not replace the existing python2 with python3 by changing where symbolic link /bin/python points to, because YUM is dependent on python2.
For python3 use pip3 as package management. If the server does not have a public route, then you need to install pip3 package offline. For example, on a server with Internet, run
pip3 download -d ~/Downloads javaobj-py3
Then SCP the file to the offline server (e.g. to /home/dhunch/javaobj/), from which you can run:
pip3 install --no-index --find-links=/home/dhunch/javaobj/ javaobj-py3 --user
This will install the pip3 package offline. Note it is recommended to not run pip3 installer as root user. The switch –user allows you to run as non-root user.
Best Practices
To configure a patch management environment, we assume that the servers do not have access to the Internet, not even through proxy. This should be part of the security guideline anyways.
This requires a local repository server to be setup. Administrators may use createrepo tool as outline above to create such repo, use reposync to synchronize local source from official source, or yum-cron to automate this for daily task.
On the clients, administrators should manage the repo file in /etc/yum.repo.d, to ensure they are pointing to the correct source, using gpg check, etc. A local script to enable and disable different repos are also helpful. Otherwise, the enabelrepo and disablerepo switch can be used per command.
It is important to catalogue the state of operating system, before and after each patching activity, for verification and auditing purposes. This usually requires scripting work using yum history or package-cleanup tools.
The actual patch work can be done either manually or automatically (e.g. with Ansible’s yum module). RPM is also a good tool for troubleshooting. If the scope of patching is only for security, use the yum-plugin-security to limit the packages to only security related ones.
Roll-back should be prepared in case of inadvertent outcome. Roll-back scripting relies heavily on yum history commands. If the OS needs to boot with a previous kernel, use the grubby tool.
Happy Patching!