Linux Home Server HOWTO

Chapter 7 - Package Management

Yum Update Manager
Changing Your Mirror

One of the worst thoughts any system administrator can have is the possibility of unauthorised individuals gaining privileged access to their information systems. It doesn't matter how detailed and complex the security system is, but if they're running applications that have known bugs and vulnerabilities, then there is a risk.

A 'bug' is the term used to define when an application or system does not perform the way it was expected to against known criteria, like when a program crashes with a system error message after you pressed the print button (normally just before you saved it). A 'vulnerability' is the term used when that bug can be exploited in a particular way, that it is possible to affect the host system. By only running the desired applications needed for the host computer to achieve its task, and by ensuring these packages are updated against known vulnerabilities, then the chances of system exploitation can be greatly reduced.

Although your favourite Linux distribution may have just released its latest version, it is likely that by the time you are ready to install the operating system that there are already updated packages available. It is therefore good practice to update your packages before you continue configuring your systems and then keep them maintained on a regular basis.

Yum Update Manager

Versions:	yum 2.6.1
	yumex 0.99.13 - (Graphical User Interface for YUM)

YUM is a command line application used to update the RPM packages on your Fedora system. With one command yum can update all of the installed applications on the host machine, it can also be configured to operate automatically during the night, ensuring your system stays up to date and vulnerability free.

The update manager will also solve any package dependency problems during the procedure and ask for confirmation before processing, or may automatically install the dependencies as required.

The yum configuration is separated into two main parts; a configuration file for the update manager (/etc/yum.conf) and separate configuration files for each repository that yum can connect to for updates, as seen below:

[bash]# vi /etc/yum.conf

[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800
retries=20

The [main] section (above) details the global configuration environment for the yum package manager, while individual repositories (below) are configured in separate files which are located in the "/etc/yum.repos.d/" directory. Activating the following three repositories are the minimum requirements to implement yum effectively; they are activated by default.

The fedora-core.repo file details the [core] configuration, which specifies where to locate the original installation RPMs that shipped with your version of Fedora.

[bash]# vi /etc/yum.repos.d/fedora-core.repo

[core]
name=Fedora Core $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora file:///etc/pki/rpm-gpg/RPM-GPG-KEY

The fedora-updates.repo file details the [updates] configuration, which specifies the location of any updated or newer RPMs than what where originally installed from the [core] repository.

[bash]# vi /etc/yum.repos.d/fedora-updates.repo

[updates]
name=Fedora Core $releasever - $basearch - Updates
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/updates/$releasever/$basearch/
mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

The fedora-extras.repo file details the [extras] configuration; this is repository of extra "niche" programs and applications that are considered external to the Fedora mainstream base applications, like "xmms" (MP3 Player) and "wine" (Windows API Emulator).

[bash]# vi /etc/yum.repos.d/fedora-extras.repo

[extras]
name=Fedora Extras $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras

You should note that by default these repositories are initially configured to use a list of mirrors, this load balances the repositories to ensure that individual servers are not always wearing the full load when remote clients are updating their files. Specific servers can be configured later which may provide a faster download source than a random mirrored server list; see next section.

Some of the specific parameters for the repositories are:

name	Specifies a 'friendly' name for the repository
baseurl	The full URL to the packages. Can be http:// ftp:// or file://
mirrorlist	Details the URL to locate a list of mirror servers
enabled	Sets the repository as (in)active for updates
gpgcheck	Confirms that all packages should be cryptographically verified - highly advisable
gpgkey	Specifies the file and location where the cryptographic signature can be checked for each package being installed.

There may be occasions where it is inconvenient to install or upgrade certain packages (if you have a custom kernel for example), then these packages can be excluded from updating using a 'space separated' exclude parameter in the configuration file. The exclude statement can be located in the main section which stops all updates, or in one of the individual repository sections to stop that server providing the updated package.

[bash]# vi /etc/yum.conf

[main]
exclude=kernel kernel-smp samba*

All Fedora packages downloaded by yum from an authorised mirror site are cryptographically (or digitally) signed by the Red Hat or Fedora Project asymmetric key pairs. What this means is that all the packages contain a digital signature to ensure what you are downloading and installing originally comes from the Fedora Project and should not have been tampered with somewhere out on the Internet. The first time that yum downloads a package from either of the core, update or extras repositories, the cryptograph key that verifies the downloaded package is installed onto the system.

The cryptographic keys can be installed manually prior to use if need be, by executing each of the following commands at the command prompt. You may also wish to check the validity (fingerprint) of the public keys yourself by viewing the Fedora GPG Keys information online (the keys are also available in the root directory of your CD/DVD media).

[bash]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
[bash]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
[bash]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras

This list details some of the more common yum commands you will most likely require to maintain your system.

Some YUM Commands	Explanations
[base]# yum list	List all available packages
[base]# yum list http*	List all packages starting with "http"
[base]# yum check-update	Check for available updates
[base]# yum update	Update all available packages
[base]# yum update samba*	Update only the samba packages
[base]# yum install httpd	Install the httpd package
[base]# yum install xmms wine	Install both the xmms and wine packages
[base]# yum -y install httpd	Install package (answering yes to all questions)
[base]# yum provides httpd.conf	List package name that provides the "httpd.conf" file
[base]# yum clean all	Removes cached packages and RPM headers from system
[base]# yum remove http*	Uninstalls all packages starting with "http"
[base]# /etc/init.d/yum start	Start the nightly updating service
[base]# chkconfig yum on	Enabling yum service on runlevels

Always take care when using any automated update service. Some updated packages may have different configurations and operating requirements than the ones that are currently installed. Always check which packages you have updated to ensure they function as they were originally configured.

To save time when installing individual packages, yum can be called to install, update or remove whole groups of applications all at once, this can be done using the following group commands.

Some YUM Group Commands	Explanations
[base]# yum grouplist	List all groups which have packages for installation
[base]# yum groupinfo "System Tools"	List all packages in the "System Tools" group
[base]# yum groupinstall "System Tools"	Install all of the default packages in the "System Tools" group
[base]# yum groupupdate "Office/Productivity"	Update all available packages within the "Office/Productivity" group

Changing Your Mirror

Yum is initally configured to use a mirror list, which is a listing of servers that holds a replicated set of the Fedora RPMs. When the update manager uses a mirror list, they select a random server from the list each time the execute an update, this allows many more locations from which to access the available packages, and releases the strain on the master repository servers.

For some reason you may need to use a particular server for your package manager to connect, say if some of the other mirrors are busy or slow, or your local ISP has a mirror allowing for unlimited downloads against your usage quota. There are many reasons why you might wish to assign your own server, and it's relatively easy to do.

The Fedora website maintains a list of all the mirror sites organised by country location. Use the list to locate a mirrored source that is closest to you, and follow the directions below to configure your particular package manager.

Many ISPs provide FTP and other mirror services to their customers. Check your ISP, they may have a locally mirrored repository.

It can sometimes be a little trouble for users to locate the exact baseurl to use when manually configuring a yum mirror, so here is an explanation to assist. The $releasever variable means which release you are using, so Fedora Core 5 would simply be '5'. The $basearch variable refers to the architecture of your physical computer, and will be either i386 or x86_64.

To locate the [core] repository, open up your selected mirror in a browser and follow the file structure similar to "../$releasever/$basearch/os/". Inside that directory you should now see another directory called "headers" - bingo, now cut and paste the URL from your browser into your "fedora-core.repo" file (not including the headers directory).

[bash]# vi /etc/yum.repos.d/fedora-core.repo

[core]
name=Fedora Core $releasever - $basearch
baseurl=http://mirror.pacific.net.au/linux/fedora/linux/core/$releasever/$basearch/os/
http://mirror.optus.net/fedora/core/$releasever/$basearch/os/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora file:///etc/pki/rpm-gpg/RPM-GPG-KEY
failovermethod=priority

The [updates] repository is similarly easy to locate, and should follow a file structure similar to "..updates/$releasever/$basearch/". Same as before, locate the "headers" directory then copy the URL from your browser into the "fedora-updates.repo" file (not including the headers directory).

[bash]# vi /etc/yum.repos.d/fedora-updates.repo

[updates]
name=Fedora Core $releasever - $basearch - Updates
baseurl=http://mirror.pacific.net.au/linux/fedora/linux/core/updates/$releasever/$basearch/
http://public.planetmirror.com/pub/fedora/linux/core/updates/$releasever/$basearch/
ftp://ftp.pipenetworks.com/pub/fedora/linux/updates/$releasever/$basearch/
http://mirror.optus.net/fedora/core/updates/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
failovermethod=priority

The [extras] repositories uses the same naming conventions as the [updates] configuration file, so you should be able to find some locally available mirrors that are easy to configure for your needs. Remember to remove or comment out the "mirrorlist" entry for the baseurl entries will not work.

[bash]# vi /etc/yum.repos.d/fedora-extras.repo

[extras]
name=Fedora Extras $releasever - $basearch
baseurl=http://mirror.pacific.net.au/linux/fedora/linux/extras/$releasever/$basearch/
http://public.planetmirror.com/pub/fedora/linux/extras/$releasever/$basearch/
ftp://ftp.pipenetworks.com/pub/fedora/linux/extras/$releasever/$basearch/
http://mirror.optus.net/fedora/extras/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
failovermethod=priority

The above two configurations now use four (baseurl) locally configured mirrors which will be randomly checked for updates. By specifying the "failovermethod=priority" option, it tells yum to query the three mirrors in the order they have been listed for the repository.

Your configured repositories should now resemble the three above examples, be sure to remove the "mirrorlist" entries (or comment them out). You should now save your configuration changes and test your new yum mirrors.

Home