
Back to basics – Creating a centralised yum/dnf repository

Posted in CentOS 7, Fedora, Linux, RHEL 7, System Administration

So far in the “Back to Basics” series (if you can call it that), I’ve covered setting up a local yum repository, creating an internal DNS server and creating a DHCP server.  Oh, and also then correcting the fact that I had missed the reverse DNS zone for my lab network!  Doh!!!  Now, none of this was by accident (except the reverse zone mishap).

In an isolated network, access to installation media can be essential, DNS and DHCP are pretty much standard in all environments (there are some exceptions), and all are pretty much mandatory in order to get your network up and running.

The ultimate aim of this series is to end up with a server which can be used to build more servers and/or clients into the lab network that I am setting up.

Before we can reach this goal, there are a few outstanding things to tackle;

  • Making our local repository readable from within our network (this article)
  • Setting up a TFTP server and confirming it works
  • Enabling PXE booting functionality via DHCPd
  • Customising our installs using Kickstart

The above will then provide a basic but functional method of deploying more servers and clients into the lab environment across the network. It removes the need for monkeying around with ISO images and USB sticks (if you were to do similar in a real network) and, once tested, removes the human errors that can be introduced when manually installing an OS multiple times.

So what do we need?

  • Apache (a.k.a. httpd)

Installing Apache

Given that I set up a local yum repository based on the installation media, it couldn’t be simpler.

[toby@rhc-server ~]$ sudo yum install httpd
Loaded plugins: fastestmirror
baselocal                                                                                                            | 3.6 kB  00:00:00
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-17.el7.centos.1 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-17.el7.centos.1 for package: httpd-2.4.6-17.el7.centos.1.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-17.el7.centos.1.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.centos.1.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.centos.1.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-17.el7.centos.1 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                         Arch                       Version                                     Repository                     Size
============================================================================================================================================
Installing:
 httpd                           x86_64                     2.4.6-17.el7.centos.1                       baselocal                     2.7 M
Installing for dependencies:
 apr                             x86_64                     1.4.8-3.el7                                 baselocal                     103 k
 apr-util                        x86_64                     1.5.2-6.el7                                 baselocal                      92 k
 httpd-tools                     x86_64                     2.4.6-17.el7.centos.1                       baselocal                      77 k
 mailcap                         noarch                     2.1.41-2.el7                                baselocal                      31 k

Transaction Summary
============================================================================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 3.0 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                        12 MB/s | 3.0 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64                                                                                                   1/5
  Installing : apr-util-1.5.2-6.el7.x86_64                                                                                              2/5
  Installing : httpd-tools-2.4.6-17.el7.centos.1.x86_64                                                                                 3/5
  Installing : mailcap-2.1.41-2.el7.noarch                                                                                              4/5
  Installing : httpd-2.4.6-17.el7.centos.1.x86_64                                                                                       5/5
  Verifying  : mailcap-2.1.41-2.el7.noarch                                                                                              1/5
  Verifying  : httpd-2.4.6-17.el7.centos.1.x86_64                                                                                       2/5
  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                                              3/5
  Verifying  : apr-1.4.8-3.el7.x86_64                                                                                                   4/5
  Verifying  : httpd-tools-2.4.6-17.el7.centos.1.x86_64                                                                                 5/5

Installed:
  httpd.x86_64 0:2.4.6-17.el7.centos.1

Dependency Installed:
  apr.x86_64 0:1.4.8-3.el7   apr-util.x86_64 0:1.5.2-6.el7   httpd-tools.x86_64 0:2.4.6-17.el7.centos.1   mailcap.noarch 0:2.1.41-2.el7

Complete!

Confirm file and folder permissions

[toby@rhc-server ~]$ ll -Z /software/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 centos7

One thing to consider here is SELinux.

Before you run for the hills screaming, just take a deep breath and embrace something that by default will make your server more secure. Yes, it does have a bit of a learning curve, but doesn’t everything?

I’m a believer in using the tools available to ensure I end up with a secure and stable environment.  SELinux is one of those things which for many years I avoided like the plague but to be honest, that was due to me not having had the time to properly understand what it does and how it does it.

After spending some time tinkering with it, it didn’t seem half as scary.  For sure, it complicates things a little when you come to troubleshoot permission issues, but then everything is more contained.

Let’s make sure that the directory containing the installation media, which is in a non-standard location (as far as Apache is concerned), has the correct SELinux context assigned to the folder structure.  The easiest way is to copy the existing SELinux context from /var/www/html, and here is the command to do that;

[root@rhc-server ~]# cd /var/www/
[root@rhc-server www]# ll -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
[root@rhc-server www]# chcon -R --reference=/var/www/html/ /software/centos7
[root@rhc-server www]# ll -Z /software/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 centos7
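
A label set with chcon lasts only until the next restorecon or filesystem relabel, which puts the policy default back on the path. The sketch below is an added example, not part of the original post: it records the same type as a local file-context rule using the standard semanage, restorecon and matchpathcon tools. The function name label_repo_dir is hypothetical.

```shell
#!/bin/sh
# Added example: keep the repo tree's SELinux label across relabels.
# chcon changes only the label stored on the files; restorecon or a full
# filesystem relabel resets it to whatever the policy says for that path.

REPO_DIR="/software/centos7"        # path from the article
REPO_TYPE="httpd_sys_content_t"     # type the article copied from /var/www/html

# label_repo_dir DIR TYPE (hypothetical helper name)
# Adds a file-context rule to the local policy, applies it to the tree,
# then asks matchpathcon to compare the on-disk label with the policy.
label_repo_dir() {
    dir=${1%/}
    ctx_type=$2
    pattern="${dir}(/.*)?"          # the directory and everything below it

    # -a adds a new rule; if one already exists for this pattern, modify it
    semanage fcontext -a -t "$ctx_type" "$pattern" 2>/dev/null ||
        semanage fcontext -m -t "$ctx_type" "$pattern" || return 1

    restorecon -R "$dir" || return 1    # relabel from policy, not by hand
    matchpathcon -V "$dir"              # reports whether label and policy agree
}

# Usage (as root): label_repo_dir "$REPO_DIR" "$REPO_TYPE"
```
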

As you can see, we now have the right context associated with the centos7 directory. Now we need to make sure the httpd.conf file is updated to present the centos7 directory and its contents to the outside world.

Rather than modifying the httpd.conf file itself, it is recommended that you create your own .conf files in /etc/httpd/conf.d/, which will be loaded after the initial httpd.conf file.  I created a single test file as follows;

[toby@rhc-server ~]$ cat /etc/httpd/conf.d/software.conf
Alias "/centos7" "/software/centos7"

<Directory /software/centos7>
Options +Indexes

Order allow,deny
Allow from all
Require all granted
</Directory>

Screenshot showing successful directory listing from client machine of centos7 media

The Alias allows you to point to a directory which is outside of Apache’s DocumentRoot (typically set to /var/www/html).  The Directory block contains two things of note.  First, for testing I have added the “Options +Indexes” so that when I try to connect from a web browser on my client machine, I can confirm that I can see the contents of the repository directory.  The second chunk of config, starting “Order allow,deny…”, is there so that Apache will allow connections to this non-standard location.

One thing I did have to do, that I haven’t stated above is allow HTTP connections through the firewall.

This was accomplished by way of a simple one liner;

[toby@rhc-server ~]$ sudo firewall-cmd --zone=public --add-service=http

Note.  To make this new firewall rule permanent you need to use the “--permanent” firewall-cmd option on the command line.  I added this afterwards once I was happy that everything was working.

Configuring a yum .repo file to access the centralised software repository

This is very similar to the steps taken when I set up the local yum repository.  The only difference this time is that I’ll give it a more meaningful name and the location will be an http:// address rather than a file:/// one.

So here is what I have put together;

[root@rhc-client yum.repos.d]# cat CentOS-lab-Media.repo
[th_lab_server]
baseurl=http://rhc-server.lab.tobyheywood.com/centos7/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

And then, as the saying goes, the proof is in the pudding;

[root@rhc-client yum.repos.d]# yum repolist
Loaded plugins: fastestmirror, langpacks
Repository 'th_lab_server' is missing name in configuration, using id
th_lab_server                                                                                                        | 3.6 kB  00:00:00
(1/2): th_lab_server/group_gz                                                                                        | 157 kB  00:00:00
(2/2): th_lab_server/primary_db                                                                                      | 4.9 MB  00:00:00
Loading mirror speeds from cached hostfile
repo id                                                            repo name                                                          status
th_lab_server                                                      th_lab_server                                                      8,465
repolist: 8,465

Oops, now it would appear I haven’t added a name parameter in the dot repo file.  Let me correct that…

[root@rhc-client yum.repos.d]# cat CentOS-lab-Media.repo
[th_lab_server]
name="CentOS7 Media on rhc-server.lab.tobyheywood.com"
baseurl=http://rhc-server.lab.tobyheywood.com/centos7/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

And now if I run the command “yum repolist” again, it should return the list of enabled repositories without complaining. Oh, and the repo name column will also show my desired name for my network-enabled repository (a shorter name may be better);

[root@rhc-client yum.repos.d]# yum repolist
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
repo id                                          repo name                                                              status
th_lab_server                                    "CentOS7 Media on rhc-server.lab.tobyheywood.com"             8,465
repolist: 8,465
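
The repo file above is served over plain HTTP, so gpgcheck=1 and the gpgkey line are what authenticate the packages a client installs. The following check is an added example, not part of the original post: a small shell/awk audit (the function names audit_repo and demo are hypothetical) that flags a missing name=, a section without gpgcheck=1, and plain-http baseurls. Its second sample section is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the security-relevant keys in a yum .repo file.

# audit_repo FILE: print one finding per line as "<repo id>: LEVEL message".
audit_repo() {
    awk '
    function report() {
        if (id == "") return
        if (!("name" in kv))
            print id ": WARN no name= (yum falls back to the repo id)"
        if (kv["gpgcheck"] != "1")
            print id ": FAIL gpgcheck=1 not set in this section"
        else if (!("gpgkey" in kv))
            print id ": WARN gpgcheck=1 but no gpgkey= to import"
        if (kv["baseurl"] ~ /^http:/)
            print id ": NOTE plain http, package signatures are the only authenticated check"
        split("", kv)                      # reset for the next section
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    /^\[.+\]/ { report(); id = $0; gsub(/^\[|\].*$/, "", id); next }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        kv[tolower(key)] = val
    }
    END { report() }
    ' "$1"
}

# demo: the first section is the initial repo file from the article (no name=
# yet); the second section is constructed to show a failing case.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[th_lab_server]
baseurl=http://rhc-server.lab.tobyheywood.com/centos7/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[constructed_unsigned]
name=Constructed example
baseurl=file:///mnt/example
gpgcheck=0
EOF
    audit_repo "$tmp"; rm -f "$tmp"
}

demo
```
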

And there we have it: a working centralised repository, if you don’t have access to Red Hat Satellite server or if you don’t want to install the open source version, Spacewalk.

I guess the final test would be to install a couple of packages;

[root@rhc-client yum.repos.d]# yum install iostat
Loaded plugins: fastestmirror, langpacks
th_lab_server                                                                                                        | 3.6 kB  00:00:00
Loading mirror speeds from cached hostfile
No package iostat available.
Error: Nothing to do
[root@rhc-client yum.repos.d]# yum whatprovides iostat
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
th_lab_server/filelists_db                                                                                           | 5.8 MB  00:00:00
sysstat-10.1.5-4.el7.x86_64 : Collection of performance monitoring tools for Linux
Repo        : th_lab_server
Matched from:
Filename    : /usr/bin/iostat

sysstat-10.1.5-4.el7.x86_64 : Collection of performance monitoring tools for Linux
Repo        : @anaconda
Matched from:
Filename    : /usr/bin/iostat

[root@rhc-client yum.repos.d]# yum install sysstat -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Package sysstat-10.1.5-4.el7.x86_64 already installed and latest version
Nothing to do

Ah, I guess a demo is never meant to go really smoothly, but this is probably better as it demonstrates some awesome functionality that yum has.

Line 3 shows that it has found my networked repo, line 5 shows that there is no such package in the repo, line 7 highlights a way to find the right package for the command you want to run, and lines 10 through 14 show conclusively that it has connected across the network to the repo and has found a suitable package called sysstat. In line 21, I’m trying to install the package, only to be told in line 24 that it’s already installed.

The really keen-eyed among you may have also spotted the @anaconda repo. This should have rung an alarm bell in my head to say, hey!  What are you doing?  It’s already installed!
