Task: Display list of updated software (security fix)
Type the following command at shell prompt:
# yum list updates
Task: Patch up system by applying all updates
To download and install all updates type the following command:
# yum update
Task: List all installed packages
List all installed packages, enter:
# rpm -qa
# yum list installed
Find out whether the httpd package is installed, enter:
# rpm -qa | grep httpd
# yum list installed httpd
Task: Check for and update specified packages
# yum update {package-name-1}
To check for and update httpd package, enter:
# yum update httpd
Task: Search for packages by name
Search httpd and all matching perl packages, enter:
# yum list {package-name}
# yum list {regex}
# yum list httpd
# yum list 'perl*'
Task: Install the specified packages [ RPM(s) ]
Install package called httpd:
# yum install {package-name-1} {package-name-2}
# yum install httpd
Task: Remove / Uninstall the specified packages [ RPM(s) ]
Remove package called httpd, enter:
# yum remove {package-name-1} {package-name-2}
# yum remove httpd
Task: Display the list of available packages
# yum list all
Task: Display list of group software
Type the following command:
# yum grouplist
Task: Install all the default packages by group
Install all 'Development Tools' group packages, enter:
# yum groupinstall "Development Tools"
Task: Update all the default packages by group
Update all 'Development Tools' group packages, enter:
# yum groupupdate "Development Tools"
Task: Remove all packages in a group
Remove all 'Development Tools' group packages, enter:
# yum groupremove "Development Tools"
Task: Install particular architecture package
If you are using a 64 bit RHEL version, it is possible to install 32 bit packages:
# yum install {package-name}.{architecture}
# yum install mysql.i386
Task: Display packages not installed via official RHN subscribed repos
Show all packages not available via subscribed channels or repositories, i.e. show packages installed via other repos:
# yum list extras
Task: Display what package provides the file
You can easily find out what RPM package provides the file. For example find out what provides the /etc/passwd file:
# yum whatprovides /etc/passwd
You can use the same command to list packages that satisfy dependencies:
# yum whatprovides {dependency-1} {dependency-2}
Refer to the yum command man page for more information:
# man yum
How To Download a RPM Package Using yum Command Without Installing On Linux
You need to install plugin called yum-downloadonly. This plugin adds a --downloadonly flag to yum so that yum will only download the packages and not install/update them. Following options supported by this plugin:
[a] --downloadonly : don't update, just download a rpm file
[b] --downloaddir=/path/to/dir : specifies an alternate directory to store packages such as /tmp
# yum install yum-downloadonly
Download httpd package but don't install/update, enter:
# yum update httpd -y --downloadonly
By default the package will be downloaded and stored in the /var/cache/yum/ directory. But you can specify an alternate directory to store packages such as /opt, enter:
# yum update httpd -y --downloadonly --downloaddir=/opt
Method # 2: yum-utils.noarch Package
yum-utils is a collection of utilities and examples for the yum package manager. It includes utilities by different authors that make yum easier and more powerful to use. These tools include: debuginfo-install, package-cleanup, repoclosure, repodiff, repo-graph, repomanage, repoquery, repo-rss, reposync, repotrack, verifytree, yum-builddep, yum-complete-transaction, yumdownloader, yum-debug-dump and yum-groups-manager.
# yum -y install yum-utils.noarch
Now use the yumdownloader command which is a program for downloading RPMs from Yum repositories. Type the following command to download httpd rpm file:
# yumdownloader httpd
Sample outputs:
Loaded plugins: rhnplugin
httpd-2.2.3-31.el5_4.2.x86_64.rpm | 1.2 MB 00:00
How Do I Extract Downloaded RPM File?
Type the command as follows:
# rpm2cpio httpd-2.2.3-31.el5_4.2.x86_64.rpm | cpio -idmv
Howto Setup yum repositories to update or install package from ISO CDROM Image
Creation of yum repositories is handled by a separate tool called createrepo, which generates the necessary XML metadata. If you have a slow internet connection or collection of all downloaded ISO images, use this hack to install rpms from iso images.
Step # 1: Mount an ISO file
Type the following command (replace iso file name with the actual iso file):
# yum install createrepo
# mkdir -p /mnt/iso/{1,2,3}
# mount -o loop /path/to/centos1.iso /mnt/iso/1
Step # 2: Create a repository
Use createrepo to generate the necessary XML metadata. Type the following commands:
# cd /mnt/iso
# createrepo .
Clean repo, enter:
# yum clean all
Step # 3: Create config file
You need to create a repo config file in /etc/yum.repos.d/ directory.
# vi /etc/yum.repos.d/iso.repo
Append following text:
[iso-repo]
name=My ISO Repository
baseurl=file:///mnt/iso
enabled=1
Save and close the changes.
Now use yum command to install packages from ISO images:
# yum install package-name
RHEL / CentOS: yum Lists / Installs Only Security Updates
You can easily find security patch information using the yum-security plugin. The plugin adds the --security, --cve, --bz and --advisory options to yum, along with the list-security and info-security commands. The options make it possible to limit list/upgrade of packages to specific security relevant ones. The commands give you the security information.
Install Plugin
Type the following command:
# yum install yum-security
How Do I Display Available Security Updates?
Type the following command:
# yum list-security
Sample outputs:
Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
list-security done
To list all updates that are security relevant, and get a return code on whether there are security updates use:
# yum --security check-update
To get a list of all BZs that are fixed for packages you have installed use:
# yum list-security bugzillas
To get the information on advisory RHSA-2009:1148-1 use:
# yum info-security RHSA-2009:1148-1
To get an info list of the latest packages which contain fixes for Bugzilla 3595; CVE # CVE-2009-1890 and advisories RHSA-2009:1148-1, use:
# yum --bz 3595 --cve CVE-2009-1890 --advisory RHSA-2009:1148-1 info updates
How Do I Install All The Security Updates Only?
Type the following command to download and install all the available security updates:
# yum update --security
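An added example (not part of the original page) that turns the list-security output shown above into a per-advisory count and an exit status a cron job can act on. The function names are hypothetical, and the sample lines reuse the page's RHSA entries plus one constructed bugfix line.

```shell
#!/bin/sh
# Constructed sample of `yum list-security` output (the RHBA line is made up).
sample_list_security() {
    cat <<'EOF'
Loaded plugins: rhnplugin, security
RHSA-2009:1148-1 security httpd-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security httpd-devel-2.2.3-22.el5_3.2.i386
RHSA-2009:1148-1 security httpd-manual-2.2.3-22.el5_3.2.x86_64
RHSA-2009:1148-1 security mod_ssl-1:2.2.3-22.el5_3.2.x86_64
RHBA-0000:0000-1 bugfix example-pkg-1.0-1.el5.noarch
list-security done
EOF
}

# Read list-security output on stdin and print "ADVISORY TYPE COUNT" lines.
summarize_advisories() {
    awk '
        # Advisory rows have exactly three fields: id, type, package.
        # Plugin banners and the "list-security done" trailer do not match.
        NF == 3 && $1 ~ /^RH[SBE]A-[0-9]+:[0-9]+/ { count[$1 " " $2]++ }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Exit 0 when at least one advisory of type "security" is pending, else 1.
security_pending() {
    summarize_advisories |
        awk '$2 == "security" { found = 1 } END { exit !found }'
}

# Demo on the constructed sample. On a real host, pipe the command instead:
#   yum list-security | summarize_advisories
sample_list_security | summarize_advisories
if sample_list_security | security_pending; then
    echo "security updates pending"
fi
```
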
Howto: Add a new yum repository to install software under CentOS / Redhat Linux
Understanding yum repository
yum repositories are configured using the /etc/yum.conf file. Additional configuration files are also read from the directories set by the reposdir option (default is /etc/yum.repos.d and /etc/yum/repos.d).
RPMforge repository
An additional repository usually carries extra and useful packages. RPMforge is one such repository. You can easily configure the RPMforge repository for RHEL5 by running the following single RPM command:
# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
For 64 bit RHEL 5 Linux, enter:
# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Now you can install software from RPMforge.
Force yum update Command To Exclude Certain Packages
Yum uses a configuration file at /etc/yum/yum.conf or /etc/yum.conf. You need to place an exclude directive in it to define the list of packages to exclude from updates or installs. This should be a space separated list. Shell globs (using the wildcards * and ?) are allowed.
How do I exclude php and kernel packages when I use "yum update"?
Open /etc/yum.conf file:
# vi /etc/yum.conf
Append following line under [main] section, enter:
exclude=php* kernel*
At the end, it should look as follows:
[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
exclude=php* kernel*
# Note: yum-RHN-plugin doesn't honor this.
metadata_expire=1h
# Default.
# installonly_limit = 3
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
yum --exclude command line option
Finally, you can skip yum command updates on command line itself using following syntax:
# yum --exclude=package* update
# yum --exclude=php* update
# yum --exclude=kernel* update
Red hat / CentOS / Fedora Send Yum Package Update Notification Via Email
RHEL / Fedora / CentOS has yum-updatesd, which provides notification of updates which are available to be applied to your system. This notification can be done either via syslog, email or over dbus. Configuration is done via the /etc/yum/yum-updatesd.conf file.
Open /etc/yum/yum-updatesd.conf file, enter:
# vi /etc/yum/yum-updatesd.conf
Setup variables as follows:
emit_via = email
# who to send the email to:
email_to = admin@example.com
# who send the notifications
email_from = adm@staff.example.com
Here is complete working config file:
[main]
# how often to check for new updates (in seconds)
run_interval = 3600
# how often to allow checking on request (in seconds)
updaterefresh = 600
# how to send notifications (valid: dbus, email, syslog)
emit_via = email
# who to send the email
email_to = admin@example.com
# who send the notifications
email_from = adm@staff.example.com
#
# should we listen via dbus to give out update information/check for
# new updates
dbus_listener = yes
# automatically install updates
do_update = no
# automatically download updates
do_download = no
# automatically download deps of updates
do_download_deps = no
Save and close the file. Restart notification yum-updatesd service:
# /etc/init.d/yum-updatesd restart
Sample email sent by yum notification
Hi,
This is the automatic update system on node02.nixcraft.co.in.
There are 2 package updates available. Please run the system updater.
Packages available for update:
device-mapper-multipath
kpartx
Thank You,
Your Computer
Using yum to install unsigned local rpm files
If yum complains when you try to install a file you downloaded, temporarily change the variable gpgcheck=1 to gpgcheck=0 in the file /etc/yum.conf. This disables the signature checking, so change it back to gpgcheck=1 once the package is installed.
Additional Repositories
http://wiki.centos.org/AdditionalResources/Repositories
epel
· http://fedoraproject.org/wiki/EPEL
· http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/
Install key:
rpm --import http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
Verify repository package: you should get "(sha1) dsa sha1 md5 gpg OK"
rpm -K http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
Install Repository:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm
rpmfusion
· http://rpmfusion.org/Configuration
Install epel and enable epel-testing at this time. Most packages are still in rpmfusion testing repository rpm --import
rpm -ivh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm
rpm -ivh http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm
rpmforge
· https://rpmforge.net/
· http://apt.sw.be/redhat/el5/en/
Installing repository:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
rpm -K http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
rpm -Uvh http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
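An added example (not part of the original page) for the import key / `rpm -K` / install sequence used for EPEL and RPMforge above: `rpm -K` also ends in OK for a package that carries no signature, so the check below requires the signature tokens the page quotes ("dsa ... gpg OK") and not just the word OK. The function names and sample lines are constructed; the install step assumes a local file, so the bytes that were verified are the bytes that get installed.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output.
# Prints signed-ok, unsigned or failed; returns 0 only for signed-ok.
sig_verdict() {
    result=${1#*: }          # drop the leading "file.rpm: "
    case $result in
        *"NOT OK"*) echo failed; return 1 ;;  # bad digest/signature or missing key
        *OK) ;;                               # every check that was run passed
        *) echo failed; return 1 ;;
    esac
    # OK alone only proves the digests match. A verified signature appears as
    # a lowercase gpg/pgp/dsa/rsa token (older rpm) or "signatures" (newer rpm).
    for tok in $result; do
        case $tok in
            gpg|pgp|dsa|rsa|signatures) echo signed-ok; return 0 ;;
        esac
    done
    echo unsigned
    return 1
}

# Install a local RPM file only if its signature verified against an
# imported key (rpm --import must already have been run for the repo key).
install_if_signed() {
    pkg=$1
    line=$(LC_ALL=C rpm -K "$pkg" 2>&1)
    verdict=$(sig_verdict "$line") || true
    if [ "$verdict" = signed-ok ]; then
        rpm -Uvh "$pkg"
    else
        echo "refusing to install $pkg: $verdict ($line)" >&2
        return 1
    fi
}

# Demo on constructed `rpm -K` lines (no rpm needed to run this part).
for sample in \
    'epel-release-5-3.noarch.rpm: (sha1) dsa sha1 md5 gpg OK' \
    'local-build.rpm: sha1 md5 OK' \
    'other.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)'
do
    printf '%-11s %s\n' "$(sig_verdict "$sample")" "$sample"
done
```
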
To search for an application: Yum will search all your enabled repos and tell you where you can obtain the package from
CentOS / RHEL Configure Yum Automatic Update Retrieval and Installation
The yum command line tool is used to install and update software packages under RHEL / CentOS Linux server. I know how to apply updates using yum update command line, but I'd like to use cron to manually update packages where appropriate. How do I configure yum to install software patches / updates automatically with cron?
You can use the yum-updatesd service provided with CentOS / RHEL servers. However, this service adds some overhead. You can instead apply daily or weekly updates with the following shell script. Create
/etc/cron.daily/yumupdate.sh to apply updates once a day.
/etc/cron.weekly/yumupdate.sh to apply updates once a week.
Sample shell script to update system
A shell script that instructs yum to update any packages it finds via cron:
#!/bin/bash
YUM=/usr/bin/yum
$YUM -y -R 120 -d 0 -e 0 update yum
$YUM -y -R 10 -e 0 -d 0 update
(Code listing -01: /etc/cron.daily/yumupdate.sh)
Where,
First command will update yum itself and next will apply system updates.
-R 120 : Sets the maximum amount of time yum will wait before performing a command
-e 0 : Sets the error level to 0 (range 0 - 10). 0 means print only critical errors about which you must be told.
-d 0 : Sets the debugging level to 0 - turns up or down the amount of things that are printed. (range: 0 - 10).
-y : Assume yes; assume that the answer to any question which would be asked is yes.
Make sure you setup executable permission:
# chmod +x /etc/cron.daily/yumupdate.sh
Yum Check or Install Updates Script
Split into two sections, one script is for all package updates, and the other script is for letting us know if we need to reboot when a new kernel package has been installed.
Script to check for updates:
check-yum-updates.sh
#!/bin/bash
#
# check-yum-updates.sh
#
# checks for yum updates and emails if there are any available
#
#
# Eric Thern
# Zoidial Incorporated
# http://www.zoidial.com
#
# last update:
# Dec 30, 2008
#
#
# change this to your email
#
email="youremail@youremail.com"
#
# no need to change anything below here
#
# mktemp picks an unpredictable name and creates the file with mode 0600
yumtmp=$(mktemp /tmp/yum-check-update.XXXXXX) || exit 1
# clean up only our own temp file, on every exit path
trap 'rm -f "$yumtmp"' EXIT
yum="/usr/bin/yum"
$yum check-update > "$yumtmp" 2>&1
yumstatus="$?"
hostname=$(/bin/hostname)
date=$(date)
case $yumstatus in
    0)
        # no updates!
        exit 0
        ;;
    100)
        # yum check-update exits with 100 when updates are available
        number=$(egrep -c '\.(i386|x86_64|noarch|src)' "$yumtmp")
        updates=$(egrep '\.(i386|x86_64|noarch|src)' "$yumtmp")
        echo "
There are $number updates available on host $hostname at $date
The available updates are:
$updates
" | /bin/mail -s "UPDATE: $number updates available for $hostname" "$email"
        ;;
    *)
        # any other status means yum itself failed; send its output instead
        /bin/mail -s "ERROR: yum check-update failed on $hostname (exit $yumstatus)" "$email" < "$yumtmp"
        ;;
esac
Script to check kernel (here we use 'ovzkernel' since we're running with an openvz kernel, if you have a stock centos kernel, change this to 'kernel')
check-yum-kernel.sh
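#!/bin/bash
email=youremail@youremail.com
# query version-release directly so the package name prefix does not matter
latestkernel=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' ovzkernel | tail -n1)
echo "$latestkernel"
# mail only when the running kernel release does not contain that version
if ! uname -r | grep -qF "$latestkernel"; then
    echo "Running Kernel is $(uname -r) but latest installed rpm is ${latestkernel}" |
        mail -s "UPDATE: ${HOSTNAME} reboot required" "$email"
fi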
Crontab entries:
30 21 * * * /root/bin/check-yum-updates.sh >/dev/null 2>&1
30 21 * * * /root/bin/check-yum-kernel.sh >/dev/null 2>&1
Run at 9:30 every night. Change times and paths to suit.
CentOS patching --exclude=kernel,kernel-headers
In my normal everyday job, I am tasked with managing and maintaining about 30-40 production CentOS servers. Being a security guy, I maintain a pretty rigorous patching routine. However, because these servers are customer production servers, one very important caveat is that I need to do everything I can to minimize customer downtime.
Normally when I patch a server, my routine is:
yum check-update (check what updates are available)
yum -y update (update everything)
And if the list produced by check-update shows the kernel or kernel-headers packages in the list, I promptly reboot the server. This translates into about 5 minutes of downtime for the customer as the server reboots.
So that got me thinking. Is every kernel update critical or can they easily be delayed? So then I stumbled across this excellent plug-in for yum.
yum-changelog-1.1.10-9.el5.centos
Name : yum-changelog
Arch : noarch
Version: 1.1.10
Release: 9.el5.centos
Size : 12 k
Repo : installed
Summary: Yum plugin for viewing package changelogs before/after updating
Description:
This plugin adds a command line option to allow viewing package changelog
deltas before or after updating packages.
Perfect! That will allow me to see exactly what is changing with each new version of the kernel. So I install that with:
yum install yum-changelog
Now we can use yum to show us the change log for certain packages. So, if I want to see the change log for the kernel related package, I could run something like:
yum update kernel kernel-headers --changelog
This will produce output similar to:
Changes in packages about to be updated:
kernel-headers - 2.6.18-92.1.22.el5.x86_64
* Wed Dec 17 06:00:00 2008 Karanbir Singh [2.6.18-92.1.22.el5.centos]
- Roll in CentOS Branding
* Sat Dec 6 06:00:00 2008 Jiri Pirko [2.6.18-92.1.22.el5]
- [misc] hugepages: ia64 stack overflow and corrupt memory (Larry Woodman ) [474347 472802]
- [misc] allow hugepage allocation to use most of memory (Larry Woodman ) [474760 438889]
Ah, ha. As I suspected. Two memory related bugfixes and CentOS branding. Because we are currently not experiencing any memory related issues, this patch does NOT rate as critical and warrant immediate customer downtime. This can be delayed.
So now I can apply the other patches and exclude the kernel upgrades with:
yum update --exclude=kernel,kernel-headers
Now, I have a script that runs nightly on all my CentOS servers. This script gathers nightly statistics, logs entries, etc from my servers and emails it to me. This is pretty much just a CentOS port of my old Gentoo Update Script, with some CentOS specific changes and additional features. The other thing it does, is generate a list (via yum check-update) of all the updates required. So the question now is, how can I get this interactive command to run via an automated script? The easiest way I could come up with is:
echo n | yum update kernel kernel-headers --changelog
Probably not the cleanest way, but does the job very well.
CentOS: Install Packages Via yum Command Using DVD / CD as Repo
CentOS Linux comes with CentOS-Media.repo which is used to mount the default locations for a CDROM / DVD on CentOS-5. You can use this repo and yum to install items directly off the DVD ISO that we release. Open /etc/yum.repos.d/CentOS-Media.repo file, enter:
# vi /etc/yum.repos.d/CentOS-Media.repo
Make sure enabled is set to 1:
enabled=1
Save and close the file. To use this repo, put in your DVD and use it along with the other repos, enter:
# yum --enablerepo=c5-media install package-name
To only use the DVD media repo, do this:
# yum --disablerepo=\* --enablerepo=c5-media install package-name
OR use groupinstall command
# yum --disablerepo=\* --enablerepo=c5-media groupinstall 'Virtualization'
yum (Yellow dog Updater Modified) is a package manager for RPM compatible Linux systems such as CentOS, Fedora core and latest Redhat Enterprise Linux.