1
votes

I've created a local yum repository for RHEL 7 on a separate server. Then I used the "reposync" command to get the packages from RHN.

reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-rh-common --download_path=/rhel_security_repo/
reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-optional --download_path=/rhel_security_repo/
reposync --download-metadata --gpgcheck -l --repoid=rhui-REGION-rhel-server-releases --download_path=/rhel_security_repo/

After that, I executed the following command to create my repo:

createrepo --database /rhel_security_repo/

The repository was created successfully with more than 9000 packages, as expected. What I am trying to do now is to have other boxes use this local repository. I've created a yum config file on the other boxes where the baseurl points to this server with the local yum repository.

[security-updates-rhel7]
name=Repository for RHEL7 security updates
baseurl=ip-server
enabled=1
gpgcheck=1

All the servers are able to talk to this server with the local yum repo and they can install packages from it.

The problem is I can't update packages when I run yum update --security:

Example:

yum --disablerepo="*" --enablerepo="security-updates-rhel7" --security update mariadb-libs
Loaded plugins: amazon-id, rhui-lb
 --> 1:mariadb-libs-5.5.37-1.el7_0.x86_64 from @rhui-REGION-rhel-server-releases removed (updateinfo)
 --> 1:mariadb-libs-5.5.40-2.el7_0.x86_64 from security-updates-rhel7 removed (updateinfo)
No packages needed for security; 1 packages available
Resolving Dependencies

However, if I run the command without --security, I can see available updates:

yum --disablerepo="*" --enablerepo="security-updates-rhel7" update mariadb-libs
Loaded plugins: amazon-id, rhui-lb
Resolving Dependencies
--> Running transaction check
---> Package mariadb-libs.x86_64 1:5.5.37-1.el7_0 will be updated
---> Package mariadb-libs.x86_64 1:5.5.40-2.el7_0 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================
 Package                    Arch                 Version                           Repository                            Size
==============================================================================================================================
Updating:
 mariadb-libs               x86_64               1:5.5.40-2.el7_0                  security-updates-rhel7               753 k

Transaction Summary
==============================================================================================================================
Upgrade  1 Package

Total download size: 753 k
Is this ok [y/d/N]:

It seems I lost the security metadata when I did the reposync.

Any ideas what the problem could be?

1
The security metadata, it appears, lives in the repository metadata files. By creating that yourself you have lost the upstream versions. You could try pulling down the upstream repodata directory and using that directly instead (either by creating three repositories) or by merging the repodata (possibly with modifyrepo.py or similar tool). - Etan Reisner

1 Answers

1
votes

Etan has the right idea; those are the two ways we found to get around the issue with RHEL6. You could pull the Red Hat metadata straight out of your yum cache and copy it into your local repo, and that works 90% of the time... but 10% it will give you random failures if Red Hat happens to be updating a repository while you are syncing it.

Red Hat has a guide for how to graft security metadata into your local repo in RHEL5/6; I assume it works similarly in RHEL7. If you have a Red Hat Support account, see: https://access.redhat.com/solutions/55654

If you don't, below is my own take on it:

  1. Run your reposync command with --download-metadata and other trimmings, but I would start with one repo at a time and put each one in its own directory, similar to how Red Hat does it. e.g. mkdir -p /path/to/repo-id && reposync -l -n --download-metadata -r repo-id -p /path/to/repo-id/.
  2. Pull the abcdefghij-updateinfo.xml.gz metadata files from Red Hat, which contain security metadata for each repository. Do this by running yum list-sec and then looking for them in your local yum cache, under each repository's subdirectory. Probably somewhere in /var/cache/yum/arch/7Server/repo-id.
  3. Run createrepo on just that repository. createrepo -v /path/to/repo-id/
  4. Go into /path/to/repo-id/ and then into the repodata subfolder. Copy the abcdefghij-updateinfo.xml.gz from your local yum cache into the repodata folder, but rename it to remove the hash at the beginning. You are left with a file called updateinfo.xml.gz.
  5. Use the modifyrepo command to insert the security metadata into that repo's table of contents (repomd.xml) file. modifyrepo /path/to/repo-id/repodata/updateinfo.xml.gz /path/to/repo-id/repodata/
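
The five steps above for a single repository, written as one script. This is an added example, not part of the original answer; the function names and the repo id, repo directory and yum cache directory passed as arguments are assumptions. It ends by checking that repomd.xml really lists the updateinfo entry, which is what `yum --security` needs.

```shell
#!/bin/sh
# Added example: steps 1-5 of the answer for one repository.
# Function names and all arguments (repo id, paths) are illustrative assumptions.

# Print the newest cached "<hash>-updateinfo.xml.gz" for a repo; fail if none exists.
find_updateinfo() (
    newest=$(ls -t "$1"/*-updateinfo.xml.gz 2>/dev/null | head -n 1)
    [ -n "$newest" ] && printf '%s\n' "$newest"
)

# Succeed only if repomd.xml lists an updateinfo entry, i.e. the graft took effect.
repomd_has_updateinfo() {
    grep -q 'type="updateinfo"' "$1"
}

# usage: graft_updateinfo REPO_ID REPO_DIR YUM_CACHE_DIR
# Steps are chained with && so that a failed step stops the graft.
graft_updateinfo() (
    repo_id=$1 repo_dir=$2 cache_dir=$3
    mkdir -p "$repo_dir" &&
    reposync -l -n --download-metadata -r "$repo_id" -p "$repo_dir" &&   # step 1
    yum list-sec >/dev/null &&                          # step 2: fills the yum cache
    src=$(find_updateinfo "$cache_dir") &&
    createrepo -v "$repo_dir" &&                        # step 3
    cp "$src" "$repo_dir/repodata/updateinfo.xml.gz" && # step 4: hash prefix dropped
    modifyrepo "$repo_dir/repodata/updateinfo.xml.gz" "$repo_dir/repodata" &&  # step 5
    repomd_has_updateinfo "$repo_dir/repodata/repomd.xml"
)

# Example call (placeholder values taken from the answer's own paths):
# graft_updateinfo repo-id /path/to/repo-id /var/cache/yum/arch/7Server/repo-id
```

Because createrepo rewrites repomd.xml, the graft has to be repeated after every sync; a non-zero exit from `graft_updateinfo` means the repository should not be published as-is.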