Yum
Module description
This module provides helpful definitions for dealing with yum.
Requirements
Module has been tested on:
- Puppet 4.10.9 and newer
- CentOS 7,8
- Amazon Linux 2017
- RHEL 7
- Fedora 35,36
For the official list of all tested distributions, please take a look at the metadata.json.
Usage
Manage global Yum configuration via the primary class
class { 'yum':
keep_kernel_devel => false|true,
clean_old_kernels => false|true,
config_options => {
my_cachedir => {
ensure => '/home/waldo/.local/yum/cache',
key => 'cachedir',
},
gpgcheck => true,
debuglevel => 5,
assumeyes => {
ensure => 'absent',
},
},
},
}
NOTE: The config_options
parameter takes a Hash where keys are the names of
Yum::Config
resources and the values are either the direct ensure
value
(gpgcheck
or debuglevel
in the example above), or a Hash of the resource's
attributes (my_cachedir
or assumeyes
in the example above). Values may be
Strings, Integers, or Booleans. Booleans will be converted to either a 1
or
0
; use a quoted string to get a literal true
or false
.
If installonly_limit
is changed, purging of old kernel packages is triggered
if clean_old_kernels
is true
.
Manage yum.conf entries via defined types
yum::config { 'installonly_limit':
ensure => 2,
}
yum::config { 'debuglevel':
ensure => absent,
}
Manage COPR repositories
This module also supports managing
COPR (Cool Other Package Repo)
repositories via the yum::copr
resource. The resource title specifies
the COPR repository name, and ensure
accepts the values enabled
, disabled
or removed
. Example usage:
yum::copr { 'copart/restic':
ensure => enabled,
}
Please note that repositories added this way are not managed via yumrepo
resources, but enabled and disabled via native package manager commands. As such, they would be purged by a declaration such as:
resources { 'yumrepo':
purge => true,
}
However, you can use modules such as crayfishx-purge to exclude these resources from purging:
purge { 'yumrepo':
unless => [ 'name', '=~', 'copr:.*' ],
}
Manage a custom repo via Hiera data
Using Hiera and automatic parameter lookup (APL), this module can manage
Yumrepos. The repos
parameter takes a hash of hashes, where the first-level
keys are the Yumrepo
resource names and their value hashes contain parameters
and values to feed into the resource definition. On its own, the repos
parameter does nothing. The resource names from the hash must be selected via
the managed_repos
parameter. This example defines a custom repo.
First, include the class.
include 'yum'
In Hiera data, add the name of the repo to the yum::managed_repos
key (an
Array), and define the repo in the yum::repos
key:
---
yum::managed_repos:
- 'example_repo'
yum::repos:
example_repo:
ensure: 'present'
enabled: true
descr: 'Example Repo'
baseurl: 'https://repos.example.com/example/'
gpgcheck: true
gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Example'
You can include gpgkeys in yaml as well, and if the key filename matches a gpgkey from a mananged repo, it will be included. For example a gpg key for the repo above could look like:
---
yum::gpgkeys:
/etc/pki/rpm-gpg/RPM-GPG-KEY-Example:
content: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
(SNIP SEVERAL LINES)
RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
=hdPa
-----END PGP PUBLIC KEY BLOCK-----
... or
---
yum::gpgkeys:
/etc/pki/rpm-gpg/RPM-GPG-KEY-Example:
source: puppet:///repos/RPM-GPG-KEY-Example
Enable management of one of the pre-defined repos
This module includes several pre-defined Yumrepos for easy management. This example enables management of the EPEL repository using its default settings.
NOTE: This only works if the data for the repository is included with the
module. Please see the /data
directory of this module for a list of available
repos.
include 'yum'
---
yum::managed_repos:
- 'epel'
Enable management of one of the pre-defined repos AND modify its settings
Here the Extras repository for CentOS is enabled and its settings are modified.
Because the repos
parameter uses a deep merge strategy when fed via automatic
parameter lookup (APL), only the values requiring modification need be defined.
To clear a value set below (from default repos, or lower in the hierarchy), pass
it the knockout prefix, --
. This will blank out the value.
---
yum::managed_repos:
- 'extras'
yum::repos:
extras:
enabled: true
baseurl: 'https://myrepo.example.com/extras'
gpgcheck: false
gpgkey: '--'
The built-in repos by default have data in mirrorlist
, but baseurl
is
undefined. Using the knockout prefix won't work with mirrorlist
, as it
requires a valid URL or the value absent
.
In case of Puppet 5, you can find more information in the Puppet docs. Since Puppet 6, this resource type has been moved to the puppetlabs/yumrepo_core module.
---
yum::managed_repos:
- 'extras'
yum::repos:
extras:
enabled: true
baseurl: 'https://mirror.example.com/extras'
mirrorlist: 'absent'
Enable managemnt of multiple repos
The managed_repos
parameter uses the unique
Hiera merge strategy, so it's
possible to define repos to be managed at multiple levels of the hierarchy. For
example, given the following hierarchy and the following two yaml files, the
module would receive the array ['base', 'extras', 'debug']
.
---
hierarchy:
- name: 'Common'
paths:
- "%{trusted.certname}"
- 'common.yaml'
---
# node01
yum::managed_repos:
- 'base'
- 'debug'
# common
yum::managed_repos:
- 'base'
- 'extras'
Negate previously enabled repos
The repo_exclusions
parameter is used to exclude repos from management. It
is mainly useful in complex Hiera hierarchies where repos need to be removed
from a baseline. Here we define a baseline set of repos in common.yaml
, but
disable one of them for a specific node.
---
hierarchy:
- name: 'Common'
paths:
- "%{trusted.certname}"
- 'common.yaml'
---
# node01
yum::repo_exclusions:
- 'updates' #yolo
---
# common
yum::managed_repos:
- 'base'
- 'updates'
- 'extras'
Enable management of the default OS Yumrepos
This module includes the boolean helper parameter manage_os_default_repos
easily select select OS repos. It uses module data to add the appropriate repos
to the managed_repos
parameter based on OS facts. Just like adding them
manually, they can be negated via the repo_exclusions
parameter.
NOTE: This only works for operating systems who's Yumrepos are defined in the module's data AND who's default repos are defined in the module's data.
On a CentOS 7 machine these two snippets are functionally equivalent.
class { 'yum':
manage_os_default_repos => true,
}
class { 'yum':
managed_repos => [
'base',
'updates',
'extras',
'centosplus',
'base-source',
'updates-source',
'extras-source',
'base-debuginfo',
'centos-media',
'cr',
]
}
Add/remove a GPG RPM signing key using an inline key block
yum::gpgkey { '/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-smoketest1':
ensure => present,
content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----',
}
Add/remove a GPG RPM signing key using a key stored on a Puppet fileserver
yum::gpgkey { '/etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org':
ensure => present,
source => 'puppet:///modules/elrepo/RPM-GPG-KEY-elrepo.org',
}
Install or remove yum plugin
yum::plugin { 'versionlock':
ensure => present,
}
Lock a package with the versionlock plugin
The versionlock
type changed between CentOS 7 and CentOS 8.
CentOS 7 and older
Locks explicitly specified packages from updates. Package name must be precisely
specified in format EPOCH:NAME-VERSION-RELEASE.ARCH
. Wild card in package
name is allowed provided it does not span a field seperator.
yum::versionlock { '0:bash-4.1.2-9.el6_2.*':
ensure => present,
}
Use the following command to retrieve a properly-formated string:
PACKAGE_NAME='bash'
rpm -q "$PACKAGE_NAME" --qf '%|EPOCH?{%{EPOCH}}:{0}|:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
To run a yum clean all
after the versionlock file is updated.
class{'yum::plugin::versionlock':
clean => true,
}
yum::versionlock { '0:bash-4.1.2-9.el6_2.*':
ensure => present,
}
Note the CentOS 8 mechansim can be used if the parameter
version
is also set to anything other than the default undef
. This allows
common code to be used on CentOS 7 and 8 if the new style is used.
CentOS 8 and newer
Specify some of the version, release, epoch and arch values as parameters.
yum::versionlock{'bash':
ensure => present,
version => '4.1.2',
release => '9.el8.2.*',
epoch => 0,
arch => 'x86_64',
}
Run a post transaction command
Specify a command to run after transactions of packages.
yum::post_transaction_action{'touch_file':
key => 'openssh-*',
command => 'touch /tmp/openssh-package-updated',
}
Install or remove yum package group
Install yum package groups. To list groups: yum group list
. Then use
that name in your puppet manifest. With support for install_options (e.g. enable
repos if disabled by default).
yum::group { 'X Window System':
ensure => present,
timeout => 600,
install_options => ['--enablerepo=*'];
}
Install or remove packages via yum install
This is a workaround for PUP-3323. It enables the installation of packages
from non-repo sources while still providing dependency resolution. For example,
say there is a package foo that requires the package bar. bar is in a Yum
repository and foo is stored on a stand-alone HTTP server. Using the standard
providers for the Package
resource type, rpm
and yum
, the rpm
provider
would be required to install foo, because only it can install from a non-repo
source, i.e., a URL. However, since the rpm
provider cannot do dependency
resolution, it would fail on its own unless bar was already installed. This
workaround enables foo to be installed without having to define its
dependencies in Puppet.
From URL:
yum::install { 'package-name':
ensure => present,
source => 'http://example.com/path/to/package/filename.rpm',
}
From local filesystem:
yum::install { 'package-name':
ensure => present,
source => 'file:///path/to/package/filename.rpm',
}
Reinstall if rpm-verify fails:
yum::install { 'package-name':
ensure => present,
source => 'file:///path/to/package/filename.rpm',
require_verify => true,
}
Please note that resource name must be same as installed package name.
Manage DNF modules streams
When changing from one enabled stream to another one, the provider runs
dnf module switch-to <Stream>
, which replaces all installed profiles from the DNF module. Bear the consequences in mind.
Enable default stream
dnf_module_stream { '<Module>':
stream => default,
}
Keep current enabled stream - if there isn't, enable default one
dnf_module_stream { '<Module>':
stream => present,
}
Enable a specific stream
dnf_module_stream { '<Module>':
stream => <Stream name>,
}
Disable stream (reset module)
dnf_module_stream { '<Module>':
stream => absent,
}
dnf_module_stream
resource versus dnfmodule
provider
DNF modules is a feature from yum
successor, dnf
, which allows easier and more robust selections of software versions and collections.
As of Aug 22, 2023, core Puppet package
resource dnfmodule
provider has some support for managing streams and profiles, but it has some issues:
- Setting stream is mandatory when (un)installing profiles - No way of just keeping currently enabled stream
- It only supports installing a single profile, despite the fact
dnf
supports multi-profile installations and there are use cases for that - Managing two things - streams setting and profile (un)installation - in the same resource invocation is inherently messy
One can fix 1 and 2, and add good docs to deal with 3. A compelling reason not to keep 1 and 3 is that a stream is a setting, not something one (un)installs. This makes it unsuitable for the package
resource which, in principle, should only (un)install stuff.
So, while one fix 2, this custom resource aims to fully and better replace dnfmodule
provider stream support.
Puppet tasks
The module has a puppet task that allows to run yum update
or yum upgrade
.
This task needs puppet agent installed on the remote.
Please refer to the Bolt documentation on how to execute a task.
$ bolt task show yum
yum - Allows you to perform yum functions
USAGE:
bolt task run --nodes <node-name> yum action=<value> [quiet=<value>]
PARAMETERS:
- action: Enum['update', 'upgrade']
Action to perform
- quiet: Optional[Boolean]
Run without output
Fedora partial support
Support for fedora is minimal at this time. The yum class can be included
without error and resources such as yum::group
can be managed. No repositories
or GPG keys are managed by default. Old kernel cleanup is known not to work, and
plugins may not work due to different package naming. Pull requests for
additional support would be welcomed.
This module was donated by CERIT Scientific Cloud, support@cerit-sc.cz to Vox Pupuli