Linux Patch Management: Keeping Linux Systems Up To Date
6.3. Special YUM Commands
The yum command is rich and diverse. Run yum from the command line interface, by itself, and you'll get a hint of what it can do for you. Naturally, more information is available from the associated man page. As shown in Figure 6-4, there is a wide variety of switches and options, many of which we'll explore in the following sections.
Figure 6-4. A variety of yum commands
As you go through the yum command options and measure their effects on your system, you'll note that, as with apt for RPM-based systems, dependent packages that were installed are not always removed. In addition, the first time you use yum, updates to the local header database in /var/spool/up2date take some time. Subsequent updates are faster because they use the headers stored locally to identify any dependencies that need to be installed.
6.3.1. Caching Available Packages by yum
If you insist on using a remote repository, one way to keep your patch management time to a minimum is to use the following command:
yum makecache
Functionally similar to apt-get update, this command downloads all XML-based file and package data from your repositories, keeping search time to a minimum. On a patch management server, it may be appropriate to keep a local cache of updates from an online mirror. If you do choose to run the yum makecache command to cache updates, you should make sure this command is run on a daily (or perhaps nightly) basis to ensure that your local cache matches those associated with the remote repositories to which you connect.
By default, packages and headers downloaded from yum repositories are stored in the /var/cache/yum directory. You can change these settings in the /etc/yum.conf file. If you want to see what's downloaded on your system, look around in that directory. You'll see subdirectories associated with each repository specified in /etc/yum.conf or different files in the /etc/yum.repos.d directory. For example, downloads from the standard CentOS-4 repository are stored in the base/ subdirectory. In each repository subdirectory, there are packages and headers subdirectories. Any downloaded packages and headers are stored in these directories.
Naturally, you can reinstall from those directories. As you'll see shortly, all you need is the -C option. However, caches aren't always up to date. It may be appropriate to run one of the yum clean commands described later in this chapter on a periodic basis.
6.3.2. Checking Available Updates by yum
After you've configured repositories in files in the /etc/yum.repos.d directory, you might want to know which of the available packages are upgrades to what is installed on your system. You can identify those packages with later revision numbers with the following command:
yum check-update
If you've configured some of the third-party repositories described earlier, the resulting list may be misleading. By definition, third parties build packages using their own tools and often use different build numbers and conventions. The yum check-update command is equivalent to the following command:
yum list updates
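One way to act on the third-party caveat is to split the check-update list by repository before applying anything. This is an added example, not from the book: TRUSTED_REPOS and the function names are assumptions, and the sample output (including the status line, the firefox entry and the wrapped entry) is constructed in the name/version/repository layout shown on this page.

```sh
#!/bin/sh
# Added example: list pending updates that come from repositories outside
# a trusted set. TRUSTED_REPOS and the function names are assumptions.
TRUSTED_REPOS="${TRUSTED_REPOS:-base update}"

# Constructed sample of check-update output; not captured from a real system.
sample_output() {
cat <<'EOF'
Setting up repositories

firefox.i386                   1.0.7-1.4.1.centos4      update
madwifi.i386                   0.9.4.12-15.el3.999.at   at-stable
madwifi-kmdl-2.6.9-5.0.3.EL.i686
                               0.9.4.12-15.el3.999.at   at-stable
yum.i386                       2.2.1-55.el3.999.at      at-stable
EOF
}

# Read check-update output on stdin and print "repo name.arch version" for
# each candidate whose repository label is not in TRUSTED_REPOS.
untrusted_updates() {
    awk -v trusted="$TRUSTED_REPOS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        # An entry must start with name.arch; this skips status and blank lines.
        c == 0 && $1 !~ /\.(i[3-6]86|x86_64|noarch)$/ { next }
        {
            # Long names can push version and repo onto the next line, so
            # collect fields until one entry (three fields) is complete.
            for (i = 1; i <= NF; i++) f[++c] = $i
            if (c < 3) next
            if (c == 3 && !(f[3] in ok)) print f[3], f[1], f[2]
            c = 0
        }'
}

# Stand-alone run on the constructed sample; on a live system use:
#   yum check-update | untrusted_updates
sample_output | untrusted_updates
```

Any package this prints can then be reviewed by hand or held back with the --exclude or --disablerepo switches.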
As described later, the packages listed by yum check-update are the ones that would be installed (along with any dependencies) if you run the yum update command.
6.3.3. Finding a Needed File
Sometimes, you just need a particular file. Perhaps you want to install that special wireless card. You may have noticed online that wireless cards with the Atheros chipset require the ath_pci driver module. You can find the package(s) associated with this module by running the following command:
yum provides ath_pci
You can substitute the whatprovides switch for provides. When I ran this command on my CentOS-4 system, the following is an excerpt from the result, which is in package name, version number, repository format, followed by the full location of the file:
madwifi-kmdl-2.6.9-5.0.3.EL.i686 0.9.4.12-15.el3.999.at at-stable
Matched from:
/lib/modules/2.6.9-5.0.3.EL/updates/net/ath_pci.ko
6.3.4. Identifying a Needed Package
If you want to identify a package associated with a specific search term, the yum search command can help. For example, if I wanted to identify those packages associated with the Atheros chipset, I would run the following command:
yum search atheros
This command is roughly equivalent to the apt-cache search atheros command described earlier in this book. However, as you can see from the output, this particular yum command may be more useful:
madwifi.i386 0.9.4.12-15.el3.999.at at-stable
Matched from:
A linux device driver for Atheros chipsets (ar5210, ar5211, ar5212).
This package contains the Multiband Atheros Driver for WiFi, A linux device driver for 802.11a/b/g universal NIC cards - either Cardbus, PCI or MiniPCI - that use Atheros chipsets (ar5210, ar5211, ar5212).
6.3.5. Listing Available Packages
If you want to create a package database, the yum list command can help. You can limit the scope of any of the commands in this section by adding a package name to the end of the command. In any case, the following command creates a list of all installed and available packages:
yum list
This is equivalent to yum list all. If you want to limit the search to those packages that correspond to a certain name, you can specify it. For example, the following command lists the installed version of yum, plus an alternative from the at-stable repository:
yum list yum
The command yields output similar to this:
Installed Packages
yum.noarch 2.2.0-1.centos4.2 installed
Available Packages
yum.i386 2.2.1-55.el3.999.at at-stable
There are several additional options associated with the yum list command. You can limit the search to installed packages with the following command:
yum list installed
Alternatively, you can limit the search to those packages that you can install from configured repositories with the following command:
yum list available
As suggested earlier, the following command, equivalent to yum check-update, lists those packages that may serve as upgrades to those you have installed:
yum list updates
If you've installed packages from other than your configured yum repositories, your RPM database could be affected. You might need to configure a different repository. You can find a list of installed packages from other sources with the following command:
yum list extras
If you have a package that might be made obsolete by one you can install from a configured repository, you can identify it with the following command:
yum list obsoletes
6.3.6. Getting More Information
You can get more information on any available or installed package from your repositories. By itself, the yum info command is useless, except possibly as a database of package information. However, if you want information on an uninstalled package, you can get more with the yum info packagename command. For example, if you want more information on the madwifi package, and it's available from a configured repository, try the following command:
yum info madwifi
As you can see from the output in Figure 6-5, this is almost equivalent to a rpm -qi madwifi command. But the package does not have to be installed for yum info to work. Thus, you can get more information about a package you might want to install before actually putting it on your system.
Figure 6-5. Getting more information on an uninstalled package
6.3.7. Updates or Installations by yum
Before you start any substantial update from a yum repository, you should confirm that you have the latest version of the yum RPM package. The most straightforward way to confirm is with the following command, which checks your repositories for an update to yum:
yum update yum
Naturally, you should consider adding this command to any automated update script that you configure for your computer. If you want to download and install upgrades for every package listed by the yum check-update or the yum list updates commands, the following command is for you:
yum update
It's quite possible that this might upgrade packages before you're ready. As suggested earlier, an upgrade to the Firefox Web browser may cause problems with plugins. If you've configured third-party repositories, it's possible that the list of packages that you don't want upgraded may increase. You can specify the packages you want to update. For example, if you're ready to upgrade the Firefox Web browser, you could run the following command:
yum update firefox
Alternatively, you could just use the install option. If the Firefox browser is already installed, the yum command looks for a later version and, if available, the package is downloaded and used to upgrade your system:
yum install firefox
Alternatively, if you want to upgrade every package in your yum check-update list except Firefox, the --exclude switch can help. However, if you haven't yet installed the Firefox Web browser, the update switch will not work. You'll have to install Firefox.
6.3.8. Deletions by yum
If you want to remove a package, the yum command can also take care of dependencies. For example, if you remove the OpenOffice.org suite, yum can help you remove associated dependent libraries. The following command causes the yum system to check dependencies and remove other associated packages, as shown in Figure 6-6:
Figure 6-6. Getting more information on an uninstalled package
yum remove
6.3.9. Cleaning yum Caches
As described earlier, the yum system stores downloads in the /var/cache/yum directory by default. With yum, unlike the Red Hat Update Agent, downloaded RPMs are not deleted by default. If your disk or partition space has limits, you may want to clean these caches on occasion. If you want to clean the RPMs from each of the /var/cache/yum subdirectories, you can run the following command:
yum clean packages
If you want to clean the headers from the /var/cache/yum subdirectories, you can run the following command:
yum clean headers
If you see compressed XML files in each repository subdirectory, that is the metadata associated with the yum cache, which can be used to configure the cache as a yum repository. Metadata can become corrupt or perhaps just too large for available disk space. You can remove the metadata with the following command:
yum clean metadata
One thing that keeps yum startup times to a minimum is something known as the "pickle cache," which you can find in various /var/cache/yum subdirectories as compressed XML files with the .pickle extension. If these files become corrupt, the benefit is lost until you can clean up this cache with the following command:
yum clean cache
Naturally, if you just want to start your cache from scratch, run the following command:
yum clean all
You can restore the caches. Assuming your configured repositories are up to date, all you need to do is run the following command, as described earlier:
yum makecache
In fact, this is an excellent idea because it can reduce the wait time often associated with yum-based updates.
6.3.10. Group Management by yum
Many RPM-based distributions organize their packages in groups, such as Graphics, GNOME, Kernel Development, and so on. As you may have seen in Chapter 5, you can use the apt commands to manage these groups. You can also use yum to manage RPM package groups.
Finding Available Groups
Before you can manage the groups you have available, you need to know their names. You can list them with the following command:
yum grouplist | more
I pipe the output to the more command because the list for most RPM-based distributions is fairly long. The following excerpt from the CentOS-4 distribution lists installed groups, along with those available for installation. We illustrate one example in Figure 6-7.
Figure 6-7. Getting more information on an available group
Note: Not all packages are necessarily part of groups. For example, if you include an Extras repository, you may get an error message related to an inability to read a repomd.xml file. In that case, you would have to disable that repository.
What's in a Group?
You can find the packages associated with each group. You can use the group names defined in the output from the yum grouplist command. Because many of these groups have multi-word names, you may need to use quotes to define the group name. For example, if you want to find the packages in the Administration Tools list, you'd run the following command:
yum groupinfo "Administration Tools"
The quotes are required; otherwise yum searches for two different groups, named Administration and Tools. You may also note that the group name is case sensitive. Naturally, you can install individual packages from this group, with the following command, as defined in Figure 6-8. As with the apt commands discussed in Chapter 5, if you install a group, you'll install just the default and mandatory packages associated with that group.
Figure 6-8. Installing default/mandatory packages from an available group
yum groupinstall "Administration Tools"
6.3.11. The yum Command Options
There is more that you can do with yum. As described earlier, you're free to modify the repositories listed in the /etc/yum.repos.d directory. You can also test a set of defaults other than what is configured in /etc/yum.conf. For example, if you want to test a muy.conf file currently in your home directory, you could run the yum command of your choice with the -c switch:
yum -c ~/muy.conf <yum actions>
Typically, yum requests confirmation before installing or removing specific packages. If you're comfortable with what you're doing, you can automate the process. With the -y switch, the yum command automatically answers prompts with a y to confirm changes:
yum -y <yum actions>
If you have problems, you may want to do some debugging. By default in /etc/yum.conf, the debuglevel is set to 2. If you need more information about what happens during a specific command, you can increase this variable with the -d switch. For example, the following command sets a much higher debug level for installing the packages associated with the Administration Tools group:
yum -d 5 groupinstall "Administration Tools"
You can also revise the level at which errors are reported. The following command sets a minimal level of error reporting:
yum -e 2 groupinstall "Administration Tools"
In both cases, a debug or error level of 0 disables reporting. A debug or error level of 1 tells yum to report all debugging messages or errors. A debug level of 2 provides a minimum level of debugging, which goes numerically up to 10.
There's one more switch to cover, the -R. It sets a maximum wait time before this particular yum command is run. The actual wait time is random. For example, the following command could be started anytime in the next two minutes:
yum -R 2 groupinstall "Administration Tools"
If you're configuring a cron job, you should disable error and debug reporting. If you're confident enough to configure a cron job, you should be sufficiently confident that there will be no problems during the update process. If there are problems, you can still analyze output in the /var/log/yum.log file.
If you've already downloaded the packages you need in the yum cache, you can reinstall from that cache. For this book, I've installed and removed the Administration Tools package group several times. After I've downloaded locally, I can reinstall with the following command:
yum -C groupinstall "Administration Tools"
As described earlier, you can use the --exclude switch to avoid updates of the packages of your choice. Naturally, many administrators will want to avoid updating the kernel; you can add the following switch to the yum command of your choice to avoid updating or downloading all kernel packages:
--exclude=kernel*
You can also disable the repositories of your choice. For example, if you've configured the ATrpms repositories on your system, you can disable them with the following switch:
--disablerepo=at-stable
The name you use for the repository comes from the label in its stanza; in this case, the atrpms.repo file in the /etc/yum.repos.d directory starts with [at-stable].
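The cron advice and the switches from this section, combined into one unattended wrapper. This is an added example, not from the book: the variable names, function names and the "run" argument are assumptions, and with DRY_RUN=1 (the default here) it only prints the yum commands it would run.

```sh
#!/bin/sh
# Added example: unattended update wrapper using the switches from this section.
# EXCLUDES, DISABLED_REPOS, MAX_WAIT, DRY_RUN and the function names are
# assumptions of this sketch, not yum settings.
EXCLUDES="${EXCLUDES:-kernel* firefox}"        # packages held back for manual review
DISABLED_REPOS="${DISABLED_REPOS:-at-stable}"  # labels from /etc/yum.repos.d stanzas
MAX_WAIT="${MAX_WAIT:-30}"                     # -R: random start delay, in minutes
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print the commands only

# Print the options every unattended call shares: -y answers prompts,
# -d 0 and -e 0 disable debug and error reporting for the cron run.
yum_opts() {
    opts="-y -d 0 -e 0"
    set -f    # keep the shell from expanding kernel* against local files
    for pat in $EXCLUDES; do opts="$opts --exclude=$pat"; done
    for repo in $DISABLED_REPOS; do opts="$opts --disablerepo=$repo"; done
    set +f
    printf '%s\n' "$opts"
}

# Run (or, in dry-run mode, print) one yum action with the shared options.
run_step() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'yum %s %s\n' "$(yum_opts)" "$*"
        return 0
    fi
    set -f
    yum $(yum_opts) "$@"
    rc=$?
    set +f
    return $rc
}

# Update yum itself first (6.3.7), rebuild the cache, then update the rest.
# Only the first step carries -R, so the whole job is delayed once.
nightly_update() {
    run_step -R "$MAX_WAIT" update yum || return 1
    run_step makecache || return 1
    run_step update
}

if [ "${1:-}" = "run" ]; then nightly_update; fi
```

Because reporting is disabled, check /var/log/yum.log after each run to confirm what was actually installed.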