Hi, folks,
I'm putting all our packages from non-Red Hat servers into Satellite rather than reach out to external repos, as a small security measure.
As part of this effort, I'm also getting all the modules currently installed from (say) epel which should be coming from a Red Hat repo. (Certain Satellite packages are downversion from what's on EPEL.)
To do that, I'd like to be able to specify that a package is from a specific repo, so when I call it present, it is uninstalled and reinstalled from the proper place.
Can this be done via ansible, or will it be a more manual process for me?
Thanks,
John A
I think that's the wrong approach. In the case of Satellite and EPEL, the epel repositories MUST NOT stay enabled at any point as the chances of installing a conflicting / actively harmful package are just too high. (Note that some product installers will not be knowledgeable about your custom process and won't select RPMs from the "right" / "your preferred" repo).
Some ideas that might be more useful:
- Get a list of your types of machines (eg, webservers, databases X/Y/Z, whatever) and what repositories should be enabled in each of them.
- If necessary, periodically run an Ansible job that disables all repos and only enables those that are absolutely required ("subscription-manager disable repo="*" --enable-repo=A --enable-repo=B", etc).
- If you only need some packages from a large repository, consider creating a smaller repository with those that you actually need and are known not to break the systems and/or introduce instability.
If using local repos (outside of Satellite) you can tweak the definition under /etc/yum.repos.d/repo.repo with something like:
[rhel7-epel-restricted]
name=RHEL7 epel restricted
baseurl=http://example.com/epel-7-mirror/
enabled=0
gpgcheck=0
includepkgs = htop* pv
With the includepkgs setting, you'll only be able to download those matching the setting, thus avoiding the unknown/unvetted packages.
Hope this helps
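The ideas above (enable only the approved repos, keep EPEL disabled, and restrict it to a vetted package list) can be expressed as an Ansible playbook. This is an added example, not code from the original thread or from Red Hat: the repo names rhel-7-server-rpms and rhel-7-server-extras-rpms, the baseurl, the EPEL GPG key path and the htop/pv package list are placeholders for the reader's own policy. It uses the community.general.rhsm_repository, ansible.builtin.yum_repository and ansible.builtin.yum modules, and finishes with a report of installed packages whose RPM vendor is not Red Hat, which is a quick way to find what still came from elsewhere.

```yaml
---
# Added example (not from the original post): per-host repository policy
# plus an audit of packages that did not originate from Red Hat.
# Assumptions: the repo ids, baseurl, GPG key path and package list below
# are placeholders; adjust them to the policy for each machine type.
- name: Restrict package sources
  hosts: all
  become: true
  vars:
    # Placeholder list of the only RHSM repos this machine type may use.
    allowed_rhsm_repos:
      - rhel-7-server-rpms
      - rhel-7-server-extras-rpms
    # Placeholder glob list of EPEL packages that have been vetted.
    epel_allowed_packages: "htop* pv"
  tasks:
    - name: Enable only the approved Red Hat repos and disable every other RHSM repo
      community.general.rhsm_repository:
        name: "{{ allowed_rhsm_repos }}"
        state: enabled
        purge: true

    - name: Define a disabled, package-restricted EPEL mirror
      ansible.builtin.yum_repository:
        name: rhel7-epel-restricted
        description: RHEL7 epel restricted
        baseurl: http://example.com/epel-7-mirror/   # placeholder mirror
        enabled: false
        gpgcheck: true
        gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7   # assumed key path
        includepkgs: "{{ epel_allowed_packages }}"

    - name: Install vetted EPEL packages, enabling the restricted repo for this task only
      ansible.builtin.yum:
        name:
          - htop
          - pv
        state: present
        enablerepo: rhel7-epel-restricted

    - name: Collect installed package names with their RPM vendor
      ansible.builtin.command: rpm -qa --qf '%{NAME} %{VENDOR}\n'
      register: rpm_vendors
      changed_when: false

    - name: Report packages whose vendor is not Red Hat
      ansible.builtin.debug:
        msg: "{{ rpm_vendors.stdout_lines | reject('search', ' Red Hat, Inc\\.') | list }}"
```

Because the EPEL repo stays enabled: false, nothing else on the host (including product installers that run yum themselves) can pull from it; only the one task that names it in enablerepo can, and even then only packages matching includepkgs are visible. The final report is a reconciliation aid: packages listed there are candidates to be replaced from a Red Hat repository, which is the manual step the original question is asking about.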
Thank you @Fran_Garcia for the concrete recommendations!