cancel
Showing results for 
Search instead for 
Did you mean: 
JohnAdams
Flight Engineer
Flight Engineer
  • 4,953 Views

Can Ansible's yum/dnf modules specify a repository?

Jump to solution

Hi, folks,

     I'm putting all our packages from non-Red Hat servers into Satellite rather than reach out to external repos, as a small security measure.

     As part of this effort, I'm also getting all the modules currently installed from (say) epel which should be coming from a Red Hat repo. (Certain Satellite packages are downversion from what's on EPEL.)

     To do that, I'd like to be be able to specify that a package is from a specific repo, so when I call it present, it is uninstalled and resinstalled from the proper place.

     Can this be done via ansible, or will it be a more manual process for me?

Thanks,

     John A

Labels (1)
Tags (1)
1 Solution

Accepted Solutions
Fran_Garcia
Starfighter Starfighter
Starfighter
  • 4,937 Views

I think that's the wrong approach. In the case of Satellite and EPEL, the epel repositories MUST NOT stay enabled at any point as the chances of installing a conflicting / actively harmful package are just too high. (Note that some product installers will not be knowledgeable about your custom process and won't select RPMs from the "right" / "your preferred" repo).

Some ideas that might be more useful:

- Get a list of your types of machines (eg, webservers, databases X/Y/Z, whatever) and what repositories should be enabled in each of them.

- If necessary, periodically run an Ansible job that disables all repos and only enables those that are absolutely required ("subscription-manager disable repo="*" --enable-repo=A --enable-repo=B", etc).

- If you only need some packages from a large repository, consider creating a smaller repository with those that you actually need and are known not to break the systems and/or introduce instability.

 

If using local repos (outide of Satellite) you can tweak the definition under /etc/yum.repos.d/repo.repo with something like:

 

[rhel7-epel-restricted]
name=RHEL7 epel restricted
baseurl=http://example.com/epel-7-mirror/
enabled=0
gpgcheck=0
includepkgs = htop* pv

With the includepkgs setting, you'll only be able to download those maching the setting thus avoiding the unknown/unvetted packages.

Hope this helps

 

 

View solution in original post

3 Replies
Fran_Garcia
Starfighter Starfighter
Starfighter
  • 4,938 Views

I think that's the wrong approach. In the case of Satellite and EPEL, the epel repositories MUST NOT stay enabled at any point as the chances of installing a conflicting / actively harmful package are just too high. (Note that some product installers will not be knowledgeable about your custom process and won't select RPMs from the "right" / "your preferred" repo).

Some ideas that might be more useful:

- Get a list of your types of machines (eg, webservers, databases X/Y/Z, whatever) and what repositories should be enabled in each of them.

- If necessary, periodically run an Ansible job that disables all repos and only enables those that are absolutely required ("subscription-manager disable repo="*" --enable-repo=A --enable-repo=B", etc).

- If you only need some packages from a large repository, consider creating a smaller repository with those that you actually need and are known not to break the systems and/or introduce instability.

 

If using local repos (outide of Satellite) you can tweak the definition under /etc/yum.repos.d/repo.repo with something like:

 

[rhel7-epel-restricted]
name=RHEL7 epel restricted
baseurl=http://example.com/epel-7-mirror/
enabled=0
gpgcheck=0
includepkgs = htop* pv

With the includepkgs setting, you'll only be able to download those maching the setting thus avoiding the unknown/unvetted packages.

Hope this helps

 

 

JohnAdams
Flight Engineer
Flight Engineer
  • 4,926 Views
Hi, Fran_Garcia,

My approach is very much like your third option. We don't need a lot of
stuff from unvetted repos. I have those turned off and upload good copies
of the packages into a local repo in Satellite.

The thing is that I'd like to replace anything taken directly from (say)
EPEL with what we've gotten and uploaded. I'd rather erase and reinstall
than force install. Thus my wondering if Ansible was smart enough to
uninstall a non-Red Hat version and reinstall either a Red Hat version or a
vetted local version, with the same version number.

Or am I overthinking this?

Should I just let what's there be there--it's been there a while with only
one ill effect, easily controlled--and worry about what gets loaded in the
future?

Thanks,

John A
Deanna
Community Manager
Community Manager
  • 4,914 Views

Thank you @Fran_Garcia for the concrete recommendations!

--
Deanna
0 Kudos
Join the discussion
You must log in to join this conversation.