Disable/Enable Yum Update
Hi Team
We set up and use RHEL 6.4 in a standalone environment. We have got quite a few standalone servers running RHEL 6.4.
After registering the server with the RHN, we usually run yum update to ensure that the server is updated with all the packages. Once that is done, we would like to stop anyone (even root) from running the yum update command on the server.
Could someone let me know how it is possible to disable the yum update and enable it back when it is required?
Looking forward to some assistance from the community.
Regards
Jo
Responses
You could disable package management altogether by moving the /usr/bin/yum and /bin/rpm binaries elsewhere, or removing the executable flag from them with chmod -x. This isn't something we test for, so definitely try that in development before deploying to production.
You could set exclude=* in /etc/yum.conf so that the package manager excludes every package from installs and updates.
You could disable the yum RHN plugin by setting enabled=0 in the file /etc/yum/pluginconf.d/rhnplugin.conf, however other repositories (/etc/yum.repos.d/*.repo) would continue to work unless you set enabled=0 in them too. It would also be trivial to enable them again, or to add new repositories.
You could use the RHN Classic web interface or API to change your system's Base Channel to None, however other repositories would continue to work here too.
One problem I can see with all of these is that a sysadmin facing a critical issue after-hours may take it upon himself to update the system, and add a repository from a third-party EL Rebuild (eg: CentOS, Scientific Linux) and update the system off that. That's definitely a situation to avoid, as the system will then become unsupported.
You might want to add something to the login banner like a big message in capital letters advising updates are disabled intentionally, and the correct path to follow if someone does need emergency updates.
Another approach (in addition to Jamie's suggestions), you could alias the yum command (either in root's .bash_profile or /etc/profile). The problem with using root's profile is if someone simply su's or even sudo su without using '-' then the alias would not be sourced.
I think the "exclude=*" might be the best option. I wonder if you could rename the /etc/sysconfig/rhn/systemid file to accomplish your goal.
I would anticipate the problem with removing yum or making it non-executable is that some of the core utilities might rely on it. Things like sosreport, possibly even rhn-profile-sync?
cd /etc/yum.repos.d/
for FILE in *.repo; do sed -i -e 's/^enabled=1/enabled=0/g' "$FILE"; done
sed -i -e 's/enabled=1/enabled=0/g' /etc/yum.conf
The problem with the approach above is knowing which ones to re-enable when you go to roll back ;-)
If... the ONLY repo/channels you are using is at RHN, I wonder if you could lock down the profile or temporarily un-entitle the systems (and then re-entitle them when it's time to update them).
Another thing to consider - is if you utilize one of the methods we have mentioned, whether pushing updates from RHN to patch works. Which is actually a rather awesome idea. No local updates are possible and ALL software management is accomplished from RHN (or Satellite in my case). Perhaps an RFE is in your future ;-)
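The rollback problem raised in the reply above (knowing which repositories to re-enable) can be handled by recording each section that was actually switched off. The script below is an added example, not part of the original posts; the function names, REPO_DIR, STATE_FILE and its default path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. REPO_DIR, STATE_FILE and its default
# path are assumptions; point them at a scratch directory to try this safely.
REPO_DIR="${REPO_DIR:-/etc/yum.repos.d}"
STATE_FILE="${STATE_FILE:-/var/lib/yum-repo-lock.state}"

# Rewrite file $1 with awk program $2 (extra awk options follow). Writing back
# with cat keeps the original inode, so mode, owner and SELinux context stay.
rewrite() {
    rw_file=$1; rw_prog=$2; shift 2
    rw_tmp=$(mktemp) || return 1
    awk "$@" "$rw_prog" "$rw_file" > "$rw_tmp" && cat "$rw_tmp" > "$rw_file"
    rw_rc=$?; rm -f "$rw_tmp"; return $rw_rc
}

# Disable every enabled section and record "section file" for each change.
lock_repos() {
    if [ -s "$STATE_FILE" ]; then   # a second run would erase rollback data
        echo "already locked: $STATE_FILE" >&2; return 1
    fi
    : > "$STATE_FILE" || return 1
    for lr_file in "$REPO_DIR"/*.repo; do
        [ -f "$lr_file" ] || continue
        rewrite "$lr_file" '
            /^\[.*\]/ { sec = substr($0, 2, index($0, "]") - 2) }
            /^enabled[ \t]*=[ \t]*1[ \t]*$/ {
                print sec, FILENAME >> state; print "enabled=0"; next }
            { print }' -v state="$STATE_FILE" || return 1
    done
}

# Re-enable only the sections lock_repos recorded, then drop the state file.
unlock_repos() {
    [ -f "$STATE_FILE" ] || { echo "no state file" >&2; return 1; }
    while read -r ur_sec ur_file; do
        rewrite "$ur_file" '
            /^\[.*\]/ { sec = substr($0, 2, index($0, "]") - 2) }
            sec == want && /^enabled[ \t]*=[ \t]*0[ \t]*$/ { print "enabled=1"; next }
            { print }' -v want="$ur_sec" || return 1
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Constructed sample input: two enabled sections and one already disabled.
make_sample() {
    printf '[base]\nenabled=1\n[debug]\nenabled=0\n' > "$1/rhel.repo"
    printf '[extras]\nenabled = 1\n' > "$1/extras.repo"
}
```

Sections with no enabled= line, which yum treats as enabled, are left untouched here, just as they are by the sed loop in the reply.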
