Disable/Enable Yum Update


Hi Team

We set up and use RHEL 6.4 in a standalone environment. We have got quite a few standalone servers running RHEL 6.4.

After registering the server with the RHN, we usually run yum update to ensure that the server is updated with all the packages. Once that is done, we would like to stop anyone (even root) from running the yum update command from the server.

Could someone let me know how it is possible to disable the yum update and enable it back when it is required?

Looking forward to some assistance from the community.

Regards
Jo

Responses

During the period where 'yum update' is not working, do you expect other yum commands to work? If so, do you have a list of those requirements?

Hi Daryl

Yes, when the yum update is turned off, I would like to have the permission to install only the individual packages (yum install). I want to restrict anyone from issuing the command "yum update".

Is that possible? If not, what would be the best method to proceed?

You could disable package management altogether by moving the /usr/bin/yum and /bin/rpm binaries elsewhere, or removing the executable flag from them with chmod -x. This isn't something we test for, so definitely try that in development before deploying to production.

You could set exclude=* in /etc/yum.conf so that the package manager excludes every package from installs and updates.

You could disable the yum RHN plugin by setting enabled=0 in the file /etc/yum/pluginconf.d/rhnplugin.conf, however other repositories (/etc/yum.repos.d/*.repo) would continue to work unless you set enabled=0 in them too. It would also be trivial to enable them again, or to add new repositories.

You could use the RHN Classic web interface or API to change your system's Base Channel to None, however other repositories would continue to work here too.

One problem I can see with all of these is that a sysadmin facing a critical issue after-hours may take it upon himself to update the system, and add a repository from a third-party EL Rebuild (e.g. CentOS, Scientific Linux) and update the system off that. That's definitely a situation to avoid, as the system will then become unsupported.

You might want to add something to the login banner like a big message in capital letters advising updates are disabled intentionally, and the correct path to follow if someone does need emergency updates.

Another approach (in addition to Jamie's suggestions): you could alias the yum command (either in root's .bash_profile or /etc/profile). The problem with using root's profile is if someone simply su's or even sudo su without using '-' then the alias would not be sourced.

I think the "exclude=*" might be the best option. I wonder if you could rename the /etc/sysconfig/rhn/systemid file to accomplish your goal.

I would anticipate the problem with removing yum or making it non-executable is that some of the core utilities might rely on it. Things like sosreport, possibly even rhn-profile-sync?

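 cd /etc/yum.repos.d/
 # Disable every repo defined in the .repo files
 for FILE in *.repo; do sed -i -e 's/^enabled=1/enabled=0/g' "$FILE"; done
 # Same substitution applied to the main yum configuration
 sed -i -e 's/enabled=1/enabled=0/g' /etc/yum.conf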

The problem with the approach above is knowing which ones to re-enable when you go to roll back ;-)

If... the ONLY repo/channels you are using is at RHN, I wonder if you could lock down the profile or temporarily un-entitle the systems (and then re-entitle them when it's time to update them).

Another thing to consider - is if you utilize one of the methods we have mentioned, whether pushing updates from RHN to patch works. Which is actually a rather awesome idea. No local updates are possible and ALL software management is accomplished from RHN (or Satellite in my case). Perhaps an RFE is in your future ;-)

As James & Jamie mentioned, I updated the yum.conf with the following entry:

exclude=*

That prevents any package installation using yum from the local computer as well as pushing packages from the RHN Classic. However, it allows me to install any RPMs that are downloaded to the local server.

I hope, as one of you mentioned, it is the same as deleting the system from the RHN Classic Subscription. But with that option, we need to re-register the system through RHN registration to get the updates from the YUM repository.

I hope for the time being this is a good fix that I was looking for. Will get back to you guys for any further assistance.

Regards
Jo
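
The rollback concern raised in the thread for the repo-disabling loop (knowing which repos to re-enable) can be handled by recording each line that gets changed. This is an added example, not code from the thread or from Red Hat; the function names and the STATE_FILE path are assumptions, and it relies on GNU sed's -i option.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). STATE_FILE is a hypothetical path.
REPO_DIR="${REPO_DIR:-/etc/yum.repos.d}"
STATE_FILE="${STATE_FILE:-/var/lib/yum-repo-lock.state}"

# Disable every "enabled=1" line and record "<line>:<file>" for each one.
lock_repos() {
    if [ -e "$STATE_FILE" ]; then
        echo "already locked, state file exists: $STATE_FILE" >&2
        return 1
    fi
    local f n lines
    : > "$STATE_FILE" || return 1
    for f in "$REPO_DIR"/*.repo; do
        [ -f "$f" ] || continue
        # Collect line numbers first, so the file is not edited while being read.
        lines=$(awk '/^enabled=1[ \t]*$/ { print NR }' "$f")
        for n in $lines; do
            sed -i "${n}s/.*/enabled=0/" "$f"
            printf '%s:%s\n' "$n" "$f" >> "$STATE_FILE"
        done
    done
}

# Re-enable only the lines recorded by lock_repos, then drop the record.
unlock_repos() {
    if [ ! -f "$STATE_FILE" ]; then
        echo "not locked, no state file: $STATE_FILE" >&2
        return 1
    fi
    local n f
    while IFS=: read -r n f; do
        [ -f "$f" ] || continue   # repo file removed since the lock
        # A recorded line that no longer reads enabled=0 is left untouched.
        sed -i "${n}s/^enabled=0\$/enabled=1/" "$f"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Number of "enabled=1" lines currently present under REPO_DIR.
count_enabled() {
    cat "$REPO_DIR"/*.repo 2>/dev/null | grep -c '^enabled=1' || true
}

case "${1:-}" in
    lock)   lock_repos ;;
    unlock) unlock_repos ;;
    status) count_enabled ;;
esac
```

Repos that were already disabled before the lock stay disabled after the unlock, because only recorded lines are flipped back.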
