How to create a local mirror of the latest update for Red Hat Enterprise Linux 5, 6, 7, 8 and 9 without using Satellite server?




  • What is reposync utility and how to use it?
  • How to create a local mirror of the latest update for Red Hat Enterprise Linux 5, 6, 7, 8, 8.x or 9 without using Satellite server
  • Need to download all packages / rpms from specific channel locally
  • How to make a local repository



# mkdir /var/repo
# reposync --gpgcheck -l --repoid=rhel-5-server-els-rpms --download_path=/var/repo --downloadcomps
# cd /var/repo/rhel-5-server-els-rpms
# createrepo -v /var/repo/rhel-5-server-els-rpms
# yum clean all
# yum list-sec
# find /var/cache/yum/ -name '*updateinfo.xml*'
# mv /var/cache/yum/rhel-5-server-els-rpms/365ae03ca85bb9d3bc509ea9129d1d3fb9a18381-updateinfo.xml.gz /tmp
# cd /tmp
# gzip -d 365ae03ca85bb9d3bc509ea9129d1d3fb9a18381-updateinfo.xml.gz
# mv 365ae03ca85bb9d3bc509ea9129d1d3fb9a18381-updateinfo.xml updateinfo.xml
# cp updateinfo.xml /var/repo/rhel-5-server-els-rpms/repodata/
# modifyrepo /var/repo/rhel-5-server-els-rpms/repodata/updateinfo.xml /var/repo/rhel-5-server-els-rpms/repodata/

RHEL 6,7

RHEL 8 & 9

Install the required packages

  • Install the "yum-utils" and "createrepo" packages on the registered system.

    # yum install yum-utils createrepo

Create a basic local repository

Note: Change <repo-id> to the repository you intend to sync

  • Sync all the packages from a specified repository to a specified directory

    # reposync --gpgcheck -l --repoid=<repo-id>
    for example:
    # reposync --gpgcheck -l --repoid=rhel-6-server-rpms --download_path=/var/www/html
  • In the targeted directory, there will be a new directory named after the Repository ID. All the downloaded packages will be inside this directory.

    # cd /var/www/html/<repo-id>
    # createrepo -v /var/www/html/<repo-id>

Create a local repository that allows clients to use groups

The following steps download all the metadata for the repository that is being synced, which allows the use of various plugins such as 'yum groupinstall'.

  • On RHEL6 and later, reposync supports the --download-metadata and --downloadcomps options. For example:

    # reposync --gpgcheck -l --repoid=repo-id --downloadcomps --download-metadata
    for example:
    # reposync --gpgcheck -l --repoid=rhel-6-server-rpms --download_path=/var/www/html --downloadcomps --download-metadata
  • To have access to the group data for the newly synced repo, please run the createrepo command as follows:

    # cd /var/www/html/<repo-id>
    # createrepo -v  /var/www/html/<repo-id>/ -g comps.xml

Modify the repodata to define which packages are security related.

  • These steps require that the createrepo command has already been run.

    # yum clean all
    # yum list-sec
    # find /var/cache/yum/ -name updateinfo.xml            ##For RHEL 5 use '-name *updateinfo.xml*'
  • From the find command above, identify the updateinfo.xml that matches the <repo-id> that you ran reposync against and move that file into your repodata directory.

    # mv updateinfo.xml /var/www/html/<repo-id>/repodata/updateinfo.xml
    # modifyrepo /var/www/html/<repo-id>/repodata/updateinfo.xml /var/www/html/<repo-id>/repodata
  • How to update security Erratas on system which is not connected to internet?

Create a local repo with Red Hat Enterprise Linux 8/9

  • Only a RHEL 8 system, Red Hat Satellite, or a Capsule can sync RHEL 8 content correctly.
  • While the fetch procedures for RHEL8 and RHEL9 are similar, a RHEL8 system cannot fetch RHEL9 streams, and vice versa. If you want to save resources and need to fetch streams for both releases, then for example a RHEL system used as a hypervisor could host a KVM RHEL8 guest and a KVM RHEL9 guest, and these guests could fetch into NFS exports offered by the hypervisor. The hypervisor could then offer the directories, for example via HTTP(S).
  • On RHEL8, ensure you have yum-utils-4.0.8-3.el8.noarch or higher installed so reposync correctly downloads all the packages.
  • Sync all enabled repositories and their repodata

    # reposync -p <download-path> --download-metadata --repo=<repo id>

To sync a specific minor release

For systems registered to the CDN or Red Hat Satellite, you must lock the system to a release with subscription-manager:

# subscription-manager release --set=8.4 && rm -rf /var/cache/dnf

At this point your system will only have access to content released for RHEL 8.0 - 8.4. If you are syncing multiple minor releases, you must keep these separate from each other. For example, to sync both 8.4 and 8.5:

# subscription-manager release --set=8.4 && rm -rf /var/cache/dnf
# reposync -p /var/www/html/8.4 --download-metadata --repo=<repo id>
# subscription-manager release --set=8.5 && rm -rf /var/cache/dnf
# reposync -p /var/www/html/8.5 --download-metadata --repo=<repo id>

To sync only the latest content for a specific minor release, first set the release lock with subscription-manager. Then run reposync with the -n option to download only the latest content (and not content for older minor release versions as well):

# subscription-manager release --set=8.4 && rm -rf /var/cache/dnf
# reposync -n -p /var/www/html/8.4 --download-metadata --repo=<repo id>

Note: The createrepo command is not required for RHEL 8 or 9; reposync downloads everything, including the repodata. Any createrepo_c version prior to 0.16.2-1.el8 cannot handle module information and tends to remove the module data if run on a RHEL 8 system. If you have an older version and have already run createrepo, see How to add the modules information after cloning the RHEL8 repository.
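
An added check, not part of the original article: after the modifyrepo step for updateinfo.xml or after a RHEL 8/9 reposync, this script confirms that every file listed in repodata/repomd.xml exists and matches its recorded checksum, and that expected metadata types (for example updateinfo or modules) are still listed. The script name check_repodata.py and its arguments are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example: check a mirrored repo's repodata against repomd.xml."""
import hashlib
import os
import sys
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}
# Older createrepo releases write type="sha" and mean SHA-1.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}


def check_repodata(repo_dir, required=("primary",)):
    """Return a list of problems; an empty list means the metadata is consistent."""
    try:
        root = ET.parse(os.path.join(repo_dir, "repodata", "repomd.xml")).getroot()
    except (OSError, ET.ParseError) as exc:
        return ["cannot read repomd.xml: %s" % exc]
    problems, seen = [], set()
    for data in root.findall("r:data", NS):
        dtype = data.get("type")
        seen.add(dtype)
        loc, csum = data.find("r:location", NS), data.find("r:checksum", NS)
        if loc is None or csum is None:
            problems.append("%s: entry has no location or checksum" % dtype)
            continue
        href, algo = loc.get("href", ""), ALGOS.get(csum.get("type"))
        path = os.path.join(repo_dir, href)
        if algo is None:
            problems.append("%s: unknown checksum type %s" % (dtype, csum.get("type")))
        elif not os.path.isfile(path):
            problems.append("%s: missing file %s" % (dtype, href))
        else:
            digest = hashlib.new(algo)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            if digest.hexdigest() != (csum.text or "").strip().lower():
                problems.append("%s: checksum mismatch for %s" % (dtype, href))
    # Metadata types the mirror is expected to carry (e.g. updateinfo, modules).
    problems += ["%s: not listed in repomd.xml" % t for t in required if t not in seen]
    return problems


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_repodata.py <repo-dir> [required-type ...]")
    found = check_repodata(sys.argv[1], tuple(sys.argv[2:]) or ("primary",))
    print("\n".join(found) or "repodata OK")
    sys.exit(1 if found else 0)
```

Run it against the directory that contains repodata/, for example with `updateinfo` as a required type on a RHEL 6/7 mirror or `modules` on a RHEL 8 AppStream mirror; a non-zero exit status means the repodata should be regenerated or re-synced before clients use it.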


  • To keep the sync current, for example, cronjobs can be used. The createrepo command supports --update to efficiently update existing repositories.
  • The locally created repository is typically used by other RHEL clients via LAN, for example via HTTP/HTTPS (for example provided by the apache webserver which is part of RHEL), via FTP (for example vsftpd) or NFS (nfs-utils package). Share this local repository with the offline systems to update them.
  • The reposync utility can only mirror repositories which the system is entitled to.
  • Related information: How do I delete old packages in local repository server?
  • For RHEL 7.7+, the Red Hat Customer Portal assumes that if all Red Hat provided CDN repositories are disabled, the system lacks access to the latest content, and will not show errata information. If you want to see a system's errata information in the Red Hat Customer Portal, subscription-manager must have at least one official Red Hat repository enabled. Note that only the enabled repositories are considered as part of the errata applicability calculation.

Root Cause

Red Hat provides a utility called reposync which can be used to download the packages from the CDN. In order to download all packages from a specific channel, the system must be subscribed to that channel. If the system is not subscribed to the required channel, reposync will not be able to download and sync those packages to the local system.

Diagnostic Steps

  • createrepo-0.9.9-26.el6.noarch which is part of RHEL6.9GA has an issue regarding --update, refer to bz1434369 for details.



Merry Christmas everyone,
I would like to draw your attention to the RHEL 8 version of the Poor Man's RHEL Mirror hosted on Information about what it does and for what it could be used you will find in the

Please feel free to use it and adapt it to your own needs. Feedback is welcome.

Best regards, Joerg

I am trying to reposync an upstream red hat repository server to a downstream red hat repository server. The goal is to have a local copy of the repos so that clients in a private subnet can use the downstream repo to update.

Is there a guide to do this? or is this configuration not supported?

Happy New Year!

If you find the information in this article not sufficient, the following article may help to solve your request:

  1. Creating a Local Repository and Sharing With Disconnected/Offline/Air-gapped Systems [Master Article]

Best regards,

Could you add link to near to "Accessing multiple repositories without the appropriate, active, subscription of RHEL version on 'single' system is not supported and will be considered as abuse of subscription."? The KCS describes consolidation of RHEL 6, 7, 8 reposync processes into one server with container. And it's an appropriate use case. Container cannot consolidate different architectures (Power, Z, ARM..), but I expect "RHEL 6, 7, 8 on x86_64" is enough for many users.

Can we sync packages for RHEL 6, RHEL 7, RHEL 8 from RHEL 8 itself? Or do we need different servers for different versions of Red Hat?

I may have been misled on this, but based on things I had read a while ago elsewhere, in order for the system to be able to download the packages, each version of RHEL 5, 6, 7, and 8 needs to have a separate repo server running the version of the OS for that specific repo.

It is not supported to synchronize the content through reposync command for every major release version of the single server. It is recommended to use the separate servers for each major release versions for downloading the packages or synchronizing the contents for the respective release versions because for running reposync commands, it is mandatory to enable the respective release version specific repositories on the servers which may not be possible through standard process for enabling the repositories through subscription-manager commands.

Is it supported to synchronize repositories for every release on the single machine through reposync?

To do that, you should run some containers. Each container should be based on image of version(6,7,8) of RHEL, and bind a directory with host one to share rpm files.
Run reposync in each of them on subscribed RHEL 8 will work to sync RHEL 6,7,8 repositories. This is standard process for subscription-manager in containers.

For reference, following solution uses docker container to access RHEL 6 repositories from RHEL 7, but you can do basically same thing with podman and RHEL 8.


In case of RHEL 8, re-syncing an existing local copy of a repo by using -n flag with reposync will keep the existing packages?



The -n option tells reposync to only download the latest version of each package it finds. Your existing packages will not be affected. If you want the existing packages to be deleted, there is a "--delete" option which, if used with -n, will only keep the latest versions downloaded.

There is currently an open bug for RHEL 8 reposync and using the "-n" option. If you find a package is missing, you should either download it manually and put it in the repository, or use a full reposync to ensure there is no missing content.

Bug 1833074 - reposync --newest-only does not download the latest package

For those who want to sync content for multiple RHEL versions to one (or more) servers, take a look at my Ansible playbook.

Is it okay to export the local repos from our subscribed system to a repo manager like Spacewalk via apache and provide the channels to our offline systems??

Thanks! Newbie here

IANAL, but I think we are not doing technically anything here which "verifies if a system is entitled to receive the packages", so if you have a proper subscription for the system. This solution here is purely for technically allowing you to mirror and share repos with RPMs on your network. Whether you download a kernel errata package to your LAN and scp it to multiple systems, or whether you use reposync, or Spacewalk/apache, that makes little difference.

In all of these cases you have by other means to ensure that you are entitled to use these packages on other systems, reposync is not taking care of that. Satellite and subscription manager can do that, I think.

I've noticed the Red Hat 8 reposync processes have changed and the man page indicates there is no need to run createrepo.    

Red Hat 7 Example:   * Run reposync to download the files * Run createrepo to create repomd files

Red Hat 8 Example: * Run reposync * No need to run createrepo and the createrepo binary no longer exists

Issue: When simultaneously running reposync on multiple VM's, the md checksum will not be the same on all VM's. When using Red Hat 7, we worked around this issue by using the --simple-md-filenames option to the createrepo command. Is there some similar solution for Red Hat 8?

There's a typo in the instructions: "From the find command above, identify the updateinfo.xml that matches the ???? that you ran reposync against and move that file into your repodata directory." Please fix.

Thanks, fixed. The markup code correctly had <repo-id>, but as it was unquoted the parser had eaten that when rendering the page.

How to sync only the src.rpm packages?

Hi, just use the repo-id of repos containing SRPMS. For RHEL 7 you could find those with the following command:

$ egrep '^\[.*source.*\]$' /etc/yum.repos.d/redhat.repo 

Please note that above example is from a host with Red Hat Developer Subscription for Individuals. So you might see fewer repos when using another subscription.


"Create a local repo with Red Hat Enterprise Linux 8/9" implies that I can use one rhel8 host for both versions 8+9, is that correct?

For the fetching part, no: rhel9 is here at my testing not fetching rhel8 repos, and vice versa. You could use 2 KVM guests for the syncing. The plain offering of the fetched directories via NFS/HTTP etc. can then be done by one system for multiple rhel versions.

Thanks. This should probably be clarified in the doc. Currently, the details under the 8/9 header are all for rhel8 specifics

Right, merged that in. Thanks!

Is it feasible to use reposync in a ubi container locked to the specific RHEL version for which you want to run a sync?

For example, say I wanted local mirrors for RHEL 7.6, 7.9, and 8.1. Could I use these 3 ubi containers:

and point repo sync to a directory that is podman mounted from a windows desktop?

I've tried doing this but the results seem mixed because when I later use the local repo I get a lot (but not all) packages failing with "package has incorrect checksum". Any thoughts?

I think the ubi images are 'free to use', they do not carry all packages but a stripped down set of packages. Getting full fledged RHEL virtual guests and registering them with subscription manager should work.

Thanks Christian. Sorry, I didn't provide enough context with my question though.

I am trying to follow the guidance in How can we regularly update a disconnected system (A system without internet connection)? and specifically using approach #5. This is in context of needing Creating a Local Repository and Sharing With Disconnected/Offline/Air-gapped Systems.

So I am trying to automate How to create a local mirror of the latest update for Red Hat Enterprise Linux 5, 6, 7, 8 and 9 without using Satellite server? as much as I possibly can.

However, instead of continuously maintaining or repeatedly building multiple new version-pinned "sync VM"'s for all of the versions I want to provide updates, I was wondering if instead it was possible to build a "sync container" using the specifically versioned ubi containers. For a specific example, can a container built from (with yum-utils installed) use subscription-manager with --register --release=8.1 (yes), enable the additional desired repos (yes), run reposync on all the desired repos (yes) and write the files to the host running podman via volume mount (yes), and then use subscription-manager unregister (yes) so that the host is left with a mirrored copy of the desired packages for later transfer to the disconnected systems? (I inserted yes to reflect that I've done this and it all worked.)

However, I'm not confident that everything was completely successful because in a lot of cases the packages later fail when I tried to use the local repo to update/install in the offline servers. Many packages did completely succeed but many failed with "incorrect checksum" errors and it's not clear why. I am also not certain if this is a viable approach but I need a more automated mechanism to do this sync and it seemed reasonable. I would be interested to learn if anyone has devised a simple but automated mechanism to do something similar to this?