More Yum Plugins: Security and Package Priority

January 4, 2011, by David
Grazed from ServerWatch.  Author: Joe Brockmeier.

Last week we looked at Yum Plugins and how to extend Yum’s functionality. This week, I’ll look at a few of Yum’s plugins, in particular the security plugin and the priorities plugin.

As I mentioned last week, I’m using Fedora 14 in these examples. If you’re on another system using Yum, like CentOS, Red Hat Enterprise Linux (RHEL) or Yellow Dog (the original distro to ship Yum, by the way), the plugin behavior might be slightly different — or the plugin may not be available at all.

Yum Security

Let’s start with the Yum Security plugin. To see if it is installed and enabled, look at /etc/yum/pluginconf.d/security.conf; it should have a line that reads "enabled=1". If it doesn’t, you’ll want to enable the plugin there. If the file is not there at all (though I believe the plugin should be installed by default), then run "yum install yum-plugin-security" as root.

Now that you’ve got the plugin, you can use it to search for security updates or get info about security updates. For example, running yum check-update tells you if you have any updates that can be installed. But what if you want to install only packages that have security updates? Then run yum --security check-update, which will tell you if any packages must be updated for security reasons.

If you have packages that must be updated for security purposes, then you can run yum --security update and get only the security updates.

That alone would be useful, but there’s more. What if you want to install a more limited set of updates, like those that fix a bug giving you pain? If it has a bugzilla number, then you can grab the update just for the package or packages affected by the bug. Run yum list-sec bugzillas, and you’ll see all the available updates with their bugzilla numbers. To grab just the packages affected by that bug, run yum --bz XXXXXXX update, where "XXXXXXX" is the number of the bug entry.

You get the idea. Using the Security plugin, you can fine-tune Yum to grab just the packages you need rather than a wholesale update. This is very useful if you don’t want to modify the entire system just to fix a specific bug or security vulnerability. See the yum-security man page for the full syntax and options for this plugin.

Yum Package Priorities

Speaking of fine-tuning, what if you want to tell Yum which repositories to give priority to when installing packages? Simply install the yum-plugin-priorities package. This plugin allows you to give repositories a priority number from 1 to 99, with the lowest priority number being the highest priority. The default is 99; the highest priority is 1.

To assign priorities, add a line to the end of a repository configuration like this:

[repo-name]
name=Repository $releasever - $basearch
failovermethod=priority
...

priority=X

Here, X should be the priority number you want to assign. Obviously, the default update repositories and such should be 1, but third-party repositories should get a lower priority (that is, a higher number) unless you’re looking to replace official Fedora packages with those from a third party.
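A check for the priority advice above, as an added example that is not part of the original article: it parses repository definitions, applies the default of 99 where no priority= line exists, and reports enabled repositories that fall back to the default as well as third-party repositories that are not ranked below every official one. The repo ids, the sample contents and the function names are constructed for illustration, and the code assumes a repository without an enabled= line counts as enabled.

```python
import configparser

DEFAULT_PRIORITY = 99  # the article's stated default when priority= is absent

# Constructed sample .repo contents; repo ids and names are illustrative.
SAMPLE_REPOS = """
[fedora]
name=Fedora $releasever - $basearch
enabled=1
priority=1
[updates]
name=Fedora $releasever - $basearch - Updates
enabled=1
[thirdparty]
name=Third Party $releasever - $basearch
priority=1
[thirdparty-testing]
name=Third Party Testing
enabled=0
priority=50
"""

def effective_priorities(repo_text):
    """Map each enabled repo id to (priority, was_set_explicitly)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    result = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if sec.get("enabled", "1").strip() != "1":  # assumption: default is enabled
            continue
        raw = sec.get("priority")
        prio = DEFAULT_PRIORITY if raw is None else int(raw)
        if not 1 <= prio <= 99:
            raise ValueError(f"{repo_id}: priority {prio} is outside 1-99")
        result[repo_id] = (prio, raw is not None)
    return result

def audit(repo_text, official):
    """Return (repo_id, finding, priority) tuples; 'official' is a set of repo ids.

    A third-party repo is flagged when its number is not larger than the
    largest number held by any enabled official repo (a tie gives no protection).
    """
    prios = effective_priorities(repo_text)
    weakest = max((p for r, (p, _) in prios.items() if r in official), default=0)
    findings = []
    for repo_id, (prio, explicit) in prios.items():
        if not explicit:
            findings.append((repo_id, "no-explicit-priority", prio))
        if repo_id not in official and prio <= weakest:
            findings.append((repo_id, "not-below-official", prio))
    return findings
```

Calling audit(SAMPLE_REPOS, {"fedora", "updates"}) flags both updates and thirdparty: because updates silently falls back to 99, no third-party repository can be ranked below it until it is given an explicit priority.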

In general, I’ve usually preferred APT to Yum for managing packages, but I do find the collection of Yum plugins to be fairly interesting. If you’re working with Yum-based systems, it’s well worth spending some time testing plugins to see how you can better manage your systems.