Skip to content

voxpupuli/puppet-yum

This branch is 595 commits ahead of CERIT-SC/puppet-yum:master.

Folders and files

NameName
Last commit message
Last commit date

Latest commit

62b73b4 · Dec 12, 2024
Sep 17, 2024
Jun 13, 2023
Dec 16, 2019
Jun 16, 2023
Dec 12, 2024
Dec 8, 2024
Dec 12, 2024
Nov 29, 2023
Feb 25, 2022
Sep 17, 2021
Nov 27, 2021
Apr 15, 2024
Sep 17, 2024
Jun 3, 2024
Sep 17, 2024
Jul 9, 2024
Jan 15, 2024
Jan 15, 2024
Feb 11, 2022
Dec 12, 2024
Sep 17, 2024
May 30, 2016
Apr 4, 2024
Apr 4, 2024
Apr 15, 2023
Jun 17, 2022
Dec 12, 2024

Repository files navigation

Yum

Build Status Release Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores puppetmodule.info docs AGPL v3 License

Module description

This module provides helpful definitions for dealing with yum.

Requirements

Module has been tested on:

  • Puppet 4.10.9 and newer
  • CentOS 7,8
  • Amazon Linux 2017
  • RHEL 7
  • Fedora 35,36

For the official list of all tested distributions, please take a look at the metadata.json.

Usage

Manage global Yum configuration via the primary class

class { 'yum':
  keep_kernel_devel => false|true,
  clean_old_kernels => false|true,
  config_options    => {
      my_cachedir => {
        ensure => '/home/waldo/.local/yum/cache',
        key    => 'cachedir',
      },
      gpgcheck    => true,
      debuglevel  => 5,
      assumeyes   => {
        ensure => 'absent',
      },
    },
  },
}

NOTE: The config_options parameter takes a Hash where keys are the names of Yum::Config resources and the values are either the direct ensure value (gpgcheck or debuglevel in the example above), or a Hash of the resource's attributes (my_cachedir or assumeyes in the example above). Values may be Strings, Integers, or Booleans. Booleans will be converted to either a 1 or 0; use a quoted string to get a literal true or false.

If installonly_limit is changed, purging of old kernel packages is triggered if clean_old_kernels is true.

Manage yum.conf entries via defined types

yum::config { 'installonly_limit':
  ensure => 2,
}

yum::config { 'debuglevel':
  ensure => absent,
}

Manage COPR repositories

This module also supports managing COPR (Cool Other Package Repo) repositories via the yum::copr resource. The resource title specifies the COPR repository name, and ensure accepts the values enabled, disabled or removed. Example usage:

yum::copr { 'copart/restic':
  ensure => enabled,
}

Please note that repositories added this way are not managed via yumrepo resources, but enabled and disabled via native package manager commands. As such, they would be purged by a declaration such as:

resources { 'yumrepo':
   purge => true,
}

However, you can use modules such as crayfishx-purge to exclude these resources from purging:

purge { 'yumrepo':
  unless => [ 'name', '=~', 'copr:.*' ],
}

Manage a custom repo via Hiera data

Using Hiera and automatic parameter lookup (APL), this module can manage Yumrepos. The repos parameter takes a hash of hashes, where the first-level keys are the Yumrepo resource names and their value hashes contain parameters and values to feed into the resource definition. On its own, the repos parameter does nothing. The resource names from the hash must be selected via the managed_repos parameter. This example defines a custom repo.

First, include the class.

include 'yum'

In Hiera data, add the name of the repo to the yum::managed_repos key (an Array), and define the repo in the yum::repos key:

---
yum::managed_repos:
    - 'example_repo'
yum::repos:
    example_repo:
        ensure: 'present'
        enabled: true
        descr: 'Example Repo'
        baseurl: 'https://repos.example.com/example/'
        gpgcheck: true
        gpgkey: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Example'

You can include gpgkeys in yaml as well, and if the key filename matches a gpgkey from a mananged repo, it will be included. For example a gpg key for the repo above could look like:

---
yum::gpgkeys:
    /etc/pki/rpm-gpg/RPM-GPG-KEY-Example:
        content: |
            -----BEGIN PGP PUBLIC KEY BLOCK-----
            Version: GnuPG v1.4.11 (GNU/Linux)

            mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
            OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
            (SNIP SEVERAL LINES)
            RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
            =hdPa
            -----END PGP PUBLIC KEY BLOCK-----

... or

---
yum::gpgkeys:
    /etc/pki/rpm-gpg/RPM-GPG-KEY-Example:
        source: puppet:///repos/RPM-GPG-KEY-Example

Enable management of one of the pre-defined repos

This module includes several pre-defined Yumrepos for easy management. This example enables management of the EPEL repository using its default settings.

NOTE: This only works if the data for the repository is included with the module. Please see the /data directory of this module for a list of available repos.

include 'yum'
---
yum::managed_repos:
    - 'epel'

Enable management of one of the pre-defined repos AND modify its settings

Here the Extras repository for CentOS is enabled and its settings are modified. Because the repos parameter uses a deep merge strategy when fed via automatic parameter lookup (APL), only the values requiring modification need be defined.

To clear a value set below (from default repos, or lower in the hierarchy), pass it the knockout prefix, --. This will blank out the value.

---
yum::managed_repos:
    - 'extras'
yum::repos:
    extras:
        enabled: true
        baseurl: 'https://myrepo.example.com/extras'
        gpgcheck: false
        gpgkey: '--'

The built-in repos by default have data in mirrorlist, but baseurl is undefined. Using the knockout prefix won't work with mirrorlist, as it requires a valid URL or the value absent.

In case of Puppet 5, you can find more information in the Puppet docs. Since Puppet 6, this resource type has been moved to the puppetlabs/yumrepo_core module.

---
yum::managed_repos:
    - 'extras'
yum::repos:
    extras:
        enabled: true
        baseurl: 'https://mirror.example.com/extras'
        mirrorlist: 'absent'

Enable managemnt of multiple repos

The managed_repos parameter uses the unique Hiera merge strategy, so it's possible to define repos to be managed at multiple levels of the hierarchy. For example, given the following hierarchy and the following two yaml files, the module would receive the array ['base', 'extras', 'debug'].

---
hierarchy:
    - name: 'Common'
      paths:
        - "%{trusted.certname}"
        - 'common.yaml'
---
# node01
yum::managed_repos:
    - 'base'
    - 'debug'
# common
yum::managed_repos:
    - 'base'
    - 'extras'

Negate previously enabled repos

The repo_exclusions parameter is used to exclude repos from management. It is mainly useful in complex Hiera hierarchies where repos need to be removed from a baseline. Here we define a baseline set of repos in common.yaml, but disable one of them for a specific node.

---
hierarchy:
    - name: 'Common'
      paths:
        - "%{trusted.certname}"
        - 'common.yaml'
---
# node01
yum::repo_exclusions:
    - 'updates' #yolo
---
# common
yum::managed_repos:
    - 'base'
    - 'updates'
    - 'extras'

Enable management of the default OS Yumrepos

This module includes the boolean helper parameter manage_os_default_repos easily select select OS repos. It uses module data to add the appropriate repos to the managed_repos parameter based on OS facts. Just like adding them manually, they can be negated via the repo_exclusions parameter.

NOTE: This only works for operating systems who's Yumrepos are defined in the module's data AND who's default repos are defined in the module's data.

On a CentOS 7 machine these two snippets are functionally equivalent.

class { 'yum':
  manage_os_default_repos => true,
}
class { 'yum':
  managed_repos => [
    'base',
    'updates',
    'extras',
    'centosplus',
    'base-source',
    'updates-source',
    'extras-source',
    'base-debuginfo',
    'centos-media',
    'cr',
  ]
}

Add/remove a GPG RPM signing key using an inline key block

yum::gpgkey { '/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-smoketest1':
  ensure  => present,
  content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----',
}

Add/remove a GPG RPM signing key using a key stored on a Puppet fileserver

yum::gpgkey { '/etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org':
  ensure => present,
  source => 'puppet:///modules/elrepo/RPM-GPG-KEY-elrepo.org',
}

Install or remove yum plugin

yum::plugin { 'versionlock':
  ensure => present,
}

Lock a package with the versionlock plugin

The versionlock type changed between CentOS 7 and CentOS 8.

CentOS 7 and older

Locks explicitly specified packages from updates. Package name must be precisely specified in format EPOCH:NAME-VERSION-RELEASE.ARCH. Wild card in package name is allowed provided it does not span a field seperator.

yum::versionlock { '0:bash-4.1.2-9.el6_2.*':
  ensure => present,
}

Use the following command to retrieve a properly-formated string:

PACKAGE_NAME='bash'
rpm -q "$PACKAGE_NAME" --qf '%|EPOCH?{%{EPOCH}}:{0}|:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'

To run a yum clean all after the versionlock file is updated.

class{'yum::plugin::versionlock':
  clean => true,
}
yum::versionlock { '0:bash-4.1.2-9.el6_2.*':
  ensure => present,
}

Note the CentOS 8 mechansim can be used if the parameter version is also set to anything other than the default undef. This allows common code to be used on CentOS 7 and 8 if the new style is used.

CentOS 8 and newer

Specify some of the version, release, epoch and arch values as parameters.

yum::versionlock{'bash':
  ensure => present,
  version => '4.1.2',
  release => '9.el8.2.*',
  epoch   => 0,
  arch    => 'x86_64',
}

Run a post transaction command

Specify a command to run after transactions of packages.

yum::post_transaction_action{'touch_file':
  key     => 'openssh-*',
  command => 'touch /tmp/openssh-package-updated',
}

Install or remove yum package group

Install yum package groups. To list groups: yum group list. Then use that name in your puppet manifest. With support for install_options (e.g. enable repos if disabled by default).

yum::group { 'X Window System':
  ensure          => present,
  timeout         => 600,
  install_options => ['--enablerepo=*'];
}

Install or remove packages via yum install

This is a workaround for PUP-3323. It enables the installation of packages from non-repo sources while still providing dependency resolution. For example, say there is a package foo that requires the package bar. bar is in a Yum repository and foo is stored on a stand-alone HTTP server. Using the standard providers for the Package resource type, rpm and yum, the rpm provider would be required to install foo, because only it can install from a non-repo source, i.e., a URL. However, since the rpm provider cannot do dependency resolution, it would fail on its own unless bar was already installed. This workaround enables foo to be installed without having to define its dependencies in Puppet.

From URL:

yum::install { 'package-name':
  ensure => present,
  source => 'http://example.com/path/to/package/filename.rpm',
}

From local filesystem:

yum::install { 'package-name':
  ensure => present,
  source => 'file:///path/to/package/filename.rpm',
}

Reinstall if rpm-verify fails:

yum::install { 'package-name':
  ensure => present,
  source => 'file:///path/to/package/filename.rpm',
  require_verify => true,
}

Please note that resource name must be same as installed package name.

Manage DNF modules streams

When changing from one enabled stream to another one, the provider runs dnf module switch-to <Stream>, which replaces all installed profiles from the DNF module. Bear the consequences in mind.

Enable default stream

dnf_module_stream { '<Module>':
  stream => default,
}

Keep current enabled stream - if there isn't, enable default one

dnf_module_stream { '<Module>':
  stream => present,
}

Enable a specific stream

dnf_module_stream { '<Module>':
  stream => <Stream name>,
}

Disable stream (reset module)

dnf_module_stream { '<Module>':
  stream => absent,
}

dnf_module_stream resource versus dnfmodule provider

DNF modules is a feature from yum successor, dnf, which allows easier and more robust selections of software versions and collections.

As of Aug 22, 2023, core Puppet package resource dnfmodule provider has some support for managing streams and profiles, but it has some issues:

  1. Setting stream is mandatory when (un)installing profiles - No way of just keeping currently enabled stream
  2. It only supports installing a single profile, despite the fact dnf supports multi-profile installations and there are use cases for that
  3. Managing two things - streams setting and profile (un)installation - in the same resource invocation is inherently messy

One can fix 1 and 2, and add good docs to deal with 3. A compelling reason not to keep 1 and 3 is that a stream is a setting, not something one (un)installs. This makes it unsuitable for the package resource which, in principle, should only (un)install stuff.

So, while one fix 2, this custom resource aims to fully and better replace dnfmodule provider stream support.

Puppet tasks

The module has a puppet task that allows to run yum update or yum upgrade. This task needs puppet agent installed on the remote.

Please refer to the Bolt documentation on how to execute a task.

$ bolt task show yum

yum - Allows you to perform yum functions

USAGE:
bolt task run --nodes <node-name> yum action=<value> [quiet=<value>]

PARAMETERS:
- action: Enum['update', 'upgrade']
    Action to perform
- quiet: Optional[Boolean]
    Run without output

Fedora partial support

Support for fedora is minimal at this time. The yum class can be included without error and resources such as yum::group can be managed. No repositories or GPG keys are managed by default. Old kernel cleanup is known not to work, and plugins may not work due to different package naming. Pull requests for additional support would be welcomed.


This module was donated by CERIT Scientific Cloud, [email protected] to Vox Pupuli