Edition 2
DHCP, BIND, Apache HTTP Server, Postfix, Sendmail and other enterprise-class servers and software
kdump
NetworkManager daemon, and how to interact with it using the corresponding applet for the notification area.
/etc/sysconfig/network-scripts/ directory. Read this chapter for information how to use these files to configure network interfaces.
sshd service, as well as a basic usage of the ssh, scp, sftp client utilities. Read this chapter if you need a remote access to a machine.
rsyslog daemon, and explains how to locate, view, and monitor log files. Read this chapter to learn how to work with log files.
cron, at, and batch utilities. Read this chapter to learn how to use these utilities to perform automated tasks.
rpm command instead of yum. Read this chapter if you cannot update a kernel package with the Yum package manager.
kdump service in Red Hat Enterprise Linux, and provides a brief overview of how to analyze the resulting core dump using the crash debugging utility. Read this chapter to learn how to enable kdump on your system.
rpm utility. Read this appendix if you need to use rpm instead of yum.
/etc/sysconfig/ directory. Read this appendix if you want to learn more about these files and directories, their function, and their contents.
proc file system (that is, the /proc/ directory). Read this appendix if you want to learn more about this file system.
Mono-spaced Bold
To see the contents of the file my_next_bestselling_novel in your current working directory, enter the cat my_next_bestselling_novel command at the shell prompt and press Enter to execute the command.
Press Enter to execute the command.
Press Ctrl+Alt+F2 to switch to the first virtual terminal. Press Ctrl+Alt+F1 to return to your X-Windows session.
mono-spaced bold. For example:
File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.
Choose → → from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed mouse check box and click to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).
To insert a special character into a gedit file, choose → → from the main menu bar. Next, choose → from the Character Map menu bar, type the name of the character in the Search field and click . The character you sought will be highlighted in the Character Table. Double-click this highlighted character to place it in the Text to copy field and then click the button. Now switch back to your document and choose → from the gedit menu bar.
Mono-spaced Bold Italic or Proportional Bold Italic
To connect to a remote machine using ssh, type ssh username@domain.name at a shell prompt. If the remote machine is example.com and your username on that machine is john, type ssh john@example.com.
The mount -o remount file-system command remounts the named file system. For example, to remount the /home file system, the command is mount -o remount /home.
To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.
Publican is a DocBook publishing system.
mono-spaced roman and presented thus:
books Desktop documentation drafts mss photos stuff svn books_tests Desktop1 downloads images notes scripts svgs
mono-spaced roman but add syntax highlighting as follows:
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[])
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
}
system-config-date command at a shell prompt (e.g., xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password.




~]$ su -
Password:
date command allows the superuser to set the system date and time manually:
YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month:
~]# date +%D -s YYYY-MM-DD
~]# date +%D -s 2010-06-02
HH stands for an hour, MM is a minute, and SS is a second, all typed in a two-digit form:
~]# date +%T -s HH:MM:SS
~]# date +%T -s HH:MM:SS -u
~]# date +%T -s 23:26:00 -u
date without any additional argument:
~]$ date
Wed Jun 2 11:58:48 CEST 2010
~]# ntpdate -q server_address
~]# ntpdate -q 0.rhel.pool.ntp.org
~]# ntpdate server_address...
~]# ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org
date without any additional arguments as shown in Section 2.2.1, “Date and Time Setup”.
~]# chkconfig ntpdate on
/var/log/boot.log system log, try to add the following line to /etc/sysconfig/network:
NETWORKWAIT=1
/etc/ntp.conf in a text editor such as vi or nano, or create a new one if it does not already exist:
~]# nano /etc/ntp.conf
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
iburst directive at the end of each server line:
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
~]# service ntpd restart
ntpd daemon is started at boot time:
~]# chkconfig ntpd on
root, and access permissions can be changed by both the root user and file owner.
/etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this “group protection” is not necessary since every user has their own private group.
/etc/passwd file to /etc/shadow, which is readable only by the root user.
/etc/login.defs file to enforce security policies.
/etc/shadow file, any commands which create or modify password aging information do not work. The following is a list of utilities and commands that do not work without first enabling shadow passwords:
chage utility.
gpasswd utility.
usermod command with the -e or -f option.
useradd command with the -e or -f option.
system-config-users at a shell prompt. Note that unless you have superuser privileges, the application will prompt you to authenticate as root.


/home/username/. You can choose not to create the home directory by clearing the Create home directory check box, or change this directory by editing the content of the Home Directory text box. Note that when the home directory is created, default configuration files are copied into it from the /etc/skel/ directory.



| Utilities | Description |
|---|---|
| useradd, usermod, userdel | Standard utilities for adding, modifying, and deleting user accounts. |
| groupadd, groupmod, groupdel | Standard utilities for adding, modifying, and deleting groups. |
| gpasswd | Standard utility for administering the /etc/group configuration file. |
| pwck, grpck | Utilities that can be used for verification of the password, group, and associated shadow files. |
| pwconv, pwunconv | Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords. |
root:
useradd [options] username
options are command line options as described in Table 3.2, “useradd command line options”.
useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password:
passwd username
| Option | Description |
|---|---|
| -c 'comment' | comment can be replaced with any string. This option is generally used to specify the full name of a user. |
| -d home_directory | Home directory to be used instead of default /home/. |
| -e date | Date for the account to be disabled in the format YYYY-MM-DD. |
| -f days | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires. |
| -g group_name | Group name or group number for the user's default group. The group must exist prior to being specified here. |
| -G group_list | List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| -m | Create the home directory if it does not exist. |
| -M | Do not create the home directory. |
| -N | Do not create a user private group for the user. |
| -p password | The password encrypted with crypt. |
| -r | Create a system account with a UID less than 500 and without a home directory. |
| -s | User's login shell, which defaults to /bin/bash. |
| -u uid | User ID for the user, which must be unique and greater than 499. |
useradd juan is issued on a system that has shadow passwords enabled:
juan is created in /etc/passwd:
juan:x:501:501::/home/juan:/bin/bash
juan.
x for the password field indicating that the system is using shadow passwords.
juan is set to /home/juan/.
/bin/bash.
juan is created in /etc/shadow:
juan:!!:14798:0:99999:7:::
juan.
!!) appear in the password field of the /etc/shadow file, which locks the account.
-p flag, it is placed in the /etc/shadow file on the new line for the user.
juan is created in /etc/group:
juan:x:501:
/etc/group has the following characteristics:
juan.
x appears in the password field indicating that the system is using shadow group passwords.
juan in /etc/passwd.
juan is created in /etc/gshadow:
juan:!::
juan.
!) appears in the password field of the /etc/gshadow file, which locks the group.
juan is created in the /home/ directory:
~]# ls -l /home
total 4
drwx------. 4 juan juan 4096 Mar 3 18:23 juan
juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied.
/etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:
~]# ls -la /home/juan
total 28
drwx------. 4 juan juan 4096 Mar 3 18:23 .
drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..
-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout
-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile
-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc
drwxr-xr-x. 2 juan juan 4096 Jul 14 2010 .gnome2
drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
root:
groupadd [options] group_name
options are command line options as described in Table 3.3, “groupadd command line options”.
| Option | Description |
|---|---|
| -f, --force | When used with -g gid and gid already exists, groupadd will choose another unique gid for the group. |
| -g gid | Group ID for the group, which must be unique and greater than 499. |
| -K, --key key=value | Override /etc/login.defs defaults. |
| -o, --non-unique | Allow to create groups with duplicate. |
| -p, --password password | Use this encrypted password for the new group. |
| -r | Create a system group with a GID less than 500. |
chage command.
chage command. For more information, see Section 3.1.2, “Shadow Passwords”.
root:
chage [options] username
options are command line options as described in Table 3.4, “chage command line options”. When the chage command is followed directly by a username (that is, when no command line options are specified), it displays the current password aging values and allows you to change them interactively.
| Option | Description |
|---|---|
| -d days | Specifies the number of days since January 1, 1970 the password was changed. |
| -E date | Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. |
| -I days | Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires. |
| -l | Lists current account aging settings. |
| -m days | Specify the minimum number of days after which the user must change passwords. If the value is 0, the password does not expire. |
| -M days | Specify the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account. |
| -W days | Specifies the number of days before the password expiration date to warn the user. |
root:
passwd username
passwd -d username
root:
chage -d 0 username
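The following script is an added example, not part of the original guide. It reads /etc/shadow-format records and reports the states described above: an account locked with !!, a null password as set by passwd -d, a forced change set with chage -d 0, and the aging rule given for the -M option. The sample records, the status labels and the function name audit_shadow are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-format records by account state.
# SAMPLE_SHADOW is CONSTRUCTED data; the hash strings are placeholders.
# Field layout: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='juan:!!:14798:0:99999:7:::
maria:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14798:0:90:7:::
pedro::14798:0:99999:7:::
ana:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:90:7:::
luis:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14000:0:90:7:30:14700:
daemon:*:14798:0:99999:7:::'

# audit_shadow [TODAY]
#   Reads shadow-format lines on stdin and prints "user:status[,status]".
#   TODAY is the current day as days since January 1, 1970 (the unit used
#   in the lastchg and expire fields); it defaults to the system clock.
audit_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    NF < 9 { next }                      # skip blank or malformed lines
    {
        s = ""
        # Password field: empty means a null password (passwd -d);
        # a leading "!" or "*" means no password can match (locked).
        if ($2 == "")           s = s ",no-password"
        else if ($2 ~ /^[!*]/)  s = s ",locked"

        # lastchg of 0 is what "chage -d 0" writes: change at next login.
        # Otherwise apply the -M rule: lastchg + max < today => expired.
        if ($3 == "0")
            s = s ",must-change"
        else if ($3 != "" && $5 != "" && $3 + $5 < today)
            s = s ",password-expired"

        # Field 8 is the account expiry day (useradd -e / chage -E).
        if ($8 != "" && $8 + 0 <= today) s = s ",account-expired"

        if (s == "") s = ",ok"
        print $1 ":" substr(s, 2)
    }'
}

# Demonstration on the constructed sample, with day 15000 as "today".
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 15000
```

On a real system, run `audit_shadow < /etc/shadow` as root; any account reported as no-password has a null password field and deserves a closer look.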
root, an unattended login session may pose a significant security risk. To reduce this risk, you can configure the system to automatically log out idle users after a fixed period of time:
root:
yum install screen
root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted:
trap "" 1 2 3 15
/etc/profile file to start a screen session each time a user logs in to a virtual console or remotely:
SCREENEXEC="screen"
if [ -w $(tty) ]; then
  trap "exec $SCREENEXEC" 1 2 3 15
  echo -n 'Starting session in 10 seconds'
  sleep 10
  exec $SCREENEXEC
fi
sleep command.
/etc/screenrc configuration file to close the screen session after a given period of inactivity:
idle 120 quit
autodetach off
idle directive.
idle 120 lockscreen
autodetach off
/opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone.
root, create the /opt/myproject/ directory by typing the following at a shell prompt:
mkdir /opt/myproject
myproject group to the system:
groupadd myproject
/opt/myproject/ directory with the myproject group:
chown root:myproject /opt/myproject
chmod 2775 /opt/myproject
myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:
~]# ls -l /opt
total 4
drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 myproject
/etc/group file.
/etc/group file.
/etc/passwd and /etc/shadow files.
yum to unit content delivery with subscription management. The Subscription Manager handles only the subscription-system associations. yum or other package management tools handle the actual content delivery. Chapter 5, Yum describes how to use yum.


yum plug-ins that come with the Subscription Manager tools.
root because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.
firstboot process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.

yum service through the Red Hat Subscription Manager yum plug-in.
yum.
yum.
root.
[root@server1 ~]# subscription-manager-gui

subscription-manager tool. This tool has the following format:
[root@server1 ~]# subscription-manager command [options]
subscription-manager help and manpage have more information.
| Command | Description |
|---|---|
| register | Registers or identifies a new system to the subscription service. |
| unregister | Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service. |
| subscribe | Allocates a specific subscription to the machine. |
| redeem | Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information. |
| refresh | Pulls the latest entitlement data from the server. Normally, the system polls the entitlement server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The refresh command checks with the entitlement server right then, outside the normal interval. |
| unsubscribe | Removes a specific subscription or all subscriptions from the machine. |
| list | Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine. |
| identity | Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate. |
| facts | Lists the system information, like the release version, number of CPUs, and other architecture information. |
| clean | Removes all of the subscription and identity data from the local system, without affecting the consumer information in the subscription service. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The clean command is useful in cases where the local entitlement information is corrupted or lost somehow, and the system will be reregistered using the register --consumerid=EXISTING_ID command. |
| orgs, repos, environments | Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure. |




libvirt-rhsm, checks VMWare, KVM, and Xen processes and then relays that information to Subscription Manager and any configured subscription service. Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.
system type of consumer.
system, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups, the domain type. domain-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)
system consumer and added to the inventory individually.
domain entitlements apply to the behavior of the entire server group, not to any one system.
domain entitlements using the Red Hat Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.
subscription-manager-gui


rhsm.conf configuration file points to the local subscription service (in the hostname parameter) and the local content server (in the baseurl parameter). The Subscription Manager configuration is described in Section 4.13, “Configuring the Subscription Service”.
subscription-manager-gui







.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command. For example:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem
cert.pem file directly into the /etc/pki/consumer directory. For example:
cp /tmp/downloads/cert.pem /etc/pki/consumer
register command with the user account information required to authenticate to the Certificate-Based Red Hat Network (the credentials used to access subscription service or the Customer Portal). When the system is successfully authenticated, it echoes back the newly-assigned consumer ID and the user account name which registered it.
register options are listed in Table 4.2, “register Options”.
[root@server1 ~]# subscription-manager register --username admin-example --password secret
7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example (the new consumer UUID and the account used for registration)
--org option in addition to the username and password. The given user must also have the access permissions to add systems to that organization.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department"
7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example (the new consumer UUID and the account used for registration)
[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department" --environment=Dev1,ITall
register command returns a Remote Server error.
register command has an option, --autosubscribe, which allows the system to be registered to the subscription service and immediately subscribed to the subscription which best matches its architecture in a single step.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --autosubscribe
--activationkey option.
--org option, but in multi-org environments, the --org option is required. The organization is not defined as part of the activation key.
# subscription-manager register --activationkey=1234abcd --org="IT Dept"
| Options | Description | Required |
|---|---|---|
| --username=name | Gives the content server user account name. | Required |
| --password=password | Gives the password for the user account. | Required |
| --org=name | Gives the organization to which to join the system. | Required, except for hosted environments |
| --environment=name | Registers the consumer to an environment within an organization. | Optional |
| --name=machine_name | Sets the name of the consumer (machine) to register. This defaults to be the same as the hostname. | Optional |
| --autosubscribe | Automatically subscribes this system to the best-matched compatible subscription. This is good for automated setup operations, since the system can be configured in a single step. | Optional |
| --activationkey | Applies existing subscriptions as part of the registration process. The subscriptions are pre-assigned by a vendor or by a systems administrator. | Optional |
| --force | Registers the system even if it is already registered. Normally, any register operations will fail if the machine is already registered. | Optional |
unregister command. This removes the system's entry from the subscription service, unsubscribes it from any subscriptions, and, locally, deletes its identity and entitlement certificates.

unregister.
[root@server1 ~]# subscription-manager unregister
register command. This command passes the original UUID for a system to issue a request to the subscription service to receive a new certificate using the same UUID. This essentially renews its previous registration.
register command uses the original ID to identify itself to the subscription service and restore its previous subscriptions.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --consumerid=7d133d55-876f-4f47-83eb-0ee931cb0a97
| Options | Description | Required |
|---|---|---|
| --consumerid | Gives the consumer UUID used by an existing consumer. The system's consumer entry must exist in the Red Hat subscription service for the reregister operation to succeed. | Required |
| --username=name | Gives the content server user account name. | Optional |
| --password=password | Gives the password for the user account. | Optional |
subscription-manager-gui


subscription-manager-gui

--pool option.
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567
subscribe command are listed in Table 4.4, “subscribe Options”.
list command:
[root@server1 ~]# subscription-manager list --available
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20
--auto option (which is analogous to the --autosubscribe option with the register command).
[root@server1 ~]# subscription-manager subscribe --auto
| Options | Description | Required |
|---|---|---|
| --pool=pool-id | Gives the ID for the subscription to subscribe the machine to. | Required, unless --auto is used |
| --auto | Automatically subscribes the system to the best-match subscription or subscriptions. | Optional |
| --quantity | Subscribes multiple counts of an entitlement to the system. This is used to cover subscriptions that define a count limit, like using two 2-socket server subscriptions to cover a 4-socket machine. | Optional |
unsubscribe command with the --all unsubscribes the system from every product and subscription pool it is currently subscribed to.
[root@server1 ~]# subscription-manager unsubscribe --all
unsubscribe command to remove only that product subscription.
cert.pem file or by using the list command. For example:
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: High availability (cluster suite)
ContractNumber: 0
SerialNumber: 11287514358600162
Active: True
Begins: 2010-09-18
Expires: 2011-11-18
--serial option to specify the certificate.
[root@server1 ~]# subscription-manager unsubscribe --serial=11287514358600162

--quantity option. The quantity taken applies to the product in the --pool option:
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567 --quantity=2
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the subscription certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem
subscription-manager-gui

.pem file of the product certificate.

subscription-manager-gui


redeem command, with an email address to send the redemption email to when the process is complete.
# subscription-manager redeem --email=jsmith@example.com
# subscription-manager redeem --email=jsmith@example.com --org="IT Dept"


list command to display different areas of the subscriptions and products on the system.
| Option | Description |
|---|---|
| --installed (or nothing) | Lists all of the installed and subscribed product on the system. If no option is given with list, it is the same as using the --installed argument. |
| --consumed | Lists all of the subscriptions allocated to the system. |
| --available [--all] | Using --available alone lists all of the compatible, active subscriptions for the system. Using --available --all lists all options, even ones not compatible with the system or with no more available quantities. |
| --ondate=YYYY-MM-DD | Shows subscriptions which are active and available on the specified date. This is only used with the --available option. If this is not used, then the command uses the current date. |
| --installed | Lists all of the products that are installed on the system (and whether they have a subscription) and it lists all of the product subscriptions which are assigned to the system (and whether those products are installed). |
list command shows all of the subscriptions that are currently allocated to the system by using the --consumed option.
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
ContractNumber: 1458961
SerialNumber: 171286550006020205
Active: True
Begins: 2009-01-01
Expires: 2011-12-31
list command shows all of the subscriptions that are compatible with and available to the system using the --available option. To include every subscription the organization has — both the ones that are compatible with the system and others for other platforms — use the --all option with the --available. The --ondate option shows only subscriptions which are active on that date, based on their activation and expiry dates.
[root@server1 ~]# subscription-manager list --available --all
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20
ProductName: RHEL Workstation
ProductId: MKT-rhel-workstation-mkt
PoolId: 5e09a31f95885cc4
Quantity: 10
Expires: 2011-09-20
[snip]
--installed option correlates the products that are actually installed on the system (and their subscription status) and the products which could be installed on the system based on the assigned subscriptions (and whether those products are installed).
[root@server1 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux
Status: Not Subscribed
Expires:
Subscription:
ContractNumber:
AccountNumber:
ProductName: Awesome OS Server
Status: Not Installed
Expires: 2012-02-20
Subscription: 54129829316535230
ContractNumber: 39
AccountNumber: 12331131231
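The Key: value records printed by list --consumed lend themselves to scripted checks. The script below is an added example, not Red Hat code: it assumes the output layout shown on this page and flags subscriptions that are inactive or that expire on or before a given date. The third sample record and the function name subs_needing_attention are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag consumed subscriptions that need attention.
# SAMPLE_CONSUMED is CONSTRUCTED input in the layout of
# `subscription-manager list --consumed` as printed on this page;
# the first two records reuse the page's sample values, the third is invented.
SAMPLE_CONSUMED='+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+
ProductName:    Red Hat Enterprise Linux Server
ContractNumber: 1458961
SerialNumber:   171286550006020205
Active:         True
Begins:         2009-01-01
Expires:        2011-12-31

ProductName:    High availability (cluster suite)
ContractNumber: 0
SerialNumber:   11287514358600162
Active:         True
Begins:         2010-09-18
Expires:        2011-11-18

ProductName:    Constructed Inactive Product
ContractNumber: 7
SerialNumber:   424242
Active:         False
Begins:         2010-01-01
Expires:        2012-06-30'

# subs_needing_attention CUTOFF
#   Reads list --consumed output on stdin. For every record that is not
#   active, or whose Expires date is on or before CUTOFF (YYYY-MM-DD),
#   prints "serial|product|expires|reason".
subs_needing_attention() {
    awk -v cutoff="$1" '
    # Emit the record collected so far, then reset the per-record state.
    function emit(   reason) {
        if (serial == "") return
        reason = ""
        if (active != "True")                  reason = "inactive"
        else if (expires == "")                reason = "no-expiry-date"
        # ISO dates sort correctly as strings; "" forces string comparison.
        else if ((expires "") <= (cutoff ""))  reason = "expires-by-cutoff"
        if (reason != "") print serial "|" product "|" expires "|" reason
        serial = product = active = expires = ""
    }
    # Only "Key: value" lines matter; banner and blank lines are ignored.
    /^[A-Za-z]+:/ {
        key = $0; sub(/:.*/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "ProductName")       { emit(); product = val }
        else if (key == "SerialNumber") serial  = val
        else if (key == "Active")       active  = val
        else if (key == "Expires")      expires = val
    }
    END { emit() }'
}

# Demonstration on the constructed sample with a cutoff of 2011-12-01.
printf '%s\n' "$SAMPLE_CONSUMED" | subs_needing_attention 2011-12-01
```

The serial number in the first column is the value the unsubscribe --serial option expects.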
yum. Subscription Manager has its own yum plug-ins: product-id for subscription-related information for products and subscription-manager which is used for the content repositories.
baseurl parameter of the rhsm.conf file.
[root@server ~]# yum repolist all
repo id                      repo name                            status
rhel-6-server                Red Hat Enterprise Linux 6Server -   enabled
rhel-6-server-beta           Red Hat Enterprise Linux 6Server Be  enabled
rhel-6-server-optional-rpms  Red Hat Enterprise Linux 6Server Op  disabled
rhel-6-server-supplementary  Red Hat Enterprise Linux 6Server Su  disabled
rhel-6-server-optional-rpms and rhel-6-server-supplementary, respectively.
yum-config-manager command:
[root@server ~]# yum-config-manager --enable rhel-6-server-optional-rpms
yum. This uses the --enablerepo repo_name option. For example:
# yum install rubygems --enablerepo=rhel-6-server-optional-rpms
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
....
yum is described in Chapter 5, Yum.

[root@server ~]# subscription-manager list
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Status: Not Subscribed
Expires:
SerialNumber:
ContractNumber:
AccountNumber:



rhsmcertd. This daemon checks the certificate validity dates daily. If a subscription is within 24 hours of expiring, then Subscription Manager will check for any available compatible subscriptions and automatically re-subscribes the system, much like auto-subscribing during registration.
autoheal parameter to the Subscription Manager configuration.
vim /etc/rhsm/rhsm.conf
[rhsmcertd] area, add the autoheal line, and set the value to true.
[rhsmcertd]
certFrequency = 240
healFrequency = 1440
autoheal = true
config command:
[root@server1 ~]# subscription-manager config --rhsmcertd.autoheal=true
healFrequency parameter to zero means that Subscription Manager simply uses the default time setting.
# vim /etc/rhsm/rhsm.conf
[rhsmcertd] section, set the healFrequency parameter to the time, in minutes, to check for changed subscriptions.
[rhsmcertd]
certFrequency = 240
healFrequency = 1440
rhsmcertd daemon to reload the configuration.
# service rhsmcertd start
orgs, environments, and repos commands list the organization, environment, and repository information for the system, depending on the organization and environments it belongs to.
subscription-manager orgs --username=jsmith --password=secret
+-------------------------------------------+
admin Organizations
+-------------------------------------------+
OrgName: Admin Owner
OrgKey: admin
OrgName: Dev East
OrgKey: deveast
OrgName: Dev West
OrgKey: devwest
subscription-manager environments --username=jsmith --password=secret --org=admin
+-------------------------------------------+
Environments
+-------------------------------------------+
Name: Locker
Description: None
Name: Dev
Description:
Name: Prod
Description:
subscription-manager repos --list
+----------------------------------------------------------+
Entitled Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
RepoName: never-enabled-content
RepoId: never-enabled-content
RepoUrl: https://content.example.com/repos/optional
Enabled: 0
RepoName: always-enabled-content
RepoId: always-enabled-content
RepoUrl: https://content.example.com/repos/dev
Enabled: 1
RepoName: content
RepoId: content-label
RepoUrl: https://content.example.com/repos/prod
Enabled: 1
.pem file.
https://access.redhat.com/

certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem
refresh command updates all of the subscription information that is available to the consumer. This removes expired subscriptions and adds new subscriptions to the list. This does not subscribe the machine, but it does pull in the newest data for administrators to use.
[root@server1 ~]# subscription-manager refresh
rhsm.conf configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.
| File or Directory | Description |
|---|---|
| /etc/rhsm | The primary Red Hat Subscription Manager configuration directory. |
| /etc/rhsm/rhsm.conf | The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI. |
| /etc/rhsm/facts | Any user-defined JSON files that override or add system facts to determine entitlement compatibility. Any facts files must end in .facts. |
| /var/lib/rhsm/cache/installed_products.json | A master list of installed products, which is sent by Subscription Manager to a content service. |
| /var/lib/rhsm/facts/facts.facts | The default system facts file, gathered by the Subscription Manager. |
| /var/lib/rhsm/packages/ | The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager. |
| /var/log/rhsm | The Red Hat Subscription Manager log directory. |
| /var/log/rhsm/rhsm.log | The log for the Red Hat Subscription Manager tools. |
| /var/log/rhsm/rhsmcertd.log | The log for the Red Hat Subscription Manager daemon, rhsmcertd. |
| /etc/pki/consumer | The directory which contains the identity certificates used by the system to identify itself to the subscription service. |
| /etc/pki/consumer/cert.pem | The base-64 consumer identity certificate file. |
| /etc/pki/consumer/key.pem | The base-64 consumer identity key file. |
| /etc/pki/entitlement | The directory which contains the entitlement certificates for the available subscriptions. |
| /etc/pki/product/product_serial#.pem | The product certificates for installed software products. |
| /var/run/subsys/rhsm | Runtime files for Red Hat Subscription Manager |
| /etc/init.d/rhsmcertd | The subscription certificate daemon. |
| /etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced | Files to run daily checks and notifications for subscription validity. |
| /etc/yum/pluginconf.d/rhsmplugin.conf | The configuration file to include the Red Hat Subscription Manager plug-in in the yum configuration. |
| /usr/share/rhsm | All of the Python and script files used by both Red Hat Subscription Manager tools to perform subscription tasks. |
| /usr/share/rhsm/gui | All of the Python script and image files used to render the Red Hat Subscription Manager GUI. |
rhsm.conf. This file configures several important aspects of how Red Hat Subscription Manager interacts with both entitlements and content services:
rhsm.conf file is divided into three sections. Two major sections define the subscription service ([server]) and content and product delivery ([rhsm]). The third section relates to the rhsmcertd daemon. Each assertion is a simple attribute = value pair. Any of the default values can be edited; all possible attributes are present and active in the default rhsm.conf file.
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

[rhsmcertd]
# Frequency of certificate refresh (in minutes):
certFrequency = 240
# Frequency of autoheal check (1440 min = 1 day):
healFrequency = 1440
| Parameter | Description | Default Value |
|---|---|---|
| [server] Parameters | ||
| hostname | Gives the IP address or fully-qualified domain name of the subscription service. | subscription.rhn.redhat.com |
| prefix | Gives the directory, in the URL, to use to connect to the subscription service. | /subscription |
| port | Gives the port to use to connect to the subscription service. | 443 |
| insecure | Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service. | 0 |
| ssl_verify_depth | Sets how far back in the certificate chain to verify the certificate. | 3 |
| proxy_hostname | Gives the hostname of the proxy server. This is required. | |
| proxy_port | Gives the port of the proxy server. This is required. | |
| proxy_user | Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| proxy_password | Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| ca_cert_dir | Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection. | /etc/rhsm/ca |
| [rhsm] Parameters | ||
| baseurl | Gives the full URL to access the content delivery system. | https://cdn.redhat.com |
| repo_ca_cert | Identifies the default CA certificate to use to set the yum repo configuration. | %(ca_cert_dir)sredhat-uep.pem |
| showIncompatiblePools | Sets whether to display subscription pools which are not compatible with the system's architecture but which have been purchased by an organization. By default, Subscription Manager only displays subscriptions which are compatible with, and therefore available to, the system. This parameter only applies to the Subscription Manager GUI. Incompatible subscriptions can be displayed in the CLI by using the --all option with the list command. | 0 |
| productCertDir | Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager. | /etc/pki/product |
| consumerCertDir | Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager. | /etc/pki/consumer |
| entitlementCertDir | Sets the directory where the entitlement certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own entitlement certificate. | /etc/pki/entitlement |
| [rhsmcertd] Parameters | ||
| certFrequency | Sets the interval, in minutes, to check and update entitlement certificates used by Subscription Manager. | 240 |
| healFrequency | Sets the interval, in minutes, to check for changed subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products. | 240 |
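The following Python sketch is an added example, not part of the original guide or of Subscription Manager itself. It audits rhsm.conf text for the settings in the table above that weaken the connection (insecure, a non-HTTPS baseurl, a stored proxy_password) and for keys the table does not list; the function name, the constructed sample and the policy are assumptions made for illustration.

```python
import configparser

# Parameters this page documents for each rhsm.conf section.
KNOWN = {
    "server": {"hostname", "prefix", "port", "insecure", "ssl_verify_depth",
               "ca_cert_dir", "proxy_hostname", "proxy_port", "proxy_user",
               "proxy_password"},
    "rhsm": {"baseurl", "repo_ca_cert", "showIncompatiblePools",
             "productCertDir", "entitlementCertDir", "consumerCertDir"},
    "rhsmcertd": {"certFrequency", "healFrequency", "autoheal"},
}

# Default values as listed on this page (comments omitted).
SAMPLE_DEFAULT = """\
[server]
hostname = subscription.rhn.redhat.com
prefix = /subscription
port = 443
insecure = 0
ssl_verify_depth = 3
ca_cert_dir = /etc/rhsm/ca/
proxy_hostname =
proxy_port =
proxy_user =
proxy_password =
[rhsm]
baseurl= https://cdn.redhat.com
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer
[rhsmcertd]
certFrequency = 240
healFrequency = 1440
"""

# Constructed sample that combines values from the page's later examples.
SAMPLE_WEAK = """\
[server]
hostname = entitlements.server.example.com
prefix = /candlepin
port = 8443
insecure = 1
ca_cert = /etc/rhsm/ca
proxy_hostname = proxy.example.com
proxy_port = 443
proxy_user = jsmith
proxy_password = secret
[rhsm]
baseurl = http://content.example.com/content
"""


def audit_rhsm_conf(text):
    """Return a list of (section.parameter, reason) findings for rhsm.conf text."""
    # RawConfigParser: repo_ca_cert uses %(ca_cert_dir)s, which lives in another
    # section, so Python's default interpolation would raise on it.
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep camelCase keys such as certFrequency
    cp.read_string(text)

    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    findings = []
    if get("server", "insecure") not in ("", "0"):
        findings.append(("server.insecure",
                         "certificate validation for the subscription service is disabled"))
    baseurl = get("rhsm", "baseurl")
    if baseurl and not baseurl.lower().startswith("https://"):
        findings.append(("rhsm.baseurl", "content is fetched without TLS: " + baseurl))
    if get("server", "proxy_password"):
        findings.append(("server.proxy_password",
                         "proxy password is stored in clear text; restrict read access to the file"))
    if not get("server", "proxy_hostname") and any(
            get("server", k) for k in ("proxy_port", "proxy_user", "proxy_password")):
        findings.append(("server.proxy_hostname",
                         "blank proxy_hostname means no proxy is used; other proxy_* values have no effect"))
    # Keys outside the documented set are usually typos (ca_cert vs ca_cert_dir).
    for section in cp.sections():
        for key in cp.options(section):
            if key not in KNOWN.get(section, set()):
                findings.append((section + "." + key,
                                 "not a documented parameter; check for a typo"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rhsm_conf(SAMPLE_WEAK):
        print(name + ": " + reason)
```

Run it against the contents of /etc/rhsm/rhsm.conf by passing the file's text to audit_rhsm_conf(); an empty list means none of these checks fired.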
subscription-manager has a subcommand that can change the rhsm.conf configuration file. Almost all of the connection information used by Subscription Manager to access the subscription server, content server, and any proxies is set in the configuration file, as well as general configuration parameters like the frequency Subscription Manager checks for entitlements updates. There are major divisions in the rhsm.conf file, such as [server] which is used to configure the subscription server. When changing the Subscription Manager configuration, the settings are identified with the format section.parameter and then the new value. For example:
server.hostname=newsubscription.example.com
config command:
[root@server1 ~]# subscription-manager config --section.parameter=newValue
[root@server1 ~]# subscription-manager config --server.hostname=subscription.example.com
rhsm.conf file parameters are listed in Table 4.7, “rhsm.conf Parameters”. This is most commonly used to change connection settings:
config command also has a --remove option. This deletes the current value for the parameter without supplying a new parameter. A blank value tells Subscription Manager to use any default values that are set for that parameter rather than a user-defined value. For example:
[root@server1 ~]# subscription-manager config --remove=rhsm.certFrequency
The default value for rhsm.certFrequency will now be used.
[root@server1 ~]# subscription-manager config --remove=server.proxy
You have removed the value in section server for parameter proxy.
subscription-manager-gui


rhsm.conf file; this is the same as configuring it in the Subscription Manager GUI. The proxy configuration is stored and used for every connection between the subscription service and the local system.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the HTTP proxy. All parameters are described in Table 4.7, “rhsm.conf Parameters”. There are four parameters directly related to the proxy:
proxy_hostname for the IP address or fully-qualified domain name of the proxy server; this is required.
proxy_hostname argument blank means that no HTTP proxy is used.
proxy_port for the proxy server port.
proxy_user for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
proxy_password for the password for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
[server]
# an http proxy server to use
proxy_hostname = proxy.example.com

# port for http proxy server
proxy_port = 443

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =
subscription-manager.
| Argument | Description | Required for a Proxy Connection? |
|---|---|---|
| --proxy | Gives the proxy server to connect to, in the format hostname:port. | Yes |
| --proxyuser | Gives the username to use to authenticate. This is only required if user authentication is required. | No |
| --proxypass | Gives the password to use with the user account. This is only required if user authentication is required. | No |
subscription-manager operation. For example:
[root@server1 ~]# subscription-manager subscribe --pool=ff8080812bc382e3012bc3845ca000cb --proxy=proxy.example.com:8443 --proxyuser=jsmith --proxypass=secret
rhsm.conf file. The subscription service connection settings are in the [server] section of the configuration file.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the subscription service connection. All parameters are described in Table 4.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
hostname for the IP address or fully-qualified domain name of the machine
prefix for the subscription service directory
port for the subscription service port
[server]
hostname=entitlements.server.example.com
prefix=/candlepin
port=8443
vim /etc/rhsm/rhsm.conf
baseurl directive in the [rhsm] section. This is the full URL to the service.
[rhsm]
# Content base URL:
baseurl= http://content.example.com/content
vim /etc/rhsm/rhsm.conf
[server] section that relate to a secure connection. All parameters are described in Table 4.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
insecure to set whether to use a secure (0) or insecure (1) connection
ca_cert_dir for the directory location for the CA certificate for authentication and verification
port for the subscription service port; this should be an SSL port if a secure connection is required
[server]
port=8443
insecure = 1
ca_cert = /etc/rhsm/ca
rhsmcertd, runs as a service on the system. The daemon, by default, starts with the system, and it can be started, stopped, or checked with the service command.
service rhsmcertd status
rhsmcertd (pid 13084) is running...
chkconfig also defines startup settings for different run levels of the server.
chkconfig. By default, the Red Hat Subscription Manager daemon, rhsmcertd, is configured to run at levels 3, 4, and 5, so that the service is started automatically when the server reboots.
chkconfig. For example, to enable run level 2:
chkconfig --level 2345 rhsmcertd on
rhsmcertd from the start list, change the run level settings off:
chkconfig --level 2345 rhsmcertd off
service and chkconfig settings.
system-config-services package must be installed for the wizard to be available.

rhsmcertd item in the list of services on the left, and then edit the service as desired.

/var/log/rhsm directory:
rhsm.log shows every invocation and result of running the Subscription Manager GUI or CLI
rhsmcertd.log shows every time a new certificate is generated, which happens on a schedule defined by the certFrequency parameter in the rhsm.conf file.
rhsm.log log contains the sequence of every Python call for every operation invoked through the Subscription Manager tools. Each entry has this format:
YYYY-MM-DD HH:MM:SS,process_id [MESSAGE_TYPE] call python_script response
rhsm.log relates to the Python script or function that was called, there can be multiple log entries for a single operation.
2010-10-01 17:27:57,874 [INFO] _request() @connection.py:97 - status code: 200
2010-10-01 17:27:57,875 [INFO] perform() @certlib.py:132 - updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new) <NONE>
Deleted (rogue): <NONE>
Expired (not deleted): <NONE>
Expired (deleted): <NONE>
2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:193 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/pki/CA/candlepin.pem, insecure = True
2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:196 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
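Added example (not part of the original guide): a Python parser for the rhsm.log entry format shown above that folds continuation lines into their entry and reports connections made with insecure = True. The regular expressions and function names are assumptions derived from the sample lines on this page, which are embedded as the sample input.

```python
import re

# One entry header, following the sample lines on this page. The number after
# the comma is the field the page's format string calls process_id.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<num>\d+) "
    r"\[(?P<level>[A-Z]+)\] (?P<call>\S+) @(?P<script>[^:\s]+):(?P<line>\d+)"
    r" - (?P<msg>.*)$")
INSECURE = re.compile(r"\binsecure = True\b")
CONNECTED = re.compile(
    r"Connection Established: host: (?P<host>[^,\s]+), port: (?P<port>\d+)")

# Sample input: the rhsm.log excerpt from this page.
SAMPLE_LOG = """\
2010-10-01 17:27:57,874 [INFO] _request() @connection.py:97 - status code: 200
2010-10-01 17:27:57,875 [INFO] perform() @certlib.py:132 - updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new) <NONE>
Deleted (rogue): <NONE>
Expired (not deleted): <NONE>
Expired (deleted): <NONE>
2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:193 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/pki/CA/candlepin.pem, insecure = True
2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:196 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
"""


def parse_rhsm_log(text):
    """Split log text into entries; lines without a header extend the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]["msg"] += "\n" + raw.strip()
    return entries


def insecure_connections(entries):
    """Pair each 'insecure = True' entry with the connection that follows it."""
    hits, pending = [], None
    for e in entries:
        if INSECURE.search(e["msg"]):
            if pending is not None:          # earlier hit never saw a connection
                hits.append({"ts": pending["ts"], "host": None, "port": None})
            pending = e
            continue
        m = CONNECTED.search(e["msg"])
        if pending is not None and m:
            hits.append({"ts": pending["ts"], "host": m.group("host"),
                         "port": int(m.group("port"))})
            pending = None
    if pending is not None:
        hits.append({"ts": pending["ts"], "host": None, "port": None})
    return hits


if __name__ == "__main__":
    for hit in insecure_connections(parse_rhsm_log(SAMPLE_LOG)):
        print(hit)
```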
rhsmcertd.log file are much simpler. The log only records when the rhsmcertd daemon starts or stops and every time a certificate is updated.
Fri Oct 1 13:27:44 2010: started: interval = 240 minutes
Fri Oct 1 13:27:50 2010: certificates updated
--all option:
[root@server1 ~]# subscription-manager list --available --all
rhsm.conf configuration file.
vim /etc/rhsm/rhsm.conf
showIncompatiblePools directive in the [rhsm] section. A value of 0 shows only compatible entitlements.
[rhsm]
# Content base URL:
showIncompatiblePools = 1
/etc/redhat-release or /etc/sysconfig. In both the Red Hat Subscription Manager GUI and CLI, the facts are represented as simple attribute: value pairs.
subscription-manager-gui


facts with the --list option.
[root@server1 ~]# subscription-manager facts --list
cpu.architecture: i686
cpu.core(s)_per_socket: 4
cpu.cpu(s): 4
cpu.cpu_family: 6
cpu.cpu_mhz: 2000.010
cpu.cpu_op-mode(s): 32-bit, 64-bit
cpu.cpu_socket(s): 1
cpu.l1d_cache: 32K
cpu.l1i_cache: 32K
cpu.l2_cache: 6144K
cpu.model: 23
cpu.stepping: 6
cpu.thread(s)_per_core: 1
cpu.vendor_id: GenuineIntel
cpu.virtualization: VT-x
distribution.id: Santiago
distribution.name: Red Hat Enterprise Linux Workstation
distribution.version: 6
dmi.baseboard.manufacturer: IBM
dmi.baseboard.product_name: Server Blade
... [snip] ...
--update option with the facts command.
[root@server1 ~]# subscription-manager facts --update
/var/lib/rhsm/facts/facts.facts. These facts are stored as attribute: value pairs, in a comma-separated list.
{"fact1": "value1","fact2": "value2"}
/etc/rhsm/facts directory. These JSON files can override existing facts or even add new facts to be used by the subscription service.
vim /etc/rhsm/facts/my-example.facts
{"uname.machine": "x86","kernel_version": "2.6.32","physical_location": "MTV colo rack 5"}
identity command. Although not required, using the --force option will require the username and password and will cause the Subscription Manager to prompt for the credentials if they are not passed in the command:
[root@server1 ~]# subscription-manager identity --regenerate --force
Username: jsmith@example.com
Password:
Identity certificate has been regenerated.

identity command to return the current UUID. The UUID is the Current identity is value.
[root@server1 ~]# subscription-manager identity
Current identity is: 63701087-f625-4519-8ab2-633bb50cb261
name: server1.example.com
org name: 6340056
org id: 8a85f981302cbaf201302d89931e059a
list --installed command with the command-line tools.
rhsmcertd, checks the system periodically — once when it is first registered and then when it runs a refresh operation every four hours — to get the most current list of installed products. When the system is registered and then whenever there is a change to the package list, Subscription Manager sends an updated package profile to the subscription service.
/var/lib/rhsm/packages/.
subscription-manager script. Information like the consumer ID or subscription pool ID is pulled up and referenced automatically in the Red Hat Subscription Manager UI, but it has to be entered manually in the command line.
| Information | Description | Operations Used In | Find It In ... |
|---|---|---|---|
| Consumer ID | A unique identifier for each system that is registered to the subscription service. | identity | The simplest method is to use the identity command to return the current UUID. [root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: consumer-1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059a The Subject CN element of the identity certificate for the system, /etc/pki/consumer/cert.pem. The UUID can also be returned by using openssl to pretty-print the certificate. openssl x509 -text -in /etc/pki/consumer/cert.pem Certificate: ... snip ... Subject: CN=7d133d55 876f 4f47 83eb 0ee931cb0a97 |
| Pool ID | An identifier for a specific set of subscriptions. This set is created when subscriptions are purchased. Whenever a system needs to subscribe to a product, it references a pool ID to identify which purchased set of subscriptions to use. | subscribe | The PoolID value given for a product when listing available subscriptions. For example: [root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: Red Hat Enterprise Linux, Standard (up to 2 sockets) 3 year ProductId: MCT0346F3 PoolId: ff8080812bc382e3012bc3845ca000cb Quantity: 2 Expires: 2011-02-28 |
| Product certificate serial number | The identification used for a specific, installed product. A certificate with a unique serial number is generated when a product is installed; this serial number is used to identify that specific product installation when managing subscriptions. | unsubscribe | The SerialNumber line in the product subscription information. This can be returned by running list --consumed. [root@server1 ~]# subscription-manager list --consumed +-----------------------------+ Consumed Product Subscriptions +-----------------------------+ ProductName: High availability (cluster suite) ContractNumber: 0 SerialNumber: 11287514358600162 .... |
| Product ID | The internal identifier used to identify a type of product. | | The ProductID value given for a product when listing available subscriptions. For example: [root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: RHEL for Physical Servers ProductId: MKT-rhel-server ... snip ... |
.pem formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
openssl or pk12util can be used to extract and view information from these certificates, in a pretty-print format. The product- and subscription-related information is extracted and viewable in the Red Hat Subscription Manager GUI or command-line tools.
| Certificate Type | Description | Default Location |
|---|---|---|
| Consumer Identity Certificate | Used to identify the system (consumer) to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the consumer. | /etc/pki/consumer |
| Entitlement Certificate | Contains a list of products that are available to a system to install, based on the subscriptions that the system has been subscribed to. The entitlement certificate defines the software products, the content delivery location, and validity dates. The presence of an entitlement certificate means that the system has consumed one of the quantities from the subscription. | /etc/pki/entitlement |
| Product Certificate | Contains the information about a product after it has been installed. | /etc/pki/product/product_serial#.pem |
| CA Certificate | A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSL to connect to the subscription service. | /etc/rhsm/ca/candlepin-ca.pem |
| Satellite Certificate | An XML-formatted certificate which contains a product list. This is used by local Satellite 5.x systems, not the newer subscription service. | |
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1430 (0x596)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=entitlement.server.example.com, C=US, L=Raleigh
Validity
Not Before: Oct 6 16:32:05 2010 GMT
Not After : Oct 6 23:59:59 2011 GMT
Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71:
8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e:
0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8:
4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72:
fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9:
8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df:
1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3:
68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36:
9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29:
79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63:
3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64:
4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9:
35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95:
a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85:
6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76:
fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae:
36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41:
4d:85
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82
DirName:/CN=entitlement.server.example.com/C=US/L=Raleigh
serial:D6:CE:78:B1:56:9C:37:41
X509v3 Subject Key Identifier:
66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DirName:/CN=admin-example
Signature Algorithm: sha1WithRSAEncryption
0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2:
bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58:
56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea:
8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00:
f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46:
47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57:
ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b:
ca:5f
*.pem file stored in the entitlement certificates directory, /etc/pki/entitlement. The name of the *.pem file is a numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:da:6c:06:90:7f:ff
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=candlepin1.devlab.phx1.redhat.com, C=US, L=Raleigh
Validity
Not Before: Oct 8 17:55:28 2010 GMT
Not After : Oct 2 23:59:59 2011 GMT
Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...
1.3.6.1.4.1.2312.9.2.product_#.config_#: ..config_value
2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2. is the product-specific information
.1. is the subscription information
.4. contains the contract information, like its ID number and start and end dates
.5. contains the consumer information, like the consumer ID which installed a product
content repository type
1.3.6.1.4.1.2312.9.2.30393.1:
..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1:
.HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2:
.Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5:
..Red Hat
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6:
.Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7:
.2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4:
..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3:
..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8:
..1
*.pem file stored in the entitlement certificates directory, /etc/pki/product/product_serial#.pem. The name of the *.pem file is a numeric identifier that is generated by the subscription service. As with entitlement tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
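Added example, not from the original guide or from Subscription Manager: a small Python decoder for the entitlement certificate extension lines listed above, using this page's own area and field labels. It assumes the two characters in front of each value are the DER tag and length bytes as openssl prints them, and checks the length against the text; the function names and the layout of the embedded sample are hypothetical.

```python
import re

BASE = "1.3.6.1.4.1.2312.9"
# Area numbers and field labels exactly as this page lists them.
AREAS = {"1": "subscription", "2": "product", "4": "contract", "5": "consumer"}
FIELDS = {
    "1": "content repository type", "1.1": "product", "1.2": "channel name",
    "1.3": "quantity", "1.4": "flex quantity", "1.5": "vendor",
    "1.6": "download URL", "1.7": "key download URL",
    "1.8": "repo enabled setting",
}
OID_LINE = re.compile(r"^\s*" + re.escape(BASE) + r"\.(\d+)\.(\d+)\.([\d.]+):\s*$")

# Constructed input: the extension values from this page, laid out as an
# OID line followed by the raw value line.
SAMPLE = r"""
            1.3.6.1.4.1.2312.9.2.30393.1:
                ..yum
            1.3.6.1.4.1.2312.9.2.30393.1.1:
                .HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
            1.3.6.1.4.1.2312.9.2.30393.1.2:
                .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
            1.3.6.1.4.1.2312.9.2.30393.1.5:
                ..Red Hat
            1.3.6.1.4.1.2312.9.2.30393.1.6:
                .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
            1.3.6.1.4.1.2312.9.2.30393.1.7:
                .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
            1.3.6.1.4.1.2312.9.2.30393.1.4:
                ..0
            1.3.6.1.4.1.2312.9.2.30393.1.3:
                ..25
            1.3.6.1.4.1.2312.9.2.30393.1.8:
                ..1
"""


def strip_der_header(raw):
    """Drop the two leading characters and check the length they encode.

    Assumption (consistent with the listing on this page): each value is a
    DER string whose tag and one-byte length are printed in front of the
    text, with non-printable bytes shown as '.'.
    """
    if len(raw) < 2:
        return raw, False
    body, length_char = raw[2:], raw[1]
    n = len(body.encode("utf-8"))
    if length_char == ".":
        ok = n < 32 or n in (46, 127)  # unprintable length byte, or a literal '.'
    else:
        ok = ord(length_char) == n     # e.g. 'Q' is 0x51, so 81 bytes must follow
    return body, ok


def decode_extensions(dump):
    """Return one record per Red Hat OID line found in pretty-printed output."""
    lines = dump.splitlines()
    records = []
    for i, line in enumerate(lines[:-1]):
        m = OID_LINE.match(line)
        if not m:
            continue  # labels, other extensions, blank lines
        area, product, tail = m.groups()
        value, ok = strip_der_header(lines[i + 1].lstrip())
        field = FIELDS.get(tail, "config " + tail) if area == "2" else "config " + tail
        records.append({"oid": line.strip().rstrip(":"),
                        "area": AREAS.get(area, "unknown"), "product": product,
                        "field": field, "value": value, "length_ok": ok})
    return records


def repos_by_product(records):
    """Group the product-area fields into one dictionary per product number."""
    repos = {}
    for r in records:
        if r["area"] == "product":
            repos.setdefault(r["product"], {})[r["field"]] = r["value"]
    return repos


if __name__ == "__main__":
    for label, value in repos_by_product(decode_extensions(SAMPLE))["30393"].items():
        print(label + ": " + value)
```

A record with length_ok set to False means the printed length byte does not match the text that follows, which is worth a second look before trusting the decoded URL or key location.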
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the entitlement (name="issued" and name="expires"), or the entitlement itself. A system entitlement uses the name argument to set the service being entitled; every content entitlement is set as a name="channel-family" type, with the specific product identified in an additional family argument.
name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field>
<rhn-cert-field name="owner">Example Corp</rhn-cert-field>
<rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field>
<rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field>
... [snip] ...
<rhn-cert-field name="satellite-version">5.3</rhn-cert-field>
<rhn-cert-field name="generation">2</rhn-cert-field>
<rhn-cert-signature>
-----BEGIN PGP SIGNATURE-----
Version: Crypt::OpenPGP 1.03

iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF
aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg==
=gqP7
-----END PGP SIGNATURE-----
</rhn-cert-signature>
name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
<rhn-cert-field name="slots">119</rhn-cert-field>
name argument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field>
<rhn-cert-field name="monitoring-slots">20</rhn-cert-field>
<rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family.
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/>
<rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.
yum check-update
~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
PackageKit.x86_64 0.5.8-2.el6 rhel
PackageKit-glib.x86_64 0.5.8-2.el6 rhel
PackageKit-yum.x86_64 0.5.8-2.el6 rhel
PackageKit-yum-plugin.x86_64 0.5.8-2.el6 rhel
glibc.x86_64 2.11.90-20.el6 rhel
glibc-common.x86_64 2.10.90-22 rhel
kernel.x86_64 2.6.31-14.el6 rhel
kernel-firmware.noarch 2.6.31-14.el6 rhel
rpm.x86_64 4.7.1-5.el6 rhel
rpm-libs.x86_64 4.7.1-5.el6 rhel
rpm-python.x86_64 4.7.1-5.el6 rhel
udev.x86_64 147-2.15.el6 rhel
yum.noarch 3.2.24-4.el6 rhel
PackageKit — the name of the package
x86_64 — the CPU architecture the package was built for
0.5.8 — the version of the updated package to be installed
rhel — the repository in which the updated package is located
yum and rpm packages), as well as their dependencies (such as the kernel-firmware, rpm-libs, and rpm-python packages), all using yum.
root:
yum update package_name
~]# yum update udev
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package udev.x86_64 0:147-2.15.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================
Package Arch Version Repository Size
===========================================================================
Updating:
udev x86_64 147-2.15.el6 rhel 337 k
Transaction Summary
===========================================================================
Install 0 Package(s)
Upgrade 1 Package(s)
Total download size: 337 k
Is this ok [y/N]:
Loaded plugins: product-id, refresh-packagekit, subscription-manager — yum always informs you which Yum plug-ins are installed and enabled. Here, yum is using the product-id, refresh-packagekit, and subscription-manager plug-ins. Refer to Section 5.4, “Yum Plug-ins” for general information on Yum plug-ins, or to Section 5.4.3, “Plug-in Descriptions” for descriptions of specific plug-ins.
udev.x86_64 — you can download and install the new udev package.
yum presents the update information and then prompts you as to whether you want it to perform the update; yum runs interactively by default. If you already know which transactions yum plans to perform, you can use the -y option to automatically answer yes to any questions yum may ask (in which case it runs non-interactively). However, you should always examine which changes yum plans to make to the system so that you can easily troubleshoot any problems that might arise.
yum history command as described in Section 5.2.6, “Working with Transaction History”.
yum always installs a new kernel in the same sense that RPM installs a new kernel when you use the command rpm -i kernel. Therefore, you do not need to worry about the distinction between installing and upgrading a kernel package when you use yum: it will do the right thing, regardless of whether you are using the yum update or yum install command.
rpm -i kernel command (which installs a new kernel) instead of rpm -U kernel (which replaces the current kernel). Refer to Section B.2.2, “Installing and Upgrading” for more information on installing/updating kernels with RPM.
yum update (without any arguments):
yum update
yum command with a set of highly-useful security-centric commands, subcommands and options. Refer to Section 5.4.3, “Plug-in Descriptions” for specific information.
yum search term…
~]# yum search meld kompare
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
============================ Matched: kompare =============================
kdesdk.x86_64 : The KDE Software Development Kit (SDK)
Warning: No matches found for: meld
yum search command is useful for searching for packages you do not know the name of, but for which you know a related term.
yum list and related commands provide information about packages, package groups, and repositories.
* (which expands to match any character multiple times) and ? (which expands to match any one character).
yum command, otherwise the Bash shell will interpret these expressions as pathname expansions, and potentially pass all files in the current directory that match the globs to yum. To make sure the glob expressions are passed to yum as intended, either:
yum list glob_expression…
~]# yum list abrt-addon\* abrt-plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
abrt-addon-ccpp.x86_64 1.0.7-5.el6 @rhel
abrt-addon-kerneloops.x86_64 1.0.7-5.el6 @rhel
abrt-addon-python.x86_64 1.0.7-5.el6 @rhel
abrt-plugin-bugzilla.x86_64 1.0.7-5.el6 @rhel
abrt-plugin-logger.x86_64 1.0.7-5.el6 @rhel
abrt-plugin-sosreport.x86_64 1.0.7-5.el6 @rhel
abrt-plugin-ticketuploader.x86_64 1.0.7-5.el6 @rhel
yum list all
yum list installed
~]# yum list installed "krb?-*"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
krb5-libs.x86_64 1.8.1-3.el6 @rhel
krb5-workstation.x86_64 1.8.1-3.el6 @rhel
yum list available
~]# yum list available gstreamer\*plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Available Packages
gstreamer-plugins-bad-free.i686 0.10.17-4.el6 rhel
gstreamer-plugins-base.i686 0.10.26-1.el6 rhel
gstreamer-plugins-base-devel.i686 0.10.26-1.el6 rhel
gstreamer-plugins-base-devel.x86_64 0.10.26-1.el6 rhel
gstreamer-plugins-good.i686 0.10.18-1.el6 rhel
yum grouplist
yum repolist
yum info package_name…
~]# yum info abrt
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
Name : abrt
Arch : x86_64
Version : 1.0.7
Release : 5.el6
Size : 578 k
Repo : installed
From repo : rhel
Summary : Automatic bug detection and reporting tool
URL : https://fedorahosted.org/abrt/
License : GPLv2+
Description: abrt is a tool to help users to detect defects in applications
: and to create a bug report with all informations needed by
: maintainer to fix it. It uses plugin system to extend its
: functionality.
yum info package_name command is similar to the rpm -q --info package_name command, but provides as additional information the ID of the Yum repository the RPM package is found in (look for the From repo: line in the output).
yumdb info package_name
user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type:
~]# yumdb info yum
Loaded plugins: product-id, refresh-packagekit, subscription-manager
yum-3.2.27-4.el6.noarch
checksum_data = 23d337ed51a9757bbfbdceb82c4eaca9808ff1009b51e9626d540f44fe95f771
checksum_type = sha256
from_repo = rhel
from_repo_revision = 1298613159
from_repo_timestamp = 1298614288
installed_by = 4294967295
reason = user
releasever = 6.1
yumdb command, refer to the yumdb(8) manual page.
yum install package_name
yum install package_name package_name…
.arch to the package name. For example, to install the sqlite2 package for i586, type:
~]# yum install sqlite2.i586
~]# yum install audacious-plugins-\*
yum install. If you know the name of the binary you want to install, but not its package name, you can give yum install the path name:
~]# yum install /usr/sbin/named
yum then searches through its package lists, finds the package which provides /usr/sbin/named, if any, and prompts you as to whether you want to install it.
named binary, but you do not know in which bin or sbin directory the file is installed, use the yum provides command with a glob expression:
~]# yum provides "*bin/named"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
32:bind-9.7.0-4.P1.el6.x86_64 : The Berkeley Internet Name Domain (BIND)
: DNS (Domain Name System) server
Repo : rhel
Matched from:
Filename : /usr/sbin/named
yum provides "*/file_name" is a common and useful trick to find the package(s) that contain file_name.
yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Loading "product-id" plugin
Loading "refresh-packagekit" plugin
Loading "subscription-manager" plugin
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Config time: 0.123
Yum Version: 3.2.29
Setting up Group Process
Looking for repo options for [rhel]
rpmdb time: 0.001
group time: 1.291
Available Groups:
KDE Desktop (kde-desktop)
Done
groupinstall:
yum groupinstall group_name
yum groupinstall groupid
install command if you prepend it with an @-symbol (which tells yum that you want to perform a groupinstall):
yum install @group
KDE Desktop group:
~]# yum groupinstall "KDE Desktop"
~]# yum groupinstall kde-desktop
~]# yum install @kde-desktop
root:
yum remove package_name…
~]# yum remove totem rhythmbox sound-juicer
install, remove can take these arguments:
install syntax:
yum groupremove group
yum remove @group
KDE Desktop group:
~]# yum groupremove "KDE Desktop"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop
yum to remove only those packages which are not required by any other packages or groups by adding the groupremove_leaf_only=1 directive to the [main] section of the /etc/yum.conf configuration file. For more information on this directive, refer to Section 5.3.1, “Setting [main] Options”.
yum history command allows users to review information about a timeline of Yum transactions, the dates and times when they occurred, the number of packages affected, whether transactions succeeded or were aborted, and if the RPM database was changed between transactions. Additionally, this command can be used to undo or redo certain transactions.
root, either run yum history with no additional arguments, or type the following at a shell prompt:
yum history list
all keyword:
yum history list all
yum history list start_id..end_id
yum history list glob_expression…
~]# yum history list 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
5 | Jaromir ... <jhradilek> | 2011-07-29 15:33 | Install | 1
4 | Jaromir ... <jhradilek> | 2011-07-21 15:10 | Install | 1
3 | Jaromir ... <jhradilek> | 2011-07-16 15:27 | I, U | 73
2 | System <unset> | 2011-07-16 15:19 | Update | 1
1 | System <unset> | 2011-07-16 14:38 | Install | 1106
yum history list command produce tabular output with each row consisting of the following columns:
ID — an integer value that identifies a particular transaction.
Login user — the name of the user whose login session was used to initiate a transaction. This information is typically presented in the Full Name <username> form. For transactions that were not issued by a user (such as an automatic system update), System <unset> is used instead.
Date and time — the date and time when a transaction was issued.
Action(s) — a list of actions that were performed during a transaction as described in Table 5.1, “Possible values of the Action(s) field”.
Altered — the number of packages that were affected by a transaction, possibly followed by additional information as described in Table 5.2, “Possible values of the Altered field”.
| Action | Abbreviation | Description |
|---|---|---|
| Downgrade | D | At least one package has been downgraded to an older version. |
| Erase | E | At least one package has been removed. |
| Install | I | At least one new package has been installed. |
| Obsoleting | O | At least one package has been marked as obsolete. |
| Reinstall | R | At least one package has been reinstalled. |
| Update | U | At least one package has been updated to a newer version. |
| Symbol | Description |
|---|---|
| < | Before the transaction finished, the rpmdb database was changed outside Yum. |
| > | After the transaction finished, the rpmdb database was changed outside Yum. |
| * | The transaction failed to finish. |
| # | The transaction finished successfully, but yum returned a non-zero exit code. |
| E | The transaction finished successfully, but an error or a warning was displayed. |
| P | The transaction finished successfully, but problems already existed in the rpmdb database. |
| s | The transaction finished successfully, but the --skip-broken command line option was used and certain packages were skipped. |
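An added example (not part of the guide): a Python parser for yum history list output that expands the Action(s) abbreviations from Table 5.1 and explains the Altered symbols from Table 5.2, so that transactions which failed or where the rpmdb was changed outside Yum can be picked out for review. Rows 6 to 8 of the sample are constructed; rows 3 and 5 are copied from the example output above.

```python
import re

# Table 5.1: abbreviations used in the Action(s) column.
ACTIONS = {"D": "Downgrade", "E": "Erase", "I": "Install",
           "O": "Obsoleting", "R": "Reinstall", "U": "Update"}

# Table 5.2: symbols that may follow the package count in the Altered column.
# Note that "E" means Erase under Action(s) but "error or warning" here.
ALTERED_FLAGS = {
    "<": "rpmdb changed outside Yum before the transaction finished",
    ">": "rpmdb changed outside Yum after the transaction finished",
    "*": "transaction failed to finish",
    "#": "finished, but yum returned a non-zero exit code",
    "E": "finished, but an error or a warning was displayed",
    "P": "finished, but problems already existed in the rpmdb",
    "s": "finished, but --skip-broken skipped certain packages",
}

# Sample input. IDs 6-8 are constructed to exercise the Altered symbols.
SAMPLE = """\
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     8 | System <unset>           | 2011-08-03 04:02 | E              |    2 E
     7 | System <unset>           | 2011-08-02 03:12 | I, U           |   12 *
     6 | Jaromir ... <jhradilek>  | 2011-08-01 09:40 | Update         |    4 P<
     5 | Jaromir ... <jhradilek>  | 2011-07-29 15:33 | Install        |    1
     3 | Jaromir ... <jhradilek>  | 2011-07-16 15:27 | I, U           |   73
"""


def parse_history_list(text):
    """Parse `yum history list` output into a list of dicts, in printed order."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # plug-in banner, column header, ruler or other non-row line
        match = re.match(r"^(\d+)\s*(\S*)$", fields[4])
        if not match:
            continue
        # Expand one-letter abbreviations; full names pass through unchanged.
        actions = [ACTIONS.get(a.strip(), a.strip()) for a in fields[3].split(",")]
        rows.append({
            "id": int(fields[0]),
            "user": fields[1],
            "when": fields[2],
            "actions": actions,
            "altered": int(match.group(1)),
            "flags": list(dict.fromkeys(match.group(2))),  # de-duplicated, ordered
        })
    return rows


def flagged(rows):
    """Return [(id, [explanation, ...])] for rows whose Altered column has a symbol."""
    result = []
    for row in rows:
        if row["flags"]:
            notes = [ALTERED_FLAGS.get(f, "unrecognised symbol %r" % f)
                     for f in row["flags"]]
            result.append((row["id"], notes))
    return result


if __name__ == "__main__":
    for tx_id, notes in flagged(parse_history_list(SAMPLE)):
        for note in notes:
            print("transaction %d: %s" % (tx_id, note))
```

Feed it the captured output of yum history list all to review the whole timeline; any flagged ID can then be inspected with yum history info id.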
root:
yum history summary
yum history summary start_id..end_id
yum history list command, you can also display a summary of transactions regarding a certain package or packages by supplying a package name or a glob expression:
yum history summary glob_expression…
~]# yum history summary 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Login user | Time | Action(s) | Altered
-------------------------------------------------------------------------------
Jaromir ... <jhradilek> | Last day | Install | 1
Jaromir ... <jhradilek> | Last week | Install | 1
Jaromir ... <jhradilek> | Last 2 weeks | I, U | 73
System <unset> | Last 2 weeks | I, U | 1107
yum history summary command produce simplified tabular output similar to the output of yum history list.
yum history list and yum history summary are oriented towards transactions, and although they allow you to display only transactions related to a given package or packages, they lack important details, such as package versions. To list transactions from the perspective of a package, run the following command as root:
yum history package-list glob_expression…
~]# yum history package-list subscription-manager\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID | Action(s) | Package
-------------------------------------------------------------------------------
3 | Updated | subscription-manager-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-firstboot-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-gnome-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
1 | Install | subscription-manager-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-firstboot-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-gnome-0.95.11-1.el6.x86_64
root, use the yum history summary command in the following form:
yum history summary id
root:
yum history info id…
id argument is optional and when you omit it, yum automatically uses the last transaction. Note that when specifying more than one transaction, you can also use a range:
yum history info start_id..end_id
~]# yum history info 4..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID : 4..5
Begin time : Thu Jul 21 15:10:46 2011
Begin rpmdb : 1107:0c67c32219c199f92ed8da7572b4c6df64eacd3a
End time : 15:33:15 2011 (22 minutes)
End rpmdb : 1109:1171025bd9b6b5f8db30d063598f590f1c1f3242
User : Jaromir Hradilek <jhradilek>
Return-Code : Success
Command Line : install screen
Command Line : install yum-plugin-fs-snapshot
Transaction performed with:
Installed rpm-4.8.0-16.el6.x86_64
Installed yum-3.2.29-17.el6.noarch
Installed yum-metadata-parser-1.1.2-16.el6.x86_64
Packages Altered:
Install screen-4.0.3-16.el6.x86_64
Install yum-plugin-fs-snapshot-1.1.30-6.el6.noarch
root:
yum history addon-info id
yum history info, when no id is provided, yum automatically uses the latest transaction. Another way to refer to the latest transaction is to use the last keyword:
yum history addon-info last
yum history addon-info command would provide the following output:
~]# yum history addon-info 4
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID: 4
Available additional history information:
config-main
config-repos
saved_tx
config-main — global Yum options that were in use during the transaction. Refer to Section 5.3.1, “Setting [main] Options” for information on how to change global options.
config-repos — options for individual Yum repositories. Refer to Section 5.3.2, “Setting [repository] Options” for information on how to change options for individual repositories.
saved_tx — the data that can be used by the yum load-transaction command in order to repeat the transaction on another machine (see below).
root:
yum history addon-info id information
yum history command provides means to revert or repeat a selected transaction. To revert a transaction, type the following at a shell prompt as root:
yum history undo id
root, run the following command:
yum history redo id
last keyword to undo or repeat the latest transaction.
yum history undo and yum history redo commands merely revert or repeat the steps that were performed during a transaction: if the transaction installed a new package, the yum history undo command will uninstall it, and vice versa. If possible, this command will also attempt to downgrade all updated packages to their previous version, but these older packages may no longer be available. If you need to be able to restore the system to the state before an update, consider using the fs-snapshot plug-in described in Section 5.4.3, “Plug-in Descriptions”.
root:
yum -q history addon-info id saved_tx > file_name
root:
yum load-transaction file_name
rpmdb version stored in the file must be identical to the version on the target system. You can verify the rpmdb version by using the yum version nogroups command.
root:
yum history new
/var/lib/yum/history/ directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.
yum and related utilities is located at /etc/yum.conf. This file contains one mandatory [main] section, which allows you to set Yum options that have global effect, and may also contain one or more [repository] sections, which allow you to set repository-specific options. However, best practice is to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory. The values you define in the [main] section of the /etc/yum.conf file may override values set in individual [repository] sections.
[main] section of the /etc/yum.conf configuration file;
[repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
/etc/yum.conf and files in the /etc/yum.repos.d/ directory so that dynamic version and architecture values are handled correctly;
/etc/yum.conf configuration file contains exactly one [main] section, and while some of the key-value pairs in this section affect how yum operates, others affect how Yum treats repositories. You can add many additional options under the [main] section heading in /etc/yum.conf.
/etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
[comments abridged]
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
[main] section:
assumeyes=value
value is one of:
0 — yum should prompt for confirmation of critical actions it performs. This is the default.
1 — Do not prompt for confirmation of critical yum actions. If assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
cachedir=directory
directory is an absolute path to the directory where Yum should store its cache and database files. By default, Yum's cache directory is /var/cache/yum/$basearch/$releasever.
$basearch and $releasever Yum variables.
debuglevel=value
value is an integer between 1 and 10. Setting a higher debuglevel value causes yum to display more detailed debugging output. debuglevel=0 disables debugging output, while debuglevel=2 is the default.
exactarch=value
value is one of:
0 — Do not take into account the exact architecture when updating packages.
1 — Consider the exact architecture when updating packages. With this setting, yum will not install an i686 package to update an i386 package already installed on the system. This is the default.
exclude=package_name [more_package_names]
* and ?) are allowed.
gpgcheck=value
value is one of:
0 — Disable GPG signature-checking on packages in all repositories, including local package installation.
1 — Enable GPG signature-checking on all packages in all repositories, including local package installation. gpgcheck=1 is the default, and thus all packages' signatures are checked.
[main] section of the /etc/yum.conf file, it sets the GPG-checking rule for all repositories. However, you can also set gpgcheck=value for individual repositories instead; that is, you can enable GPG-checking on one repository while disabling it on another. Setting gpgcheck=value for an individual repository in its corresponding .repo file overrides the default if it is present in /etc/yum.conf.
groupremove_leaf_only=value
value is one of:
0 — yum should not check the dependencies of each package when removing a package group. With this setting, yum removes all packages in a package group, regardless of whether those packages are required by other packages or groups. groupremove_leaf_only=0 is the default.
1 — yum should check the dependencies of each package when removing a package group, and remove only those packages which are not required by any other package or group.
installonlypkgs=space separated list of packages
yum can install, but will never update. Refer to the yum.conf(5) manual page for the list of packages which are install-only by default.
installonlypkgs directive to /etc/yum.conf, you should ensure that you list all of the packages that should be install-only, including any of those listed under the installonlypkgs section of yum.conf(5). In particular, kernel packages should always be listed in installonlypkgs (as they are by default), and installonly_limit should always be set to a value greater than 2 so that a backup kernel is always available in case the default one fails to boot.
installonly_limit=value
value is an integer representing the maximum number of versions that can be installed simultaneously for any single package listed in the installonlypkgs directive.
installonlypkgs directive include several different kernel packages, so be aware that changing the value of installonly_limit will also affect the maximum number of installed versions of any single kernel package. The default value listed in /etc/yum.conf is installonly_limit=3, and it is not recommended to decrease this value, particularly below 2.
keepcache=value
value is one of:
0 — Do not retain the cache of headers and packages after a successful installation. This is the default.
1 — Retain the cache after a successful installation.
logfile=file_name
file_name is an absolute path to the file in which yum should write its logging output. By default, yum logs to /var/log/yum.log.
multilib_policy=value
value is one of:
best — install the best-choice architecture for this system. For example, setting multilib_policy=best on an AMD64 system causes yum to install 64-bit versions of all packages.
all — always install every possible architecture for every package. For example, with multilib_policy set to all on an AMD64 system, yum would install both the i586 and AMD64 versions of a package, if both were available.
obsoletes=value
value is one of:
0 — Disable yum's obsoletes processing logic when performing updates.
1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 is the default.
plugins=value
value is one of:
0 — Disable all Yum plug-ins globally.
Yum services. In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN). Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
1 — Enable all Yum plug-ins globally. With plugins=1, you can still disable a specific Yum plug-in by setting enabled=0 in that plug-in's configuration file.
reposdir=directory
directory is an absolute path to the directory where .repo files are located. All .repo files contain repository information (similar to the [repository] sections of /etc/yum.conf). yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for transactions. If reposdir is not set, yum uses the default directory /etc/yum.repos.d/.
retries=value
value is an integer 0 or greater. This value sets the number of times yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 10.
[main] options, refer to the [main] OPTIONS section of the yum.conf(5) manual page.
[repository] sections, where repository is a unique repository ID such as my_personal_repo (spaces are not permitted), allow you to define individual Yum repositories.
[repository] section takes:
[repository]
name=repository_name
baseurl=repository_url
[repository] section must contain the following directives:
name=repository_name
repository_name is a human-readable string describing the repository.
baseurl=repository_url
repository_url is a URL to the directory where the repodata directory of a repository is located:
http://path/to/repo
ftp://path/to/repo
file:///path/to/local/repo
username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of “user” and a password of “password”, then the baseurl link could be specified as http://user:password@www.example.com/repo/.
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
$releasever, $arch, and $basearch variables in URLs. For more information about Yum variables, refer to Section 5.3.3, “Using Yum Variables”.
[repository] directive is the following:
enabled=value
value is one of:
0 — Do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.
1 — Include this repository as a package source.
--enablerepo=repo_name or --disablerepo=repo_name option to yum, or through the Add/Remove Software window of the PackageKit utility.
[repository] options exist. For a complete list, refer to the [repository] OPTIONS section of the yum.conf(5) manual page.
/etc/yum.repos.d/redhat.repo file:
#
# Red Hat Repositories
# Managed by (rhsm) subscription-manager
#

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-source-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Source RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/source/SRPMS
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-debug-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Debug RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/debug
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem
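An added example (not from the guide or from Yum itself): a Python audit that resolves the gpgcheck value in effect for each repository as described above (the repository's own setting first, then [main]) and flags baseurl links that embed username:password or use unencrypted transport. The sample files, repository IDs and finding codes are constructed for illustration; treating a missing enabled or sslverify line as 1 is an assumption of this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample input (not taken from a real system).
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
plugins=1
installonly_limit=3
"""

SAMPLE_REPO_FILE = """\
[internal-tools]
name = Internal tools (constructed example)
baseurl = http://user:password@www.example.com/repo/
enabled = 1
gpgcheck = 0

[internal-base]
name = Internal base (constructed example)
baseurl = https://www.example.com/repo/releases/$releasever/server/$basearch/os/
enabled = 1

[internal-debug]
name = Internal debug (constructed example)
baseurl = ftp://www.example.com/debug/
enabled = 0
gpgcheck = 0
"""


def _parse(text):
    # interpolation=None keeps "$releasever" and any "%" characters literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _is_off(value):
    # The guide uses 0 and 1; "no" and "false" are also treated as off here.
    return value.strip().lower() in ("0", "no", "false")


def audit_repos(yum_conf_text, repo_texts):
    """Return {repo_id: {"enabled": bool, "findings": [(code, detail), ...]}}."""
    conf = _parse(yum_conf_text)
    main = dict(conf["main"]) if conf.has_section("main") else {}
    repos = {}
    for parser in [conf] + [_parse(t) for t in repo_texts]:
        for repo_id in parser.sections():
            if repo_id != "main":
                repos[repo_id] = dict(parser[repo_id])

    report = {}
    for repo_id, opts in repos.items():
        findings = []
        # The repository's own gpgcheck wins; otherwise the [main] value applies.
        gpgcheck = opts.get("gpgcheck", main.get("gpgcheck"))
        if gpgcheck is None:
            findings.append(("GPGCHECK_UNSET", "no explicit gpgcheck in repo or [main]"))
        elif _is_off(gpgcheck):
            origin = "repository section" if "gpgcheck" in opts else "[main]"
            findings.append(("GPGCHECK_OFF", "signature checking disabled by " + origin))
        # Assumption: sslverify is on unless the repository turns it off.
        if _is_off(opts.get("sslverify", "1")):
            findings.append(("SSLVERIFY_OFF", "TLS certificate verification disabled"))
        for url in opts.get("baseurl", "").split():
            parts = urlsplit(url)
            if parts.username or parts.password:
                # Report the user name only; never echo the password.
                detail = "baseurl embeds credentials for user %r" % parts.username
                findings.append(("URL_CREDENTIALS", detail))
            if parts.scheme in ("http", "ftp"):
                findings.append(("PLAINTEXT_TRANSPORT", "baseurl uses " + parts.scheme))
        # Assumption: a repository without an "enabled" line counts as enabled.
        enabled = not _is_off(opts.get("enabled", "1"))
        report[repo_id] = {"enabled": enabled, "findings": findings}
    return report


if __name__ == "__main__":
    results = audit_repos(SAMPLE_YUM_CONF, [SAMPLE_REPO_FILE])
    for repo_id, result in sorted(results.items()):
        state = "enabled" if result["enabled"] else "disabled"
        print("[%s] (%s)" % (repo_id, state))
        for code, detail in result["findings"]:
            print("    %-20s %s" % (code, detail))
```

On a real host, pass the contents of /etc/yum.conf and of each .repo file under /etc/yum.repos.d/; findings on disabled repositories still matter because --enablerepo can switch them on for a single command.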
yum commands and in all Yum configuration files (that is, /etc/yum.conf and all .repo files in the /etc/yum.repos.d/ directory):
$releasever
$releasever from the distroverpkg=value line in the /etc/yum.conf configuration file. If there is no such line in /etc/yum.conf, then yum infers the correct value by deriving the version number from the redhat-release package.
$arch
os.uname() function. Valid values for $arch include: i586, i686 and x86_64.
$basearch
$basearch to reference the base architecture of the system. For example, i686 and i586 machines both have a base architecture of i386, and AMD64 and Intel64 machines have a base architecture of x86_64.
$YUM0-9
/etc/yum.conf for example) and a shell environment variable with the same name does not exist, then the configuration file variable is not replaced.
$” sign) in the /etc/yum/vars/ directory, and add the desired value on its first line.