While initially setting up a kickstart installation on CentOS I needed to add additional repositories without having to worry about them overwriting base packages. Thankfully there are two options priorities and protectbase. Since I was only adding one extra repository that would conflict with anything (rpmforge) I used protectbase. It is really easy to setup all you need to do is add protect = 1 to the yum repositories that you want to protect located in /etc/yum.repos.d. Now everything works great and I don’t have to worry about a 3rd party RPMs effecting the stability of the base OS. I always assumed the process would be the same for RHEL too but this was a bad assumption.
The whole process for getting this to work on RHEL is much different. First, nothing that I did to any yum configuration files seemed to make any difference. Creating yum repositories with the same name will cause a conflict with the RHN plugin repositories. Nothing seemed to make the number of packages excluded due to repository protections increase. I wasted a lot of time trying to find a solution before I read that the RHN plugin doesn’t work with protectbase. That is when I started to look at the source code. YUM and the RHN plugin is written in Python and makes it easy to modify. What you will probably want to do is first configure your RHEL machine to receive updates from the RHN. Then update ‘yum-rhn-plugin’ to the latest version which as of this writing is 0.5.2-5. Now you’re going to configure an exclusion for that package so that it doesn’t get updated. If the plugin were to be updated it would remove the protections to the base repositories. You will have to keep an eye on updates for that plugin your self if you ever plan to update it. You can configure the exclusion by editing /etc/yum.conf and adding exclude=yum-rhn-plugin under [main].
Now that we have our yum-rhn-plugin updated and excluded from any future updates we will need to modify the plugin. The plugin is located in /usr/lib/yum-plugins and the file you need to update is rhnplugin.py. We will be modifying part of the init_hook function.
All I had to do was add repo.protect = 1. Now it should look like this.
Now you should get a message when you do yum update that X number of packages were excluded do to repository protections.
Update (May 27, 2008)
There was a update to the yum-rhn-plugin. The latest verion is 0.5.3-6.
yum-rhn-plugin provides support for yum to access a Red Hat Network server for software updates.
This package addresses the following bug:
* yum clean all would not remove packages from the cache correctly, leaving downloaded rpms in /var/cache/yum/rhel*/packages/. This updated package fixes the issue and yum clean all now removes packages from the cache correctly.
Users of yum should upgrade to this updated package, which resolves this issue.
Update (October 16, 2009)
This modification is no longer necessary with the latest plugin (yum-rhn-plugin-0.5.4-13.el5). Thanks Dan for bringing this to our attention! Just follow the directions in the comment.
This appears not to work for my RHEL 5.2 system… Any updates that you know of?
Found that RHEL 5.2 provides yum-protectbase as a package…
Once you have yum-protectbase installed you can make changes to yum-rhn-plugin. It should be working fine after that. If it still isn’t working then I’ll have to finish downloading the latest RHEL ISOs and test it my self.
Works perfectly for RHEL5.2, thanks for the write-up !
As of yum-rhn-plugin-0.5.4-13.el5 (current as of this writing), you can just go into /etc/yum/pluginconf.d/rhnplugin.conf and add “protect = 1″ to each repo listed in the plugin.
Once you’ve done that yum-protectbase appears to do its thing, no modification to yum-rhn-plugin required.
Note that there is a security advisory on yum-rhn-plugin, http://rhn.redhat.com/errata/RHSA-2008-0815.html
so if you’ve excluded it you might want to update it.
previously i’d only tested this on i386, not a x86_64
I just discovered that the default /etc/yum/pluginconf.d/rhnplugin.conf looks like this on i386 or x86_64:
[main]
enabled = 1
gpgcheck = 1
[rhel-i386-server-5]
enabled = 1
On an x86_64 system there is no stanza for rhel-x86_64-server-5, and you need to add one if you want protectbase to work. I haven’t tested this extensively but it seems to work.