Managing RPM-based systems with tools like YUM (Yellowdog Updater, Modified) is an integral part of provisioning and maintaining Linux servers. While YUM simplifies the process of managing package dependencies, it can sometimes lead to unintended consequences, especially when developers remove a package that other critical packages depend on. In this blog, we’ll explore a common use case and demonstrate how to safeguard important packages using YUM’s package protection features.

The Problem: Accidental Removal of Critical Packages
Let’s consider a scenario:
You have a custom package called dep-web that automates server provisioning by installing essential components like httpd, mod_ssl, and ingest, along with scripts and cron jobs critical to your environment. When a developer installs dep-web, everything works seamlessly. However, issues arise when they attempt to test a specific version of ingest.

A typical action might be:

    yum remove ingest

This operation not only removes ingest but also uninstalls dep-web, since dep-web depends on ingest. Consequently, all the additional configurations, scripts, and cron jobs set up by dep-web are also removed. Even if the developer reinstalls ingest, dep-web and its functionality are not restored, leading to potential operational disruptions.

Developers may not always notice these cascading effects, causing long-term inconsistencies and errors in the environment. Clearly, there is a need to prevent the accidental removal of critical packages like dep-web.

The Solution: Protecting Packages in YUM
YUM can prevent the removal of certain packages using the /etc/yum/protected.d directory and the yum-plugin-protect-packages plugin. By default, YUM protects itself and its dependencies (e.g., rpm, python, glibc) from being uninstalled. However, administrators can extend this protection to other packages.

Steps to Protect Critical Packages
Install the YUM Plugin
Ensure the yum-plugin-protect-packages package is installed on your system:

    yum install yum-plugin-protect-packages

Create a Configuration File
Add your critical package to the protected list by creating a .conf file under /etc/yum/protected.d/. For example, to protect the dep-web package:

    vi /etc/yum/protected.d/dep-web.conf

Add the following content:

    dep-web

Save and close the file.

Verify the Protection
Attempt to remove the protected package to test the configuration:

    yum remove dep-web

YUM will block the operation and display an error message, ensuring the package remains intact:

    Error: Trying to remove "dep-web", which is protected

Add Additional Packages (Optional)
If there are other critical packages that need protection, create or edit their respective .conf files under the same directory.
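
The steps above, scripted so that provisioning can add the entry idempotently and a check can confirm it without attempting a removal. This is an added example, not code from the original post; the function names are hypothetical, and it assumes protected.d files hold package names with blank lines and # comments ignored.

```shell
#!/bin/sh
# Added example: manage and audit YUM protected-package entries.
# Assumption: *.conf files list package names; blank lines and '#' comments are ignored.

PROTECTED_DIR_DEFAULT=/etc/yum/protected.d

# Print every package name listed in DIR/*.conf, sorted and de-duplicated.
list_protected() {
    dir=${1:-$PROTECTED_DIR_DEFAULT}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # unexpanded glob: directory has no .conf files
        # Strip comments, then print each remaining whitespace-separated name.
        awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$f"
    done | sort -u
}

# Succeed if PKG appears as an exact entry in DIR.
is_protected() {
    list_protected "$2" | grep -Fxq -- "$1"
}

# Idempotently protect PKG via DIR/PKG.conf; no change if already listed.
protect_package() {
    pkg=$1 dir=${2:-$PROTECTED_DIR_DEFAULT}
    is_protected "$pkg" "$dir" && return 0
    mkdir -p "$dir" && printf '%s\n' "$pkg" >> "$dir/$pkg.conf"
}

# Print each required package that is NOT protected; non-zero exit if any.
missing_protection() {
    dir=$1; shift
    rc=0
    for pkg in "$@"; do
        is_protected "$pkg" "$dir" || { printf '%s\n' "$pkg"; rc=1; }
    done
    return $rc
}

# Demo on a constructed directory so nothing under /etc is touched.
demo_dir=$(mktemp -d)
printf '# provisioning meta-package\ndep-web\n' > "$demo_dir/dep-web.conf"
protect_package dep-web "$demo_dir"    # already listed: file is left unchanged
missing_protection "$demo_dir" dep-web ingest || echo "^ listed above: not protected"
rm -rf "$demo_dir"
```

Run with no directory argument, list_protected and protect_package operate on /etc/yum/protected.d; missing_protection suits a configuration-management or CI check that fails when a required entry is absent.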

Benefits of Package Protection
By implementing package protection, you can:

Prevent the accidental removal of critical packages and their dependencies.
Ensure that operational scripts, configurations, and cron jobs tied to these packages are preserved.
Enhance the reliability of your environment, especially in shared development and production systems.

Conclusion
Managing dependencies with YUM requires careful oversight, particularly in environments where multiple developers and administrators interact with the system. Protecting critical packages using YUM’s protected.d directory and plugins like yum-plugin-protect-packages provides a robust safeguard against unintended package removal.

In the example of dep-web, protecting the package ensures that its functionality, including the custom scripts and cron jobs, remains intact. This small configuration step can save countless hours of troubleshooting and recovery in large-scale deployments.

Proactively implementing such measures demonstrates a commitment to best practices in system administration, reducing downtime and fostering a more stable infrastructure.