Yum Proxy Setup

starsseeker

                                To use yum with proxy you have to configure 3 files:
/etc/yum.conf: add the line
    proxy=
http://xxx.xxx.xxx.xxx:yyy
where yyy is the port.
/etc/wgetrc: There are 2 lines that you have to edit:
    http_proxy=
http://xxxx(...
):yyy
    ftp_proxy=
http://xxx.(...
):yyy
/root/.bash_profile
    export http_proxy=
http://xxx(...
):yyyy
    export ftp_proxy=
http://xxx(...
):yyyy
===========================================================================
YUM: Setup and UsageInstallationRedHat Enterprise Linux systems (as of versions 3 and 4) must install the YUM package. If installing
via KickStart, install YUM as part of the %post install script
. The following example shows installation from a private Network File System (NFS) mount on a secure build network.
%post
export RH_MOUNT=/tmp/bootstrap
mkdir -p $RH_MOUNT
/etc/init.d/portmap start
mount -t nfs 192.0.2.1:/install $RH_MOUNT
export RH_RELEASE=rhel
export RH_VERSION=`rpm -q --queryformat '%{VERSION}' redhat-release`
# install package, default configuration
rpm -i $RH_MOUNT/yum/$RH_RELEASE.rpm
cp     $RH_MOUNT/yum/$RH_RELEASE.conf /etc/yum.conf
chmod +r /etc/yum.conf
# attempt package updates
yum -d 0 -e 0 -t -y update
Client ConfigurationBy default, YUM reads /etc/yum.conf. Always use the gpgcheck=1 option to prevent the installation of unsigned packages. Additional package sources can be defined by adding more [name] blocks, for example local YUM servers in addition to the vendor supplied ones. If possible, use $releasever and other variables to keep the configuration files portable between releases. The following definitions consult an example yum.example.org web server for packages:
# base packages for RHEL
[rhelbase]
name=RedHat Linux $releasever Install
baseurl=http://yum.example.org/redhat/$releasever/$basearch/
gpgcheck=1
# up2date ported updates
[rhelupdates]
name=RedHat Linux $releasever Updates
baseurl=http://yum.example.org/redhat/updates/$releasever/$basearch/
gpgcheck=1
# all system types check here (noarch, other highly portable packages)
[siteall]
name=Sitewide Packages
baseurl=http://yum.example.org/all/
gpgcheck=1
# local Fedora, RHEL packages
[siterpms]
name=Site $releasever Packages
baseurl=http://yum.example.org/site/$releasever/
gpgcheck=1
# packages if YUM0 environment variable set properly before yum run
[sitegroup]
name=Site Group
baseurl=http://yum.example.org/group/$YUM0/$releasever/
gpgcheck=1
Client systems should also periodically run yum clean to clear out old headers and packages. Use a cron job, or a
CFEngine
shellcommands statement:
shellcommands:
  redhat::
    "/usr/bin/yum -y -d 0 -e 0 clean all" umask=022 ifelapsed=1439
Importing SignaturesWith the gpgcheck=1 option set in yum.conf, all packages must be signed, and yum must be able to verify the signatures on packages. On current versions of Redhat, public keys must be registered via the rpm --import command. Installation of the vendor supplied keys can be done
during a KickStart install under the %post section
:
%post
rpm --import /usr/share/rhn/RPM-GPG-KEY
rpm --import /usr/share/rhn/BETA-RPM-GPG-KEY
Check the /usr/share/rhn directory for other public keys to install. Older RedHat systems had to register the keys via gpg --import. Bear
in mind an imported signature allows anyone with access to the private
key of the signature to run arbitrary commands as the super user.
Public
keys should be managed via some sort of configuration management, so
that local public keys can be expired periodically or when package
signers leave the site. I strongly recommend having a different public
key for each package signer. One problem with maintaining keys is that rpm --import
will allow the same public key to be installed multiple times. A
workaround is to erase all public keys before installing the required
public keys.
#!/bin/sh
/bin/rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}\n' | \
  sort | uniq | while read pkgname; do
  /bin/rpm --erase --allmatches -- "$pkgname"
done
for file in /var/cfengine/local/rpm-pgp-keys/*; do
  /bin/rpm --import -- "$file"
done
Using the
CFEngine
configuration management software, the /var/cfengine/local/rpm-pgp-keys
directory can be maintained under version control, and public keys
updated when the directory changes, calling the above erase and import
code as /usr/sbin/update-rpm-keys:
copy:
  redhat::
    # PGP keys for RPM verification
    ${masterfiles}/etc/rpm-pgp-keys
      dest=/var/cfengine/local/rpm-pgp-keys
      mode=444 recurse=1 backup=false type=checksum purge=true
      server=${policyhost}
      define=rpm_pgp_keys_copied
shellcommands:
  rpm_pgp_keys_copied::
    "/usr/sbin/update-rpm-keys /var/cfengine/local/rpm-pgp-keys"
Server Configuration
Web Server
|
Metadata

Systems used to build and sign packages must not host packages. Instead, sign packages on separate build systems, then copy the packages to the YUM server. This way, an attacker that compromises a YUM server will not be able to install and run arbitrary software on clients.
YUM servers need only run a web server to provide packages to client systems, and maintain metadata files.
Web Server
An example Apache virtualhost configuration for yum.example.org is available
. Save it under /etc/httpd/conf.d on a RedHat system and restart Apache. The web server configuration must agree with the baseurl values set in the yum.conf configuration files on the client systems. The following list of directories to create are compatible with the yum.conf information outlined above, with the addition of a SRPMS directory to store *.src.rpm files under. Change FIXME_YUM_DIR to /var/www/yum or where ever the area is located on the YUM server.
If possible, use a distinctive name for the package directories, such as RPMS. This allows wrapper scripts to easily locate all package directories metadata must be maintained on.
# where to stash *.src.rpm files
FIXME_YUM_DIR/SRPMS
# RedHat RPMS for RHEL 3 and 4 AS, both base and updates, i386 and x86_64
FIXME_YUM_DIR/redhat/3AS/i386/RPMS
FIXME_YUM_DIR/redhat/3AS/i386/headers
FIXME_YUM_DIR/redhat/3AS/x86_64/RPMS
FIXME_YUM_DIR/redhat/3AS/x86_64/headers
FIXME_YUM_DIR/redhat/4AS/i386/RPMS
FIXME_YUM_DIR/redhat/4AS/i386/headers
FIXME_YUM_DIR/redhat/4AS/x86_64/RPMS
FIXME_YUM_DIR/redhat/4AS/x86_64/headers
FIXME_YUM_DIR/redhat/updates/3AS/i386/RPMS
FIXME_YUM_DIR/redhat/updates/3AS/i386/headers
FIXME_YUM_DIR/redhat/updates/3AS/x86_64/RPMS
FIXME_YUM_DIR/redhat/updates/3AS/x86_64/headers
FIXME_YUM_DIR/redhat/updates/4AS/i386/RPMS
FIXME_YUM_DIR/redhat/updates/4AS/i386/headers
FIXME_YUM_DIR/redhat/updates/4AS/x86_64/RPMS
FIXME_YUM_DIR/redhat/updates/4AS/x86_64/headers
# for noarch.rpm, other highly portable packages
FIXME_YUM_DIR/all/RPMS
FIXME_YUM_DIR/all/headers
# site packages, i386 and x86_64 mixed
FIXME_YUM_DIR/site/3AS/RPMS
FIXME_YUM_DIR/site/3AS/headers
FIXME_YUM_DIR/site/4AS/RPMS
FIXME_YUM_DIR/site/4AS/headers
# for packages by $YUM0 name. Create '$YUM0' directory to keep YUM happy?
FIXME_YUM_DIR/group/$YUM0/3AS/RPMS
FIXME_YUM_DIR/group/$YUM0/3AS/headers
FIXME_YUM_DIR/group/$YUM0/4AS/RPMS
FIXME_YUM_DIR/group/$YUM0/4AS/headers
The YUM server will consume a large amount of space; ensure that at least 40G is available under the packages directory.
MetadataUnder old versions of yum, the yum-arch command generates header files under the headers directory. The following command will find all RPMS directories and run yum-arch in the parent directory of each.
$ find FIXME_YUM_DIR -type d -name RPMS | sed 's/RPMS$//' | \
  while read dir; do yum-arch -q $dir; done
Current versions of yum require the createrepo command, found on Fedora in the createrepo package.
# yum -y install createrepo
# createrepo /var/www/yum/fedora/4/RPMS
Always run yum-arch or createrepo
after adding new packages. When transfering packages from a build
system, include a post-transfer command to rebuild the metadata. Also
consider a periodic job to keep the metadata built, in the event the
post-transfer command fails, such as
yum-update-repos
. For example, under CFEngine:
shellcommands:
  role_yum_server::
    "${yum_script_dir}/yum-update-repos" umask=022 ifelapsed=299
up2date to yumRedhat will only offer technical support to systems updated through up2date. However, updating via a local yum
repository is permitted by RedHat, saves bandwidth, avoids the need to
register each system, and provides local control of the update process.
If in doubt, have a lawyer review the
RedHat Subscription Agreement
, or ask RedHat directly.
up2date2yum
can download updates for RedHat Enterprise Linux via up2date and make them available to YUM. The system running
up2date2yum
must have entitlements from RedHat, or otherwise be able to access
updates from RedHat. An entitlement server is required for each
supported hardware architecture.
To test new packages, place updates into a test/RPMS directory, then move the packages to the updates/RPMS directory once checks on test systems pass. Another option would be to control yum update
runs on systems, so that test systems install new packages first. I
recommend moving packages to different directories, as this supports
creation of different release branches that different systems may
subscribe to (stable, security, unstable, and so forth).
Vendor
packages could be audited and resigned, though for most sites the audit
effort will not be worth the time or money. Resigning may be necessary
where junior administrators can update packages for test systems, but
only a senior admin sign off on production system changes.
Resigning vendor packages may not be possible in some cases
.
TipsSet exclude=… statements inside the yum configuration to ignore certain packages during a yum update.
               
               
               
               
               
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u3/99067/showart_2041751.html