Ch 9 Managing Software Flashcards
RPM stands for what?
Red Hat Package Manager
What do EUS, E4S, and ELS before the RPM stand for?
Extended Update Support (2 yrs and 4 yrs), Extended Life Cycle Support
What are some benefits of dnf?
- The way it handles package dependencies
What does dnf stand for?
dandified yum (yum is its predecessor)
Why use software repos?
Helps when you’re installing and need dependencies
Name 3 file compression/archiving tools
.tar, .zip, .gz
Name 4 package formats for installing software
.exe (Windows), .rpm (Linux - redhat), .deb (Linux - debian), .pkg (MacOS)
What’s a benefit of installing from a repo vs installing packages individually?
A repo resolves dependencies automatically
How does dnf resolve dependencies?
dnf looks at the repos configured on a system to fetch dependencies automatically
What is an EPEL repo?
Extra Packages for Enterprise Linux. These are Fedora project repos that aren’t from RHEL.
What command line tool is used to manage subscriptions?
subscription-manager
In what circumstances would you need to specify which repos to use?
- You want to use nondefault software packages
- You are installing RHEL but not registering it
What are the four main parameters needed for a repo file?
[label] a repo file can have many sub repos, and each section starts with a label that ids each sub repo
name= specifies the name of the repo
baseurl= url pointing to repo location
gpgcheck= use if you want a gpg key used to verify package integrity
What directory contains repos?
/etc/yum.repos.d
What tool can generate a template repo file so you don’t have to remember the specifics?
dnf config-manager
e.g. dnf config-manager --add-repo=file:///repo/BaseOS
What options can you point to for a repo?
URI (file location), URL
file://URI or file:///repo/BaseOS
https://URL or https://reposerver.example.com
What additional option needs to be set after creating a repo file with dnf config-manager --add-repo?
set gpgcheck = 0 if you don’t want the gpg check. If you don’t specify, by default it will want a gpgcheck
Detail for repo parameter [label]
This is the section header inside the .repo file, enclosed in square brackets ([ ]).
It serves as a unique identifier for the repository and is used when running dnf commands (e.g., dnf repolist or dnf install --enablerepo=repoid)
See example below from the fedora.repo file.
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-source]
name=Fedora $releasever - Source
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
Detail for the name= parameter
This is the human-readable description of the repository, specified by the name= directive.
It is displayed in dnf repolist and other output but is not used in commands.
example: inside the fedora.repo file
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
countme=1
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
[fedora-source]
name=Fedora $releasever - Source
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
Detail for the mirrorlist= parameter
Optional parameter that refers to a URL where information about mirror servers for this server can be obtained. Typically used for big online repos only
Detail for the baseurl= parameter
mandatory option that refers to the base URL or URI where the RPM packages are found
Detail for the gpgcheck= parameter
Set to 1 if a GNU Privacy Guard integrity check needs to be performed on the packages. If set to 1, a GPG key is required. This is also the default and will be set as such if you create a new repo with the repo creation command line tool.
Detail for the gpgkey= parameter
Specifies the location of the GPG key that is used to check package integrity
What sort of circumstances would lead to the use of a gpg check being invaluable?
- A repo is hacked and the download files are replaced/changed
- A man in the middle attack
What are three protocol formats that can be used for the baseurl parameter of a repo file?
http://, ftp://, or file://
Then follow with url or uri.
E.g. file:///location/of/files
What makes downloading from a repo especially vulnerable?
You have to run dnf commands as root, so whatever malicious interaction happens with the repo is going to happen as root user.
What directory are gpg keys stored?
/etc/pki/rpm-gpg
How is a gpg key for a repo acquired?
The gpg key is downloaded on first contact with the repo
Creating a repo: First two things you need
- Make sure all packages you need for the repo are in it
- Use the createrepo command to generate the repo metadata
What are the two subdirectories in a redhat installation repo directory?
- BaseOS - the base OS packages
- AppStream - the application stream packages
How do you list all repos?
dnf repolist
What command is used to manage repos?
dnf
dnf command that lets you search packages for a string that occurs in the package name or summary
dnf search
dnf command that searches packages for a string that occurs in the package name, summary, or description (this last one is extra)
dnf search all
dnf command that provides more information about the package
dnf info
dnf command that installs a package
dnf install
dnf command that removes a package
dnf remove
dnf command that lists all or installed packages
dnf list all, or dnf list installed
dnf command that lists package groups
dnf group list
dnf command that installs all packages from a group
dnf group install
dnf command that updates specified packages
dnf update
dnf command that removes all stored metadata
dnf clean all
how does dnf search work?
- It contacts the online repo
- it downloads the most recent repo metadata to your local machine
- it then searches package names and descriptions for the string you give it.
if no output, try dnf search all
what dnf command do you use if you want to see if a package in a repo contains a specific file that you want?
dnf provides or dnf whatprovides or dnf wp
and THEN, you HAVE to put the following package as thus: */filename (because it’s looking inside a package) or any other full file pathname
ex: dnf whatprovides */Containerfile
what dnf command removes a package from the system?
dnf remove
What do dnf remove and dnf install have in common?
They both do a dependency analysis
what should you never do when using dnf remove?
bypass looking at the dependencies of a package (and therefore missing what other associated packages will be removed when you remove any one package)
the no-no command is
dnf remove -y (selects the yes option to just automatically remove without the prompt)
What is a protected package?
One that cannot just be removed easily, and dnf remove will not work on them. e.g…
how can you use dnf to check if there’s a newer version of a package available in a remote repo?
dnf list ___
What happens to an old package when you update it?
It replaces the old package, unless it’s a kernel. Old kernels are not replaced.
what is a package group?
a repo defines what that is, or what grouping exists for a given package
How do you know what the package groups in a repo are?
dnf group list
does dnf group list show all groups?
no, some are hidden
how do you show hidden package groups in a repo?
dnf group list hidden
what dnf command gives you further info on a package group?
dnf group info
what allows you to undo dnf commands?
dnf history, using dnf history undo [number in history]
e.g. dnf history undo 2 (erase the 2nd command in dnf history)
What is the big distinction between BaseOS and AppStream repos? (the two default)
AppStream has packages that can change in major version, while BaseOS explicitly avoids this (for those that want that stability)
Why do AppStream repos allow changes to major packages versions in the same distro, without having to do a major OS upgrade?
Because it was important that all dependencies of any one package be within one repo – but that’s hard to do if a major package version changes
Give an example of a package that the AppStream repo can provide a major version upgrade for
Python
What is the key difference between modules and package groups?
package groups are static. they don’t have different versions or streams
modules allow you to install different versions of software while avoiding conflicts. great for quickly evolving software like python, postgresql
table of properties with differences/distinctions bw package groups and modules
what is an application stream?
It is a specific version of a module. this allows different major versions of packages to be offered within the same repo
what must you do when working with modules from different streams? (diff major versions)
only one stream can be enabled at a time
what is a module profile?
a profile is a list of packages that are installed together for a particular use case, and one module can have multiple profiles
give an example of typical profiles within a module
minimal profile
default profile
server profile
what is the default package format?
rpm
What is inside an rpm?
files and metadata on how to install the files. may have a pre and post install script as well
what is a module?
a delivery mechanism to install rpm packages. diff versions and profiles can be provided
what is an application stream?
a specific version of a module
what is a profile?
a collection of packages that are installed together for a particular use case
what dnf command helps you find what modules are available?
dnf module list
what dnf command will show you what streams there are for a module?
dnf module list modulename
e.g. dnf module list maven
what dnf command will tell you what profiles there are for a module?
dnf module info
dnf module info php - will tell you all the profiles for all the data streams for the php module
dnf module info php:8.1 - find all profiles for a specific stream (version) of php
Label vs name parameters in a repo file
Label (or ID)
- This is the section header in the .repo file, enclosed in square brackets ([]).
- It is used internally by dnf to identify the repository.
- Must be unique within the .repo file.
Name
- The name directive provides a human-readable description of the repository.
- It does not need to be unique.
- It is used for display purposes, such as in dnf repolist.
What command should be used if you want to change the stream (version) you’re on for a specific module?
dnf module enable php:8.1
this disables the old stream and enables the new stream
what command should you run after changing the stream(version) of a module?
dnf distro-sync
this ensures all dependent packages that aren’t in the module itself are updated as well
4 purposes of dnf distro-sync
Purpose of dnf distro-sync:
- Ensures Consistency: It aligns installed package versions with the repository versions.
- Downgrades Packages if Needed: If an installed package version is newer than what is available in the repo (e.g., after enabling an older repo), it will downgrade it.
- Upgrades Packages if Needed: If a newer version is available in the repo, it will upgrade the package.
- Fixes Partial Updates: If some packages were manually updated or installed from third-party sources, this command can bring them back to the official repository versions.
What was the biggest issue with the old way of managing packages with rpm?
dependency hell
often while installing a group of rpms, many dependencies would arise. These would all have to be installed, and in the right order as well
What was rpm replaced (or rather extended) with?
repositories, then yum, then dnf (which looks at all available repos for dependencies)
Even though packages that are downloaded can still be installed with rpm -Uvh packagename, what could be used to install that downloaded package instead?
dnf install packagename.rpm
this not only installs the package as rpm -Uvh would, but it considers all its repos to resolve dependencies automatically
Even with better programs for package management than rpm, what is rpm often still used for?
querying packages
What two package databases are maintained on a RHEL system?
rpm and dnf
What happens with the dnf and rpm databases when a package is installed with dnf?
- dnf db gets updated
- that info then synchronizes with the rpm db
what happens to the dnf and rpm databases when installing a package through rpm?
- the update is written to the rpm database only and does not update the dnf database – a good reason to not use rpm when installing software!
Is there any reason to still use rpm when we have dnf?
Yes. Rpm is a better choice when…
- When you want to install or remove a pkg without resolving dependencies (like if you already have the dependencies and you don’t want dnf adding more). This makes rpm faster when the extra dependency checks aren’t needed (ex: custom-built rpm that has its dependencies included, removing a package while keeping dependencies intact).
- rpm checks if a file has been modified, corrupted, or deleted (helpful to see if a file was altered by an unintended process, diagnosing system integrity issues).
- You can inspect a package BEFORE it is installed, which dnf can’t do (view package files, list info). This helps you check a package’s contents and see where a file would be placed.
rpm -qip for info and rpm -qlp for list files
- You can remove a package from rpm db without uninstalling the files (can’t do this with dnf) – helps when there is db corruption, or to force a package reinstallation without affecting files
- No repo is needed. If installing a local rpm, you don’t need a repo. Very fast and simple.
composition of an rpm filename?
packagename-version-subversion.redhatversion.platform(32 or 64 bits)
e.g.
python-5.0.7-40.el7.x86_64
python package, version 5.0.7, subversion 40, for Red Hat 7, and for 64-bit architecture
What rpm command will show you what software is installed on the machine?
rpm -qa
What is the dnf equivalent of the rpm -qa command?
dnf list installed
What rpm query would tell me more about what files are in the nmap package?
rpm -qi nmap
this queries the installed version itself for the description, and the rpm db for more details
What rpm command will show you all the files in a package, let’s say nmap?
rpm -ql nmap
What rpm command could find you documentation for a package, say nmap?
rpm -qd nmap
What rpm command would show you all the config files for a package, like nmap?
rpm -qc nmap
so like rpm query configs
What rpm command would help you find a file name and the package it’s in?
rpm -qf filename
What is the command rpm -qf /bin/ls doing?
queries the rpm database to find what package the file /bin/ls belongs to
What must you add to an rpm command if querying a file that has not yet been installed?
-p
without this flag, you query the rpm db instead of the package itself
What other consideration other than p flag, do you need to make when querying an rpm package directly and not the rpm db?
You have to provide the full rpm name and not just the package name. You need version and more.
What is happening with this command?
rpm -qp --scripts httpd-2.4.6-19.el7.centos.x86_64
Directly query the package httpd-2.4.6-19.el7.centos.x86_64 instead of the rpm db, in order to see if the package contains scripts
Why is it important to use rpm to query if an rpm package contains scripts?
Because rpms have to be installed as root, and you want to be sure there are no rogue scripts
What rpm command will tell you the dependencies of a specific package?
rpm -qR
what rpm command shows which parts of a specific package have been changed since installation?
rpm -V
What rpm command verifies installed packages and shows the parts that have been changed since installation?
rpm -Va
What’s the difference between rpm -V and rpm -Va?
rpm -V is for one package, rpm -Va is for all. It’s a system-wide integrity check.
On an rpm -Va command’s output, what would the following 9 digits before a file mean?
S.5....T. c /etc/httpd/conf/httpd.conf
What’s a drawback of rpm -qp?
It only works on RPM package files and can’t be used to query files directly from repos. That requires a separate command, repoquery
What’s the purpose of repoquery?
Queries repos for rpms since the rpm command can’t
Is repoquery a default package?
No, and it comes with the dnf-utils package that would have to be installed
How similar are rpm and repoquery?
They have similar option flags, but not --scripts, but this can be worked around if you only work with trusted repos
If you wanted to know all the nitty gritty details of how an rpm is installed, how could you find out?
with the rpm -qp --scripts command
How could a package be downloaded to the local directory?
using yumdownloader, a package provided by yum-utils
rpm -qf $(which dnsmasq)
What’s going on in this command?
You’re querying to find out what package a file belongs to. For the file name, it’s using an embedded command to produce the filename (which dnsmasq) and you need the $ to embed it.
In the context of taking the RHCSA test, why is it so helpful to know rpm commands?
It allows you to learn and find things on the fly when taking the test, by finding documentation and files and config files and all that.
Very broadly and speaking high level, what’s different about dnf vs rpm?
dnf manages packages coming from repos, and rpm does queries on packages on a system
How could you make a directory containing RPM packages into a repo?
createrepo enables you to make a directory containing a collection of RPM packages in a repository
What needs to be in a repo file to point to a repository on http://server.example.com/repo?
the line [some-label] name=some-name baseurl=http://server.example.com/repo needs to be in the repo file
You’ve just configured a new repo to be used on your RHEL computer. What command enables you to verify that the repo is indeed available?
dnf repolist verifies that a repository is available
Which command enables you to search the RPM package containing the file useradd?
dnf provides */useradd enables you to search the RPM package containing the file useradd
Which two commands do you need to use to show the name of the dnf group that contains security tools and shows what is in that group?
using dnf group list followed by dnf group info "Security Tools" shows the name and contents of the dnf group that contains security tools
Which command do you use to ensure that all PHP related packages are going to be installed using the older version 7.1, without actually installing anything yet?
dnf module enable php:5.1 ensures that all PHP related packages are going to be installed using the older version 5.1, without actually installing anything yet
You want to make sure that an RPM package that you have downloaded does not contain any dangerous script code. Which command enables you to do so?
rpm -pq --scripts packagename enables you to ensure that a downloaded RPM package does not contain dangerous script code
Which command reveals all documentation in an RPM package?
rpm -qd packagename shows all documentation in an RPM package
Which command shows the RPM package a file comes from?
rpm -qf /path/to/file shows which RPM package a file comes from
Which command enables you to query software from the repository?
repoquery enables you to query software from the repository
What’s the difference between repoquery and dnf?
Review Q
Chapter 9
#1
D. The gpgcheck= line indicates whether to check the integrity of packages in the repository using the GPG key. Although useful, this capability is not mandatory in all cases