YUM/DNF Repository Setup: Managing RPM Repositories

Are you tired of manually installing RPM packages across multiple systems? Or perhaps you've developed custom software and need a streamlined way to distribute it to your team or customers? Setting up your own YUM or DNF repository might be the solution you're looking for.

RPM repositories are the backbone of package management in Red Hat-based distributions like RHEL, CentOS, and Fedora. While most users are familiar with consuming packages from existing repositories, creating and maintaining your own repository gives you complete control over package distribution, versioning, and dependency management.

Understanding RPM Repository Fundamentals

Before diving into the setup process, it's crucial to understand what makes up an RPM repository. Unlike simply storing RPM files in a directory, a proper repository contains both the package files and metadata that enables package managers to resolve dependencies, verify integrity, and efficiently retrieve packages.

Key Components of an RPM Repository

A well-structured RPM repository consists of several essential components:

Package Files: The actual .rpm files containing the software you want to distribute.

Repository Metadata: Index files that describe the packages, their dependencies, and other essential information. This includes:

• primary.xml.gz - Package details and dependencies
• filelists.xml.gz - List of files contained in each package
• other.xml.gz - Additional metadata and changelog information
• repomd.xml - Main metadata file that references other metadata files

GPG Signatures: Cryptographic signatures that verify the authenticity and integrity of both packages and metadata.

YUM vs DNF: Understanding the Evolution

While this guide uses the terms YUM and DNF repositories interchangeably, it's worth noting that DNF (Dandified YUM) has largely replaced YUM as the default package manager in newer Fedora, CentOS, and RHEL distributions. DNF maintains compatibility with YUM repositories while offering improved performance, better dependency resolution, and a cleaner API.

Setting Up Your RPM Repository

Creating a functional RPM repository involves several steps, from preparing your environment to configuring client systems to access your repository.

Step 1: Install Required Tools

First, ensure you have the necessary tools installed on your repository server:

# For RHEL/CentOS 7 and earlier (using yum)
yum install createrepo rpm-sign

# For RHEL 8+/CentOS Stream/Fedora (using dnf)
dnf install createrepo_c rpm-sign

The createrepo or createrepo_c tool is essential for generating repository metadata, while rpm-sign provides the utilities for signing your packages and metadata.

Step 2: Create Repository Directory Structure

Organize your repository with a logical directory structure:

mkdir -p /var/www/html/repos/myrepo/{packages,source,debug}
chmod -R 755 /var/www/html/repos

This structure separates binary packages, source packages, and debug packages, making your repository easier to manage and navigate.

Step 3: Add RPM Packages to Your Repository

Place your RPM files in the appropriate directory:

cp /path/to/your/*.rpm /var/www/html/repos/myrepo/packages/

For optimal organization, consider creating subdirectories based on architecture (x86_64, noarch, etc.) or release version.

Step 4: Generate Repository Metadata

This is where the createrepo command comes into play. It scans your RPM files and generates the necessary metadata:

# Generate basic metadata
createrepo /var/www/html/repos/myrepo/packages/

# For more advanced options with createrepo_c
createrepo_c --database --update /var/www/html/repos/myrepo/packages/

The --update flag is particularly useful for updating metadata when adding new packages, as it's much faster than regenerating everything from scratch.

Step 5: Set Up Web Server Access

Make your repository accessible via HTTP/HTTPS. If you're using Apache:

# Install Apache if not already installed
dnf install httpd

# Ensure the web server can access the repository files
chown -R apache:apache /var/www/html/repos

# Start and enable Apache
systemctl enable --now httpd
systemctl status httpd

# Configure firewall if needed
firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Your repository should now be accessible at http://your-server-ip/repos/myrepo/packages/

Securing Your Repository with GPG Signing

Security is paramount when distributing software. GPG signing ensures that packages haven't been tampered with and originate from a trusted source.

Generating GPG Keys

First, generate a GPG key pair if you don't already have one:

gpg --gen-key

# Follow the prompts to create your key
# Recommended: RSA (1), 4096 bits, expiration as appropriate

Signing RPM Packages

Sign your packages before adding them to the repository:

# Export your GPG key for reference
gpg --export -a "Your Name" > RPM-GPG-KEY-myrepo

# Sign individual packages
rpm --addsign /path/to/package.rpm

# Or sign multiple packages at once
find /var/www/html/repos/myrepo/packages/ -name "*.rpm" -exec rpm --addsign {} \;

Signing Repository Metadata

After generating metadata with createrepo, sign the repomd.xml file:

# Navigate to your repository directory
cd /var/www/html/repos/myrepo/packages/

# Sign the metadata
gpg --detach-sign --armor repodata/repomd.xml

This creates a repomd.xml.asc file that clients can use to verify the metadata's integrity.

Configuring Client Systems

Now that your repository is set up, clients need to be configured to access it.

Adding the GPG Key to Clients

First, distribute your public GPG key to client systems:

# Download the key
curl -o /etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo http://your-repo-server/RPM-GPG-KEY-myrepo

# Import the key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo

Creating Repository Configuration

Create a .repo file in /etc/yum.repos.d/:

[myrepo]
name=My Custom Repository
baseurl=http://your-repo-server/repos/myrepo/packages/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-myrepo

Testing Client Access

Verify that clients can access your repository:

# Clear existing cache
dnf clean all

# Check for available packages from your repository
dnf --disablerepo="*" --enablerepo="myrepo" list available

# Install a package from your repository
dnf install your-package-name

Advanced Repository Management

Once your basic repository is operational, consider these advanced management techniques.

Automating Repository Updates

Create a script to automate the process of adding new packages and updating metadata:

#!/bin/bash

REPO_PATH="/var/www/html/repos/myrepo/packages"

# Copy new RPMs to repository
cp /path/to/new/packages/*.rpm $REPO_PATH/

# Sign new packages
find $REPO_PATH -name "*.rpm" -exec rpm --addsign {} \;

# Update repository metadata
createrepo_c --update $REPO_PATH

# Sign updated metadata
cd $REPO_PATH
gpg --detach-sign --armor repodata/repomd.xml

You can run this script manually or set up a cron job or inotify trigger to run it automatically when new packages are added.

Managing Multiple Repository Versions

For more complex environments, you might need to maintain multiple versions of your repository:

/var/www/html/repos/
├── production
│   └── packages
│       ├── el7
│       ├── el8
│       └── el9
├── staging
│   └── packages
│       ├── el7
│       ├── el8
│       └── el9
└── development
    └── packages
        ├── el7
        ├── el8
        └── el9

This structure allows you to separate packages by release stage and target distribution version.

Using Repository Management Tools

For enterprise-scale repository management, consider dedicated tools like Pulp, Spacewalk, or DistroPack that provide web interfaces, access control, and advanced repository management features.

Best Practices for RPM Repository Management

Follow these best practices to ensure your repository remains secure, reliable, and maintainable:

Security Best Practices

• Always sign packages and metadata with GPG

• Use HTTPS instead of HTTP for repository access

• Regularly rotate GPG keys and update client configurations

• Implement access controls for repository modifications

Performance Optimization

• Use the --update flag with createrepo to speed up metadata generation

• Consider using delta RPMs (DRPMs) for large packages

• Implement caching proxies for geographically distributed teams

• Regularly clean up old package versions to reduce repository size

Maintenance Procedures

• Establish a regular backup schedule for your repository

• Monitor repository disk space and availability

• Document your repository structure and management procedures

• Test client access from different network locations

Troubleshooting Common Issues

Even with proper setup, you might encounter issues with your RPM repository:

Metadata Corruption

If clients report metadata issues, regenerate it completely:

# Remove existing metadata
rm -rf /var/www/html/repos/myrepo/packages/repodata

# Regenerate metadata
createrepo_c /var/www/html/repos/myrepo/packages/

# Resign metadata
cd /var/www/html/repos/myrepo/packages/
gpg --detach-sign --armor repodata/repomd.xml

GPG Signature Errors

If clients report GPG errors, verify:

• The GPG key is properly imported on clients

• Packages and metadata are signed with the same key

• The repository configuration points to the correct GPG key

Network Access Issues

If clients cannot access the repository:

• Verify firewall rules allow HTTP/HTTPS traffic

• Check SELinux contexts if using SELinux

• Test network connectivity between clients and repository server

Conclusion

Setting up and managing your own YUM/DNF repository provides tremendous flexibility in distributing software across Red Hat-based systems. By following the steps outlined in this guide—from installing the necessary tools with createrepo to securing your repository with GPG signing—you can create a robust, secure package distribution system tailored to your organization's needs.

Remember that repository management is an ongoing process that requires regular maintenance, security updates, and performance monitoring. For organizations managing multiple repositories or requiring enterprise-grade features, consider dedicated repository management solutions like DistroPack that can streamline these processes and provide additional capabilities like access control, replication, and auditing.

Whether you're managing packages for a small team or a large enterprise, mastering RPM repository management is a valuable skill that will serve you well in maintaining efficient, reliable software distribution systems.