Alle,
I have installed and enabled (I think) the yum protectbase plugin:
[cwfox@lurker ~]$ rpm -qa | grep -i protectbase yum-plugin-protectbase-1.1-1.c4 [cwfox@lurker ~]$ cat /etc/yum/pluginconf.d/protectbase.conf [main] enabled = 1 [cwfox@lurker ~]$ grep plugin /etc/yum.conf plugins=1 [cwfox@lurker ~]$ cat /etc/yum.repos.d/CentOS-Base.repo <SNIP> [base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&rep... #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4 protect=1 </SNIP>
However, when I do yum check-update as in the following example, there are zero package exclusions and the Dag repo package for rsync (which is a CentOS base package, I believe) is listed:
[cwfox@lurker ~]$ sudo yum check-update --enablerepo=dag rsync Loading "protectbase" plugin Loading "fastestmirror" plugin Setting up repositories Loading mirror speeds from cached hostfile Reading repository metadata in from local files 0 packages excluded due to repository protections
rsync.i386 2.6.8-1.el4.rf dag [cwfox@lurker ~]$ rpm -qi rsync Name : rsync Relocations: /usr Version : 2.6.3 Vendor: CentOS Release : 1 Build Date: Mon Feb 21 07:16:46 2005 Install Date: Wed Aug 10 14:28:27 2005 Build Host: guru.build.karan.org Group : Applications/Internet Source RPM: rsync-2.6.3-1.src.rpm Size : 262544 License: GPL Signature : DSA/SHA1, Sat Feb 26 11:37:08 2005, Key ID a53d0bab443e1821 Packager : Karanbir Singh kbsingh@centos.org Summary : A program for synchronizing files over a network.
Shouldn't this package from the Dag repository be on the exclusion list or am I misunderstanding the way protectbase is supposed to work?
Best Regards, Camron
On Sat, 2006-05-06 at 09:26 -1000, Camron W. Fox wrote:
Alle,
I have installed and enabled (I think) the yum protectbase plugin:
[cwfox@lurker ~]$ rpm -qa | grep -i protectbase yum-plugin-protectbase-1.1-1.c4 [cwfox@lurker ~]$ cat /etc/yum/pluginconf.d/protectbase.conf [main] enabled = 1 [cwfox@lurker ~]$ grep plugin /etc/yum.conf plugins=1 [cwfox@lurker ~]$ cat /etc/yum.repos.d/CentOS-Base.repo
<SNIP> [base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4 protect=1 </SNIP>
However, when I do yum check-update as in the following example, there are zero package exclusions and the Dag repo package for rsync (which is a CentOS base package, I believe) is listed:
[cwfox@lurker ~]$ sudo yum check-update --enablerepo=dag rsync Loading "protectbase" plugin Loading "fastestmirror" plugin Setting up repositories Loading mirror speeds from cached hostfile Reading repository metadata in from local files 0 packages excluded due to repository protections
rsync.i386 2.6.8-1.el4.rf dag [cwfox@lurker ~]$ rpm -qi rsync Name : rsync Relocations: /usr Version : 2.6.3 Vendor: CentOS Release : 1 Build Date: Mon Feb 21 07:16:46 2005 Install Date: Wed Aug 10 14:28:27 2005 Build Host: guru.build.karan.org Group : Applications/Internet Source RPM: rsync-2.6.3-1.src.rpm Size : 262544 License: GPL Signature : DSA/SHA1, Sat Feb 26 11:37:08 2005, Key ID a53d0bab443e1821 Packager : Karanbir Singh kbsingh@centos.org Summary : A program for synchronizing files over a network.
Shouldn't this package from the Dag repository be on the exclusion list or am I misunderstanding the way protectbase is supposed to work?
Best Regards, Camron
You have to put:
protect=0
in all the non-protected repos as well
Johnny Hughes wrote:
You have to put:
protect=0
in all the non-protected repos as well
D'OH...1D10T. Sooo, if I want to protect my Base repository from updates from Dag, and I want to protect the Dag repository from updates from KBS, for example, I'm just have to run yum with enable/disable repos accordingly?
Best Regards, Camron
Camron W. Fox Hilo Office High Performance Computing Group Fujitsu America, INC. E-mail: cwfox@us.fujitsu.com
On Sat, 2006-05-06 at 10:02 -1000, Camron W. Fox wrote:
Johnny Hughes wrote:
You have to put:
protect=0
in all the non-protected repos as well
D'OH...1D10T. Sooo, if I want to protect my Base repository from updates from Dag, and I want to protect the Dag repository from updates from KBS, for example, I'm just have to run yum with enable/disable repos accordingly?
I haven't reviewed the docs recently, but IIRC all repos with protect=1 are protected from all with protect=0. They are not protected from each other and ones with protect=0 are not protected from anybody. So my take is the "base protected" is intended to protect base pkgs from corruption/destruction by "add ons". All other protection comes from "enablerepo=" on the command line combined with "disable=" in the repo definitions... and the loose nut behind the wheel, of course.
Don't trust *my* memory though (bothers me not one whit if you are screwed! ;-): review the docs and get it right~
Best Regards, Camron
<snip sigs>
HTH
Camron W. Fox wrote on Sat, 06 May 2006 10:02:27 -1000:
No protect line means protect=1 !
Sooo, if I want to protect my Base repository from updates from Dag, and I want to protect the Dag repository from updates from KBS, for example, I'm just have to run yum with enable/disable repos accordingly?
You can't do this easily with protectbase. Any protected repo can overwrite other protected repos. So you should set 1 only for repos that have a minimal chance over overlap (f.i. KBS-Extras does not overlap with CentOS). I set base and update plus kbs-extras to protect=1, all the rest to 0. It would indeed be nice to have more protection levels (10 can overwrite 9, 9 can overwrite 8 and so on ...) instead of just yes and no. That plugin isn't very long, maybe someone plays around with it, I haven't ever programmed in Python.
Kai
On Sat, 6 May 2006, Kai Schaetzl wrote:
No protect line means protect=1 !
Are you sure about that? protectbase.py says:
--- conduit.registerOpt('protect', PLUG_OPT_BOOL, PLUG_OPT_WHERE_REPO, False) ---
So, if the 'protect' option is not set, it the default value is false. This this also confirms how protectbase works in real-life on my machines.
You can't do this easily with protectbase. Any protected repo can overwrite other protected repos. So you should set 1 only for repos that have a minimal chance over overlap (f.i. KBS-Extras does not overlap with CentOS).
Another useful approach is to disable a risky repository completely, and allow installation/updates of select packages with the "includepkgs" setting.
I set base and update plus kbs-extras to protect=1, all the rest to 0. It would indeed be nice to have more protection levels (10 can overwrite 9, 9 can overwrite 8 and so on ...) instead of just yes and no.
That would be nifty :).
-- Daniel
Daniel de Kok wrote on Sun, 7 May 2006 00:14:37 +0200 (CEST):
No protect line means protect=1 !
Are you sure about that?
That is how it is explained in the documentation http://www.centos.org/docs/4/html/yum/sn-yum-maintenance.html#sn-yum-plugins Adding protect= to all repositories You MUST add protect=0 to all repos in all .repo files in /etc/yum.repos.d/ or any repos that you have in /etc/yum.conf if you want them unprotected, otherwise they belong to the protect=1 group. As a general rule add either protect=0 or protect=1 to each and every repo.
So, if the 'protect' option is not set, it the default value is false. This this also confirms how protectbase works in real-life on my machines.
Well, I'm certainly okay with that behavior, it's safer :-)
Kai
On Sun, 2006-05-07 at 12:31 +0200, Kai Schaetzl wrote:
Daniel de Kok wrote on Sun, 7 May 2006 00:14:37 +0200 (CEST):
No protect line means protect=1 !
Are you sure about that?
That is how it is explained in the documentation http://www.centos.org/docs/4/html/yum/sn-yum-maintenance.html#sn-yum-plugins Adding protect= to all repositories You MUST add protect=0 to all repos in all .repo files in /etc/yum.repos.d/ or any repos that you have in /etc/yum.conf if you want them unprotected, otherwise they belong to the protect=1 group. As a general rule add either protect=0 or protect=1 to each and every repo.
I have noticed inconsistencies in real updates if protect=0 is not added to repos ... which is why that note is there :)
When protect=0 is added the plugin works consistently.
So, if the 'protect' option is not set, it the default value is false. This this also confirms how protectbase works in real-life on my machines.
Well, I'm certainly okay with that behavior, it's safer :-)
As I said in the note in the "Official Documentation" , please add protect=0 ... or at least, don't say you have not been warned :)
On Sun, 2006-05-07 at 06:35 -0500, Johnny Hughes wrote:
I have noticed inconsistencies in real updates if protect=0 is not added to repos ... which is why that note is there :)
Thanks for the clarification! Under what circumstances is its behavior inconsistent? It would be nice to get that fixed, to give the least amount of surprise.
-- Daniel
Daniel de Kok wrote on Sun, 07 May 2006 15:01:36 +0200:
Under what circumstances is its behavior inconsistent?
Look at the recent thread "differences between yum update and yum check-update" which seems to be caused by protectbase. It showed different results for check-update and update which would create completely undesired action during the update. It doesn't seem to protect in all cases. F.i. if the package from protect=0 contains an "obsoletes" statement (at least that is what I assume) it can overwrite protect=1.
Kai
On Sun, 2006-05-07 at 22:31 +0200, Kai Schaetzl wrote:
Daniel de Kok wrote on Sun, 07 May 2006 15:01:36 +0200:
Under what circumstances is its behavior inconsistent?
Look at the recent thread "differences between yum update and yum check-update" which seems to be caused by protectbase. It showed different results for check-update and update which would create completely undesired action during the update. It doesn't seem to protect in all cases. F.i. if the package from protect=0 contains an "obsoletes" statement (at least that is what I assume) it can overwrite protect=1.
Kai
Actually ... I think if you go on with the update it will fail. (At least it did for me)
Regardless, the error is caused because of the naming not being the same between the two repos. If the names were the same (or if the obsoletes were consistent), then the plugin would function properly. The file clamav-db is newer than something else ... and it is not being blocked from being installed because it doesn't exist in the other repo. That is why there is confusion ... however the plugin ultimately prevents the install. You can't expect yum/RPM to solve this issue unless the two repos in question either name the files the same things ... OR ... make them provide the same things. That is how yum will know they are the same. To yum, clamav-db is not part of the already installed clamav stuff since it doesn't exist in the other repo.
At issue here is that file naming inconsistencies can cause problems. I don't believe yum will actually install that package though, as I think the plugin blocks it.
I am currently testing the Priorities plugin written by Daniel de Kok (earlier in this thread) ... it seems to allow assigning a number of between 1 (highest priority) and 99 (lowest priority) to each repo.
So far, it seems to work well ... although it too has an issue with clamav, because of the naming convention issues.
Johnny Hughes wrote on Sun, 07 May 2006 16:07:06 -0500:
Regardless, the error is caused because of the naming not being the same between the two repos. If the names were the same (or if the obsoletes were consistent), then the plugin would function properly. The file clamav-db is newer than something else ... and it is not being blocked from being installed because it doesn't exist in the other repo. That is why there is confusion ... however the plugin ultimately prevents the install. You can't expect yum/RPM to solve this issue unless the two repos in question either name the files the same things ... OR ... make them provide the same things. That is how yum will know they are the same. To yum, clamav-db is not part of the already installed clamav stuff since it doesn't exist in the other repo.
Sure, that it is really protectbase letting it fail in the end? I think the problem occurs because of the way protectbase works. It just excludes x packages and it checks against that list. Nothing else. I don't think that it is consulted again at that stage. Real protection would be to check with each package before installation which package it replaces and then check if the to-be-replaced package is from a protected repo or not (which is done by matching of the name and not by looking it up in a local database - the better way would be to store the repo in a database when a package gets installed - this way you would always know where it came from.)
Kai
On Sat, 2006-05-06 at 23:31 +0200, Kai Schaetzl wrote:
to 0. It would indeed be nice to have more protection levels (10 can overwrite 9, 9 can overwrite 8 and so on ...) instead of just yes and no. That plugin isn't very long, maybe someone plays around with it, I haven't ever programmed in Python.
I took that as a challenge and cooked something that does that :). Does anyone who uses more repositories than I do want to give it a try? Or maybe someone has a nice testcase? (I want to test it a little more before putting it online)
-- Daniel
On Sun, 2006-05-07 at 15:54 +0200, Daniel de Kok wrote:
On Sat, 2006-05-06 at 23:31 +0200, Kai Schaetzl wrote:
to 0. It would indeed be nice to have more protection levels (10 can overwrite 9, 9 can overwrite 8 and so on ...) instead of just yes and no. That plugin isn't very long, maybe someone plays around with it, I haven't ever programmed in Python.
I took that as a challenge and cooked something that does that :). Does anyone who uses more repositories than I do want to give it a try? Or maybe someone has a nice testcase? (I want to test it a little more before putting it online)
Daniel,
Great ... I would like to try it.
If we can get it to work reliably, that is something that we might want to roll into centos (though we should call it something other than protectbase).
Thanks, Johnny Hughes
Daniel de Kok wrote on Sun, 07 May 2006 16:24:45 +0200:
Thanks! I have sent the plugin off-list to $FROM, I hope that it doesn't get caught in a non-list filter :).
Daniel, I'm interested in it as well. Can you send it zipped?
Kai
On Sat, 2006-05-06 at 09:26 -1000, Camron W. Fox wrote:
Alle,
I have installed and enabled (I think) the yum protectbase plugin:
[cwfox@lurker ~]$ rpm -qa | grep -i protectbase yum-plugin-protectbase-1.1-1.c4 [cwfox@lurker ~]$ cat /etc/yum/pluginconf.d/protectbase.conf [main] enabled = 1 [cwfox@lurker ~]$ grep plugin /etc/yum.conf plugins=1 [cwfox@lurker ~]$ cat /etc/yum.repos.d/CentOS-Base.repo
<SNIP> [base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4 protect=1 </SNIP>
First, do you have the protect=? in the repo entry for dag (or, preferably, rpmforge that should be used)? IIRC, the docs say that a protect is needed for all? Protected ones have "1" and unprotected have 0? I don't recall if they said a default was assumed if the protect statement wqas not found.
However, when I do yum check-update as in the following example, there are zero package exclusions and the Dag repo package for rsync (which is a CentOS base package, I believe) is listed:
[cwfox@lurker ~]$ sudo yum check-update --enablerepo=dag rsync Loading "protectbase" plugin Loading "fastestmirror" plugin Setting up repositories Loading mirror speeds from cached hostfile Reading repository metadata in from local files 0 packages excluded due to repository protections
rsync.i386 2.6.8-1.el4.rf dag [cwfox@lurker ~]$ rpm -qi rsync Name : rsync Relocations: /usr Version : 2.6.3 Vendor: CentOS Release : 1 Build Date: Mon Feb 21 07:16:46 2005 Install Date: Wed Aug 10 14:28:27 2005 Build Host: guru.build.karan.org Group : Applications/Internet Source RPM: rsync-2.6.3-1.src.rpm Size : 262544 License: GPL Signature : DSA/SHA1, Sat Feb 26 11:37:08 2005, Key ID a53d0bab443e1821 Packager : Karanbir Singh kbsingh@centos.org Summary : A program for synchronizing files over a network.
Shouldn't this package from the Dag repository be on the exclusion list or am I misunderstanding the way protectbase is supposed to work?
There is a thread posted in the last few days complaining that check- update does not give the same results as a real yum up date run. Maybe that is your problem here too?
Do yum update and reply 'n' if it is not your problem and the update won't happen.
Best Regards, Camron
HTH
-
Camron W. Fox -
Daniel de Kok -
Johnny Hughes -
Kai Schaetzl -
William L. Maltby