How to Configure YUM Repository Server Using Apache Webserver in CentOS/RHEL 7

Here is a quick reference guide to configuring an Apache web server based YUM repository server in CentOS/RHEL 7.

Pre-requisites

1. Check the Red Hat Linux version using the following command:

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)

2. Check that the software required for configuring the YUM server is installed:

# rpm -qa |grep -e httpd -e createrepo
httpd-tools-2.4.6-17.el7.x86_64
httpd-2.4.6-17.el7.x86_64
createrepo-0.9.9-23.el7.noarch

Configuring an Apache based YUM server can be divided into 3 parts:

  1. YUM repository configuration
  2. Apache configuration (httpd)
  3. YUM client configuration

YUM repository configuration

1. Mount the RHEL 7 DVD into the server:

# mount -t iso9660 /dev/sr0 /dvd

Check the contents of the dvd:

# ll /dvd
total 816
dr-xr-xr-x.  4 root root   2048 Apr  9  2014 addons
dr-xr-xr-x.  3 root root   2048 Apr  9  2014 EFI
-r--r--r--.  1 root root   8266 Apr  4  2014 EULA
-r--r--r--.  1 root root  18092 Mar  6  2012 GPL
dr-xr-xr-x.  3 root root   2048 Apr  9  2014 images
dr-xr-xr-x.  2 root root   2048 Apr  9  2014 isolinux
dr-xr-xr-x.  2 root root   2048 Apr  9  2014 LiveOS
-r--r--r--.  1 root root    108 Apr  9  2014 media.repo
dr-xr-xr-x.  2 root root 778240 Apr  9  2014 Packages
dr-xr-xr-x. 24 root root   6144 Apr  9  2014 release-notes
dr-xr-xr-x.  2 root root   4096 Apr  9  2014 repodata
-r--r--r--.  1 root root   3375 Apr  1  2014 RPM-GPG-KEY-redhat-beta
-r--r--r--.  1 root root   3211 Apr  1  2014 RPM-GPG-KEY-redhat-release
-r--r--r--.  1 root root   1568 Apr  9  2014 TRANS.TBL

2. Create a directory /yum for holding all the rpms:

# mkdir /yum

Copy all the RPMs from the DVD to /yum using the following command:

# cp -r /dvd/Packages/*.rpm /yum

3. Create the metadata for all the packages copied into /yum by running the createrepo command:

# cd /yum
# createrepo .

You will see a repodata directory under /yum. Under repodata you will find the following files:

# ls /yum/repodata
  • repomd.xml - This is the file that describes the other metadata files. It is like an index file to point to the other files. It contains timestamps and checksums for the other files. This lets a client download this one, small file and know if anything else has changed. This also means that cryptographically (ex: gpg) signing this one file can ensure repository integrity.
  • primary.xml.gz - This file stores the primary metadata information. This includes information such as name, epoch, version, release, architecture, file size, file location, description, summary, format, checksums, header byte-ranges, dependencies, provides, conflicts, obsoletes, suggests, recommends, and file lists for the package for CERTAIN files, specifically files matching: /etc*, *bin/*, /usr/lib/sendmail
  • filelists.xml.gz - This file stores the complete file and directory listings for the packages. The package is identified by: name, epoch, version, release, architecture and package checksum id.
  • other.xml.gz - This file currently only stores the changelog data from packages. However, this file could be used for any other additional metadata that could be useful for clients.
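
The checksum index described for repomd.xml can be checked on the server before the repository is published. The following is an added example, not part of the original guide or of yum/createrepo: it re-hashes every file that repodata/repomd.xml lists and rejects entries whose location resolves outside the repository. build_sample_repo and the data it writes are constructed stand-ins for /yum.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml default namespace

def file_digest(path, algo):
    with open(path, "rb") as fh:  # older repos write "sha" for SHA-1
        return hashlib.new("sha1" if algo == "sha" else algo, fh.read()).hexdigest()

def verify_repomd(repo_root):
    """Map each <data type=...> entry of repodata/repomd.xml to a verdict string."""
    repo_root = os.path.realpath(repo_root)
    root = ET.parse(os.path.join(repo_root, "repodata", "repomd.xml")).getroot()
    verdicts = {}
    for data in root.findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        checksum = data.find("r:checksum", NS)
        path = os.path.realpath(os.path.join(repo_root, href))
        if not path.startswith(repo_root + os.sep):
            verdict = "unsafe path"  # href resolves outside the repository tree
        elif not os.path.isfile(path):
            verdict = "missing"
        elif file_digest(path, checksum.get("type")) == checksum.text.strip().lower():
            verdict = "ok"
        else:
            verdict = "mismatch"  # file changed after repomd.xml was written
        verdicts[data.get("type")] = verdict
    return verdicts

def build_sample_repo(root, tamper=False):
    """Constructed stand-in for /yum: one fake metadata file and a repomd.xml indexing it."""
    os.makedirs(os.path.join(root, "repodata"))
    body = b"constructed primary metadata"
    with open(os.path.join(root, "repodata", "primary.xml.gz"), "wb") as fh:
        fh.write(body + (b" changed after indexing" if tamper else b""))
    with open(os.path.join(root, "repodata", "repomd.xml"), "w") as fh:
        fh.write('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
                 '<data type="primary"><checksum type="sha256">%s</checksum>'
                 '<location href="repodata/primary.xml.gz"/></data>'
                 '<data type="other"><checksum type="sha256">00</checksum>'
                 '<location href="../outside.xml.gz"/></data></repomd>'
                 % hashlib.sha256(body).hexdigest())
    return root

if __name__ == "__main__":
    print(verify_repomd(build_sample_repo(tempfile.mkdtemp())))
```

On the real server the call would be verify_repomd("/yum"), run after every createrepo pass.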

To run group commands like grouplist and groupinstall, copy the *-comps-Server.x86_64.xml file from the DVD's repodata directory (createrepo does not generate it under /yum/repodata) and regenerate the metadata with it using the following commands:

# cd /dvd/repodata
# cp 76a190afa1c59e14d3a03f9b03c3eee31df0099f1193528ebb87d4d493d2b686-comps-Server.x86_64.xml /yum/
# createrepo -g 76a190afa1c59e14d3a03f9b03c3eee31df0099f1193528ebb87d4d493d2b686-comps-Server.x86_64.xml /yum

Now let us enable GPG checking for the packages served from /yum. When gpgcheck is set to 1 in the client's repo file, yum verifies the authenticity of the packages by checking their GPG signatures. You might need to set gpgcheck to 0 if a package is unsigned, but you should be wary that the package could have been maliciously altered.

To enable this feature, copy the GPG key from the DVD:

# cp /dvd/RPM-GPG-KEY-redhat-release /yum

Apache configuration (httpd)

1. Edit the main Apache configuration file /etc/httpd/conf/httpd.conf and add the following lines at the bottom of httpd.conf.

<Directory "/yum">
    AllowOverride None
    Require all granted
</Directory>

2. Create repo configuration file under /etc/httpd/conf.d/ using the following command and add the following line.

# vi /etc/httpd/conf.d/repo.conf
Alias /repo/ "/yum/"

3. Start the Apache service and enable it at server boot.

# systemctl start httpd      ### Start the apache service
# systemctl enable httpd     ### enable the apache service at bootup
# systemctl status httpd     ### check the apache status

4. Let us check the SELinux policy of this server. SELinux is currently enabled and in Enforcing mode.

# getenforce
Enforcing

With SELinux enabled, Apache cannot access the /yum directory because the directory carries a different SELinux context.

# ls -ldaZ /yum
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /yum

5. Look at the SELinux context of the Apache document root /var/www/html. It shows that the Apache service can access content labeled with the httpd_sys_content_t type.

# ll -ladZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

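So we need to change the SELinux context of /yum to httpd_sys_content_t to give Apache access. Run the following command to provide access. Note that a label set with chcon is not stored in the policy's file-context rules, so a full filesystem relabel or a restorecon run reverts it.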

# chcon -R -t httpd_sys_content_t /yum

6. Now let us check the firewall status. The firewall is currently running.

# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2014-11-01 01:26:15 EDT; 1h 32min ago
 Main PID: 871 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─871 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 01 01:26:15 server3 systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

We need to create a rule that allows access to Apache from the external network. Run the following commands to create the rule.

# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --reload
# firewall-cmd --list-all

7. Check that Apache is now able to serve the /yum contents. You can use the following command.

# elinks http://localhost/repo/repodata/repomd.xml

YUM client configuration

1. Create a client repo configuration file under /etc/yum.repos.d/ and add the following lines to access the YUM server.

# vi /etc/yum.repos.d/www.repo
[www-repo]
name=vinil yum http
baseurl=http://192.168.1.6/repo
enabled=1
gpgcheck=1
gpgkey=http://192.168.1.6/repo/RPM-GPG-KEY-redhat-release

2. Run the following commands to check access to the YUM server.

# yum clean all       ### Clean the cached YUM metadata on the client.
# yum repolist        ### Check the repo list.
# yum install ftp     ### Install the required package.
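
An added example (not from the original guide or from yum itself) that audits a client .repo file for the settings discussed above: gpgcheck, the gpgkey URL, and the transport used for repository metadata. The function name, finding texts and second stanza are constructed; repo_gpgcheck is yum's option for verifying a signed repomd.xml, which the server built in this guide does not produce.

```python
import configparser

# First stanza is the client file from this guide; the second is constructed for contrast.
SAMPLE = """\
[www-repo]
name=vinil yum http
baseurl=http://192.168.1.6/repo
enabled=1
gpgcheck=1
gpgkey=http://192.168.1.6/repo/RPM-GPG-KEY-redhat-release

[constructed-unsigned]
name=constructed example
baseurl=http://192.168.1.6/repo
enabled=1
gpgcheck=0
"""

CLEARTEXT = ("http://", "ftp://")


def audit_repo_text(text, main_gpgcheck=False):
    """Return sorted (repo id, finding) pairs for the enabled repos in a .repo file.

    main_gpgcheck is the value a stanza inherits from [main] in /etc/yum.conf
    when it does not set gpgcheck itself (passed in because it lives elsewhere).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        repo = cp[repo_id]
        if not repo.getboolean("enabled", fallback=True):
            continue  # disabled repos are never used by yum
        if not repo.getboolean("gpgcheck", fallback=main_gpgcheck):
            findings.append((repo_id, "gpgcheck off: package signatures not verified"))
        urls = (repo.get("baseurl", "") + " " + repo.get("mirrorlist", "")).split()
        plain = any(u.lower().startswith(CLEARTEXT) for u in urls)
        if plain and not repo.getboolean("repo_gpgcheck", fallback=False):
            findings.append((repo_id, "metadata over cleartext without repo_gpgcheck"))
        keys = repo.get("gpgkey", "").replace(",", " ").split()
        if any(k.lower().startswith(CLEARTEXT) for k in keys):
            findings.append((repo_id, "gpgkey fetched over cleartext: verify its fingerprint"))
    return sorted(findings)


if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE):
        print(repo_id + ": " + finding)
```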