Linux Commands

Introduction to RPM/YUM Package Management

Red Hat Package Manager is the default open-source package management utility built under General Public License (GPU). The package management system is for all Red Hat-based Linux derivatives like Fedora, RHEL, and CentOS. RPM facilitates system administrators with the basic five modes of package management operations: installing, updating, removing, querying, and verifying packages.

Moreover, Yellowdog Updater Modified (YUM) is to RPM what APT package management tool is for dpkg utility in Debian packaging system: it resolves the package dependency issues of RPM. In this guide, we will briefly introduce YUM. Whereas, we will have an in-depth introduction and background to the RPM packaging system for Red Hat Linux distributions.

Background

In the earlier days of Linux, software/programs were included in the system by compiling the source code into runnable binaries. Sometimes they were compiled in the form of a package known as tarballs containing multiple files. After software installation from a tarball, all the executable files, documents, configuration files, and libraries would spread across the system into relevant directories.

However, this way of application inclusion has its limitations:

  • User’s inability to find program documents and configuration files.
  • Difficulty to find the program’s required dependencies.
  • Requires the user to locate and remove each program file individually.
  • Did not hold metadata: hence, after installation, the users were unaware of the program version and other details.

Since then, Linux distributions have covered a long way by providing software into complex prebuilt programs known as packages. Hence, all Linux distributions followed two main packaging formats, RPM and DEB. In this article, we are focusing on an RPM packaging system.

Getting Started

The package management systems RPM, YUM, and DEB (for Debian Linux Distributions) have many similarities. All of them can update, install, remove, and upgrade packages with a command-line facility.

At the time of any Linux installation, a large section of packages gets installed as well, which is relevant to the intended use of the system. However, at some point in time, a user needs to add new packages for additional functionality, update current packages, or remove packages that are not required in Red Hat-based systems.

Let’s figure out how the package managers for Red Hat Linux Distributions perform the above tasks, including the challenges of finding package details or the commands that packages contain.

RPM

The RPM Package Manager offers the main command named rpm that provides several options to enable the user to find all the package-related information. The options rpm offers are grouped into three main categories:

  • install, upgrade, and remove packages
  • to query package related information and verify
  • to perform miscellaneous functions

In this article, we will discuss the first two rpm command options. Even though it can perform the basic package management-related tasks, being the first tool to deal with RPM packaging, rpm has some main limitations:

The package installation with rpm fails if the package dependency isn’t available. It further requires the user to search what package contains the component, which itself has some dependencies. Besides, the rpm commands require the user to pinpoint the RPM file location.

YUM

A convenient solution to the above problems is YUM that automates package update and management to the RPM system. It also provides dependency management by considering RPM packages, not as an individual software but as a part of a repository system.

RPM Packaging

RPM package is the combination of configuration files, commands, documents to provide a software feature. It also contains metadata that contains package content, from where it came from or installed, version, and dependency details with other information.

Before getting further into RPM package files, the package name itself shares a lot of details about the software. To find details of a package already installed inside the system, use the rpm command with the -qi query information option:

[fedora@fedora]$ sudo rpm -qi nmap | less
Name        : nmap
Epoch       : 3
Version     : 7.80
Release     : 11.fc34
Architecture: x86_64
Install Date: Tue 29 Jun 2021 12:45:34 PM EDT
Group       : Unspecified
Size        : 24743073
......

Source RPM  : nmap-7.80-11.fc34.src.rpm
Build Date  : Thu 11 Mar 2021 12:34:34 AM EST
Build Host  : buildvm-x86-27.iad2.fedoraproject.org
Packager    : Fedora Project
...

The output of the above command shares details from where the program was downloaded, directly from the YUM repository or any installation medium. Similarly, it also shares details along the lines of when the program was installed, who built it, its size, and when it was installed.

The software for Linux distributions comes from open-source projects known as upstream software providers. They make the software available with licensing conditions. The distributions build the source code into binaries and consolidate them with other relevant components into a package.

The consolidated RPM package is signed to verify its integrity and added to the repository in correspondence to distribution and architecture. All the RPM packages come from the yum repositories available inside a directory at the webserver, a local machine directory, or a medium like CD or DVD or an FTP server.

Package Location

The location of repository files is available in the user’s system inside /etc/yum.repos.d/ directory, it’s the default location to store repository information. However, users can also find or specify these locations inside the main YUM’s configuration file /etc/yum.conf.

[fedora@fedora]$ cat /etc/yum.repo.d/fedora.repo | less

A repository file contains multiple copies of distribution packages available from different locations, also known as mirrors. Hence, it informs YUM about the closest mirror location for the fastest download. The repository file has three sections, containing information about the normal, debug, and lastly source packages.

Just like Debian packaging, RPM and YUM get details about the installed packages from the local database. The package managers retrieve metadata (from /var/cache/yum directory) about the packages inside the local database from enabled repositories.

Download RPMs from YUM Repository

To examine RPMs content or to install them in a non-networked environment, a user may require to download the package. It can be made possible with the help of the yumdownloader command. Use the yumdownloader command, with the package name to download it in the current directory. For instance, download the vim text-editor as follows:

[fedora@fedora]$ yumdownloader vim

Or, use the –resolve option to download the required dependencies for the package.

[fedora@fedora]$ yumdownloader --resolve vim
....
(4/6): vim-minimal-8.2.3046-1.fc34.x86_64.rpm                         208 kB/s | 698 kB     00:03    

(5/6): vim-common-8.2.3046-1.fc34.x86_64.rpm                          727 kB/s | 6.6 MB     00:09  
...

RPMs Installation

Even though the rpm command can do basic installation and upgrades, users utilize it only when the program files are already in the current directory and are ready to install. Since vim is already available in the current directory, install it via rpm command with an -i option with the entire package name, as follows:

[fedora@fedora]$ yumdownloader --resolve nmap-7.80-11.fc34.x86_64.rpm
[fedora@fedora]$ sudo rpm -i nmap-7.80-11.fc34.x86_64.rpm

Use the –U option to upgrade the package with a -hv option to print the hash signs and detailed verbose output. Note that the -U option installs the zsh package even when it’s already installed.

[fedora@fedora]$ sudo rpm -Uhv nmap-7.80-11.fc34.x86_64.rpm
Verifying...                          ################################# [100%]

Preparing...                          ################################# [100%]

The rpm command offers another type of install with the -F (freshen) options that install a package only if an earlier version of that package exists. It’s helpful in a scenario when the user wants to update all the installed RPMs in a current directory.

[fedora@fedora]$ rpm -Fhv *.rpm

Users can add more options to any of the install options, such as –replacepkgs option enables reinstalling a package if a component of it gets deleted mistakenly. Similarly, –oldpackage option allows the installation of an older version of the package.

[fedora@fedora]$ sudo rpm -Uhv --replacepkgs emacs-common-24.4-3.fc21.x86_64.rpm
[fedora@fedora]$ sudo rpm -Uhv --oldpackage zsh-4.3.10-7.el6.x86_64.rpm

RPM Removal

To remove RPM packages, use the -e option of the rpm command with only a package base name. The output to the following command displays that, unlike package removal in the Debian packaging system, it does not show any dependencies removed in the process.

[fedora@fedora]$ sudo rpm -e nmap

Note that, unlike package installation, it does not prompt before package removal. But if the package is a dependency for another program, the user gets an error message as the rpm command fails to remove it.

Querying RPM Information

In this section, we will discuss various ways to query information via the rpm command. In the RPM packaging section, we learn to display information about an already installed package via -qi information. Similarly, the rpm command also enables the display of files, configuration files, and other documentation with the help of –ql, –qc, and –qd options, as follows:

[fedora@fedora]$ rpm -ql nmap
/usr/bin/nmap
/usr/bin/nping
/usr/lib/.build-id
/usr/lib/.build-id/4e
...
 
[fedora@fedora]$ rpm -qc nmap
 
[fedora@fedora]$ rpm -qd nmap
/usr/share/doc/nmap/README
/usr/share/doc/nmap/nmap.usage.txt
/usr/share/man/de/man1/nmap.1.gz
/usr/share/man/es/man1/nmap.1.gz
...

RPM packages include a plethora of information that can be retrieved with various flags. For instance, a user can use the –require option to find prerequisite programs or files to install an emac-common program.

[fedora@fedora]$ rpm -q --requires emacs-common


Similarly, query the information about scripts run before and after RPM installation or removal with the help of the <strong>--scripts</strong> option.

[cc lang="text"  width="100%" height="100%" escaped="true" theme="blackboard" nowrap="0"]
[fedora@fedora]$ rpm -q --scripts httpd

Another important feature that rpm offers is a —queryformat option that enables us to query information like tags and output in any format the user prefers. Run the following command to display all the available tags:

[fedora@fedora]$ rpm --querytags | less
ARCH
ARCHIVESIZE
BASENAMES
BUGURL
BUILDARCHS
BUILDHOST
BUILDTIME
....

For instance, to display the name, size, and release number of the tag binutils, use the following command:

[fedora@fedora]$ rpm -q binutils --queryformat "The package is %{NAME}, \ and its size is %{SIZE}\n".

The package is binutils, its size is 31814958 and the release is 41.fc34

Lastly, add the –p flag to the query option to help investigate RPMs shared by someone before installation.

[fedora@fedora]$ yumdownloader emac-common
[fedora@fedora]$ rpm -qip emacs-common-27.2-3.fc34.x86_64.rpm    

This package contains all the common files needed by emacs, emacs-lucid or emacs-nox.

RPM Verification

RPM database contains fingerprints for each package file that enables the user to verify its integrity. The rpm command offers a –V feature to check any changes made to installed package components. However, it’s important to note that the changes do take place in the configuration file after installation, but changes in binaries are a problem.

Install the emac-common package and make changes to its files. But remember to remove and reinstall the package after experimentation.

[fedora@fedora]$ rpm -i zsh-5.8-5.fc34.x86_64.rpm
[fedora@fedora]$ sudo -i
[root@fedora ~]# echo fedora > /bin/zsh

[root@fedora ~]# rm /etc/zshrc

rm: remove regular file '/etc/zshrc'? y

[fedora@fedora]$ rpm -V vim

missing   c /etc/zshrc
S.5....T.    /usr/bin/zsh

The above output displays changes made in the /etc/ file whereas, the file /etc/ is removed. The letters or numbers in the above output represent any changes made to the package files. These letters replace the dots after file manipulation, some of the indicators are as follows:

  • S: file Size differs
  • D: Device major/minor number mismatch
  • M: File Mode differs
  • P: Capabilities differ
  • U: User ownership differs
  • 5: MD5 sum differs
  • T: Modification Time

You can find more detail about verification indicators from the official documentation.

The above output helps interpret file size changes, changes in md5sum against the file fingerprint, and modification time. The rpm command offers a –replacepkgs option to restore the package state. Check again with the verify option: no output displays no changes.

[fedora@fedora]$ rpm -i --replacepkgs zsh-5.0.2-7.el7.x86_64.rpm
[fedora@fedora]$ rpm -V vim

The ideal practice is to keep a backup of the database /var/lib/rpm to a read-only medium. It helps verify package integrity with surety that it isn’t checked against a tempered/cracked database.

Conclusion

The article details the history and evolution of the packaging system for Red Hat Linux distribution. It also provides details on RPM packaging and its location inside the system. Lastly, the article provides in-depth detail on the five basic operations of RPM.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14