yum-plugin-priorities

Many people find the priorities plugin a useful tool if it is properly configured and used with an understanding of its functionality and a recognition of its limitations and potential issues. It can be used in conjunction with the 'exclude' and/or 'includepkgs' options, as well as the 'enabled=0' option to disable a repo by default. This lets you choose which packages from a less important repo will supersede those of a more important one.

1. Nomenclature

Note: This plugin has carried at least two different names over time. It is named yum-priorities on CentOS-5 but was named yum-plugin-priorities on CentOS-4. CentOS-6 has reverted to yum-plugin-priorities. It functions in a substantially similar way in these three CentOS major releases.

2. Usage

The priorities plugin can be used to enforce ordered protection of repositories, by associating priorities to repositories. Packages from repositories with a lower priority will never be used to upgrade packages that were installed from a repository with a higher priority. The priorities are also in effect when a new package is installed - if a package is in more than one repository, it will be installed from the repository with the highest priority. This plugin is particularly useful for anyone who uses one or more third-party repositories, as these repositories may update system files, which can potentially compromise the stability of your CentOS installation.

To be able to use this plugin, you must enable plugins in your /etc/yum.conf file; see Yum Plugins for details.

3. Installation

It can be installed with this command:

CentOS-4 or CentOS-6:

yum install yum-plugin-priorities

CentOS-5:

yum install yum-priorities

The priorities plugin is available from two locations:

After the plugin is installed, make sure that it is enabled when you decide to use a given archive. You can do this by editing the /etc/yum/pluginconf.d/priorities.conf file, and ensuring that it contains the following lines:

[main]
enabled=1

4. Description of function

A man page is of course more authoritative than a wiki article.

Some packages specify obsoletes in their metadata. This property of a package specifies which old packages with a different name the package replaces. This can interfere with the priority protection of packages. For example, this would happen if a package from a low-priority repository contained an obsoletes: for a package from a high-priority repository. For instance, if the gconfmm2 package was installed from a high-priority repository, and another package (say gconfmm20) claims to replace the obsolete gconfmm2 package, yum will replace the gconfmm2 package with the gconfmm20 package. The plugin can be set to consider such upgrades, but resolve them through a fixed rule that OVER-RIDES the otherwise prevented block of a desired transition, by adding the following line to the main section of /etc/yum/pluginconf.d/priorities.conf:

check_obsoletes=1

This is a mechanical rule, and cannot be aware of the analysis and thorough process of managing a distribution over time, and is accordingly potentially harmful to good hygiene of a system. Blindly enabling any set of priorities rules is trusting an auto-pilot, unable to react to the growth of the distribution. It can, if properly and thoughtfully used, prevent a 3rd party repo from replacing a core package of a different name through the use of obsoletes.

5. Specific Configuration

With the plugin enabled, you may add priorities to repositories by adding the line:

priority=N

to a repository entry, where N is an integer from 1 to 99. The default priority for repositories is 99. The repositories with the lowest numerical priority number have the highest priority. Usually, it is best to give at least the CentOS base and update repositories a very high priority. In the following example of the /etc/yum.repos.d/CentOS-Base.repo file, the CentOS base and update repositories are given the highest possible priority (1):

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=1
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=2

Note: The above example is for CentOS-4, the file name RPM-GPG-KEY-centos4 (in the gpgkey line) should be replaced with RPM-GPG-KEY-CentOS-5 for use with CentOS-5.

After making these changes to the /etc/yum.repos.d/CentOS-Base.repo file, yum will never update packages from the base and update repositories with packages from repositories with lower priorities. This can cause security updates and 'point release' respin updates to be silently suppressed, and expose your system to potential damage. See the cautions at the head of this article.

6. Miscellany

One author's recommended settings are:

[base], [addons], [updates], [extras] ... priority=1
[centosplus] priority=1 (same priority as base and updates) but should be left disabled
[contrib] ... priority=2
Third Party Repos ... priority=N  (where N is > 10 and based on your preference)

You can list all repositories set up on your system with yum repolist all. However, this does not show priority scores. Here's a one-liner for that. If no number is defined, the default is the lowest priority (99).

sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n
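
The one-liner above prints only the repositories that set priority explicitly. As an added example (not part of the original article), the script below prints every repository section with yum's defaults filled in (priority 99, enabled 1) and lists enabled repositories outside the CentOS set whose priority is 10 or lower, following the "N > 10" recommendation above. The function names and the sample .repo files are constructed for illustration.

```shell
#!/bin/sh
# repo_priorities FILE...: print "priority enabled repo-id" for every section,
# filling in yum's defaults (priority 99, enabled 1) when a key is absent.
# Assumes enabled= is written as 0 or 1, as in the article's example file.
repo_priorities() {
    awk '
        function emit() { if (id != "") print prio, en, id }
        /^[ \t]*\[/ {
            emit()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            prio = 99; en = 1
            next
        }
        /^[ \t]*priority[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); prio = v + 0 }
        /^[ \t]*enabled[ \t]*=/  { v = $0; sub(/^[^=]*=[ \t]*/, "", v); en = v + 0 }
        END { emit() }
    ' "$@" | sort -k1,1n -k3,3
}

# third_party_too_high FILE...: enabled repos outside the CentOS set whose
# priority is 10 or lower, i.e. able to compete with base and updates.
third_party_too_high() {
    repo_priorities "$@" | awk '
        BEGIN { n = split("base updates addons extras centosplus contrib", c, " ")
                for (i = 1; i <= n; i++) core[c[i]] = 1 }
        $2 == 1 && !($3 in core) && $1 <= 10 { print $3 }'
}

# Constructed sample (not from a real system): one CentOS file, two other repos.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
priority=1
[contrib]
enabled=0
priority=2
EOF
cat > "$demo/thirdparty.repo" <<'EOF'
[example-a]
enabled=1
priority=1
[example-b]
enabled=1
EOF
repo_priorities "$demo"/*.repo
echo "--- enabled third-party repos at priority 10 or lower:"
third_party_too_high "$demo"/*.repo
```

On a real system, pass /etc/yum.repos.d/*.repo to either function.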

7. A Cautionary Note

Note: The upstream maintainer of yum, Seth Vidal, had the following to say about 'yum priorities' in September 2009:

Gosh, I hope people do not set up yum priorities. There are so many things about
priorities that make me cringe all over. It could just be that it reminds me of
apt 'pinning' and that makes me want to hurl.

This matter was discussed in more depth in the mailing list thread starting here. The Repositories article noted in that thread, which discusses the exclude and includepkgs options for yum, is a better place to start in understanding priorities.

The primary concern is that priorities is heavy-handed in removing packages from the transaction set. It makes it difficult to readily determine what packages are being ignored and why. Even so, it is very flexible and can be extremely useful to provide the largest available list of packages.

PackageManagement/Yum/Priorities (last edited 2011-08-02 20:26:28 by PhilSchaffner)