yum repo and package dependencies with puppet

Over the last couple of months I’ve been using puppet to help scale out sysadmin tasks. As puppet manifests are based on a declarative programming language I’ve discovered you can not rely on flow control such as ‘drop in a RPM GPG key, then configure repo foo. Once both of those tasks are done install package bar from repo foo’ unless you add some smarts.

This is how I install a package on a RHEL5/CentOS/Fedora type system which depends on a yum repo first which in turn depends on a GPG key.

Within the puppet manifest first define a file resource for the GPG key that RPM needs to install packages from the EPEL repository

file { “/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL”: owner => root, group => root, mode => 0444, source => “puppet:///yum/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL” }

The yum puppet module I have has RPM-GPG-KEY-EPEL in /etc/puppet/modules/yum/files/etc/pki/rpm-gpg/ on the puppetmaster server.

Next define a yumrepo resource with the repo details. Note the ‘require’ attribute which references the GPG key file resource.

yumrepo { “epel”: mirrorlist => ‘http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch’, enabled => 1, gpgcheck => 1, gpgkey => “file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL”, require => File["/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"] }

Finally the package resource which references the yumrepo resource.

package { [ "nginx", "rtpproxy" ]: ensure => latest, require => Yumrepo[ "epel" ], }