yum repo and package dependencies with puppet

June 28, 2010

Over the last couple of months I’ve been using puppet to help scale out sysadmin tasks. As puppet manifests are based on a declarative programming language, I’ve discovered you cannot rely on flow control such as ‘drop in an RPM GPG key, then configure repo foo. Once both of those tasks are done, install package bar from repo foo’ unless you add some smarts.

This is how I install a package on a RHEL5/CentOS/Fedora-type system when the package depends on a yum repo, which in turn depends on a GPG key.

Within the puppet manifest, first define a file resource for the GPG key that RPM needs to install packages from the EPEL repository:

file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL":
    owner => root,
    group => root,
    # quoted so the mode is passed as an octal string, not parsed as a number
    mode => "0444",
    source => "puppet:///yum/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"
}

The yum puppet module I have has RPM-GPG-KEY-EPEL in /etc/puppet/modules/yum/files/etc/pki/rpm-gpg/ on the puppetmaster server.

Next define a yumrepo resource with the repo details. Note the ‘require’ attribute which references the GPG key file resource.

yumrepo { "epel":
    mirrorlist => 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch',
    enabled => 1,
    # packages from this repo are verified against the key installed above
    gpgcheck => 1,
    gpgkey => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL",
    require => File["/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"]
}

Finally, the package resource, which references the yumrepo resource:

package { [
    # package names are missing from this copy of the post
  ]:
    ensure => latest,
    require => Yumrepo[ "epel" ],
}

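
The three resources above combined into one class, as an added example that is not the author's manifest. It goes one step beyond the post by ordering the chain with arrows and a tag-based collector, so packages need no per-resource `require`; the class name `epel_repo`, the tag `from_epel`, the package name `example-package`, the `descr` text and the `puppet:///modules/...` form of the source URI are assumptions.

```puppet
# Added example; names marked "hypothetical" are not from the post.
class epel_repo {   # hypothetical class name

  # 1. The GPG key RPM uses to verify packages from EPEL.
  file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0444',
    # Assumption: module-style URI for the key kept in the yum module's
    # files/etc/pki/rpm-gpg/ directory on the puppetmaster.
    source => 'puppet:///modules/yum/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL',
  }

  # 2. The repo definition. gpgcheck stays on and gpgkey points at the
  #    local file from step 1, so yum never fetches a key over the network.
  yumrepo { 'epel':
    descr      => 'EPEL 5',   # constructed description
    mirrorlist => 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch',
    enabled    => '1',
    gpgcheck   => '1',
    gpgkey     => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL',
  }

  # 3. Ordering, stated once: key, then repo, then every package that
  #    carries the (hypothetical) tag 'from_epel'. Note that a collector
  #    also realizes any virtual package resources matching the tag.
  File['/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL']
  -> Yumrepo['epel']
  -> Package <| tag == 'from_epel' |>
}

include epel_repo

# Any package declared anywhere in the catalog opts in with the tag.
package { 'example-package':   # hypothetical package name
  ensure => latest,
  tag    => 'from_epel',
}
```
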
  • http://twitter.com/catherinedevlin catherinedevlin

    Thank you! This helped a lot.

    Anybody cutting-and-pasting from your post should beware the typeset quote-marks around strings like “/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL” – they need to replace them with plain vanilla quote marks, or they’ll get errors like

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse for environment production: Could not match ?/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL?

    I totally hate typeset quote marks. :P

  • http://emmeff.myopenid.com/ EmmEff

    FWIW, I’ve also seen recipes using stages to do the package repository before the main stage.  That way it’s not necessary to put yumrepo dependencies in all package declarations.

  • Stephiepea

    EmmEff could you point us in the direction of the other ‘recipes’ you have found?

  • Sridhar

    Thank you for posting this. Also, I made some changes (corrected puppet-lint errors) and posted the code on github.

