Configuring RPM
Repositories

Configure access to RPM repositories

CIS126RH | RHEL System Administration 1
Mesa Community College

Before you can install or update software on a RHEL system, the system must know where to find packages. RPM repositories are the source — and configuring access to them is a fundamental administration task. This module covers how repositories work, how to write and manage repository configuration files, how to use dnf to interact with repositories, and how to configure a local repository from installation media. These skills are tested on the RHCSA exam.

Learning Objectives

  1. Explain what RPM repositories are and how they work — Describe the relationship between packages, repositories, and the DNF package manager
  2. Write and manage repository configuration files — Create .repo files in /etc/yum.repos.d/ with the required directives
  3. Use dnf to manage repository access — List, enable, disable, and add repositories using dnf config-manager
  4. Configure a local repository from installation media — Mount an ISO image and configure it as a local repository source

What is an RPM Repository?

A repository (repo) is a collection of RPM packages stored at a network or local location, along with metadata that describes what packages are available and their dependencies.

  • The repository metadata tells DNF what packages are available, their versions, and what they depend on
  • DNF reads the metadata, resolves dependencies, and downloads only what is needed
  • Repositories can be hosted on HTTP servers, FTP servers, NFS shares, or on the local filesystem
  • Red Hat hosts the official RHEL repositories at cdn.redhat.com — access requires a valid subscription
  • Without a subscription, the RHEL DVD ISO or a mirror can serve as a local repository
RPM vs DNF

RPM is the low-level package format and tool — it installs a single package file you already have. DNF is the high-level package manager — it finds packages in repositories, resolves dependencies, and calls RPM to do the actual installation.

Repository Configuration Files

DNF reads repository definitions from files ending in .repo located in /etc/yum.repos.d/. Each file can define one or more repositories.

# List configured repository files
$ ls /etc/yum.repos.d/
rhel-9.repo  epel.repo  local-media.repo

# Each .repo file contains one or more repository sections
# A minimal valid .repo file looks like this:

[rhel-9-baseos]
name=Red Hat Enterprise Linux 9 - BaseOS
baseurl=https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
RHCSA Exam Requirement

You must be able to write a .repo file from scratch given a URL or path. The three required directives are the section header in brackets, baseurl, and enabled. All other directives are optional but commonly tested.

.repo File Directives

Directive Required Description
[repoid] Yes Section header — unique identifier for this repository, no spaces
name= Yes Human-readable repository name shown in dnf output
baseurl= Yes * URL or path where the repository is located — must contain a repodata/ directory
mirrorlist= Yes * URL to a list of mirrors — alternative to baseurl
enabled= No 1 to enable (default), 0 to disable the repository
gpgcheck= No 1 to verify package signatures (recommended), 0 to skip
gpgkey= No Path or URL to the GPG public key used for signature verification
sslverify= No 1 to verify SSL certificates (default), 0 to skip

* Either baseurl or mirrorlist is required — not both.

Writing a .repo File

Create the file in /etc/yum.repos.d/ using vim or a here document. The filename must end in .repo.

Using vim

$ sudo vim /etc/yum.repos.d/rhel9.repo

Using a here document

$ sudo tee /etc/yum.repos.d/rhel9.repo <<EOF
[rhel-9-baseos]
name=RHEL 9 BaseOS
baseurl=http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
enabled=1
gpgcheck=0

[rhel-9-appstream]
name=RHEL 9 AppStream
baseurl=http://content.example.com/rhel9.0/x86_64/dvd/AppStream
enabled=1
gpgcheck=0
EOF
RHEL 9 has two main repositories

RHEL 9 splits packages between BaseOS (core OS packages) and AppStream (applications, runtime environments, and developer tools). Both are typically needed — configure both in the same .repo file.

Verifying Repository Configuration

After creating a .repo file, confirm DNF can read it and reach the repository.

# List all configured repositories and their status
$ dnf repolist
repo id              repo name                    status
rhel-9-appstream     RHEL 9 AppStream             8,000
rhel-9-baseos        RHEL 9 BaseOS                2,500

# List all repos including disabled ones
$ dnf repolist all
repo id              repo name                    status
rhel-9-appstream     RHEL 9 AppStream             enabled
rhel-9-baseos        RHEL 9 BaseOS                enabled
rhel-9-supplementary RHEL 9 Supplementary         disabled

# Show detailed information about a specific repository
$ dnf repoinfo rhel-9-baseos

# Test that packages can be found — install nothing
$ dnf --disablerepo='*' --enablerepo=rhel-9-baseos list available
Count in repolist confirms connectivity

The package count shown by dnf repolist confirms that DNF successfully downloaded and read the repository metadata. A count of 0 or an error indicates a connectivity or configuration problem.

Using dnf config-manager

The dnf config-manager subcommand provides a command-line interface for managing repository configuration without editing files directly.

# Add a repository from a URL — creates a .repo file automatically
$ sudo dnf config-manager --add-repo \
    http://content.example.com/rhel9.0/x86_64/dvd/BaseOS

# Enable a disabled repository by its ID
$ sudo dnf config-manager --enable rhel-9-supplementary

# Disable a repository
$ sudo dnf config-manager --disable rhel-9-supplementary

# Set a specific option in a repository section
$ sudo dnf config-manager --setopt=rhel-9-baseos.gpgcheck=0

# Confirm the change was applied
$ dnf repolist all
config-manager requires dnf-plugins-core

The config-manager subcommand is provided by the dnf-plugins-core package. If the subcommand is not available, install it first: sudo dnf install dnf-plugins-core

Enabling and Disabling Repositories

There are two ways to enable or disable a repository — one is permanent, one is temporary for a single command.

Permanent — Edit the .repo File or Use config-manager

# Permanently disable by editing the .repo file
enabled=0

# Or use config-manager (modifies the file automatically)
$ sudo dnf config-manager --disable rhel-9-supplementary

Temporary — Override for a Single dnf Command

# Use only a specific repo for this one command
$ sudo dnf install --enablerepo=rhel-9-supplementary package-name

# Disable all repos and use only one — useful for testing
$ dnf list --disablerepo='*' --enablerepo=rhel-9-baseos available

# Skip a repo that is unreachable for this one command
$ sudo dnf update --disablerepo=rhel-9-supplementary
Temporary flags do not modify .repo files

--enablerepo and --disablerepo on a single dnf command override the configuration for that command only. The .repo file is unchanged and the next dnf command uses the original settings.

Local Repository from ISO Media

The RHEL installation ISO contains BaseOS and AppStream repositories and can be mounted and used as a local package source — no network required.

Step 1: Mount the ISO

# Mount the ISO image to a directory
$ sudo mkdir -p /mnt/rhel9-iso
$ sudo mount -o loop /dev/sr0 /mnt/rhel9-iso

# For a downloaded ISO file
$ sudo mount -o loop,ro /tmp/rhel-9.iso /mnt/rhel9-iso

# Confirm the repository directories exist on the mounted media
$ ls /mnt/rhel9-iso
AppStream  BaseOS  EFI  images  isolinux  media.repo  TRANS.TBL
Persistent mount — add to /etc/fstab

A mount command does not survive a reboot. To make the mount persistent, add an entry to /etc/fstab or use a systemd mount unit. For lab and exam use, the one-time mount command is sufficient.

Local Repository .repo File

After mounting the ISO, create a .repo file pointing to the local paths. Use the file:// URL scheme for local filesystem paths.

$ sudo tee /etc/yum.repos.d/rhel9-local.repo <<EOF
[rhel-9-baseos-local]
name=RHEL 9 BaseOS (Local ISO)
baseurl=file:///mnt/rhel9-iso/BaseOS
enabled=1
gpgcheck=0

[rhel-9-appstream-local]
name=RHEL 9 AppStream (Local ISO)
baseurl=file:///mnt/rhel9-iso/AppStream
enabled=1
gpgcheck=0
EOF

# Verify both repositories are reachable
$ dnf repolist
repo id                  repo name                    status
rhel-9-appstream-local   RHEL 9 AppStream (Local ISO) 4,672
rhel-9-baseos-local      RHEL 9 BaseOS (Local ISO)    1,658
file:// uses three slashes for absolute paths

file:///mnt/rhel9-iso/BaseOS has three slashes — two for the URL scheme separator and one for the absolute path. Two slashes is incorrect and the repository will fail to load.

GPG Key Verification

GPG signature checking confirms that packages came from the expected source and have not been tampered with. It requires a GPG public key to be imported or referenced in the .repo file.

# Import the Red Hat GPG key from the local system
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# Import from the installation media
$ sudo rpm --import /mnt/rhel9-iso/RPM-GPG-KEY-redhat-release

# Reference the key in the .repo file with gpgkey=
[rhel-9-baseos]
name=RHEL 9 BaseOS
baseurl=file:///mnt/rhel9-iso/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# List imported GPG keys
$ rpm -q --qf '%{NAME}-%{VERSION}\n' gpg-pubkey
Lab vs production

Setting gpgcheck=0 is acceptable in a lab or exam environment with trusted local media. In production, always use gpgcheck=1 with a valid gpgkey directive to prevent installing tampered packages.

Managing the Repository Cache

DNF caches repository metadata locally to speed up package operations. Cache management is essential when repository contents change or when troubleshooting.

# Download and cache metadata from all enabled repositories
$ sudo dnf makecache

# Clean all cached metadata and packages
$ sudo dnf clean all

# Clean only cached metadata (keep downloaded packages)
$ sudo dnf clean metadata

# Force refresh of metadata on the next command
$ sudo dnf --refresh list updates

# View cache storage location and size
$ du -sh /var/cache/dnf
When to clean the cache

Run dnf clean metadata after changing a .repo file, after mounting new media, or when DNF reports stale or inconsistent metadata. Stale cache is the most common cause of confusing repository errors.

Red Hat Subscription Manager

On systems registered with Red Hat, subscription-manager controls access to the official Red Hat CDN repositories. It manages entitlements and generates .repo files automatically.

# Register a system with Red Hat (requires a login)
$ sudo subscription-manager register
Username: user@example.com
Password:

# Attach an available subscription automatically
$ sudo subscription-manager attach --auto

# List available and consumed subscriptions
$ sudo subscription-manager list --available
$ sudo subscription-manager list --consumed

# Refresh subscription data and regenerate repo files
$ sudo subscription-manager refresh

# Repos created by subscription-manager appear here
$ ls /etc/yum.repos.d/
redhat.repo
Lab and exam environments

The RHCSA exam environment typically uses a local content server rather than the Red Hat CDN, so subscription-manager is not required. Students configure .repo files pointing to the provided URLs directly.

Troubleshooting Repository Problems

Symptom Likely cause How to fix
Repository not in dnf repolist File not in /etc/yum.repos.d/, not ending in .repo, or enabled=0 Check filename, location, and enabled directive
Repo shows 0 packages Wrong baseurl path, media not mounted, no repodata/ directory Verify URL or path, check mount, run dnf clean metadata
GPG key error on install gpgcheck=1 but key not imported or wrong key Set gpgcheck=0 for lab, or import the correct key with rpm --import
SSL certificate error Connecting to HTTPS repo with an invalid or self-signed certificate Set sslverify=0 in the .repo file (lab only)
Metadata error or stale cache Cached metadata no longer matches the repository Run sudo dnf clean all then sudo dnf makecache
Cannot find package after adding repo Cache not refreshed after adding the repository Run sudo dnf makecache or use --refresh

Common Mistakes

Mistake What goes wrong Correct approach
File not ending in .repo DNF ignores the file entirely — no error message Always name repository files with the .repo extension
Spaces in the repository ID DNF fails to parse the section header Use only letters, numbers, hyphens, and underscores in [repoid]
Two slashes in a file:// URL Path resolves incorrectly — 0 packages or connection error Use three slashes: file:///absolute/path
Pointing baseurl at the top of the ISO No repodata/ directory at that level — 0 packages Point to /mnt/rhel9-iso/BaseOS or /AppStream, not /mnt/rhel9-iso
Not running dnf clean metadata after changes Stale cache masks new or modified repositories Run dnf clean metadata after any .repo file change
Forgetting enabled=1 Repository exists but is disabled — packages not available Add enabled=1 or omit it (enabled is the default)

Knowledge Check

Answer these before moving to the next slide.

  1. Where must .repo files be placed for DNF to read them? What must the filename end with?
  2. Write a complete .repo file section for a repository named "RHEL 9 BaseOS" with ID rhel-9-baseos, located at http://content.example.com/rhel9/BaseOS, enabled, with GPG checking disabled.
  3. After writing a new .repo file, what command confirms it is working and shows the number of available packages?
  4. The RHEL 9 installation ISO is mounted at /mnt/dvd. What baseurl values would you use for the BaseOS and AppStream repos?
  5. You add a new repository but dnf install still cannot find the package. What is the most likely cause and what command resolves it?
  6. What is the difference between dnf config-manager --disable repoid and dnf install --disablerepo=repoid?

Knowledge Check — Answers

  1. Repository files must be placed in /etc/yum.repos.d/ and the filename must end with .repo. Files with any other extension are silently ignored.
  2. [rhel-9-baseos]
    name=RHEL 9 BaseOS
    baseurl=http://content.example.com/rhel9/BaseOS
    enabled=1
    gpgcheck=0
  3. dnf repolist — a package count greater than 0 confirms the repository is reachable and its metadata was downloaded successfully.
  4. BaseOS: baseurl=file:///mnt/dvd/BaseOS
    AppStream: baseurl=file:///mnt/dvd/AppStream
    Note three slashes in the file:// URL scheme.
  5. The most likely cause is a stale DNF metadata cache that does not yet include the new repository's packages. Run sudo dnf clean metadata followed by sudo dnf makecache, then try the install again.
  6. dnf config-manager --disable permanently sets enabled=0 in the .repo file — all future dnf commands will skip the repository.
    dnf install --disablerepo=repoid disables the repository for that single command only — the .repo file is unchanged.

Key Takeaways

  1. Repositories are configured in /etc/yum.repos.d/*.repo files. Each file must end in .repo. Each repository section needs a unique ID in brackets, a name, a baseurl or mirrorlist, and optionally enabled and gpgcheck directives.
  2. Verify with dnf repolist — the package count confirms connectivity. A count of 0 means the baseurl is wrong or the media is not mounted. Run dnf clean metadata after any .repo file change.
  3. Use file:///path (three slashes) for local repositories. For the RHEL ISO, point to the BaseOS and AppStream subdirectories — not the ISO root. Mount the ISO first and confirm the paths exist.
  4. Permanent changes go in .repo files; temporary changes use command flags. dnf config-manager --enable/--disable modifies the file permanently. --enablerepo/--disablerepo on a dnf command applies to that command only.

Graded Lab

  • Create /etc/yum.repos.d/rhel9.repo with two sections — one for BaseOS and one for AppStream — using the URLs provided by your instructor. Set gpgcheck=0 and enabled=1 for both.
  • Run dnf repolist and confirm both repositories show a package count greater than zero.
  • Use dnf repoinfo rhel-9-baseos to display the full configuration details of the BaseOS repository and note the Repo-baseurl field.
  • Disable the AppStream repository using dnf config-manager --disable. Confirm it is disabled with dnf repolist all. Re-enable it and verify it is active again.
  • Mount the RHEL 9 installation ISO and create a second .repo file pointing to the local media. Verify both local repositories show package counts.
  • Run dnf clean all then dnf makecache and observe DNF downloading fresh metadata from all configured repositories.
RHCSA Objective

"Configure access to RPM repositories." Writing a correct .repo file from a given URL and verifying it with dnf repolist is one of the first tasks on the exam — without it, package installation tasks cannot be completed.