RED HAT ENTERPRISE LINUX
Configuring RPM Repositories
Configure access to RPM repositories
CIS126RH | RHEL System Administration 1
Mesa Community College
Before you can install or update software on a RHEL system, the system must know where to find packages. RPM repositories are the source — and configuring access to them is a fundamental administration task. This module covers how repositories work, how to write and manage repository configuration files, how to use dnf to interact with repositories, and how to configure a local repository from installation media. These skills are tested on the RHCSA exam.
Learning Objectives
- Explain what RPM repositories are and how they work — Describe the relationship between packages, repositories, and the DNF package manager
- Write and manage repository configuration files — Create .repo files in /etc/yum.repos.d/ with the required directives
- Use dnf to manage repository access — List, enable, disable, and add repositories using dnf config-manager
- Configure a local repository from installation media — Mount an ISO image and configure it as a local repository source
What is an RPM Repository?
A repository (repo) is a collection of RPM packages stored at a network or local location, along with metadata that describes what packages are available and their dependencies.
- The repository metadata tells DNF what packages are available, their versions, and what they depend on
- DNF reads the metadata, resolves dependencies, and downloads only what is needed
- Repositories can be hosted on HTTP servers, FTP servers, NFS shares, or on the local filesystem
- Red Hat hosts the official RHEL repositories at cdn.redhat.com — access requires a valid subscription
- Without a subscription, the RHEL DVD ISO or a mirror can serve as a local repository
RPM is the low-level package format and tool — it installs a single package file you already have. DNF is the high-level package manager — it finds packages in repositories, resolves dependencies, and calls RPM to do the actual installation.
Repository Configuration Files
DNF reads repository definitions from files ending in .repo located in
/etc/yum.repos.d/. Each file can define one or more repositories.
# List configured repository files
$ ls /etc/yum.repos.d/
rhel-9.repo epel.repo local-media.repo
# Each .repo file contains one or more repository sections
# A minimal valid .repo file looks like this:
[rhel-9-baseos]
name=Red Hat Enterprise Linux 9 - BaseOS
baseurl=https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
You must be able to write a .repo file from scratch given a URL or path.
The three required directives are the section header in brackets, baseurl,
and enabled. All other directives are optional but commonly tested.
.repo File Directives
| Directive | Required | Description |
|---|---|---|
| [repoid] | Yes | Section header — unique identifier for this repository, no spaces |
| name= | Yes | Human-readable repository name shown in dnf output |
| baseurl= | Yes * | URL or path where the repository is located — must contain a repodata/ directory |
| mirrorlist= | Yes * | URL to a list of mirrors — alternative to baseurl |
| enabled= | No | 1 to enable (default), 0 to disable the repository |
| gpgcheck= | No | 1 to verify package signatures (recommended), 0 to skip |
| gpgkey= | No | Path or URL to the GPG public key used for signature verification |
| sslverify= | No | 1 to verify SSL certificates (default), 0 to skip |
* Either baseurl or mirrorlist is required — not both.
Writing a .repo File
Create the file in /etc/yum.repos.d/ using vim or a here document.
The filename must end in .repo.
Using vim
$ sudo vim /etc/yum.repos.d/rhel9.repo
Using a here document
$ sudo tee /etc/yum.repos.d/rhel9.repo <<EOF
[rhel-9-baseos]
name=RHEL 9 BaseOS
baseurl=http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
enabled=1
gpgcheck=0
[rhel-9-appstream]
name=RHEL 9 AppStream
baseurl=http://content.example.com/rhel9.0/x86_64/dvd/AppStream
enabled=1
gpgcheck=0
EOF
RHEL 9 splits packages between BaseOS (core OS packages) and
AppStream (applications, runtime environments, and developer tools).
Both are typically needed — configure both in the same .repo file.
Verifying Repository Configuration
After creating a .repo file, confirm DNF can read it and reach
the repository.
# List all configured repositories and their status
$ dnf repolist
repo id repo name status
rhel-9-appstream RHEL 9 AppStream 8,000
rhel-9-baseos RHEL 9 BaseOS 2,500
# List all repos including disabled ones
$ dnf repolist all
repo id repo name status
rhel-9-appstream RHEL 9 AppStream enabled
rhel-9-baseos RHEL 9 BaseOS enabled
rhel-9-supplementary RHEL 9 Supplementary disabled
# Show detailed information about a specific repository
$ dnf repoinfo rhel-9-baseos
# Test that packages can be found — install nothing
$ dnf --disablerepo='*' --enablerepo=rhel-9-baseos list available
The package count shown by dnf repolist confirms that DNF successfully
downloaded and read the repository metadata. A count of 0 or an error indicates a
connectivity or configuration problem.
Using dnf config-manager
The dnf config-manager subcommand provides a command-line interface
for managing repository configuration without editing files directly.
# Add a repository from a URL — creates a .repo file automatically
$ sudo dnf config-manager --add-repo \
http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
# Enable a disabled repository by its ID
$ sudo dnf config-manager --enable rhel-9-supplementary
# Disable a repository
$ sudo dnf config-manager --disable rhel-9-supplementary
# Set a specific option in a repository section (--save writes it to the .repo file)
$ sudo dnf config-manager --save --setopt=rhel-9-baseos.gpgcheck=0
# Confirm the change was applied
$ dnf repolist all
The config-manager subcommand is provided by the
dnf-plugins-core package. If the subcommand is not available,
install it first: sudo dnf install dnf-plugins-core
Enabling and Disabling Repositories
There are two ways to enable or disable a repository — one is permanent, one is temporary for a single command.
Permanent — Edit the .repo File or Use config-manager
# Permanently disable by editing the .repo file
enabled=0
# Or use config-manager (modifies the file automatically)
$ sudo dnf config-manager --disable rhel-9-supplementary
Temporary — Override for a Single dnf Command
# Use only a specific repo for this one command
$ sudo dnf install --enablerepo=rhel-9-supplementary package-name
# Disable all repos and use only one — useful for testing
$ dnf list --disablerepo='*' --enablerepo=rhel-9-baseos available
# Skip a repo that is unreachable for this one command
$ sudo dnf update --disablerepo=rhel-9-supplementary
--enablerepo and --disablerepo on a single dnf command
override the configuration for that command only. The .repo file is
unchanged and the next dnf command uses the original settings.
Local Repository from ISO Media
The RHEL installation ISO contains BaseOS and AppStream repositories and can be mounted and used as a local package source — no network required.
Step 1: Mount the ISO
# Mount the ISO image to a directory
$ sudo mkdir -p /mnt/rhel9-iso
$ sudo mount -o loop /dev/sr0 /mnt/rhel9-iso
# For a downloaded ISO file
$ sudo mount -o loop,ro /tmp/rhel-9.iso /mnt/rhel9-iso
# Confirm the repository directories exist on the mounted media
$ ls /mnt/rhel9-iso
AppStream BaseOS EFI images isolinux media.repo TRANS.TBL
A mount command does not survive a reboot. To make the mount persistent, add an entry
to /etc/fstab or use a systemd mount unit. For lab and exam use,
the one-time mount command is sufficient.
Local Repository .repo File
After mounting the ISO, create a .repo file pointing to the local paths.
Use the file:// URL scheme for local filesystem paths.
$ sudo tee /etc/yum.repos.d/rhel9-local.repo <<EOF
[rhel-9-baseos-local]
name=RHEL 9 BaseOS (Local ISO)
baseurl=file:///mnt/rhel9-iso/BaseOS
enabled=1
gpgcheck=0
[rhel-9-appstream-local]
name=RHEL 9 AppStream (Local ISO)
baseurl=file:///mnt/rhel9-iso/AppStream
enabled=1
gpgcheck=0
EOF
# Verify both repositories are reachable
$ dnf repolist
repo id repo name status
rhel-9-appstream-local RHEL 9 AppStream (Local ISO) 4,672
rhel-9-baseos-local RHEL 9 BaseOS (Local ISO) 1,658
file:///mnt/rhel9-iso/BaseOS has three slashes — two for the URL scheme
separator and one for the absolute path. Two slashes is incorrect and the repository
will fail to load.
GPG Key Verification
GPG signature checking confirms that packages came from the expected source and
have not been tampered with. It requires a GPG public key to be imported
or referenced in the .repo file.
# Import the Red Hat GPG key from the local system
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# Import from the installation media
$ sudo rpm --import /mnt/rhel9-iso/RPM-GPG-KEY-redhat-release
# Reference the key in the .repo file with gpgkey=
[rhel-9-baseos]
name=RHEL 9 BaseOS
baseurl=file:///mnt/rhel9-iso/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# List imported GPG keys
$ rpm -q --qf '%{NAME}-%{VERSION}\n' gpg-pubkey
Setting gpgcheck=0 is acceptable in a lab or exam environment with trusted
local media. In production, always use gpgcheck=1 with a valid
gpgkey directive to prevent installing tampered packages.
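An added example, not part of the course material: a shell function that lists enabled repositories in a directory of .repo files where gpgcheck or sslverify has been turned off, so lab settings do not carry over to production unnoticed. The function name audit_repos and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag enabled repositories whose verification has been weakened.
# audit_repos is a hypothetical helper; it prints "<file>:<repoid>: <finding>".
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue          # DNF only reads files ending in .repo
        awk -v file="$f" '
        function report() {
            if (id == "" || id == "main" || enabled == "0") return
            if (gpg == "0") print file ":" id ": gpgcheck=0, package signatures not verified"
            if (ssl == "0") print file ":" id ": sslverify=0, TLS certificate not verified"
            if (gpg == "0" && url ~ /^(http|ftp):/)
                print file ":" id ": unsigned packages fetched over plaintext " url
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # start of a new [repoid] section
            report(); id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            enabled = "1"; gpg = ""; ssl = ""; url = ""; next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            b = tolower(v)                          # booleans may be 0/no/false/off
            if (b == "no" || b == "false" || b == "off") b = "0"
            if (k == "enabled")   enabled = b
            if (k == "gpgcheck")  gpg = b
            if (k == "sslverify") ssl = b
            if (k == "baseurl")   url = v
        }
        END { report() }' "$f"
    done
}

# Constructed sample input, modelled on the lab .repo file shown earlier on this page.
demo=$(mktemp -d)
cat > "$demo/rhel9.repo" <<'EOF'
[rhel-9-baseos]
name=RHEL 9 BaseOS
baseurl=http://content.example.com/rhel9.0/x86_64/dvd/BaseOS
enabled=1
gpgcheck=0
EOF
audit_repos "$demo"
rm -rf "$demo"
```

Called with no argument, audit_repos reads /etc/yum.repos.d. A repository with no gpgcheck line inherits the value from [main] in /etc/dnf/dnf.conf, which this check does not read.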
Managing the Repository Cache
DNF caches repository metadata locally to speed up package operations. Cache management is essential when repository contents change or when troubleshooting.
# Download and cache metadata from all enabled repositories
$ sudo dnf makecache
# Clean all cached metadata and packages
$ sudo dnf clean all
# Clean only cached metadata (keep downloaded packages)
$ sudo dnf clean metadata
# Force refresh of metadata on the next command
$ sudo dnf --refresh list updates
# View cache storage location and size
$ du -sh /var/cache/dnf
Run dnf clean metadata after changing a .repo file,
after mounting new media, or when DNF reports stale or inconsistent metadata.
Stale cache is the most common cause of confusing repository errors.
Red Hat Subscription Manager
On systems registered with Red Hat, subscription-manager controls access
to the official Red Hat CDN repositories. It manages entitlements and generates
.repo files automatically.
# Register a system with Red Hat (requires a login)
$ sudo subscription-manager register
Username: user@example.com
Password:
# Attach an available subscription automatically
$ sudo subscription-manager attach --auto
# List available and consumed subscriptions
$ sudo subscription-manager list --available
$ sudo subscription-manager list --consumed
# Refresh subscription data and regenerate repo files
$ sudo subscription-manager refresh
# Repos created by subscription-manager appear here
$ ls /etc/yum.repos.d/
redhat.repo
The RHCSA exam environment typically uses a local content server rather than the Red Hat
CDN, so subscription-manager is not required. Students configure .repo files
pointing to the provided URLs directly.
Troubleshooting Repository Problems
| Symptom | Likely cause | How to fix |
|---|---|---|
| Repository not in dnf repolist | File not in /etc/yum.repos.d/, not ending in .repo, or enabled=0 | Check filename, location, and enabled directive |
| Repo shows 0 packages | Wrong baseurl path, media not mounted, no repodata/ directory | Verify URL or path, check mount, run dnf clean metadata |
| GPG key error on install | gpgcheck=1 but key not imported or wrong key | Set gpgcheck=0 for lab, or import the correct key with rpm --import |
| SSL certificate error | Connecting to HTTPS repo with an invalid or self-signed certificate | Set sslverify=0 in the .repo file (lab only) |
| Metadata error or stale cache | Cached metadata no longer matches the repository | Run sudo dnf clean all then sudo dnf makecache |
| Cannot find package after adding repo | Cache not refreshed after adding the repository | Run sudo dnf makecache or use --refresh |
Common Mistakes
| Mistake | What goes wrong | Correct approach |
|---|---|---|
| File not ending in .repo | DNF ignores the file entirely — no error message | Always name repository files with the .repo extension |
| Spaces in the repository ID | DNF fails to parse the section header | Use only letters, numbers, hyphens, and underscores in [repoid] |
| Two slashes in a file:// URL | Path resolves incorrectly — 0 packages or connection error | Use three slashes: file:///absolute/path |
| Pointing baseurl at the top of the ISO | No repodata/ directory at that level — 0 packages | Point to /mnt/rhel9-iso/BaseOS or /AppStream, not /mnt/rhel9-iso |
| Not running dnf clean metadata after changes | Stale cache masks new or modified repositories | Run dnf clean metadata after any .repo file change |
| Forgetting enabled=1 | Repository exists but is disabled — packages not available | Add enabled=1 or omit it (enabled is the default) |
Knowledge Check
Answer these before moving to the next slide.
- Where must .repo files be placed for DNF to read them? What must the filename end with?
- Write a complete .repo file section for a repository named "RHEL 9 BaseOS" with ID rhel-9-baseos, located at http://content.example.com/rhel9/BaseOS, enabled, with GPG checking disabled.
- After writing a new .repo file, what command confirms it is working and shows the number of available packages?
- The RHEL 9 installation ISO is mounted at /mnt/dvd. What baseurl values would you use for the BaseOS and AppStream repos?
- You add a new repository but dnf install still cannot find the package. What is the most likely cause and what command resolves it?
- What is the difference between dnf config-manager --disable repoid and dnf install --disablerepo=repoid?
Knowledge Check — Answers
- Repository files must be placed in /etc/yum.repos.d/ and the filename must end with .repo. Files with any other extension are silently ignored.
- [rhel-9-baseos]
  name=RHEL 9 BaseOS
  baseurl=http://content.example.com/rhel9/BaseOS
  enabled=1
  gpgcheck=0
- dnf repolist — a package count greater than 0 confirms the repository is reachable and its metadata was downloaded successfully.
- BaseOS: baseurl=file:///mnt/dvd/BaseOS
  AppStream: baseurl=file:///mnt/dvd/AppStream
  Note three slashes in the file:// URL scheme.
- The most likely cause is a stale DNF metadata cache that does not yet include the new repository's packages. Run sudo dnf clean metadata followed by sudo dnf makecache, then try the install again.
- dnf config-manager --disable permanently sets enabled=0 in the .repo file — all future dnf commands will skip the repository. dnf install --disablerepo=repoid disables the repository for that single command only — the .repo file is unchanged.
Key Takeaways
- Repositories are configured in /etc/yum.repos.d/*.repo files. Each file must end in .repo. Each repository section needs a unique ID in brackets, a name, a baseurl or mirrorlist, and optionally enabled and gpgcheck directives.
- Verify with dnf repolist — the package count confirms connectivity. A count of 0 means the baseurl is wrong or the media is not mounted. Run dnf clean metadata after any .repo file change.
- Use file:///path (three slashes) for local repositories. For the RHEL ISO, point to the BaseOS and AppStream subdirectories — not the ISO root. Mount the ISO first and confirm the paths exist.
- Permanent changes go in .repo files; temporary changes use command flags. dnf config-manager --enable/--disable modifies the file permanently. --enablerepo/--disablerepo on a dnf command applies to that command only.
Graded Lab
- Create /etc/yum.repos.d/rhel9.repo with two sections — one for BaseOS and one for AppStream — using the URLs provided by your instructor. Set gpgcheck=0 and enabled=1 for both.
- Run dnf repolist and confirm both repositories show a package count greater than zero.
- Use dnf repoinfo rhel-9-baseos to display the full configuration details of the BaseOS repository and note the Repo-baseurl field.
- Disable the AppStream repository using dnf config-manager --disable. Confirm it is disabled with dnf repolist all. Re-enable it and verify it is active again.
- Mount the RHEL 9 installation ISO and create a second .repo file pointing to the local media. Verify both local repositories show package counts.
- Run dnf clean all then dnf makecache and observe DNF downloading fresh metadata from all configured repositories.
"Configure access to RPM repositories."
Writing a correct .repo file from a given URL and verifying it with
dnf repolist is one of the first tasks on the exam — without it,
package installation tasks cannot be completed.