Can I Force Yum To Only Use Http.


Our outsourced IT department has decided to use whitelisting on the firewalls for outbound ftp. I was given a list of sites our lab had accessed via ftp and eventually tracked them down to Linux machines running yum. They are all CentOS 5 or 6 with a smattering of 7. It is impractical to list all the possibilities since they change on a regular basis. Also, any 3rd party repos we need are another ball of wax.

Various Google searches and the manual page have not shown me how to avoid using ftp mirrors. I have considered taking out the ftp-proxy information so that the ftp cannot get out, but I suspect it will just hang waiting for a response.

Does anyone have any suggestions on ways to tell yum not to use ftp as the download mechanism?

Thank you in advance.

Bob

8 thoughts on - Can I Force Yum To Only Use Http.

  • FWIW, my CentOS 7 install doesn’t have ftp installed and yum has no apparent issues.

    I also, mainly, use Fedora (22 currently) and it hasn’t had ftp installed for a long time. Of course it uses dnf now, not yum.

    HTH

  • AFAIK yum and its successor dnf use “libcurl” for the transfer, which has “curl” as its CLI.

    curl and wget both can use the ftp:// protocol, so the (non-)presence of “ftp” is not a deciding factor.

    Setting up a proxy that gives a “404”/deny on ftp:// is more helpful here.

    – Yamaban.

  • If I understand you correctly, if I uninstall the ftp client, yum will not use it as it cannot. Is this the case? I had assumed that the code underlying yum had its own stack for dealing with ftp://… urls.

    I will try this on a couple of machines.

    Thank you, Bob

  • No, that's quite wrong. yum uses libcurl, which is the guts of the curl command, and curl accesses ftp:// URLs without using the ftp command.

    Configure your external gateway firewall to REJECT (not DROP) any outbound ftp, and yum will quickly move on to other protocols.

  • Hello Robert,

    When configuring your repos using baseurl= instead of mirrorlist= you can pin the server being used. Find an http mirror at https://www.CentOS.org/download/mirrors/ or configure all hosts to use the same FTP mirror and whitelist that one.

    If you have many clients accessing the same mirror, configuring a proxy (proxy= in yum.conf) to cache the downloaded rpms will reduce download time and load on the mirror you are using.

    Regards, Leonard.

  • You should be able to accomplish the same thing by configuring your local firewall to REJECT the packets before they reach the company firewall and get dropped. That means configuring each box though, so it may be easier to get your IT admin to make the change to the company firewall, or he may refuse, in which case you’re left with the local option at least.

    Peter

  • On the machines that are using ftp, do the contents of /etc/yum.repos.d/CentOS-Base.repo look the same as on the machines that are not using FTP? Perhaps include the CentOS-Base.repo file from ONE of the offending machines in an email. Baseurl can be used to force where and how to connect, but because you are getting ftp instead of http connections I am suspecting someone has probably already forced it the other way; the files may tell.

    Another possibility is that on those machines, once upon a time, they found that the ftp host had the fastest _ping_ time, and have used it ever since. You may be able to log into those machines, `cat /var/cache/yum/timedhosts.txt` and see ftp hosts listed. If so, try [large hammer warning] `yum clean all; yum update` and see if they try going back to the ftp site or pick a new http one.

    Even when this disclaimer is not here:
    I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
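As an added example (not code from anyone in this thread), here is a small Python audit for the baseurl= versus mirrorlist= advice above: it classifies each section of a .repo file by whether yum is left to pick its own mirror (which may be ftp://) or is pinned to an ftp:// or non-ftp URL, and can rewrite a section to a pinned http mirror. The sample .repo text and the example.internal hostnames are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .repo text (real files live in /etc/yum.repos.d/); hostnames are made up.
SAMPLE_REPO = """[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
baseurl=ftp://ftp.example.internal/centos/$releasever/updates/$basearch/
gpgcheck=1

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.example.internal/centos/$releasever/extras/$basearch/
gpgcheck=1
"""

def audit_repo(text):
    """Per [section]: 'mirrorlist' (yum chooses, maybe ftp://), 'ftp-baseurl', 'ok' or 'no-url'."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever etc. literal
    cp.read_string(text)
    findings = {}
    for sec in cp.sections():
        if cp.has_option(sec, "mirrorlist"):
            findings[sec] = "mirrorlist"
        elif cp.has_option(sec, "baseurl"):
            # baseurl= may carry several whitespace-separated URLs; flag any ftp one
            schemes = {urlsplit(u).scheme for u in cp.get(sec, "baseurl").split()}
            findings[sec] = "ftp-baseurl" if "ftp" in schemes else "ok"
        else:
            findings[sec] = "no-url"
    return findings

def pin_mirror(text, section, http_url):
    """Pin [section] to http_url, dropping its mirrorlist=/baseurl= lines (layout kept)."""
    out, cur = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            out.append(line)
            if cur == section:
                out.append("baseurl=" + http_url)
            continue
        if cur == section and line.split("=", 1)[0].strip() in ("mirrorlist", "baseurl"):
            continue
        out.append(line)
    return "\n".join(out) + "\n"
```

Run audit_repo over each file in /etc/yum.repos.d/ to find the sections that still leave mirror choice to yum; pinning only replaces the URL, so the chosen mirror must actually carry that repo path.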