Mastering DNF & YUM: Advanced Repository Management for RHEL/CentOS SysAdmins

Ensuring Enterprise Continuity: Mastering Software Lifecycles and Recovery in the DNF Ecosystem

In the RHEL ecosystem, package management has evolved from the aging YUM (Yellowdog Updater, Modified) v3 to the more sophisticated DNF (Dandified YUM). While the commands may feel familiar, the underlying engine—libdnf—.

*Although RHEL 8 and RHEL 9 are based on **DNF**, they are compatible with **YUM** used in RHEL 7.*

Note: All technical procedures and CLI examples in this guide were validated on RHEL 9.7 (Plow). While most commands are backward compatible with RHEL 8, ensure you test in a staging environment before production execution.

1. Introduction: The Evolution of Package Management

In RHEL 8 and 9, the /usr/bin/yum command is a symbolic link to dnf. While legacy scripts still run, the backend is powered by the YUM v4 engine.

[root@mosalahlab ~]$ ll /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Jul  1 07:15 /usr/bin/yum -> dnf-3
[root@mosalahlab ~]$

DNF uses an alternative dependency resolver (libsolv) which is significantly faster and more memory-efficient.

2. Anatomy of a Repo (.repo files)

Repository configurations reside in /etc/yum.repos.d/. Each .repo file can contain multiple repository stanzas.

Key Parameters Breakdown

  • [repositoryid]: A unique name for the repo (no spaces).

  • baseurl: The URL to the directory where the repodata resides.

  • gpgcheck: (0 or 1) Enables/disables GPG signature checking to ensure package integrity.

  • enabled: (0 or 1) Tells DNF whether to include this repo in operations.

  • priority: Requires the dnf-plugins-core. Lower values mean higher priority (1 is highest).

Practical Example: Adding the HashiCorp Repository

Manually creating a repo file is a standard task for modern infrastructure tooling.

# Create the repo file manually
cat <<EOF | sudo tee /etc/yum.repos.d/hashicorp.repo
[hashicorp]
name=Hashicorp Stable - \$basearch
baseurl=https://rpm.releases.hashicorp.com/RHEL/\$releasever/\$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg
EOF

# Clean cache
dnf clean all
# Verify the repo is active
[root@mosalahlab yum.repos.d]$ dnf repolist 
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

repo id                                                        repo name
AppStream                                                      RHEL 9 AppStream Local Repository
BaseOS                                                         RHEL 9 BaseOS Local Repository
hashicorp                                                      Hashicorp Stable
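
To check the parameters described above across a whole .repo file, the following added example (not part of the original article) flags enabled stanzas that turn gpgcheck off or that fetch baseurl or gpgkey over cleartext HTTP/FTP. It goes beyond the single hashicorp stanza by handling any number of stanzas per file; the function names and the two internal repos in the sample are hypothetical.

```bash
# Added example, not from the original article: flag weak trust settings in
# DNF .repo stanzas. Keys a stanza omits are inherited from [main] and skipped.

# audit_repo_file FILE -> prints one "repoid: finding" line per problem.
audit_repo_file() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function report() {
      if (id == "" || enabled ~ /^(0|no|false)$/) return  # skip disabled
      if (gpgcheck ~ /^(0|no|false)$/)
        print id ": gpgcheck disabled, package signatures are not verified"
      if (baseurl ~ /^(http|ftp):\/\//)
        print id ": baseurl uses cleartext transport"
      if (gpgkey ~ /^(http|ftp):\/\//)
        print id ": gpgkey is fetched over cleartext transport"
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # stanza header
      report()
      id = trim($0); id = substr(id, 2, length(id) - 2)
      enabled = gpgcheck = gpgkey = baseurl = ""
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next    # blank or malformed line
      key = tolower(trim(substr($0, 1, eq - 1)))
      val = trim(substr($0, eq + 1))
      if (key == "enabled")  enabled  = tolower(val)
      if (key == "gpgcheck") gpgcheck = tolower(val)
      if (key == "gpgkey")   gpgkey   = val
      if (key == "baseurl")  baseurl  = val
    }
    END { report() }
  ' "$1"
}

# Constructed sample: the hashicorp stanza from above plus two hypothetical
# internal repos (one enabled and weak, one disabled).
write_sample() {
  printf '%s\n' '[hashicorp]' \
    'baseurl=https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable' \
    'enabled=1' 'gpgcheck=1' 'gpgkey=https://rpm.releases.hashicorp.com/gpg' \
    '[internal-tools]' 'baseurl=http://repo.example.internal/el9/' \
    'enabled=1' 'gpgcheck=0' \
    '[old-mirror]' 'baseurl=http://mirror.example.internal/el9/' \
    'enabled=0' 'gpgcheck=0' > "$1"
}

tmp=$(mktemp); write_sample "$tmp"; audit_repo_file "$tmp"; rm -f "$tmp"
```

To audit the live configuration, call `audit_repo_file` on each file matching /etc/yum.repos.d/*.repo.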

3. Modern Management: AppStream & Modules

The most significant change in RHEL 8/9 is the AppStream repository. It allows the OS to decouple the lifecycle of the base operating system from the software running on it via Modules.

Understanding Modules

Modules represent a collection of packages that form a logical unit (e.g., a database). Each module can have multiple Streams, representing different versions (e.g., PostgreSQL 12 vs. 15).

To view available versions of a package like PostgreSQL:

[root@mosalahlab yum.repos.d]$ dnf module list postgresql
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:02:22 ago on Fri 19 Dec 2025 09:52:31 PM EET.
RHEL 9 AppStream Local Repository
Name                           Stream                     Profiles                              Summary                                               
postgresql                     15                         client, server [d]                    PostgreSQL server and client module                   
postgresql                     16                         client, server [d]                    PostgreSQL server and client module                   

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
[root@mosalahlab yum.repos.d]$

To enable a specific version (e.g., version 15):

[root@mosalahlab yum.repos.d]$ dnf module enable postgresql:15 -y 
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:03:21 ago on Fri 19 Dec 2025 09:52:31 PM EET.
Dependencies resolved.
======================================================================================================================================================
 Package                             Architecture                       Version                             Repository                           Size
======================================================================================================================================================
Enabling module streams:
 postgresql                                                             15                                                                           

Transaction Summary
======================================================================================================================================================

Complete!

To switch or reset a module stream:

[root@mosalahlab yum.repos.d]$ dnf module reset postgresql
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:04:00 ago on Fri 19 Dec 2025 09:52:31 PM EET.
Dependencies resolved.
======================================================================================================================================================
 Package                             Architecture                       Version                             Repository                           Size
======================================================================================================================================================
Resetting modules:
 postgresql                                                                                                                                          

Transaction Summary
======================================================================================================================================================

Is this ok [y/N]: y
Complete!
[root@mosalahlab yum.repos.d]$
[root@mosalahlab yum.repos.d]$ dnf module enable postgresql:16 -y 
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:04:52 ago on Fri 19 Dec 2025 09:52:31 PM EET.
Dependencies resolved.
======================================================================================================================================================
 Package                             Architecture                       Version                             Repository                           Size
======================================================================================================================================================
Enabling module streams:
 postgresql                                                             16                                                                           

Transaction Summary
======================================================================================================================================================

Complete!
[root@mosalahlab yum.repos.d]$

4. Survival Tools: History & Undo

One of DNF’s most powerful features is its "flight recorder." Every transaction is logged, allowing for surgical reverts.

Viewing the History

[root@mosalahlab yum.repos.d]$ dnf history
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

ID     | Command line                                                                                    | Date and time    | Action(s)      | Altered
------------------------------------------------------------------------------------------------------------------------------------------------------
     3 | install xorriso                                                                                 | 2025-12-09 21:04 | Install        |    4   
     2 | install pykickstart                                                                             | 2025-12-09 20:45 | Install        |    2   
     1 |                                                                                                 | 2025-12-09 20:01 | Install        |  694 EE
[root@mosalahlab yum.repos.d]$

This lists transaction IDs, the user who ran them, and the action taken. To see details of a specific transaction (e.g., ID 3):

[root@mosalahlab yum.repos.d]$ dnf history info 3
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Transaction ID : 3
Begin time     : Tue 09 Dec 2025 09:04:04 PM EET
Begin rpmdb    : 64be7ee728dfb9aafb51bc0706e2b79ec8c284bc9ed3bc8b24df455f1c310fda
End time       : Tue 09 Dec 2025 09:04:05 PM EET (1 seconds)
End rpmdb      : bec3710d8d5b695c528092b0ab93070f4a905320bb682da10984554a4a4793d7
User           : root <root>
Return-Code    : Success
Releasever     : 9
Command Line   : install xorriso
Persistence    : Persist
Comment        : 
Packages Altered:
    Install libburn-1.5.4-5.el9.x86_64      @AppStream
    Install libisoburn-1.5.4-5.el9_5.x86_64 @AppStream
    Install libisofs-1.5.4-4.el9.x86_64     @AppStream
    Install xorriso-1.5.4-5.el9_5.x86_64    @AppStream
[root@mosalahlab yum.repos.d]$

Scenario: Reverting a Broken Update

If a recent update caused a service failure, you can undo that specific transaction.

Warning: While dnf history undo is generally safe, it may fail if dependencies have shifted significantly since the transaction or if packages have been removed from the upstream repository.

[root@mosalahlab yum.repos.d]$ dnf history undo 3  -y
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:01:36 ago on Fri 19 Dec 2025 09:59:11 PM EET.
Dependencies resolved.
======================================================================================================================================================
 Package                             Architecture                    Version                                Repository                           Size
======================================================================================================================================================
Removing:
 xorriso                             x86_64                          1.5.4-5.el9_5                          @AppStream                          334 k
Removing dependent packages:
 libburn                             x86_64                          1.5.4-5.el9                            @AppStream                          373 k
 libisoburn                          x86_64                          1.5.4-5.el9_5                          @AppStream                          1.1 M
 libisofs                            x86_64                          1.5.4-4.el9                            @AppStream                          483 k

Transaction Summary
======================================================================================================================================================
Remove  4 Packages

Freed space: 2.2 M
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                              1/1 
  Running scriptlet: xorriso-1.5.4-5.el9_5.x86_64                                                                                                 1/4 
  Erasing          : xorriso-1.5.4-5.el9_5.x86_64                                                                                                 1/4 
  Erasing          : libisoburn-1.5.4-5.el9_5.x86_64                                                                                              2/4 
  Erasing          : libburn-1.5.4-5.el9.x86_64                                                                                                   3/4 
  Erasing          : libisofs-1.5.4-4.el9.x86_64                                                                                                  4/4 
  Running scriptlet: libisofs-1.5.4-4.el9.x86_64                                                                                                  4/4 
  Verifying        : libburn-1.5.4-5.el9.x86_64                                                                                                   1/4 
  Verifying        : libisoburn-1.5.4-5.el9_5.x86_64                                                                                              2/4 
  Verifying        : libisofs-1.5.4-4.el9.x86_64                                                                                                  3/4 
  Verifying        : xorriso-1.5.4-5.el9_5.x86_64                                                                                                 4/4 
Installed products updated.

Removed:
  libburn-1.5.4-5.el9.x86_64         libisoburn-1.5.4-5.el9_5.x86_64         libisofs-1.5.4-4.el9.x86_64         xorriso-1.5.4-5.el9_5.x86_64        

Complete!

Undo vs. Rollback

"undo" and "rollback" represent two fundamentally different approaches to reversing changes. Undo is transaction-based, targeting discrete operations within a session. Rollback is snapshot-based, reverting an entire system state to a previous point in time. Choosing the correct mechanism is critical for effective system management and recovery.

Locking Packages

Package locking is the practice of preventing specific packages from being updated, downgraded, or removed. This protects critical dependencies, ensures compliance, and maintains application compatibility. RHEL provides multiple mechanisms for package locking, each with distinct use cases.

The versionlock command is provided by a DNF plugin, so install it first:

[root@mosalahlab yum.repos.d]$ dnf install 'dnf-command(versionlock)'

Locking a Package

To lock the current version of the kernel:

[root@mosalahlab yum.repos.d]$ dnf versionlock add kernel
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:06:26 ago on Fri 19 Dec 2025 09:59:11 PM EET.
Adding versionlock on: kernel-0:5.14.0-611.5.1.el9_7.*
[root@mosalahlab yum.repos.d]$

To view all active locks:

[root@mosalahlab yum.repos.d]$ dnf versionlock list
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:09:35 ago on Fri 19 Dec 2025 09:59:11 PM EET.
kernel-0:5.14.0-611.5.1.el9_7.*

To remove a lock:

[root@mosalahlab yum.repos.d]$ dnf versionlock delete kernel
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.

Last metadata expiration check: 0:10:30 ago on Fri 19 Dec 2025 09:59:11 PM EET.
Deleting versionlock for: kernel-0:5.14.0-611.5.1.el9_7.*
[root@mosalahlab yum.repos.d]$

Summary Checklist for SysAdmins

  1. Check Repolist: Always verify active repos with dnf repolist.

  2. Modular Check: Before installing software, check if a module stream exists with dnf module list.

  3. Audit Changes: Use dnf history as a standard part of your post-maintenance review.

  4. Enforce Stability: Use versionlock for any package where a version jump would violate your SLA.