Troubleshooting Yum connection problems¶
This page is designed to help you do problem determination for scenarios where yum itself is not working due to connection problems. That is, you are having trouble getting RPM packages installed.
There are several yum
problems that may not be connection related, and those are documented
on the main troubleshooting page
Before you go further… make sure you have ibmi-repos
installed¶
To make sure you’re seeing the latest updates available for your operating system, make sure you have
the latest version of yum
and ibmi-repos
installed, if you are able to.
/QOpenSys/pkgs/bin/yum upgrade yum ibmi-repos
Once the ibmi-repos
package is installed, you may need to upgrade again to make sure you are at the
latest version available for your release:
/QOpenSys/pkgs/bin/yum upgrade ibmi-repos
If you are able to successfully install the ibmi-repos
package, you can consider removing the
legacy repo definition by running:
mv /QOpenSys/etc/yum/repos.d/ibm.repo /QOpenSys/etc/yum/repos.d/ibm.repo.backup
If you cannot install the ibmi-repos
package, for some reason, you can try using http:
/QOpenSys/pkgs/bin/yum-config-manager --setopt=ibm.baseurl=http://public.dhe.ibm.com/software/ibmi/products/pase/rpms/repo
Or ftp:
/QOpenSys/pkgs/bin/yum-config-manager --setopt=ibm.baseurl=http://public.dhe.ibm.com/software/ibmi/products/pase/rpms/repo
Checking Connectivity¶
The most common cause of issue with yum is related to network connectivity. Errors will state something like
unable to open repomd.xml
The IBM server supports three protocols for downloading packages:
HTTPs (secure, default, recommended)
HTTP (disabled by default)
FTP (disabled by default)
HTTP or FTP can be used as a backup mechanism if you are unable to get the default configuration working, or if your network prohibits https connections.
You can use Python to check connectivity to the IBM RPM server. To check if you have HTTPS connectivity and have proper TLS setup, run:
/QOpenSys/pkgs/bin/python2.7 -c "import socket; import ssl; hostname='public.dhe.ibm.com'; ssl.create_default_context().wrap_socket(socket.create_connection((hostname,443), 30), server_hostname=hostname) ; print 'success'"
The output from this command can help you figure out next steps:
If the output contains
Hostname and service name not provided or found
, DNS is not configured properlyIf the output contains
timed out
orconnection refused
then you cannot reach IBM’s serverIf the output contains
ssl.CertificateError: hostname '______________' doesn't match 'public.dhe.ibm.com'
, a separate entity is injecting an SSL certificateIf the output contains another CertificateError, you need to install the
ca-certificates-mozilla
package
Checking Connectivity for alternative protocols¶
Occasionally, you can use alternative protocols (http, ftp, or https without TLS verification) to circumvent connectivity issues.
To check if you have HTTPs connectivity (without TLS verification):
/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 443), 30); print 'success'"
To check for HTTP connectivity
/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 80), 30); print 'success'"
To check for FTP connectivity:
/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 21), 30); print 'success'"
The output from this command can help you figure out next steps:
If the output contains
Hostname and service name not provided or found
, DNS is not configured properlyIf the output contains
timed out
orconnection refused
then you cannot reach IBM’s server
DNS not configured properly¶
If DNS is not configured properly, please work with your IBM i system administrator or networking team to resolve the problem correctly.
As a stopgap workaroud, you can create a host table entry for the IBM server at public.dhe.ibm.com
.
Important Note: This IP address may change in the future. At which point, yum will start failing and you will need to create new host table entries
From SSH or QP2TERM:
system "ADDTCPHTE INTNETADR('129.35.224.112') HOSTNAME((public.dhe.ibm.com))"
From 5250 CL:
ADDTCPHTE INTNETADR('129.35.224.112') HOSTNAME((public.dhe.ibm.com))
Cannot reach IBM’s server with any protocol¶
Please work with your networking team to resolve the problem.
A separate entity is enjecting an SSL certificate¶
Follow these steps to add the new certificate as needed.
Temporarily disabling SSL verification to install ca-certificates-mozilla¶
To resolve certificate validation errors, usually installing ca-certificate-mozilla will resolve it, but if HTTPS is broken you can’t install it resulting in a Catch-22. Temporarily disabling SSL verification can resolve the Catch-22 and allow you to install ca-certificates-mozilla.
If you have the ibmi-repos
package installed:
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-base.sslverify=0
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-release.sslverify=0
Otherwise:
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=0
Then, proceed to install the ca-certificates-mozilla
package
Then, set the sslverify
property back to 1
. To do so, If you have the ibmi-repos
package installed:
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-base.sslverify=1
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-release.sslverify=1
Otherwise:
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=1
Other Networking problems¶
Operation too slow¶
Sometimes, corporate network firewalls don’t explicitly block ports, but they can drastically interfere with traffic throughput, resulting in:
'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds'
You can try working around this issue by enabling alternative protocols.
Enabling alternative protocols¶
Assuming you have a modern version of ibmi-repos
installed, you can try connecting with http or ftp if https does not work. To enable http and ftp mirrors:
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-release-unsecure
(note this is unsecure and should be a temporary workaround until the http protocol issue is resolved by your networking team)
Debug tool¶
You can download this debug tool, save it to IFS, and run
/QOpenSys/pkgs/bin/python2.7 yum_conncheck.py
It will provide guidance
TL;DR Steps that will fix most people that have a working DNS setup¶
If you have ibmi-repos
installed
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibm
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-release-unsecure
/QOpenSys/pkgs/bin/yum install ca-certificates-mozilla
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibmi-release-unsecure
/QOpenSys/pkgs/bin/yum upgrade ibmi-repos
If you do not have ibmi-repos
installed
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=0
/QOpenSys/pkgs/bin/yum install ca-certificates-mozilla ibmi-repos
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibm
What if I cannot access the Internet from my IBM i system?¶
Doc forthcoming…