Troubleshooting Yum connection problems

This page is designed to help you do problem determination for scenarios where yum itself is not working due to connection problems. That is, you are having trouble getting RPM packages installed.

There are several yum problems that may not be connection related, and those are documented on the main troubleshooting page.

Before you go further… make sure you have ibmi-repos installed

To see the latest updates available for your operating system, make sure you have the latest versions of yum and ibmi-repos installed, if you are able to.

/QOpenSys/pkgs/bin/yum upgrade yum ibmi-repos

Once the ibmi-repos package is installed, you may need to upgrade again to make sure you are at the latest version available for your release:

/QOpenSys/pkgs/bin/yum upgrade ibmi-repos

If you are able to successfully install the ibmi-repos package, you can consider removing the legacy repo definition by running:

mv /QOpenSys/etc/yum/repos.d/ibm.repo /QOpenSys/etc/yum/repos.d/ibm.repo.backup

If you cannot install the ibmi-repos package for some reason, you can try using http:

/QOpenSys/pkgs/bin/yum-config-manager --setopt=ibm.baseurl=http://public.dhe.ibm.com/software/ibmi/products/pase/rpms/repo

Or ftp:

/QOpenSys/pkgs/bin/yum-config-manager --setopt=ibm.baseurl=ftp://public.dhe.ibm.com/software/ibmi/products/pase/rpms/repo

Checking Connectivity

The most common cause of yum issues is network connectivity. Errors will state something like:

unable to open repomd.xml

The IBM server supports three protocols for downloading packages:

  • HTTPS (secure, default, recommended)

  • HTTP (disabled by default)

  • FTP (disabled by default)

HTTP or FTP can be used as a backup mechanism if you are unable to get the default configuration working, or if your network prohibits https connections.

You can use Python to check connectivity to the IBM RPM server. To check if you have HTTPS connectivity and have proper TLS setup, run:

/QOpenSys/pkgs/bin/python2.7 -c "import socket; import ssl; hostname='public.dhe.ibm.com'; ssl.create_default_context().wrap_socket(socket.create_connection((hostname,443), 30), server_hostname=hostname) ; print 'success'"

The output from this command can help you figure out next steps:

  • If the output contains Hostname and service name not provided or found, DNS is not configured properly

  • If the output contains timed out or connection refused then you cannot reach IBM’s server

  • If the output contains ssl.CertificateError: hostname '______________' doesn't match 'public.dhe.ibm.com', a separate entity is injecting an SSL certificate

  • If the output contains another CertificateError, you need to install the ca-certificates-mozilla package
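The same check with its outcomes mapped to the cases listed above, as an added example (not part of the original page or of IBM's tooling). The helper names and category keys are illustrative; the classifier matches both the Python 2.7 wording quoted above and the "Hostname mismatch" wording that Python 3.7+ produces.

```python
from __future__ import print_function   # same code runs on Python 2.7.9+ and 3
import errno
import socket
import ssl

HOST = "public.dhe.ibm.com"              # IBM RPM server named on this page

NEXT_STEP = {                            # category names are illustrative
    "success": "HTTPS and TLS verification both work",
    "dns": "DNS is not configured properly",
    "unreachable": "cannot reach IBM's server",
    "intercepted": "a separate entity is injecting an SSL certificate",
    "ca-bundle": "install the ca-certificates-mozilla package",
    "unknown": "not a case listed on this page; read the full error",
}

def classify(exc):
    """Map an exception raised by the HTTPS check to a NEXT_STEP key."""
    text = str(exc)
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, ssl.CertificateError) or "CERTIFICATE_VERIFY_FAILED" in text:
        # Python 2.7 reports "doesn't match"; Python 3.7+ reports
        # "Hostname mismatch". Either way the certificate names another host.
        if "doesn't match" in text or "Hostname mismatch" in text:
            return "intercepted"
        return "ca-bundle"
    refused = getattr(exc, "errno", None) in (errno.ECONNREFUSED, errno.ETIMEDOUT)
    if isinstance(exc, socket.timeout) or refused:
        return "unreachable"
    return "unknown"

def check_https(host=HOST, port=443, timeout=30):
    """Run the verified TLS handshake and return a NEXT_STEP key."""
    try:
        sock = socket.create_connection((host, port), timeout)
        try:
            context = ssl.create_default_context()   # verification stays on
            context.wrap_socket(sock, server_hostname=host).close()
        finally:
            sock.close()
        return "success"
    except Exception as exc:
        return classify(exc)

if __name__ == "__main__":
    result = check_https()
    print(result + ": " + NEXT_STEP[result])
```

An "intercepted" result means the certificate presented was issued for a different name, so the connection did not terminate at IBM's server.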

Checking Connectivity for alternative protocols

Occasionally, you can use alternative protocols (http, ftp, or https without TLS verification) to circumvent connectivity issues.

To check if you have HTTPS connectivity (without TLS verification):

/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 443), 30); print 'success'"

To check for HTTP connectivity:

/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 80), 30); print 'success'"

To check for FTP connectivity:

/QOpenSys/pkgs/bin/python2.7 -c "import socket; socket.create_connection(('public.dhe.ibm.com', 21), 30); print 'success'"

The output from these commands can help you figure out next steps:

  • If the output contains Hostname and service name not provided or found, DNS is not configured properly

  • If the output contains timed out or connection refused then you cannot reach IBM’s server

DNS not configured properly

If DNS is not configured properly, please work with your IBM i system administrator or networking team to resolve the problem correctly.

As a stopgap workaround, you can create a host table entry for the IBM server at public.dhe.ibm.com.

Important Note: This IP address may change in the future, at which point yum will start failing and you will need to create new host table entries.

From SSH or QP2TERM:

system "ADDTCPHTE INTNETADR('129.35.224.112') HOSTNAME((public.dhe.ibm.com))"

From 5250 CL:

ADDTCPHTE INTNETADR('129.35.224.112') HOSTNAME((public.dhe.ibm.com))

Cannot reach IBM’s server with any protocol

Please work with your networking team to resolve the problem.

A separate entity is injecting an SSL certificate

Follow these steps to add the new certificate as needed.

Temporarily disabling SSL verification to install ca-certificates-mozilla

Installing ca-certificates-mozilla usually resolves certificate validation errors, but if HTTPS is broken you can’t install it, resulting in a Catch-22. Temporarily disabling SSL verification can resolve the Catch-22 and allow you to install ca-certificates-mozilla.

If you have the ibmi-repos package installed:

/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-base.sslverify=0
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-release.sslverify=0

Otherwise:

/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=0

Then, proceed to install the ca-certificates-mozilla package.

Then, set the sslverify property back to 1. To do so, if you have the ibmi-repos package installed:

/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-base.sslverify=1
/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibmi-release.sslverify=1

Otherwise:

/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=1

Other Networking problems

Operation too slow

Sometimes, corporate network firewalls don’t explicitly block ports, but they can drastically interfere with traffic throughput, resulting in:

'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds'

You can try working around this issue by enabling alternative protocols.

Enabling alternative protocols

Assuming you have a modern version of ibmi-repos installed, you can try connecting with http or ftp if https does not work. To enable http and ftp mirrors:

/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-release-unsecure

(Note: this is insecure and should be a temporary workaround until the http protocol issue is resolved by your networking team.)
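Both workarounds on this page (sslverify=0 and the -unsecure repos) are meant to be temporary, so it is worth confirming afterwards that nothing was left in that state. The following is an added example, not part of the original page or of IBM's tooling; the `audit` helper is hypothetical and it inspects only per-repo settings in the repos.d directory used above, not yum's main configuration.

```python
import glob
import os
try:
    import configparser                    # Python 3
except ImportError:
    import ConfigParser as configparser    # Python 2.7

REPO_DIR = "/QOpenSys/etc/yum/repos.d"     # repo directory used on this page
FALSE_VALUES = ("0", "false", "no")

def audit(repo_dir=REPO_DIR):
    """Return sorted (repo_id, problem) pairs for every enabled repo."""
    findings = []
    for path in sorted(glob.glob(os.path.join(repo_dir, "*.repo"))):
        parser = configparser.RawConfigParser()
        parser.read(path)
        for repo in parser.sections():
            opts = dict(parser.items(repo))
            # A repo without an "enabled" line is treated as enabled.
            if opts.get("enabled", "1").strip().lower() in FALSE_VALUES:
                continue                   # disabled repos are not contacted
            # A repo without an "sslverify" line is treated as verifying.
            if opts.get("sslverify", "1").strip().lower() in FALSE_VALUES:
                findings.append((repo, "sslverify is off"))
            # baseurl may list several URLs separated by whitespace.
            urls = opts.get("baseurl", "").lower().split()
            if any(u.startswith(("http://", "ftp://")) for u in urls):
                findings.append((repo, "cleartext baseurl"))
    return sorted(findings)

if __name__ == "__main__":
    for repo, problem in audit():
        print("%s: %s" % (repo, problem))
```

An empty result means every enabled repo uses HTTPS with certificate verification on.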

Debug tool

You can download this debug tool, save it to IFS, and run:

/QOpenSys/pkgs/bin/python2.7 yum_conncheck.py

It will provide guidance.

TL;DR Steps that will fix the problem for most people who have a working DNS setup

If you have ibmi-repos installed:

/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibm
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --enable-repo=ibmi-release-unsecure
/QOpenSys/pkgs/bin/yum install ca-certificates-mozilla
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibmi-base-unsecure
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibmi-release-unsecure
/QOpenSys/pkgs/bin/yum upgrade ibmi-repos

If you do not have ibmi-repos installed:

/QOpenSys/pkgs/bin/yum-config-manager --save --setopt=ibm.sslverify=0
/QOpenSys/pkgs/bin/yum install ca-certificates-mozilla ibmi-repos
/QOpenSys/pkgs/bin/yum-config-manager --disable-repo=ibm

What if I cannot access the Internet from my IBM i system?

Doc forthcoming…