Why do I receive errors when I use yum on my Amazon EC2 instance that runs RHEL?


I want to use yum on my Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Red Hat Enterprise Linux (RHEL), but I receive errors.

Short description

After you run a yum command on your EC2 instance, you might receive an error. To determine what error occurred, use the output messages of the yum command. Then, use the resolution method that best fits your error message.

Resolution

Connection timed out or failed to download packages error

Error: "Connection timed out XXXX milliseconds or failed to download the packages."

To resolve this error, complete the following steps:

  1. Verify that the security group that's attached to your EC2 instance allows outbound HTTP and HTTPS traffic.

  2. Verify that the network access control lists (network ACLs) that are associated with your instance's subnet allow outbound HTTP and HTTPS traffic. See the following example of network ACL rules:

    Inbound rules
    Rule #    Type                   Protocol    Port Range    Source       Allow/Deny
    130       Custom TCP Rule        TCP (6)     1024-65535    0.0.0.0/0    ALLOW
    140       Custom TCP Rule        TCP (6)     1024-65535    ::/0         ALLOW
    *         ALL Traffic            ALL         ALL           0.0.0.0/0    DENY
    *         ALL Traffic            ALL         ALL           ::/0         DENY

    Outbound rules
    Rule #    Type                   Protocol    Port Range    Destination  Allow/Deny
    100       HTTP (80)              TCP (6)     80            0.0.0.0/0    ALLOW
    101       HTTPS (443)            TCP (6)     443           0.0.0.0/0    ALLOW
    102       HTTP (80)              TCP (6)     80            ::/0         ALLOW
    103       HTTPS (443)            TCP (6)     443           ::/0         ALLOW
    *         ALL Traffic            ALL         ALL           ::/0         DENY
    *         ALL Traffic            ALL         ALL           0.0.0.0/0    DENY

    In the preceding example, Rule 100 and Rule 101 in the outbound rules correspond to Rule 130 in the inbound rules. Rule 102 and Rule 103 in the outbound rules correspond to Rule 140 in the inbound rules. The allowed outbound traffic on port 80 and port 443 (HTTP and HTTPS) is matched with the allowed inbound traffic on the ephemeral ports.

    The example network ACL uses an ephemeral port range of 1024-65535. The type of client that you use or communicate with determines the range for your network ACLs. To cover the different types of clients that might initiate traffic to public-facing instances in your virtual private cloud (VPC), open ephemeral ports 1024-65535. You can also add rules to the network ACL that deny traffic on any malicious ports within that range. Make sure that you place the deny rules earlier in the table than the allow rules that open the wide range of ephemeral ports.

    For more information, see Ephemeral ports and Custom network ACL.

  3. Verify that your instance has access to RHEL repositories.

    If your instance is in a public subnet with an internet gateway, then see Configuration for internet access.

    If your instance is in a private subnet with a NAT gateway, then see NAT gateways.

    If your instance is in a private subnet with a NAT instance, then see NAT instances.

    If your instance is in a public or private subnet with an Amazon Simple Storage Service (Amazon S3) VPC endpoint, then see How can we update a disconnected or an air-gapped system (A system without internet connection)? on the Red Hat website.

    If your instance is in a private subnet with a proxy, then configure yum to use a proxy. Modify the /etc/yum.conf file with the following parameters. In this example, replace proxy-server-IP-address, proxy-port, proxy-user-name, and proxy-password with the correct values for your proxy:

    proxy=http://proxy-server-IP-address:proxy-port
    proxy_username="proxy-user-name"
    proxy_password="proxy-password"

  4. To confirm that the instance can access the repository, run the following command:

    sudo yum check-update

    If the command successfully retrieves package information without errors, then your instance can access the repositories.

    If you encounter errors, check the repository configuration files in the /etc/yum.repos.d/ directory to make sure that they're configured correctly. Then, confirm that your instance is in a public subnet with the appropriate security group rules to allow outbound internet traffic.
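The stateless rule matching from step 2, as an added example that is not part of the original article: a small evaluator that applies network ACL rules in ascending rule-number order, first match wins. It shows why yum's HTTPS request needs the inbound ephemeral-port rule for its reply, and why a deny rule numbered after the wide allow rule never takes effect. The rule strings are constructed from the IPv4 rows of the example table (CIDR matching is omitted because every row uses 0.0.0.0/0), the function names are hypothetical, and port 3389 is an assumed example of a port to block.

```shell
#!/bin/sh
# Added example: evaluate network ACL rules in ascending rule-number order,
# first match wins, implicit deny (*) last.
# Rule format (constructed): "<rule#> <from-port> <to-port> <allow|deny>"

# IPv4 rows of the article's example table.
OUTBOUND='100 80 80 allow
101 443 443 allow'
INBOUND='130 1024 65535 allow'

# nacl_eval RULES PORT -> prints "<action> <rule#>", or "deny *" if no match.
nacl_eval() {
    printf '%s\n' "$1" | sort -n | awk -v port="$2" '
        NF == 4 && port >= $2 && port <= $3 { print $4, $1; hit = 1; exit }
        END { if (!hit) print "deny *" }'
}

# yum_flow INBOUND OUTBOUND CLIENT_PORT -> "ok" only if the HTTPS request is
# allowed out AND the reply to the client's ephemeral port is allowed back in.
yum_flow() {
    req=$(nacl_eval "$2" 443)
    rep=$(nacl_eval "$1" "$3")
    case "$req/$rep" in
        allow*/allow*) echo "ok" ;;
        *) echo "blocked (out: $req, in: $rep)" ;;
    esac
}

# A deny for one port inside the ephemeral range (3389 is an assumed example)
# only takes effect when its rule number is lower than the wide allow rule.
DENY_BEFORE="120 3389 3389 deny
$INBOUND"
DENY_AFTER="$INBOUND
135 3389 3389 deny"

echo "yum with ephemeral allow:     $(yum_flow "$INBOUND" "$OUTBOUND" 50000)"
echo "yum without inbound rule:     $(yum_flow "" "$OUTBOUND" 50000)"
echo "port 3389, deny numbered 120: $(nacl_eval "$DENY_BEFORE" 3389)"
echo "port 3389, deny numbered 135: $(nacl_eval "$DENY_AFTER" 3389)"
```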

Could not contact any CDS load balancers error

Error: "Could not contact any CDS load balancers."

To resolve this error, launch an EC2 instance with the newest version of the same RHEL release as your instance.

  1. To download the newest RHUI client package, log in to the new instance, and then run the following command:

    $ sudo yum install --downloadonly --downloaddir=/root/ rh-amazon-rhui-client.noarch

  2. Copy the downloaded rpm package to the instance. Then, run the following commands:

    $ sudo yum remove -y rh-amazon-rhui-client  
    $ sudo rpm -ivh --nodeps /path/to/rpmfile/rh-amazon-rhui-client*

    Note: Replace /path/to/rpmfile with the file path that you copied the file to.

  3. After you install the package, you must reinstall it to get all the dependencies:

    $ sudo yum reinstall -y rh-amazon-rhui-client

  4. Download the required packages from RHUI:

    $ sudo yum clean all
    $ sudo yum repolist
    $ sudo yum list

"Failure: Repodata/repomd.xml" error or a similar "404 - Not Found" error

Error: "Failure: repodata/repomd.xml from rhel-7-server-rhui-rh-common-rpms: [Errno 256] No more mirrors to try or https://rhui3.eu-west-1.aws.ce.redhat.com/pulp/repos/content/dist/rhel/rhui/server/7/7/x86_64/rh-common/os/repodata/repomd.xml : [Errno 14] HTTPS Error 404 - Not Found"

This error occurs for the following reasons:

  • Corrupted yum cache
  • Inaccessible repository URL caused by network-related issues
  • Customized or other media repositories
  • Outdated allowlist when you use an IP-based firewall configuration to access Red Hat's Content Delivery Network (CDN)

To remove and then rebuild the yum cache, run the following commands:

# rm -rf /var/cache/yum/*
# yum clean all
# yum check-update
# yum repolist enabled

For more information, see Troubleshooting '[Errno 14] HTTPS Error 404 - Not Found' error observed on Red Hat Satellite 6 clients on the Red Hat website.

This system is not registered with an entitlement server error

Error: "This system is not registered with an entitlement server. You can use subscription-manager to register."

To resolve this error, use subscription-manager to register the system. When you run an instance from the AWS Marketplace, that instance includes an embedded billing product in the metadata that Red Hat provides. When Red Hat connects to the RHUI repositories that AWS uses, Red Hat uses the billing product to check for a valid subscription.

To check the billing product on an instance, run the following command:

$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document -q 2>/dev/null | grep billingProducts

  "billingProducts" : [ "bp-6fa54006" ],

If your instance has the required billing code, then ignore the message from subscription-manager. If you don't want to see the message, set enabled=0 in the subscription-manager plugin configuration file, /etc/yum/pluginconf.d/subscription-manager.conf. To open the file, run the following command:

sudo vi /etc/yum/pluginconf.d/subscription-manager.conf

In the file, set the following parameter:

enabled=0

Then, save and quit the configuration file.

Note: If you migrate your instance or create an Amazon Machine Image (AMI) from snapshots, then the billing product isn't available. If you use CreateImage on an existing instance that has a billing code, then the new AMI inherits this information. The AMI can then communicate with the RHUI repositories.
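The billing product check above, as an added example that is not part of the original article: it parses the instance identity document instead of grepping for the field name, so an instance whose document has no billing code is reported as such. The function names are hypothetical, both sample documents are constructed (the `"billingProducts" : null` form for an instance without a billing product is an assumption, as is the instanceType value), and only the bp-6fa54006 code comes from the article.

```shell
#!/bin/sh
# Added example: read an instance identity document (JSON) on stdin and
# report whether it carries a billing product code.

# fetch_identity_document -> the article's IMDSv2 request, with -s -f so a
# failed token request is an error instead of an empty header value.
fetch_identity_document() {
    token=$(curl -sf --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") || return 1
    curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/dynamic/instance-identity/document"
}

# billing_products -> prints one bp-... code per line; returns non-zero when
# the field is null, empty, or missing.
billing_products() {
    tr -d '\n' |
        sed -n 's/.*"billingProducts"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
        tr ',' '\n' | tr -d '" \t' | grep -E '^bp-[0-9a-z]+$'
}

# rhui_hint -> "present: <codes>" or "absent".
rhui_hint() {
    if codes=$(billing_products); then
        echo "present: $(printf '%s' "$codes" | tr '\n' ',')"
    else
        echo "absent"
    fi
}

# Constructed sample documents (trimmed to two fields).
SAMPLE_WITH_CODE='{
  "billingProducts" : [ "bp-6fa54006" ],
  "instanceType" : "t3.micro"
}'
SAMPLE_NO_CODE='{
  "billingProducts" : null,
  "instanceType" : "t3.micro"
}'

printf '%s' "$SAMPLE_WITH_CODE" | rhui_hint
printf '%s' "$SAMPLE_NO_CODE" | rhui_hint
```

On an instance, run `fetch_identity_document | rhui_hint`. An "absent" result matches the case in the preceding note, where the billing product isn't available.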

AWS OFFICIAL - Updated 10 months ago