# CentOS 7 yum HTTPS upgrade

> This guide aims to help in pinning down the repository location to a known FQDN, so it can be set in the allowlists, without affecting the performance of downloads.

## Virtual Machine

### AWS User Data

```bash
#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%#baseurl=http://mirror.centos.org/centos/%baseurl=https://mirrors.edge.kernel.org/centos/%g' /etc/yum.repos.d/CentOS-*.repo
sed --in-place --regexp-extended 's%^mirrorlist=%#mirrorlist=%g' /etc/yum.repos.d/CentOS-*.repo
```

The first command uncomments each `baseurl` line and points it at a known, reliable CDN over HTTPS, keeping a backup of every edited file (with extension _.orig_). The second command comments out `mirrorlist`, CentOS's default mirror redirector.

### GCP Startup Script

```bash
#!/bin/bash -ex
# centos
sed --in-place=.orig --regexp-extended 's%#baseurl=http://mirror.centos.org/centos/%baseurl=https://mirrors.edge.kernel.org/centos/%g' /etc/yum.repos.d/CentOS-*.repo
sed --in-place --regexp-extended 's%^mirrorlist=%#mirrorlist=%g' /etc/yum.repos.d/CentOS-*.repo
# epel
sed --in-place=.orig --regexp-extended 's%#baseurl=http://(download.example|download.fedoraproject.org)/pub/epel/%baseurl=https://mirrors.edge.kernel.org/fedora-epel/%g' /etc/yum.repos.d/epel*.repo
sed --in-place --regexp-extended 's%^metalink=%#metalink=%g' /etc/yum.repos.d/epel*.repo
```

The first set of commands replaces CentOS's default mirror redirector with a known, reliable CDN, making a backup file (with extension _.orig_) in the process.

The second set of commands replaces Fedora's default mirror redirector with a known, reliable CDN, making a backup file (with extension _.orig_) in the process.

## Container

### Dockerfile

```Dockerfile
FROM centos:7

RUN sed --in-place=.orig --regexp-extended 's%#baseurl=http://mirror.centos.org/centos/%baseurl=https://mirrors.edge.kernel.org/centos/%g' /etc/yum.repos.d/CentOS-*.repo && \
    sed --in-place --regexp-extended 's%^mirrorlist=%#mirrorlist=%g' /etc/yum.repos.d/CentOS-*.repo && \
    yum clean expire-cache
```

## Allowlist

### FQDNs

```
mirrors.edge.kernel.org
```

### DiscrimiNAT Annotation

```
discriminat:tls:mirrors.edge.kernel.org
```

### Alternative Mirrors

Although `mirrors.edge.kernel.org` is a CDN with geo-located caches, you may want to pick a specific `https` mirror from CentOS's [official mirrors list](https://www.centos.org/download/mirrors/). If you do, use that mirror's FQDN in both the `sed` replacement and the allowlist.
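Whichever mirror you pin to, it is worth confirming the rewrite took effect before relying on the allowlist. The script below is an added example, not part of the original guide: it audits a repo directory and fails unless every enabled section has a `baseurl` starting with `https://<FQDN>/` and no active `mirrorlist` or `metalink`. The function name `check_repo_pinning` and the sample repo file are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit yum repo files after the sed rewrite.
# Usage: check_repo_pinning DIR FQDN
# Prints one line per problem; returns 0 only if every *enabled* section
# uses baseurl=https://FQDN/... and has no active mirrorlist/metalink.
check_repo_pinning() {
  awk -v want="https://$2/" '
    function report() {            # evaluate the section that just ended
      if (sec == "" || !enabled) return
      if (redir != "") { print file " [" sec "]: active " redir; bad = 1 }
      if (url == "") { print file " [" sec "]: no baseurl"; bad = 1 }
      # Prefix match including the trailing slash rejects lookalike hosts.
      else if (index(url, want) != 1) { print file " [" sec "]: baseurl " url; bad = 1 }
    }
    FNR == 1 { report(); sec = ""; file = FILENAME }
    /^\[.*\]/ { report(); sec = substr($0, 2, index($0, "]") - 2)
                enabled = 1; url = ""; redir = ""; next }  # yum default: enabled
    /^[ \t]*#/ { next }                        # commented-out keys are inert
    # Only a literal 0 counts as disabled, so the audit errs on the strict side.
    /^enabled[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); enabled = (v != "0") }
    /^baseurl[ \t]*=/ { url = $0; sub(/^[^=]*=[ \t]*/, "", url) }
    /^(mirrorlist|metalink)[ \t]*=/ { redir = $0; sub(/[ \t]*=.*/, "", redir) }
    END { report(); exit bad + 0 }
  ' "$1"/*.repo
}

# Constructed sample (not a real CentOS file): [base] is rewritten, [extras]
# was missed, and [c7-media] is disabled so its file:// URL is ignored.
demo_dir=$(mktemp -d)
printf '%s\n' '[base]' \
  '#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&repo=os' \
  'baseurl=https://mirrors.edge.kernel.org/centos/$releasever/os/$basearch/' \
  '[extras]' \
  'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&repo=extras' \
  '#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/' \
  '[c7-media]' 'baseurl=file:///media/CentOS/' 'enabled=0' \
  > "$demo_dir/CentOS-Sample.repo"
check_repo_pinning "$demo_dir" mirrors.edge.kernel.org || echo "repos not fully pinned"
```

On a real host, call `check_repo_pinning /etc/yum.repos.d mirrors.edge.kernel.org` at the end of the user data, startup script or Dockerfile `RUN` step so a missed repo file fails the build instead of failing later at the egress filter.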
