Repo Server

A repository server hosts the package files and is nothing more than a web server. Shown here using Apache and the Linuxfabrik Monitoring Plugins as an example.

Generate GPG key

If the packages are to be GPG-signed, a GPG key pair must be created first:

NAME='ACME (Packager)'
EMAIL='packager@example.com'
PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 60)

old_umask=$(umask)
umask 077
cat > /tmp/packager.def << EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASSWORD
%commit
EOF

gpg --batch --generate-key /tmp/packager.def
rm -f /tmp/packager.def

gpg --list-keys --keyid-format long
# pub   rsa4096/EE582183B38936AE 2022-10-05 [SCEA]
#       A78FF23B5ACDDA78AADAABB5EE582183B38936AE
# uid                 [ultimate] ACME (Packager) <packager@example.com>

# ====> store "A78FF23B5ACDDA78AADAABB5EE582183B38936AE" as GPG_KEY
GPG_KEY="..."

# export the gpg key to ascii
gpg --armor --export $GPG_KEY > /tmp/packager.pub
echo "$PASSWORD" | gpg --pinentry-mode loopback --passphrase-fd 0 --armor --export-secret-keys $GPG_KEY > /tmp/packager.key
umask "$old_umask"
echo $PASSWORD

Afterwards, be sure to back up the key pair and the password. The public key /tmp/packager.pub must be placed on the web server, here as /var/www/html/repo.linuxfabrik.ch/linuxfabrik.key.

Create RPM repo

Create the directory structure:

mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/{7,8,9}/{release,testing}/noarch

If the packages are to be signed, the RPM config must be created with the name of the GPG key ($NAME):

~/.rpmmacros
%_gpg_name ACME (Packager)

dnf install rpm-sign -y
rpmsign --addsign /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/*.rpm

# check the signature
rpm --checksig --verify /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm
# /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm:
#     Header V4 RSA/SHA256 Signature, key ID 39d17a78: OK
#     Header SHA1 digest: OK
#     V4 RSA/SHA256 Signature, key ID 39d17a78: OK
#     MD5 digest: OK

Now the repo data for RHEL and compatible distributions must be generated:

dnf install createrepo -y
createrepo --update /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/

chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/

The repo can now be used with the following config:

/etc/yum.repos.d/linuxfabrik-monitoring-plugins-release.repo
[linuxfabrik-monitoring-plugins-release]
name=Linuxfabrik Monitoring Plugins (release)
baseurl=https://repo.linuxfabrik.ch/monitoring-plugins/rhel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=https://repo.linuxfabrik.ch/linuxfabrik.key
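As an added check for the client-side repo definition above (example code, not part of the Linuxfabrik docs): audit a .repo file for the trust settings it relies on. The sample embeds the page's release repo next to a constructed weak second entry; the repo_gpgcheck note is informational, since createrepo as used above does not sign the metadata.

```python
"""Audit a dnf/yum .repo file for the trust settings the client relies on."""
import configparser
from urllib.parse import urlparse

# Constructed sample: the page's release repo plus a deliberately weak second entry.
SAMPLE_REPO_FILE = """
[linuxfabrik-monitoring-plugins-release]
name=Linuxfabrik Monitoring Plugins (release)
baseurl=https://repo.linuxfabrik.ch/monitoring-plugins/rhel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=https://repo.linuxfabrik.ch/linuxfabrik.key

[weak-example]
name=Constructed weak repo
baseurl=http://repo.example.com/rhel/$releasever/release/
enabled=1
gpgcheck=0
"""


def audit_repo_file(text):
    """Return {repo_id: [(level, message), ...]} for every repo in the file."""
    # interpolation=None: values such as '$releasever' are returned literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        findings = []
        if section.get("enabled", "1") == "1" and section.get("gpgcheck", "0") != "1":
            findings.append(("error", "gpgcheck is not 1: package signatures are not verified"))
        for key in ("baseurl", "gpgkey"):
            value = section.get(key)
            if value is None:
                findings.append(("error", f"{key} is missing"))
            elif urlparse(value).scheme != "https":
                findings.append(("error", f"{key} is not fetched over https: {value}"))
        # gpgcheck=1 verifies packages only; repomd.xml stays unchecked unless the
        # publisher also detach-signs it and clients set repo_gpgcheck=1.
        if section.get("repo_gpgcheck", "0") != "1":
            findings.append(("info", "repo_gpgcheck is off: repository metadata is not signature-checked"))
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo_file(SAMPLE_REPO_FILE).items():
        for level, message in findings:
            print(f"{repo_id}: {level}: {message}")
```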

Create DEB repo

A DEB repo can be created by hand, but it is considerably easier with a helper tool such as freight.

Create the directory structure:

mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/{debian,ubuntu}

Create the configurations, and set GPG= to the GPG key generated above ($GPG_KEY):

/etc/freight-monitoring-plugins-debian.conf
# Directories for the Freight library and Freight cache.  Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-debian"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/debian/"

# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"

# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"

# GPG key(s) to use to sign repositories.  This is required by the `apt`
# repository provider.  Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given to sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"

# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"

# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"

/etc/freight-monitoring-plugins-ubuntu.conf
# Directories for the Freight library and Freight cache.  Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-ubuntu"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/ubuntu/"

# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"

# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"

# GPG key(s) to use to sign repositories.  This is required by the `apt`
# repository provider.  Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given to sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"

# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"

# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"
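As an added pre-flight check for the two freight configurations above (example code, not from the Linuxfabrik docs or from freight itself): parse the KEY="value" lines and flag settings that would leave the repository unsigned, weakly signed, or not served at all. The WEBROOT path is assumed from this page's Apache layout; the sample conf is constructed, with GPG still at its placeholder.

```python
"""Pre-flight check of a freight conf before the first freight-cache run."""
import re

# Constructed sample: the page's Debian conf, shortened, with GPG left at its placeholder.
SAMPLE_FREIGHT_CONF = '''
# Directories for the Freight library and Freight cache.
VARLIB="/var/lib/freight/monitoring-plugins-debian"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/debian/"
ORIGIN="Linuxfabrik Monitoring Plugins"
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"
GPG_DIGEST_ALGO="SHA1"
SYMLINKS="off"
'''

# Matches KEY="value", KEY='value' or KEY=value; the value lands in one of groups 2-4.
ASSIGNMENT = re.compile(r'^\s*([A-Z_]+)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')
WEAK_DIGESTS = {"MD5", "SHA1"}
WEBROOT = "/var/www/html/"  # assumption: the Apache document root used on this page


def parse_freight_conf(text):
    """Return the uncommented shell-style assignments of a freight conf as a dict."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match:
            settings[match.group(1)] = next(g for g in match.groups()[1:] if g is not None)
    return settings


def audit_freight_conf(text):
    """Return a list of problems; an empty list means freight will sign as intended."""
    cfg = parse_freight_conf(text)
    problems = []
    gpg = cfg.get("GPG", "")
    if not gpg or gpg == "REPLACE-ME":
        problems.append("GPG is unset: freight cannot sign the Release files")
    digest = cfg.get("GPG_DIGEST_ALGO", "SHA512").upper()
    if digest in WEAK_DIGESTS:
        problems.append(f"GPG_DIGEST_ALGO={digest} is weak; apt flags SHA1-signed repositories")
    if not cfg.get("VARCACHE", "").startswith(WEBROOT):
        problems.append(f"VARCACHE is outside the web root {WEBROOT}: nothing will be served")
    if cfg.get("VARLIB", "").startswith(WEBROOT):
        problems.append("VARLIB is inside the web root: the unpublished library would be served")
    return problems
```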

DEB packages can now be added:

# debian
freight-add --conf=/etc/freight-monitoring-plugins-debian.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/buster-release apt/bullseye-release
freight-cache --conf=/etc/freight-monitoring-plugins-debian.conf

# ubuntu
freight-add --conf=/etc/freight-monitoring-plugins-ubuntu.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/bionic-release apt/focal-release apt/jammy-release
freight-cache --conf=/etc/freight-monitoring-plugins-ubuntu.conf

chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/

Built on 2023-01-27