Repo Server
Siehe auch
Ein Repository-Server hostet die Paket-Dateien und ist nichts weiteres als ein Webserver. Hier am Beispiel von Apache und den Linuxfabrik Monitoring Plugins.
GPG-Key generieren
Sollen die Pakete GPG-signiert werden, muss zuerst ein GPG-Keypair angelegt werden:
NAME='ACME (Packager)'
EMAIL='packager@example.com'
PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 60)
old_umask=$(umask)
umask 077
cat > /tmp/packager.def << EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASSWORD
%commit
EOF
gpg --batch --generate-key /tmp/packager.def
rm -f /tmp/packager.def
gpg --list-keys --keyid-format long
# pub rsa4096/EE582183B38936AE 2022-10-05 [SCEA]
# A78FF23B5ACDDA78AADAABB5EE582183B38936AE
# uid [ultimate] ACME (Packager) <packager@example.com>
# ====> store "A78FF23B5ACDDA78AADAABB5EE582183B38936AE" as GPG_KEY
GPG_KEY="..."
# export the gpg key to ascii
gpg --armor --export $GPG_KEY > /tmp/packager.pub
echo "$PASSWORD" | gpg --pinentry-mode loopback --passphrase-fd 0 --armor --export-secret-keys $GPG_KEY > /tmp/packager.key
umask "$old_umask"
echo $PASSWORD
Danach umbedingt das Keypair und Passwort sichern. Der public key /tmp/packager.pub muss auf dem Webserver abgelegt werden, hier als /var/www/html/repo.linuxfabrik.ch/linuxfabrik.key.
RPM-Repo erstellen
Ordnerstruktur erstellen:
mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/{7,8,9}/{release,testing}/noarch
Falls die Pakete signiert werden solle, muss die RPM-Config mit dem Namen des GPG-Keys ($NAME) angelegt werden:
~/.rpmmacros
%_gpg_name ACME (Packager)
dnf install rpm-sign -y
rpmsign --addsign /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/*.rpm
# check the signature
rpm --checksig --verify /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm
# /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm:
# Header V4 RSA/SHA256 Signature, key ID 39d17a78: OK
# Header SHA1 digest: OK
# V4 RSA/SHA256 Signature, key ID 39d17a78: OK
# MD5 digest: OK
Nun müssen die Repodaten für RHEL und kompatible generiert werden:
dnf install createrepo -y
createrepo --update /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/
chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
Das Repo kann jetzt mit folgender Config verwendet werden:
/etc/yum.repos.d/linuxfabrik-monitoring-plugins-release.repo
[linuxfabrik-monitoring-plugins-release]
name=Linuxfabrik Monitoring Plugins (release)
baseurl=https://repo.linuxfabrik.ch/monitoring-plugins/rhel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=https://repo.linuxfabrik.ch/linuxfabrik.key
DEB-Repo erstellen
Ein DEB-Repo kann zwar von Hand erstellt werden, ist aber deutlich einfacher mit einem Hilfsprogram wie freight.
Ordnerstruktur erstellen:
mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/{debian,ubuntu}
Die Konfigurationen anlegen, und GPG= auf den oben generierten GPG-Key setzen ($GPG_KEY):
/etc/freight-monitoring-plugins-debian.conf
# Directories for the Freight library and Freight cache. Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-debian"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/debian/"
# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"
# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"
# GPG key(s) to use to sign repositories. This is required by the `apt`
# repository provider. Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"
# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"
# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"
/etc/freight-monitoring-plugins-ubuntu.conf
# Directories for the Freight library and Freight cache. Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-ubuntu"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/ubuntu/"
# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"
# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"
# GPG key(s) to use to sign repositories. This is required by the `apt`
# repository provider. Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"
# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"
# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"
Nun können DEB-Pakete hinzugefügt werden:
# debian
freight-add --conf=/etc/freight-monitoring-plugins-debian.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/buster-release apt/bullseye-release
freight-cache --conf=/etc/freight-monitoring-plugins-debian.conf
# ubuntu
freight-add --conf=/etc/freight-monitoring-plugins-ubuntu.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/bionic-release apt/focal apt/jammy-release
freight-cache --conf=/etc/freight-monitoring-plugins-ubuntu.conf
chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
Built on 2023-01-27