Repo Server

A repository server hosts the package files and is nothing more than a web server. Shown here using Apache and the Linuxfabrik Monitoring Plugins as an example.

Add a Repo

Another repo is to be mirrored and offered via our mirror: see https://github.com/Linuxfabrik/mirror.

Generate a GPG Key

If the packages are to be GPG-signed, a GPG key pair must be created first:

NAME='ACME (Packager)'
EMAIL='packager@example.com'
PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 60)

old_umask=$(umask)
umask 077
cat > /tmp/packager.def << EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASSWORD
%commit
EOF

gpg --batch --generate-key /tmp/packager.def
rm -f /tmp/packager.def

gpg --list-keys --keyid-format long
# pub   rsa4096/EE582183B38936AE 2022-10-05 [SCEA]
#       A78FF23B5ACDDA78AADAABB5EE582183B38936AE
# uid                 [ultimate] ACME (Packager) <packager@example.com>

# ====> store "A78FF23B5ACDDA78AADAABB5EE582183B38936AE" as GPG_KEY
GPG_KEY="..."

# export the gpg key to ascii
gpg --armor --export $GPG_KEY > /tmp/packager.pub
echo "$PASSWORD" | gpg --pinentry-mode loopback --passphrase-fd 0 --armor --export-secret-keys $GPG_KEY > /tmp/packager.key
umask "$old_umask"
echo $PASSWORD

Afterwards, be sure to back up the key pair and the password. The public key /tmp/packager.pub must be placed on the web server, here as /var/www/html/repo.linuxfabrik.ch/linuxfabrik.key.

Create an RPM Repo

Create the directory structure:

mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/{7,8,9}/{release,testing}/noarch
# workaround for RHEL7, $releasever is "7Server" instead of "7" there
cd /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/
ln -s 7 7Server

If the packages are to be signed, the RPM config must be created with the name of the GPG key ($NAME):

~/.rpmmacros
%_gpg_name ACME (Packager)
dnf install rpm-sign -y
rpmsign --addsign /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/*.rpm

# check the signature
rpm --checksig -v /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm
# /tmp/linuxfabrik-monitoring-plugins-2022072001-1.noarch.rpm:
#     Header V4 RSA/SHA256 Signature, key ID 39d17a78: OK
#     Header SHA1 digest: OK
#     V4 RSA/SHA256 Signature, key ID 39d17a78: OK
#     MD5 digest: OK
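
Two of the steps above are manual: copying the fingerprint out of `gpg --list-keys` into GPG_KEY, and reading the `rpm --checksig` output by eye. The following script is an added example (not from the Linuxfabrik page or project) that automates both: it parses gpg's machine-readable colon listing for the fingerprint, derives the 8-hex-digit key ID that rpm prints from it, and accepts a package only if every signature line verifies and was made by that key, so an unsigned package or one signed by a foreign key never reaches `createrepo`. The sample listings and checksig outputs are constructed to mirror the page's output; `reject_unsigned_rpms` needs the real `rpm` binary and is the only part that is not self-contained.

```sh
# Added example, not the page's own code. Sample data below is constructed.

# Take the machine-readable listing (`gpg --list-keys --with-colons "$EMAIL"`)
# on stdin and print the fingerprint of the first primary key in it.
gpg_fingerprint() {
    awk -F: '/^pub:/ { seen = 1; next }
             seen && /^fpr:/ { print $10; exit }'
}

# rpm prints the low 32 bits of the key ID (8 hex chars, lower case);
# derive that from the 40-char fingerprint so the two can be compared.
rpm_keyid_from_fpr() {
    printf '%s\n' "$1" | awk '{ print tolower(substr($0, length($0) - 7)) }'
}

# Read `rpm --checksig -v` output on stdin; succeed only if at least one
# signature line is present, every signature verifies ("OK"), and every
# signature was made by the expected key ID ($1).
checksig_signed_by() {
    awk -v want="$1" '
        /Signature, key ID [0-9a-fA-F]+: / {
            n++
            sub(/.*key ID /, "")
            split($0, a, ": ")
            if (tolower(a[1]) != want || a[2] != "OK") bad++
        }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# Publishing gate for a repository directory: refuse if any package is
# unsigned, signed by another key, or fails verification. Needs the real
# rpm binary and packages, so it is not exercised by the sample data.
reject_unsigned_rpms() {
    dir="$1"; keyid="$2"; rc=0
    for f in "$dir"/*.rpm; do
        if rpm --checksig -v "$f" | checksig_signed_by "$keyid"; then
            echo "ok:     $f"
        else
            echo "REJECT: $f (unsigned, bad signature, or wrong key)" >&2
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample data, mirroring the listings shown on the page ------
SAMPLE_LISTING='tru::1:1665000000:0:3:1:5
pub:u:4096:1:EE582183B38936AE:1665000000::u:::scESCA::::::23::0:
fpr:::::::::A78FF23B5ACDDA78AADAABB5EE582183B38936AE:
uid:u::::1665000000::0123456789ABCDEF0123456789ABCDEF01234567::ACME (Packager) <packager@example.com>::::::::::0:'

SIGNED_OUTPUT='/tmp/pkg-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID b38936ae: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID b38936ae: OK
    Payload SHA256 digest: OK'

UNSIGNED_OUTPUT='/tmp/pkg-2.noarch.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

FOREIGN_KEY_OUTPUT='/tmp/pkg-3.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 39d17a78: OK
    Header SHA256 digest: OK'

# Tie the pieces together the way the gate would on a real host:
# FPR is the value to store as GPG_KEY, KEYID what rpm will print.
FPR=$(printf '%s\n' "$SAMPLE_LISTING" | gpg_fingerprint)
KEYID=$(rpm_keyid_from_fpr "$FPR")
# usage on a real host: reject_unsigned_rpms /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release "$KEYID"
```

Run the gate between `rpmsign --addsign` and `createrepo`; a non-zero exit means the directory is not ready to publish. Because the check keys on the key ID rather than just on "OK", a package that was signed with a stale or unrelated key on the build host is caught as well.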

Now the repo metadata for RHEL and compatible distributions must be generated:

dnf install createrepo -y
createrepo --update /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/rhel/7/release/

chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/

The repo can now be used with the following config:

/etc/yum.repos.d/linuxfabrik-monitoring-plugins-release.repo
[linuxfabrik-monitoring-plugins-release]
name=Linuxfabrik Monitoring Plugins (release)
baseurl=https://repo.linuxfabrik.ch/monitoring-plugins/rhel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=https://repo.linuxfabrik.ch/linuxfabrik.key
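
The signing work above only pays off if the client side keeps `gpgcheck=1` and fetches the key over a channel that cannot be tampered with. As an added example (not from the page or the Linuxfabrik project), here is a small linter for `.repo` files that flags any section with `gpgcheck` other than 1, without a `gpgkey`, or with a `gpgkey` or `baseurl` served over plain http. The "good" input is the page's own repo definition; the "weak" one is constructed.

```sh
# Added example, not the page's own code.
# Audit one or more .repo files (arguments) or stdin. Prints one finding per
# line and returns 1 if anything was found, 0 if every section is clean.
audit_repo_conf() {
    awk '
        function flush() {
            if (sec == "") return
            if (gpgcheck != "1") { print sec ": gpgcheck is not 1"; bad++ }
            if (gpgkey == "")    { print sec ": no gpgkey"; bad++ }
            else if (gpgkey !~ /^(https|file):\/\//) {
                print sec ": gpgkey not fetched over https or from a local file"; bad++
            }
            if (baseurl ~ /^http:\/\//) { print sec ": baseurl uses plain http"; bad++ }
        }
        # a new [section] header: report the previous section, reset state
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2)
                     gpgcheck = ""; gpgkey = ""; baseurl = ""; next }
        /^[ \t]*$/    { next }   # blank line
        /^[ \t]*[#;]/ { next }   # comment
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") gpgcheck = v
            else if (k == "gpgkey") gpgkey = v
            else if (k == "baseurl") baseurl = v
        }
        END { flush(); exit ((bad > 0) ? 1 : 0) }
    ' "$@"
}

# The page's own repo definition (single quotes keep $releasever literal).
GOOD_REPO='[linuxfabrik-monitoring-plugins-release]
name=Linuxfabrik Monitoring Plugins (release)
baseurl=https://repo.linuxfabrik.ch/monitoring-plugins/rhel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=https://repo.linuxfabrik.ch/linuxfabrik.key'

# Constructed example of a definition that must not be installed as-is.
WEAK_REPO='[vendor-tools]
name=Vendor tools (constructed weak definition)
baseurl=http://mirror.example.com/tools/
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.com/RPM-GPG-KEY'

# usage on a host: audit_repo_conf /etc/yum.repos.d/*.repo
```

Disabled sections are audited too, since `--enablerepo` can switch them on at any time. A `file://` gpgkey is accepted because a key shipped inside a package (for example under /etc/pki/rpm-gpg/) is as trustworthy as the package that installed it.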

Create a DEB Repo

A DEB repo can be created by hand, but it is much easier with a helper tool such as freight.

Create the directory structure:

mkdir -p /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/{debian,ubuntu}

Create the configurations and set GPG= to the GPG key generated above ($GPG_KEY):

/etc/freight-monitoring-plugins-debian.conf
# Directories for the Freight library and Freight cache.  Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-debian"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/debian/"

# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"

# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"

# GPG key(s) to use to sign repositories.  This is required by the `apt`
# repository provider.  Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"

# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"

# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"
/etc/freight-monitoring-plugins-ubuntu.conf
# Directories for the Freight library and Freight cache.  Your web
# server's document root should be `$VARCACHE`.
VARLIB="/var/lib/freight/monitoring-plugins-ubuntu"
VARCACHE="/var/www/html/repo.linuxfabrik.ch/monitoring-plugins/ubuntu/"

# Default `Origin`, `Label`, `NotAutomatic`, and
# `ButAutomaticUpgrades` fields for `Release` files.
ORIGIN="Linuxfabrik Monitoring Plugins"
LABEL="Linuxfabrik Monitoring Plugins"
NOT_AUTOMATIC="no"
BUT_AUTOMATIC_UPGRADES="no"

# Cache the control files after each run (on), or regenerate them every
# time (off).
CACHE="off"

# GPG key(s) to use to sign repositories.  This is required by the `apt`
# repository provider.  Use `gpg --gen-key` (see `gpg`(1) for more
# details) to generate a key and put its email address here.
#
# Multiple addresses can be given sign the repository with them all.
GPG="REPLACE-ME"
# GPG="example@example.com another@example.com"

# Message digest algorithm that GPG should use to sign the repository.
# It is not recommended to use SHA1 as new versions of `apt` will report
# that the repository is half-broken due to weak digest.
#
# SHA512 is the default
GPG_DIGEST_ALGO="SHA512"

# Whether to follow symbolic links in `$VARLIB` to produce extra components
# in the cache directory (on) or not (off).
SYMLINKS="off"

DEB packages can now be added:

# debian
freight-add --conf=/etc/freight-monitoring-plugins-debian.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/buster-release apt/bullseye-release
freight-cache --conf=/etc/freight-monitoring-plugins-debian.conf

# ubuntu
freight-add --conf=/etc/freight-monitoring-plugins-ubuntu.conf /tmp/linuxfabrik-monitoring-plugins_2022072001_all.deb apt/bionic-release apt/focal-release apt/jammy-release
freight-cache --conf=/etc/freight-monitoring-plugins-ubuntu.conf

chown -R apache:apache /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
restorecon -Fvr /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/
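
apt trusts a suite through its signed Release file, which in turn lists the checksum of every Packages index, so a suite that freight-cache wrote is only usable if the signature file exists and the SHA256 entries match what is on disk. The following is an added example (not from the page, freight, or the Linuxfabrik project) that checks both before the cache is exposed, plus a constructed miniature suite to run it against offline. It assumes freight's cache layout of `$VARCACHE/dists/<suite>/<component>/binary-<arch>/Packages`; it does not verify the signature itself, only its presence, because that needs the public key and gpg.

```sh
# Added example, not the page's own code. The fixture is constructed.

# verify_suite DIST_DIR: fail if the suite has no Release, no signature file
# (InRelease or Release.gpg), or a SHA256 entry that does not match the file.
verify_suite() {
    dist="$1"
    [ -f "$dist/Release" ] || { echo "$dist: no Release file" >&2; return 1; }
    if [ ! -s "$dist/InRelease" ] && [ ! -s "$dist/Release.gpg" ]; then
        echo "$dist: Release is not signed (no InRelease/Release.gpg)" >&2
        return 1
    fi
    # Entries in the SHA256 block look like " <hash> <size> <relative path>";
    # the block ends at the next field that starts in column one.
    awk '/^SHA256:/ { s = 1; next } /^[^ ]/ { s = 0 } s && NF == 3 { print $1, $3 }' "$dist/Release" |
    while read -r want path; do
        [ -f "$dist/$path" ] || { echo "$dist: $path listed but missing" >&2; exit 1; }
        got=$(sha256sum "$dist/$path" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "$dist: checksum mismatch for $path" >&2; exit 1; }
    done
}

# make_fixture_suite DIST_DIR: build a minimal constructed suite that stands
# in for freight-cache output, with a placeholder where InRelease would be.
make_fixture_suite() {
    dist="$1"
    mkdir -p "$dist/main/binary-all"
    printf 'Package: linuxfabrik-monitoring-plugins\nVersion: 2022072001\nArchitecture: all\n\n' \
        > "$dist/main/binary-all/Packages"
    hash=$(sha256sum "$dist/main/binary-all/Packages" | cut -d' ' -f1)
    size=$(wc -c < "$dist/main/binary-all/Packages" | tr -d ' ')
    printf 'Origin: Linuxfabrik Monitoring Plugins\nSuite: bullseye-release\nSHA256:\n %s %s main/binary-all/Packages\n' \
        "$hash" "$size" > "$dist/Release"
    # Placeholder standing in for the clearsigned Release; not a real signature.
    printf 'PLACEHOLDER-SIGNATURE\n' > "$dist/InRelease"
}

# usage on the repo server (assumed freight layout):
#   for d in /var/www/html/repo.linuxfabrik.ch/monitoring-plugins/debian/dists/*/; do verify_suite "$d"; done
```

Run it after each `freight-cache` and before the `chown`/`restorecon` step; with `CACHE="off"` every run regenerates the indexes, so a mismatch here means a partial or interrupted write rather than a stale cache.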

Built on 2024-04-18