Intro
Tested on the following configuration:
Server: ubuntu 20.04
Clients: ubuntu 16.04, 18.04, 20.04
It doesn’t require a lot of software to create it.
-
web server with directory listing ( I use lighttpd)
-
packages: gpg(for signs), dpkg-dev
-
rng-tools (highly recommended)
Repo URL: http://192.168.56.48/repo/ (it is preferable to use DNS)
Repo directory on the server : /var/www/html/repo/
Deb-packages directory: /var/www/html/repo/deb-packages
Repo generation script: /usr/bin/update-repo.sh
Server preparation
Main steps:
-
web server installation
-
gpg-key generation
-
creating script for repo generation
-
repo creation
Gpg-key generation notes
GPG needs entropy for key generation. These operations can be very time-consuming, but they can be sped up with rng-tools packages. Use the next command for ubuntu:
sudo apt-get update sudo apt-get install -y rng-tools
Web server configuration
Now you need to install lighttpd and enable dir-listing on it:
# install package apt-get install lighttpd # enable directory listing echo 'server.dir-listing = "enable"' > /etc/lighttpd/conf-enabled/dir-listing.conf # start lighhttpd and enable autostrt systemctl restart lighttpd systemctl enable lighttpd # create dir for repo mkdir -p /var/www/html/repo/deb-packages/
Now you should put your deb-packages in /var/www/html/repo/deb-packages/
GPG-keys
I will use self-signed keys, but you should use your company’s PKI-infrastructure (if available). Check if you already have the keys:
root@repo:~# gpg --list-keys gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: /root/.gnupg/trustdb.gpg: trustdb created
Now you can see that there are no keys available. First, we’ll create keys-generation script. You should use the proper values for your repo:
cat >~/.gnupg/aptRepo <<EOF %echo Generating a basic OpenPGP key Key-Type: RSA Key-Length: 3072 Subkey-Type: ELG-E Subkey-Length: 3072 Name-Real: apt tech user Name-Comment: without passphrase Name-Email: apt@email.non Expire-Date: 0 %echo done EOF
Now create the keys. This may take some time. Do not set a password for the keys since you’ll need to enter it every time the repo is updated:
root@repo:~# gpg --batch --gen-key ~/.gnupg/aptRepo gpg: Generating a basic OpenPGP key gpg: done gpg: key 16B7C8484EC3AC5F marked as ultimately trusted gpg: directory '/root/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F.rev'
Check the keys availability:
root@repo:~# gpg --list-keys gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /root/.gnupg/pubring.kbx pub rsa3072 2021-02-07 [SCEA] D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F uid [ultimate] apt tech user (without passphrase) <apt@email.non> sub elg3072 2021-02-07 [E]
OK, now you need to export keys to the file:
gpg --export -a D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F > /var/www/html/repo/boozlachuRepo.gpg It's time to write a repo-creation script. I used the following variables • updatescript=/usr/bin/update-repo.sh - path to this script • repodir=/var/www/html/repo - path to the repo • gpgKey="D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F" - gpg-key ID
updatescript=/usr/bin/update-repo.sh cat <<'EOFSH' >${updatescript} #!/bin/sh # working directory repodir=/var/www/html/repo/ # GPG key gpgKey="D538A3381F3D2FC89F34EFDD16B7C8484EC3AC5F" cd ${repodir} # create the package index dpkg-scanpackages -m . > Packages cat Packages | gzip -9c > Packages.gz # create the Release file PKGS=$(wc -c Packages) PKGS_GZ=$(wc -c Packages.gz) cat <<EOF > Release Architectures: all Date: $(date -R -u) MD5Sum: $(md5sum Packages | cut -d" " -f1) $PKGS $(md5sum Packages.gz | cut -d" " -f1) $PKGS_GZ SHA1: $(sha1sum Packages | cut -d" " -f1) $PKGS $(sha1sum Packages.gz | cut -d" " -f1) $PKGS_GZ SHA256: $(sha256sum Packages | cut -d" " -f1) $PKGS $(sha256sum Packages.gz | cut -d" " -f1) $PKGS_GZ EOF gpg --yes -u $gpgKey --sign -bao Release.gpg Release EOFSH chmod 755 ${updatescript}
Don’t forget to install the dpkg-scanpackages util:
apt-get install dpkg-dev
Repo creation/update
Required steps for creation/update:
-
add your deb-packages to /var/www/html/repo/deb-packages
-
run the creation script /usr/bin/update-repo.sh
Script output example (for a single package):
/usr/bin/update-repo.sh dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
Clients setup
First, add your repo to the apt source lists:
wget -O - http://192.168.56.48/repo/boozlachuRepo.gpg | sudo apt-key add - echo 'deb http://192.168.56.48/repo/ ./ ' > /etc/apt/sources.list.d/boozlachuRepo.list apt-get update
You can now use this repo on clients:
root@alexey-VirtualBox:~# apt-cache search testpackage testpackage - simple testpackage for demo
My test package is now available for installation.
ссылка на оригинал статьи https://habr.com/ru/articles/543854/
Добавить комментарий