Monday, October 25, 2010

Signing RPM Packages and Creating Your Own Repository

So much for "break" week. With so much to do, I'll be spending most of it just doing work.
Anyway, aside from that, let's look at another lab which consists of two phases:
- signing RPM packages, and then
- creating our own yum repository from where we will serve our signed packages.


First Phase - Signing Packages
The first phase involved signing rpm packages and I had chosen to sign two rpms that I created using spec files: nled and snort.
This was an easy task which is accomplished by:
- generating a GPG key (using gpg --gen-key),
- editing the .rpmmacros file and adding my email address (adding %_gpg_name "asingh114@learn.senecac.on.ca"), and finally,
- signing the desired rpm packages using rpm --addsign packagefilename

Instructions can be found on our SBR600 Weekly Schedule wiki under "Week 5 (October 4) - Repositories/Distributing".



Second Phase - Creating a Yum Repository
Again, instructions can be found on our SBR600 Weekly Schedule wiki.

Since I am running my host system (Fedora 12) in a virtual machine, I decided to create a local or internal yum repository and test it using another fedora virtual machine that I already had installed. The test virtual machine is running Fedora 13 64-bit edition. Furthermore, I will be using HTTP as the protocol to serve my repository directories and of course, Apache Web Server was already installed and running on the system.

The repository directories were created in the public HTTP directory, and will be served out of /var/www/html/fedora/12/. However, in order to organize content I created two additional directories:
- i386, for 32 bit Fedora editions, and
- x86_64 for 64 bit.

The following command was used:
mkdir -p /var/www/html/fedora/{i386,x86_64}

Then, I copied my signed repositories from Phase 1 over to their respective directory (either i386 or x86_64). Next is creating the repository metadata for both of the directories, which can be accomplished through the command:

createrepo /var/www/html/fedora/i386
and then do the same for x86_64 directory.

Or through a script such as this:


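#!/bin/bash
# Regenerate the yum metadata for each architecture directory.
destdir="/var/www/html/repo/fedora"

for repo in i386 x86_64
do
    # Skip this architecture if its directory does not exist.
    pushd "${destdir}/${repo}" || continue
    createrepo .
    popd
done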

Modified from http://blogs.techrepublic.com.com/opensource/?p=609

Either way, this will create a repodata directory containing the repository metadata in both of those directories.



Testing the Repository
We will be using a GPG key for our repository, so I also had to create a GPG key file. This is simply done by using the command:
gpg --export --armour asingh114@learn.senecac.on.ca > RPM-GPG-KEY-asingh114
This created the gpg key output which is saved into the RPM-GPG-KEY-asingh114 file. This file is placed into the /etc/pki/rpm-gpg/ directory and will be used by the repository.

As mentioned before, this repository will be tested by serving to internal clients. Therefore, I created a new repository file in the /etc/yum.repos.d directory called asingh114.repo, which contained the following:

[asingh114-repo]
name=Asingh114 Repository
failovermethod=priority
baseurl=http://localhost/repo/fedora/$basearch
enabled=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-asingh114

Notes:
- The gpgkey is pointing to the file I generated earlier.
- Notice that the baseurl points to my localhost. The built-in yum variable $basearch expands to the host's architecture (i386, x86_64, etc.), so ending the baseurl with $basearch lets yum find the proper repository directory for the host's architecture.
- Additionally, I could have used another yum variable, $releasever, which is the release version of the system (e.g. Fedora 12, 13 etc) to further organize content, but this is just a simple repository test and I figured it is not needed.
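
A repo definition like the one above can be checked for settings that weaken signature verification before it is shipped to clients. The script below is an added example, not part of the original post: the function name audit_repo_file and the sample file are constructed for illustration, and repo_gpgcheck is a yum option that the post does not use.

```shell
#!/bin/bash
# Added example, not from the original post: audit a yum .repo file.
# Prints "LEVEL repo-id: finding" lines; returns non-zero if any FAIL was found.
audit_repo_file() {
    awk '
        function flag(level, msg) { print level " " id ": " msg; if (level == "FAIL") bad = 1 }
        function finish() {
            if (id == "" || id == "main") return
            if (opt["gpgcheck"] == "0")
                flag("FAIL", "gpgcheck=0, package signatures are not verified")
            else if (opt["gpgcheck"] == "")
                flag("WARN", "gpgcheck not set here, value is inherited from [main] in yum.conf")
            if (opt["gpgkey"] == "")
                flag("WARN", "no gpgkey listed, the signing key must be imported by hand")
            else if (opt["gpgkey"] ~ /^(http|ftp):/)
                flag("FAIL", "gpgkey is fetched over an unauthenticated URL")
            if (opt["baseurl"] ~ /^(http|ftp):/ && opt["repo_gpgcheck"] != "1")
                flag("WARN", "unencrypted baseurl with repo_gpgcheck off, metadata is unauthenticated")
        }
        /^[ \t]*([#;]|$)/ { next }                      # skip comments and blank lines
        /^[ \t]*\[/ {                                   # a new [section] starts
            finish(); split("", opt)                    # report the previous one, reset options
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id); next
        }
        index($0, "=") {                                # key=value line inside a section
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            opt[key] = val
        }
        END { finish(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: a definition modelled on the one in this post, plus a weak one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[asingh114-repo]
baseurl=http://localhost/repo/fedora/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-asingh114

[weak-example]
baseurl=http://repo.example.invalid/fedora/$basearch
gpgcheck=0
EOF
audit_repo_file "$sample" || echo "FAIL findings present in $sample"
rm -f "$sample"
```

With gpgcheck=1 and a local key file, the definition from this post only draws the WARN about unsigned metadata over HTTP; the constructed weak-example section draws a FAIL.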

When I tested this on my host machine, it worked fine.


Moreover, these two files were packaged into the RPM below that was created using a SPEC file:
http://asdesigned.ca/asingh114-repo-1-1.fc12.i686.rpm

I wanted to try this on the test virtual machine (Fedora 13 64 bit), so I temporarily moved all other repository files out of the test machine's /etc/yum.repos.d directory and installed the rpm I created. This placed my repository file and my GPG key file into the proper locations.
Then I ran yum to test it and was prompted to import the keys, after which it was able to pull from my own repository. Cool stuff!

By the way, we can also use rpm --import RPM-GPG-KEY-asingh114 to import the GPG key file manually.

To summarize, the setup was as follows:
Host machine: Fedora 12 (32 bit)
- Repository Serving Protocol: HTTP, Web Server
- Repository Directories: /var/www/html/fedora/i386 and /var/www/html/fedora/x86_64

Test Virtual machine: Fedora 13 64 bit
- Moved all other repository files out of the /etc/yum.repos.d directory temporarily
- Repository configuration file installed: /etc/yum.repos.d/asingh114.repo via my RPM package
- GPG Key file installed: /etc/pki/rpm-gpg/RPM-GPG-KEY-asingh114 via my RPM package
- Ran yum
