reprepro can be used to create and manage simple package repositories of your own. The tool is available in the Ubuntu repositories and can be used to provide your own packages or to mirror existing repositories. This article introduces reprepro and shows how to set up a simple repository on Ubuntu Server. Where complete repositories need to be mirrored for use in a local network, there are alternatives such as apt-mirror.

Installation

reprepro can be installed from the repositories under Ubuntu: http://packages.ubuntu.com/precise/reprepro

: ~ $ apt-cache search reprepro
reprepro - Debian package repository producer
: ~ $ sudo apt-get install reprepro

After the installation, useful information for setting up a repository can be found in the documentation directory:

: ~ $ ls /usr/share/doc/reprepro/
changelog.Debian.gz copyright examples FAQ.gz manual.html NEWS.gz README README.Debian recovery short-howto.gz TODO

Configuration

In the following example, a separate user has been created to provide the packages in its home directory.

: ~ $ pwd
/home/repository

A separate directory is created for the packages, along with a directory for the configuration of the repository:

: ~ $ mkdir packages
: ~ $ mkdir packages/conf

The first configuration step is to create the file distributions, which determines which distribution, architecture, etc. the repository will use. Other examples of the distributions file can also be found at (wiki.debian.org) and (debian-administration.org):

: ~/packages $ vi conf/distributions
Origin: TKmon
Label: tkmon
Codename: precise
Suite: stable
Architectures: i386 amd64 source
Components: main

“Origin” and “Label” are descriptive fields that are included in the Release file. “Codename” is a mandatory field and indicates the unique identifier of the distribution (e.g. precise, quantal for Ubuntu, wheezy for Debian):

Codename: This required field is the unique identifier of a distribution and is used as a directory name within dists/.

The parameter “Suite” indicates the common parameters like “stable”, “unstable” or “testing”:

Suite: This optional field is simply copied into the release file. In Debian it contains names like stable, testing or unstable. To create symlinks from the suite to the codename, use the createsymlinks command of reprepro.

“Architectures” and “Components” indicate the target architecture of the system (32-bit, 64-bit, “source” for source code) as well as the components of the distribution (main, contrib, etc.):

Architectures: This required field lists the binary architectures in this distribution and if it contains source

To avoid having to specify the path of the package folder for each of the following commands, the following environment variable can be defined (see also setting environment variables permanently under Ubuntu):

: ~ $ cat .pam_environment
REPREPRO_BASE_DIR DEFAULT=/home/repository/packages

Include packages

When using the “Suite” option in the “distributions” file, symbolic links are created from “stable” to “precise” in the first step:

: ~ $ reprepro -b /home/repository/packages createsymlinks
: ~ $ tree packages/
packages/
├── conf
│   ├── distributions
│   └── updates
├── db
│   ├── checksums.db
│   ├── contents.cache.db
│   ├── packages.db
│   ├── references.db
│   └── version
└── dists
    └── stable -> precise

3 directories, 8 files

If, as described above, the environment variable REPREPRO_BASE_DIR is set, the option “-b” can be omitted. Now a first package is added to the repository:

: ~ $ ls tkmon*
tkmon_0.0.1-1_all.deb tkmon_0.0.1-1_amd64.changes tkmon_0.0.1-1.debian.tar.gz tkmon_0.0.1-1.dsc tkmon_0.0.1.orig.tar.gz
: ~ $ reprepro -V include precise tkmon_0.0.1-1_amd64.changes
Created directory "/home/repository/packages/pool"
Created directory "/home/repository/packages/pool/main"
Created directory "/home/repository/packages/pool/main/t"
Created directory "/home/repository/packages/pool/main/t/tkmon"
Exporting indices ...
Created directory "/home/repository/packages/dists/precise"
Created directory "/home/repository/packages/dists/precise/main"
Created directory "/home/repository/packages/dists/precise/main/binary-i386"
Created directory "/home/repository/packages/dists/precise/main/binary-amd64"
Created directory "/home/repository/packages/dists/precise/main/source"

As a check, the contents of the repository are listed:

: ~ $ reprepro list precise
precise|main|i386: tkmon 0.0.1-1
precise|main|amd64: tkmon 0.0.1-1
precise|main|source: tkmon 0.0.1-1

The tree overview shows where the packages are in the directory structure:

: ~ $ tree packages/
packages/
├── conf
│   ├── distributions
│   └── updates
├── db
│   ├── checksums.db
│   ├── contents.cache.db
│   ├── packages.db
│   ├── references.db
│   ├── release.caches.db
│   └── version
├── dists
│   ├── precise
│   │   ├── main
│   │   │   ├── binary-amd64
│   │   │   │   ├── [...]
│   │   │   │   ├── [...]
│   │   │   │   └── Release
│   │   │   ├── binary-i386
│   │   │   │   ├── [...]
│   │   │   │   ├── [...]
│   │   │   │   └── Release
│   │   │   └── source
│   │   │       ├── Release
│   │   │       └── [...]
│   │   └── Release
│   └── stable -> precise
└── pool
    └── main
        └── t
            └── tkmon
                ├── tkmon_0.0.1-1_all.deb
                ├── tkmon_0.0.1-1.debian.tar.gz
                ├── tkmon_0.0.1-1.dsc
                └── tkmon_0.0.1.orig.tar.gz

Remove packages

To remove packages, the remove command is called. The following example also limits the removal to a specific architecture:

: ~ $ reprepro -A amd64 remove precise tkmon
Exporting indices ...
: ~ $ reprepro list precise
precise|main|i386: tkmon 0.0.1-1
precise|main|source: tkmon 0.0.1-1

Deployment of the repository via Apache

There are several ways to distribute the repository via a web server. For all variants, the internal configuration directories “/conf” and “/db” should be protected against unauthorized access. The following setup uses “mod_userdir” to publish from the home directory of the user “repository”. In the first step, we enable the “userdir” module:

: ~ $ sudo a2enmod userdir

For security reasons and because no other users should use “userdir”, the userdir configuration file is modified as follows:

: ~ $ sudo vi /etc/apache2/mods-enabled/userdir.conf
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled
        UserDir enabled repository
[...]

Then we create the public_html folder in the home directory of the user repository:

: ~ $ mkdir public_html

A symbolic link provides the packages in public_html:

: ~/public_html $ ln -s ../packages packages

A change in the file permissions prevents access to the configuration folders:

: ~/public_html/packages $ chmod 750 conf/
: ~/public_html/packages $ chmod 750 db/
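
A check for the permission change above, as an added example that is not part of the original article: it flags conf/ or db/ when they carry any permission bits for “other”, or when the web server account belongs to the directory's owning group, which chmod 750 still lets in. The function name, the default account www-data and the demo tree are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. The function name and the
# default web server account "www-data" are assumptions.

# audit_repo_perms BASE [WEB_USER]: print one finding per line; status 0 if
# conf/ and db/ are closed to the web server, 1 otherwise.
audit_repo_perms() {
    base=$1
    web_user=${2:-www-data}
    rc=0
    for d in conf db; do
        path="$base/$d"
        if [ ! -d "$path" ]; then
            echo "MISSING $d"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")       # GNU stat, e.g. 750
        owner_grp=$(stat -c '%G' "$path")
        other=${mode#"${mode%?}"}          # last octal digit: "other" bits
        rest=${mode%?}
        group=${rest#"${rest%?}"}          # second-to-last digit: group bits
        if [ "$other" != 0 ]; then
            echo "WORLD $d mode=$mode"
            rc=1
        fi
        # chmod 750 still gives the owning group r-x: flag the directory if
        # the web server account is a member of that group.
        if [ "${group:-0}" != 0 ] &&
           id -nG "$web_user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$owner_grp"
        then
            echo "GROUP $d group=$owner_grp user=$web_user"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo tree: conf/ left at 755, db/ already at 750.
demo=$(mktemp -d)
mkdir "$demo/conf" "$demo/db"
chmod 755 "$demo/conf"
chmod 750 "$demo/db"
audit_repo_perms "$demo" no-such-web-user || echo "fix permissions"
rm -rf "$demo"
```

On the repository server it would be called as audit_repo_perms /home/repository/packages; a request for /~repository/packages/conf/distributions from a client should additionally be refused by the web server.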

Create a “.list” file

The “.list” file makes it easy for users to add the repository:

: ~/public_html $ vi tkmon.list
deb http://192.168.56.102/~repository/packages precise main

The IP address must be replaced with the correct hostname or address of your server!

Add the repository on the user's client

A user can add and use the repo as follows:

: ~ $ wget http://192.168.56.102/~repository/tkmon.list
: ~ $ sudo mv tkmon.list /etc/apt/sources.list.d/
: ~ $ sudo apt-get update
: ~ $ apt-cache search tkmon
tkmon - web based configuration for tk-monitoring appliance

The user thus has the packages available at the client.

Switch the repository Hash algorithm to SHA-2

This section shows how to provide your repository with a secure SHA512 hash algorithm.

Behavior of apt update when using SHA1

On Ubuntu 16.04, warnings are displayed when calling apt update when using a repository with an outdated and weak SHA1 hash method.

$ sudo apt update
[...]

Update repository

This issue can be resolved quickly, as described below.

  • Log in to your repository server.
  • Switch to the appropriate user. In this example, the user repo manages the repository.
  • Open the gpg.conf file of the repository with an editor, e.g. vim.
    • sudo vi .gnupg/gpg.conf
  • In this file, add the following entries:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512
personal-digest-preferences SHA512 SHA384 SHA256
  • Save the file and close the editor.

Rebuild InRelease file of the repos

For existing repositories, the InRelease file is then updated. This is done by re-exporting the corresponding repositories.

  • Export the repository, here using an Ubuntu 14.04 (trusty) repository as the example.
    • reprepro export trusty
    • Specify the GPG key of the repo user for signing.
  • Check the InRelease file:
    • The following output should now appear in the first line of this file:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[...]
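
The InRelease check above can be scripted. This added example (not from the original article) reads the “Hash:” header of a clearsigned InRelease file and reports whether it names a weak digest; the function names, the weak list (MD5, SHA1) and the constructed sample files are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Function names, the
# weak-digest policy (MD5, SHA1) and the sample files are assumptions.

# inrelease_digests FILE: print the digest(s) named in the "Hash:" armor
# header, one per line. Status 2: not a clearsigned file, 1: no Hash header.
inrelease_digests() {
    cr=$(printf '\r')
    n=0
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate CRLF line endings
        n=$((n + 1))
        if [ "$n" -eq 1 ]; then
            [ "$line" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || return 2
            continue
        fi
        case $line in
            Hash:*) printf '%s\n' "${line#Hash:}" | tr -d ' \t' | tr ',' '\n'
                    found=0 ;;
            "")     break ;;        # blank line ends the armor headers
        esac
    done < "$1"
    [ "$n" -gt 0 ] || return 2
    return "$found"
}

# check_inrelease FILE: "OK <digests>" (status 0), "WEAK <digest>" (1),
# or "UNKNOWN" (2) when no digest could be read.
check_inrelease() {
    digests=$(inrelease_digests "$1") || { echo "UNKNOWN"; return 2; }
    for d in $digests; do
        case $d in
            MD5|SHA1) echo "WEAK $d"; return 1 ;;
        esac
    done
    echo "OK $(echo $digests)"
}

# Constructed samples: only the armor header and one Release field.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
    'Origin: TKmon' > "$tmp/InRelease.old"
printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' '' \
    'Origin: TKmon' > "$tmp/InRelease.new"
check_inrelease "$tmp/InRelease.old" || true   # prints: WEAK SHA1
check_inrelease "$tmp/InRelease.new"           # prints: OK SHA512
rm -rf "$tmp"
```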

apt update after updating to SHA512

The warning is no longer displayed; you can check this by calling apt update again.
