reprepro can be used to create and manage simple package repositories of your own. The tool is available in the Ubuntu repositories and can be used to provide your own packages or to mirror existing repositories. This article introduces reprepro and shows how to set up a simple repository on Ubuntu Server. For situations where complete repositories are to be mirrored for deployment in a local network, there are alternatives such as apt-mirror.
reprepro can be installed from the Ubuntu repositories: http://packages.ubuntu.com/precise/reprepro
:~$ apt-cache search reprepro
reprepro - Debian package repository producer
:~$ sudo apt-get install reprepro
After the installation, useful information for setting up a repository can be found under:
:~$ ls /usr/share/doc/reprepro/
changelog.Debian.gz  copyright  examples  FAQ.gz  manual.html  NEWS.gz  README  README.Debian  recovery  short-howto.gz  TODO
In the following example, a separate user has been created to provide the packages in its home directory.
:~$ pwd
/home/repository
A separate directory for the packages and a directory for the repository configuration are created:
:~$ mkdir packages
:~$ mkdir packages/conf
The first configuration step is to create the file distributions, which determines which distribution, architecture, etc. the repository will use. Other examples of the file distributions can also be found at (wiki.debian.org) and (debian-administration.org):
:~/packages$ vi conf/distributions
Origin: TKmon
Label: tkmon
Codename: precise
Suite: stable
Architectures: i386 amd64 source
Components: main
“Origin” and “Label” are descriptive fields that are included in the release file. “Codename” is a mandatory field and indicates the unique identifier of the distribution (e.g. precise, quantal for Ubuntu, wheezy for Debian):
Codename: This required field is the unique identifier of a distribution and is used as a directory name within dists/.
The “Suite” parameter holds the usual names such as “stable”, “unstable” or “testing”:
Suite: This optional field is simply copied into the release file. In Debian it contains names like stable, testing or unstable. To create symlinks from the suite to the codename, use the createsymlinks command of reprepro.
“Architectures” and “Components” indicate the target architecture of the system (32-bit, 64-bit, “source” for source code) as well as the components of the distribution (main, contrib, etc.):
Architectures: This required field lists the binary architectures in this distribution and if it contains source
To avoid having to specify the path of the package folder for each of the following commands, the following environment variable can be defined (see also setting environment variables permanently under Ubuntu):
:~$ cat .pam_environment
REPREPRO_BASE_DIR DEFAULT=/home/repository/packages
When using the “Suite” option in the “distributions” file, symbolic links are created from “stable” to “precise” in the first step:
:~$ reprepro -b /home/repository/packages createsymlinks
:~$ tree packages/
packages/
├── conf
│   ├── distributions
│   └── updates
├── db
│   ├── checksums.db
│   ├── contents.cache.db
│   ├── packages.db
│   ├── references.db
│   └── version
└── dists
    └── stable -> precise

3 directories, 8 files
If, as described above, the environment variable REPREPRO_BASE_DIR is set, the option “-b” can be omitted. Now a first package is added to the repository:
:~$ ls tkmon*
tkmon_0.0.1-1_all.deb  tkmon_0.0.1-1_amd64.changes  tkmon_0.0.1-1.debian.tar.gz  tkmon_0.0.1-1.dsc  tkmon_0.0.1.orig.tar.gz
:~$ reprepro -V include precise tkmon_0.0.1-1_amd64.changes
Created directory "/home/repository/packages/pool"
Created directory "/home/repository/packages/pool/main"
Created directory "/home/repository/packages/pool/main/t"
Created directory "/home/repository/packages/pool/main/t/tkmon"
Exporting indices...
Created directory "/home/repository/packages/dists/precise"
Created directory "/home/repository/packages/dists/precise/main"
Created directory "/home/repository/packages/dists/precise/main/binary-i386"
Created directory "/home/repository/packages/dists/precise/main/binary-amd64"
Created directory "/home/repository/packages/dists/precise/main/source"
As a check, the contents of the repository are listed:
:~$ reprepro list precise
precise|main|i386: tkmon 0.0.1-1
precise|main|amd64: tkmon 0.0.1-1
precise|main|source: tkmon 0.0.1-1
The tree overview shows where the packages are in the directory structure:
:~$ tree packages/
packages/
├── conf
│   ├── distributions
│   └── updates
├── db
│   ├── checksums.db
│   ├── contents.cache.db
│   ├── packages.db
│   ├── references.db
│   ├── release.caches.db
│   └── version
├── dists
│   ├── precise
│   │   ├── main
│   │   │   ├── binary-amd64
│   │   │   │   ├── [...]
│   │   │   │   ├── [...]
│   │   │   │   └── Release
│   │   │   ├── binary-i386
│   │   │   │   ├── [...]
│   │   │   │   ├── [...]
│   │   │   │   └── Release
│   │   │   └── source
│   │   │       ├── Release
│   │   │       └── [...]
│   │   └── Release
│   └── stable -> precise
└── pool
    └── main
        └── t
            └── tkmon
                ├── tkmon_0.0.1-1_all.deb
                ├── tkmon_0.0.1-1.debian.tar.gz
                ├── tkmon_0.0.1-1.dsc
                └── tkmon_0.0.1.orig.tar.gz
To remove packages, the remove command is called. The following example also limits the removal to a specific architecture:
:~$ reprepro -A amd64 remove precise tkmon
Exporting indices...
:~$ reprepro list precise
precise|main|i386: tkmon 0.0.1-1
precise|main|source: tkmon 0.0.1-1
Deploying the repository via Apache
There are several ways to distribute the repository via a web server. In all variants, the internal directories “conf/” and “db/” should be protected against unauthorized access. The following setup uses “mod_userdir” to publish from the home directory of the user “repository”. In the first step we enable the “userdir” module:
:~$ sudo a2enmod userdir
For security reasons and because no other users should use “userdir”, the userdir configuration file is modified as follows:
:~$ sudo vi /etc/apache2/mods-enabled/userdir.conf
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled
        UserDir enabled repository
[...]
Then we create the directory public_html in the home directory of repository:
:~$ mkdir public_html
A symbolic link makes the packages available in public_html:
:~/public_html$ ln -s ../packages packages
A change in the file permissions prevents access to the configuration folders:
:~/public_html/packages$ chmod 750 conf/
:~/public_html/packages$ chmod 750 db/
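One way to check the result of this step before publishing, as an added example that is not part of the original article: the shell functions below flag conf/ or db/ when other users or the web server account can still enter them, and flag dists/ or pool/ when the web server cannot. GNU stat and the account name www-data are assumptions.

```sh
# Added example, not from the original article. Audits a reprepro base
# directory laid out like the tree above before it is served by Apache.
# Assumptions: GNU stat (as on Ubuntu); web server account is www-data.

# 0 if "other" has no permission bits on $1 (last octal digit is 0).
other_locked() {
    case "$(stat -c '%a' "$1")" in *0) return 0 ;; *) return 1 ;; esac
}

# 0 if user $2 exists and is the owner of $1 or a member of its group.
web_user_has_access() {
    id "$2" >/dev/null 2>&1 || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] && return 0
    grp=$(stat -c '%G' "$1")
    for g in $(id -Gn "$2"); do [ "$g" = "$grp" ] && return 0; done
    return 1
}

# Print one finding per line for base dir $1; return the number of findings.
audit_repo_perms() {
    base=$1; web_user=${2:-www-data}; findings=0
    for d in conf db; do                 # must NOT be reachable
        p="$base/$d"
        [ -d "$p" ] || continue
        if ! other_locked "$p"; then
            echo "EXPOSED $d: mode $(stat -c '%a' "$p") is open to other users"
            findings=$((findings + 1))
        elif web_user_has_access "$p" "$web_user"; then
            echo "EXPOSED $d: $web_user is owner or in group $(stat -c '%G' "$p")"
            findings=$((findings + 1))
        fi
    done
    for d in dists pool; do              # must be reachable
        p="$base/$d"
        [ -d "$p" ] || continue
        if other_locked "$p" && ! web_user_has_access "$p" "$web_user"; then
            echo "UNREADABLE $d: $web_user cannot serve it"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# Usage: audit_repo_perms /home/repository/packages
```

A non-zero exit status is the number of findings; mode 750 only helps as long as the web server account is not in the directory's group.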
Create a “.list” file
The “.list” file makes it easy for users to add the repository:
:~/public_html$ vi tkmon.list
deb http://192.168.56.102/~repository/packages precise main
The IP address must be adjusted to match the correct hostname!
Add the repository on the client
A user can add and use the repository as follows:
:~$ wget http://192.168.56.102/~repository/tkmon.list
:~$ sudo mv tkmon.list /etc/apt/sources.list.d/
:~$ sudo apt-get update
:~$ apt-cache search tkmon
tkmon - web based configuration for tk-monitoring appliance
The user thus has the packages available on the client.
Switch the repository hash algorithm to SHA-2
This section shows how to switch your repository to the secure SHA512 hash algorithm.
Behavior of apt update when using SHA1
On Ubuntu 16.04, warnings are displayed when apt update is run against a repository that uses the outdated and weak SHA1 hash method.
$ sudo apt update
[...]
Update repository
This issue can be resolved quickly, as described below.
- Log in to your repository server.
- Switch to the appropriate user. In this example, the user repo manages the repository.
- Open the gpg.conf file of the repository with an editor, e.g. vim.
- sudo vi .gnupg/gpg.conf
- In this file, add the following entries:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512
personal-digest-preferences SHA512 SHA384 SHA256
- Save the file and close the editor.
Rebuild the InRelease file of the repository
For existing repositories, the InRelease file is then updated. This is done by re-exporting the corresponding repositories.
- Export of the repository, here with the example of an Ubuntu 14.04 (trusty) repos.
- reprepro export trusty
- Specify the GPG key of the repo user for signing.
- Check the InRelease file:
- The following output should now appear in the first line of this file:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[...]
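The same check for every distribution at once, as an added example that is not part of the original article: the functions below read the Hash: header of each InRelease file under the repository base directory and mark weak digests. The weak list (MD5, SHA1, RIPEMD160) and the helper names are this example's choices; make_sample builds constructed test data.

```sh
# Added example, not from the original article. Assumes InRelease files are
# OpenPGP clearsigned text as written by "reprepro export"; the weak-digest
# list (MD5, SHA1, RIPEMD160) is this example's choice.

# Print the digest names from the Hash: armor header of file $1, one per line.
inrelease_hashes() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { hdr = 1; next }
        hdr && /^[ \t\r]*$/ { exit }          # blank line ends the headers
        hdr && /^Hash:/ {
            sub(/^Hash:/, ""); gsub(/[ \t\r]/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) print a[i]
        }' "$1"
}

# Print "<codename> <digests> OK|WEAK" for each distribution below $1/dists;
# return the number of WEAK ones.
audit_inrelease() {
    weak=0
    for f in "$1"/dists/*/InRelease; do
        dir=${f%/InRelease}
        [ -f "$f" ] || continue
        [ -L "$dir" ] && continue             # suite symlink, e.g. stable -> precise
        hashes=$(inrelease_hashes "$f" | paste -sd, -)
        [ -n "$hashes" ] || hashes=MD5        # RFC 4880: no Hash header means MD5
        verdict=OK
        case ",$hashes," in
            *,MD5,*|*,SHA1,*|*,RIPEMD160,*) verdict=WEAK; weak=$((weak + 1)) ;;
        esac
        echo "${dir##*/} $hashes $verdict"
    done
    return "$weak"
}

# Constructed sample tree: trusty signed with SHA512, precise with SHA1.
make_sample() {
    mkdir -p "$1/dists/trusty" "$1/dists/precise"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' '' \
        'Codename: trusty' > "$1/dists/trusty/InRelease"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
        'Codename: precise' > "$1/dists/precise/InRelease"
    ln -s precise "$1/dists/stable"
}
```

Any distribution reported as WEAK still needs to be re-exported with reprepro export after the gpg.conf change.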
apt update after updating to SHA512
The warning is no longer displayed; you can check this by running apt update again.