[POSSIBLE SPAM] Re: Sane way to resolve potential conflicts in the system

markham_breitbach at ssimicro.com markham_breitbach at ssimicro.com
Mon Apr 25 17:36:05 UTC 2016


On 2016-04-25 9:52 AM, Odhiambo Washington wrote:
>
>
> On 25 April 2016 at 18:25, markham breitbach <markham at ssimicro.com
> <mailto:markham at ssimicro.com>> wrote:
>
>
>     I have taken to using the ports tree to `make package` on a
>     development host, and then store my customized packages in my own
>     private repo.  I add my private repo as part of my server
>     commissioning routine so it is checked first, then I only have to
>     build once and deploy many.
>
>     -Markham
>
>
>
> Sounds cool. Kindly share the procedure
>
First, let me say I do intend to look at poudriere, but I was very
familiar with pkgng at the time, so this was a quick and dirty shortcut
and seems to be working well enough for me so far, but care must be
taken to ensure that your private repo is kept current, or that all the
dependencies are copied into your private repo so you have a fixed point
of reference for an entire server build (`pkg info` is your friend!).
I have taken some security for granted as I know none of this traffic
crosses public internets and my servers do not have local users with
shell access. YMMV.  :)

I have created a jail to act as a pkg repo.  The jail runs thttpd as a
webserver for pkgng to connect to, and I use ssh (with keys only) to
upload my packages and manage the repo from my working devel host, which
is a different jail on another box.  There is really no reason you
couldn't build the ports in the same jail and just copy them to the repo
directory.


### Part 1 ###

For the new jailed host (your new pkg repo):

# pkg install thttpd
# pw user add -m -n pkg -g www -d /home/pkg
# chown pkg:www /usr/home/pkg/repo/

/etc/rc.conf

sshd_enable="yes"
syslogd_enable="yes"
thttpd_enable="yes"


/etc/ssh/sshd_config

ChallengeResponseAuthentication no


/home/pkg/.ssh/authorized_keys

ssh-rsa ### Public Key from my dev box ### "me at my.devbox"

# mkdir -p /home/pkg/repo/freebsd:10:x86:64/latest

Make a key pair for signing our repository. (You will need to install
the public key into your servers.)

# openssl genrsa -out /home/pkg/repo.key 2048
# chmod 0400 /home/pkg/repo.key
# openssl rsa -in /home/pkg/repo.key -out /home/pkg/repo/repo.pub -pubout

Finally, whenever anything is added to the repo, it needs to be indexed
and signed:

# pkg repo /home/pkg/repo/ /home/pkg/repo.key


### Part 2 ###

Now, for each one of your servers you will need to update pkg.conf so it
will check your private repo first. I use Ansible to manage my servers
with a playbook role that updates this for me for all servers, but once
this is set up there is no reason it needs to change.

/usr/local/etc/pkg.conf

repos_dir: [
  "/usr/local/etc/repos",
  "/etc/pkg",
]
syslog: true
autodeps: true

/usr/local/etc/repos/repo.pub

-----BEGIN PUBLIC KEY-----

This is the public key from the pair you generated on your private repo server.

-----END PUBLIC KEY-----

/usr/local/etc/repos/private_repo.conf

PrivateRepo: {
  url: "pkg+http://pkg.mydomain.com/${ABI}/latest",
  enabled:      true,
  signature_type: "PUBKEY",
  PUBKEY: "/usr/local/etc/repos/repo.pub",
  mirror_type: "srv"
}

### Part 3 ###

Now you can create packages from ports on your development host/jail
(make sure you are running the same build as the target):

# cd /usr/ports/www/thttpd
# make package

Set up your custom configuration options.  In a more complex build, you
may also need to set up custom options for a run-dependency.  You will
also need to make package and copy the customized package for the
run-dependency to your repo as well.  You do not need to do that for
build dependencies though.  After the build is complete you can copy the
pkg file to your private repo:

# scp /usr/ports/www/thttpd/work/pkg/thttpd*.txz pkg at pkg.mydomain.com:repo/freebsd:10:x86:64/latest


Finally, you will need to reindex the package repo:

# ssh pkg at pkg.mydomain.com 'pkg repo /home/pkg/repo/ /home/pkg/repo.key'


### Part 4 ###

You can now install your new thttpd package from any of the hosts that
are configured to use your private repo as simply as:

# pkg install thttpd


### end ###
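As an added example that is not part of Markham's post: the script below exercises the trust relationship the procedure sets up (private key kept on the repo jail, only the public half copied to each server as repo.pub) using openssl alone. It works in a throwaway directory with a constructed catalogue file, not pkg's real packagesite layout, so it demonstrates what the PUBKEY check buys you (a tampered catalogue no longer verifies) rather than pkg's exact on-disk format.

```shell
#!/bin/sh
# Added example (not from the original post): signing-key trust demo with
# openssl only. All paths and the catalogue contents below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Mirror the post's key generation: the private key stays on the repo host
# with mode 0400, the public half is what gets installed on every server.
make_repo_keys() {
    openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
    chmod 0400 "$WORK/repo.key"
    openssl rsa -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null
}

# Stand-in for the signing step of `pkg repo`: sign the catalogue's SHA-256
# digest with the private key.
sign_catalogue() {
    openssl dgst -sha256 -sign "$WORK/repo.key" \
        -out "$WORK/packagesite.sig" "$WORK/packagesite.txt"
}

# Stand-in for the client-side PUBKEY check: only the public key is needed.
# Prints "ok" or "bad" instead of exiting so callers can branch on it.
verify_catalogue() {
    if openssl dgst -sha256 -verify "$WORK/repo.pub" \
        -signature "$WORK/packagesite.sig" "$WORK/packagesite.txt" >/dev/null 2>&1
    then
        echo ok
    else
        echo bad
    fi
}

# Constructed catalogue: package names a client would act on.
make_repo_keys
printf 'pkg-a-1.0\npkg-b-2.1\n' > "$WORK/packagesite.txt"
sign_catalogue
RESULT_CLEAN="$(verify_catalogue)"        # ok: signed content is untouched

# Append an entry after signing (a stray copy or an altered mirror); the
# signature no longer covers the file, so the client must refuse it.
printf 'unexpected-pkg-1.0\n' >> "$WORK/packagesite.txt"
RESULT_TAMPERED="$(verify_catalogue)"     # bad: catalogue differs from what was signed
```

Re-running `pkg repo` after every upload, as the post does in Part 3, is exactly the re-signing step that turns RESULT_TAMPERED back into ok for a legitimate change.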
