From: markham_breitbach@ssimicro.com
To: Odhiambo Washington
Cc: FreeBSD Questions
Subject: Re: [POSSIBLE SPAM] Re: Sane way to resolve potential conflicts in the system
Date: Mon, 25 Apr 2016 11:36:01 -0600
Message-ID: <1528d673-c587-cf66-d790-5310058ce9d3@ssimicro.com>
References: <20160423162910.7cd2ede2@curlew.lan> <9ed38de6-0089-9645-9798-7cdf767d3047@hiwaay.net> <785fd558-5604-1597-75c3-2ad39825ff11@ssimicro.com>

On 2016-04-25 9:52 AM, Odhiambo Washington wrote:
> On 25 April 2016 at 18:25, markham breitbach wrote:
>
>> I have taken to using the ports tree to `make package` on a development
>> host, and then store my customized packages in my own private repo. I
>> add my private repo as part of my server commissioning routine so it is
>> checked first, then I only have to build once and deploy many.
>>
>> -Markham
>
> Sounds cool. Kindly share the procedure

First, let me say I do intend to look at poudriere, but I was very
familiar with pkgng at the time, so this was a quick and dirty shortcut
and seems to be working well enough for me so far, but care must be
taken to ensure that your private repo is kept current, or that all the
dependencies are copied into your private repo so you have a fixed point
of reference for an entire server build (`pkg info` is your friend!).

I have taken some security for granted as I know none of this traffic
crosses public internets and my servers do not have local users with
shell access. YMMV. :)

I have created a jail to act as a pkg repo. The jail runs thttpd as a
webserver for pkgng to connect to, and I use ssh (with keys only) to
upload my packages and manage the repo from my working devel host, which
is a different jail on another box. There is really no reason you
couldn't build the ports in the same jail and just copy them to the repo
directory.

### Part 1 ###

For the new jailed host (your new pkg repo):

    # pkg install thttpd
    # pw user add -m -n pkg -g www -d /home/pkg
    # mkdir -p /home/pkg/repo/freebsd:10:x86:64
    # chown pkg:www /usr/home/pkg/repo/

/etc/rc.conf

    sshd_enable="yes"
    syslogd_enable="yes"
    thttpd_enable="yes"

/etc/ssh/sshd_config

    ChallengeResponseAuthentication no

/home/pkg/.ssh/authorized_keys

    ssh-rsa ### Public Key from my dev box ### "me@my.devbox"

Make a key pair for signing our repository.
(You will need to install the public key into your servers.)

    # openssl genrsa -out /home/pkg/repo.key 2048
    # chmod 0400 /home/pkg/repo.key
    # openssl rsa -in /home/pkg/repo.key -out /home/pkg/repo/repo.pub -pubout

Finally, whenever anything is added to the repo, it needs to be indexed
and signed:

    # pkg repo /home/pkg/repo/ /home/pkg/repo.key

### Part 2 ###

Now, for each one of your servers you will need to update pkg.conf so it
will check your private repo first. I use Ansible to manage my servers
with a playbook role that updates this for me for all servers, but once
this is set up there is no reason it needs to change.

/usr/local/etc/pkg.conf

    repos_dir: [ "/usr/local/etc/repos", "/etc/pkg", ]
    syslog: true
    autodeps: true

/usr/local/etc/repos/repo.pub

    -----BEGIN PUBLIC KEY-----
    This is the public key from the pair you generated on your private repo server.
    -----END PUBLIC KEY-----

/usr/local/etc/repos/private_repo.conf

    PrivateRepo: {
        url: "pkg+http://pkg.mydomain.com/${ABI}/latest",
        enabled: true,
        signature_type: "PUBKEY",
        PUBKEY: "/usr/local/etc/repos/repo.pub",
        mirror_type: "srv"
    }

### Part 3 ###

Now you can create packages from ports on your development host/jail
(make sure you are running the same build as the target):

    # cd /usr/ports/www/thttpd
    # make package

Set up your custom configuration options. In a more complex build, you
may also need to set up custom options for a run-dependency. You will
also need to make package and copy the customized package for the
run-dependency to your repo as well. You do not need to do that for
build dependencies though.

After the build is complete you can copy the pkg file to your private
repo:

    # scp /usr/ports/www/thttpd/work/pkg/thttpd*.txz pkg@pkg.mydomain.com:repo/freebsd:10:x86:64/latest

Finally, you will need to reindex the package repo:

    # ssh pkg@pkg.mydomain.com 'pkg repo /home/pkg/repo/ /home/pkg/repo.key'

### Part 4 ###

You can now install your new thttpd package from any of the hosts that
are configured to use your private repo as simply as:

    # pkg install thttpd

### end ###
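The whole procedure above rests on one trust mechanism: `pkg repo <dir> <key>` signs the repository catalogue with the RSA private key, and every client that sets `signature_type: "PUBKEY"` checks that signature against its copy of `repo.pub` before it believes what the repo says is installable. The script below is an added example (not part of Markham's mail) that reproduces that check with plain `openssl` on a constructed catalogue, so you can watch a valid signature pass and a catalogue altered after signing fail, and then runs a small client-side sanity check over a repo `.conf` in the same shape as `private_repo.conf`, rejecting an enabled repo that is not pinned to a PUBKEY signature or whose key file is missing. It assumes `openssl` is on the PATH; all paths under `$WORK` are throwaway.

```shell
#!/bin/sh
# Added example, not from the original mail. Mirrors the signing model the
# procedure depends on: sign a catalogue digest with the RSA key that
# `openssl genrsa` produced, verify it with the matching repo.pub, and show
# that a catalogue modified after signing no longer verifies. Everything is
# written to a temporary directory that is removed on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same key generation as the mail, on throwaway paths (2048-bit RSA, mode 0400).
make_repo_keys() {
    openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
    chmod 0400 "$WORK/repo.key"
    openssl rsa -in "$WORK/repo.key" -out "$WORK/repo.pub" -pubout 2>/dev/null
}

# Sign a catalogue file: SHA-256 digest, RSA signature written beside it.
sign_catalogue() {      # $1 = catalogue path
    openssl dgst -sha256 -sign "$WORK/repo.key" -out "$1.sig" "$1"
}

# Verify a catalogue against the public key; prints "ok" or "BAD" and
# returns 0/1 so a caller can act on the result.
verify_catalogue() {    # $1 = catalogue path, $2 = public key path
    if openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo BAD; return 1
    fi
}

# Client-side sanity check on a repo .conf: an enabled repo must carry
# signature_type "PUBKEY" and point at a readable key file.
check_repo_conf() {     # $1 = repo conf path
    conf=$1
    grep -Eq '^[[:space:]]*enabled:[[:space:]]*true' "$conf" || { echo disabled; return 0; }
    grep -Eq 'signature_type:[[:space:]]*"PUBKEY"' "$conf" || { echo unsigned; return 1; }
    key=$(sed -n 's/.*PUBKEY:[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    [ -n "$key" ] && [ -r "$key" ] || { echo missing-key; return 1; }
    echo ok
}

make_repo_keys

# Constructed stand-in for the catalogue; its contents do not matter to the check.
printf 'constructed catalogue entry: thttpd (demo)\n' > "$WORK/packagesite"
sign_catalogue "$WORK/packagesite"
verify_catalogue "$WORK/packagesite" "$WORK/repo.pub"             # ok

# Alter the catalogue after signing: the same signature must now be rejected.
cp "$WORK/packagesite" "$WORK/tampered"
cp "$WORK/packagesite.sig" "$WORK/tampered.sig"
printf 'entry appended after signing\n' >> "$WORK/tampered"
verify_catalogue "$WORK/tampered" "$WORK/repo.pub" || true        # BAD

# Repo definition in the shape of private_repo.conf, pinned to the demo key
# (hostname is a constructed placeholder).
cat > "$WORK/private_repo.conf" <<EOF
PrivateRepo: {
    url: "pkg+http://pkg.example.invalid/\${ABI}/latest",
    enabled: true,
    signature_type: "PUBKEY",
    PUBKEY: "$WORK/repo.pub",
    mirror_type: "srv"
}
EOF
check_repo_conf "$WORK/private_repo.conf"                          # ok

# The same definition with the signature settings dropped is the weak form:
# pkg would accept whatever the web server hands it, so the check rejects it.
sed '/signature_type/d; /PUBKEY:/d' "$WORK/private_repo.conf" > "$WORK/weak_repo.conf"
check_repo_conf "$WORK/weak_repo.conf" || true                     # unsigned
```

The `check_repo_conf` function is deliberately narrow: it only answers whether a repo that the host will consult is pinned to a public key it can read, which is the one property that makes the `repos_dir` ordering in Part 2 safe to rely on when the repo is served over plain HTTP.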