A convenient way to bundle, deploy and update collections of deb packages across UW CS Ubuntu Linux Hosts.
See also:
Metapackage Administration
See https://git.uwaterloo.ca/a2brennan/package-sponsorship-database or read depot.cs.uwaterloo.ca:/home/depot/pkg_sponsorship_tools/README.md
Metapackage Server Setup
The metapackage server is a simple, local Debian package server called depot.cs.uwaterloo.ca, accessible via the web at http://depot.cs.uwaterloo.ca.
Apache Configuration
Depot.cs.uwaterloo.ca uses Apache to serve the web interface and to support the use of https:// as a transport mechanism for packages.
Step 0: Install apache
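# --yes answers the prompts; --force-yes would also let apt continue when packages cannot be authenticated
apt-get install --quiet --yes apache2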
Step 1: Configure apache to serve depot directory
echo "<VirtualHost *:80>
ServerAdmin a2brenna@csclub.uwaterloo.ca
ServerName depot.cs.uwaterloo.ca
ServerAlias depot.cs depot
DocumentRoot /depot/debian/www
ErrorLog /var/log/apache2/debian-error.log
CustomLog /var/log/apache2/debian-access.log combined
<Directory /depot/debian/www>
Allow from all
</Directory>
</VirtualHost>" > /etc/apache2/sites-enabled/debian
echo "<VirtualHost *:80>
ServerAdmin a2brenna@csclub.uwaterloo.ca
ServerName depot.cs.uwaterloo.ca
ServerAlias depot.cs depot
DocumentRoot /depot/debian/www
ErrorLog /var/log/apache2/debian-error.log
CustomLog /var/log/apache2/debian-access.log combined
<Directory /depot/debian/www>
Allow from all
</Directory>
</VirtualHost>" > /etc/apache2/sites-available/debian
/etc/init.d/apache2 restart
In the near future, these files will be symlinked together as they are identical and should remain so.
Reprepro Configuration
We use a utility called reprepro (http://mirrorer.alioth.debian.org/) to manage the repository and enable easy publishing of our various metapackages. Installation, configuration and use are relatively straightforward and are based on the instructions found at http://anonscm.debian.org/gitweb/?p=mirrorer/reprepro.git;a=blob_plain;hb=HEAD;f=docs/short-howto.
Step 0: Create local depot user
It is beneficial to create a local unprivileged user that will own permissions to your repository. It is possible to administrate it as root, but this is less safe, since anyone uploading and maintaining packages will then require root permissions.
adduser depot
To facilitate controlled, safe access to this account it is advisable to use ssh keys. At present, access to the depot account (and permission to manage the repository) is governed by the ssh keys in /home/depot/.ssh/authorized_keys2. Given the small number of administrators at CSCF this solution seems perfectly adequate.
Step 1: Install reprepro from your official Ubuntu mirror.
apt-get install --quiet --yes reprepro
Step 2: Choose a directory to house your repository.
mkdir -p /depot/debian
Technically this can be an arbitrary empty directory. Depot.cs.uwaterloo.ca:/depot/debian seemed reasonable since we may eventually support distributions that are not debian based, and this naming scheme allows us to encapsulate our entire software packaging solution in a single top level directory, /depot.
Step 3: Create a configuration directory within your repository.
mkdir -p /depot/debian/conf
Step 4: Create a configuration file to define the distributions you support.
echo "Origin: CSCF
Label: Ubuntu
Suite: precise
Codename: precise
Architectures: alpha amd64 i386 mips mipsel sparc powerpc source
Components: main contrib non-free
Log: precise.log" > /depot/debian/conf/distributions
Multiple entries in this file are separated with empty lines.
Since metapackages have no binary components and exist only to conveniently install a set of dependencies, we can safely support numerous architectures. In retrospect, Ubuntu (and CSCF) only supports i386, amd64 and experimental arm architectures, so we can likely safely remove the other entries at some point.
CSCF currently only supports the Ubuntu 12.04 LTS release, codenamed Precise. There is legacy support for Ubuntu 10.10 (Maverick), but this is no longer maintained and should not be used on new machines.
GPG Configuration
Step 0: Install necessary packages
apt-get install --quiet --yes gnupg dpkg-sig
Step 1: Generate a key
su - depot
gpg --gen-key
To securely generate a key it is necessary that the machine have sufficient entropy in the entropy pool. This is occasionally a problem on machines that do not have a lot of interactive use. In our case, it took many many days to gather sufficient entropy for the pool in order to generate a proper key.
Step 2: Export public key
su - depot
gpg --armor --export > depot.pub.gpg.key
This public key is what your clients will use to verify the integrity of your signed packages. It is safe to post this somewhere public. In our case CSCF has placed this key at https://cs.uwaterloo.ca/cscf/certs/depot.pub.gpg.key.
Step 3: Enable Signing with reprepro
Add "SignWith: yes" to any distribution entries in /depot/debian/conf/distributions to enable gpg signing of that distribution's packages and release data.
"SignWith: yes" is important. It tells reprepro that we'd like to cryptographically sign our packages and release information, assuring our users (and ourselves) that the packages being installed are legitimate. Properly configuring package signing is subsequently explained. If cryptographic security is not required, you can omit this line and publish unsigned packages, but this will cause the package manager on your client machines to complain every time an installation or upgrade of one of your packages is attempted.
"SignWith: yes" causes reprepro and gnupg to assume that the private signing key is placed in the default reasonable location (where gpg --gen-key placed it). It is possible to use different configuration options to allow reprepro to make more advanced use of gnupg's signing abilities, such as having multiple keys, but this is beyond the scope of CSCF's deployment at this time.
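Added example, not part of the original page: a check that every stanza in a conf/distributions file carries a SignWith field, so that no distribution is published unsigned by oversight. The function names, the constructed sample stanzas and the case-insensitive matching of field names are assumptions of this example.

```shell
#!/bin/sh
# audit_signwith FILE: print the Codename of every stanza in a reprepro
# conf/distributions file that lacks SignWith; exit status 1 if any is found.
audit_signwith() {
    awk '
        function end_stanza() {
            if (seen && !signed) {
                print (codename != "" ? codename : "(no Codename)")
                bad = 1
            }
            seen = 0; signed = 0; codename = ""
        }
        /^[ \t]*$/ { end_stanza(); next }   # an empty line separates stanzas
        /^#/       { next }                 # comment line
        /^[ \t]/   { next }                 # continuation of the previous field
        {
            seen = 1
            colon = index($0, ":")
            if (colon == 0) next
            # Field names are matched case-insensitively (assumption of this example).
            field = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (field == "codename") codename = value
            # An empty SignWith value is not counted as signing enabled.
            if (field == "signwith" && value != "") signed = 1
        }
        END { end_stanza(); exit bad }
    ' "$1"
}

# Constructed sample: one signed stanza and one unsigned stanza.
sample_distributions() {
    printf '%s\n' 'Origin: CSCF' 'Suite: precise' 'Codename: precise' \
        'Architectures: amd64 i386 source' 'Components: main contrib non-free' \
        'SignWith: yes' '' \
        'Origin: CSCF' 'Codename: trusty' \
        'Architectures: amd64 i386 source' 'Components: main'
}

tmp=$(mktemp)
sample_distributions > "$tmp"
audit_signwith "$tmp" || echo "distributions above are published unsigned"
rm -f "$tmp"
```

On the repository host the function would be pointed at /depot/debian/conf/distributions.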
Add package administrator
Adding someone to the set of administrators of the package repository is simple.
Step 0: SSH key access
Add their public ssh key to /home/depot/.ssh/authorized_keys2.
Add Legato package
IST provides a Debian package of the latest Legato Networker Client. Re-hosting it on depot.cs is convenient.
Step 0: Write script to download package and update our repository
Save the following to /home/depot/bin/legato_update.sh
#!/usr/bin/env bash
set -o errexit
set -o xtrace
set -o nounset
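# Work in a private temporary directory rather than a fixed file name in world-writable /tmp
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
wget -O "$workdir/legato.deb" http://ist.uwaterloo.ca/download/networker/current/nw_lgtoclnt_amd64.deb
# Will fail if identical version already exists
reprepro -b /depot/debian includedeb trusty "$workdir/legato.deb" || true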
Step 1: Make sure user depot has cronjob to run script
Include the following line in user depot's crontab file
0 0 * * * ~/bin/legato_update.sh
--
AnthonyBrennan - 2013-05-22