To follow up on my post about Debian Mirrors I thought I’d do one on mirroring an external repo using a really good tool called reprepro. Using reprepro comes in handy for two operations. The first is when you want to host your own internal repo of packages you’ve created.
The second reason, and the one I’ll cover here, is when you want to mirror a repo that you can’t easily connect to via an rsync server.
Setting up reprepro is incredibly easy to do. The first think you want to do is install the package on your debian host. The second thing you need to do is set up a set of configuration files. As an example we’re going to do this for the debian SaltStack mirror.
On your host make a location for your repo.
$ mkdir -p /srv/repos/external/{,conf}
Now you need to make three files and put them in the /srv/repos/external/conf directory. These files are named distributions, options, and updates.
The /srv/repos/external/conf/distributions file looks like this:
Origin: Saltstack
Label: Saltstack
Suite: wheezy-saltstack
Codename: wheezy-saltstack
Description: Saltstack nightly packages for wheezy
Architectures: amd64 source
Components: main
SignWith: yes
Update: wheezy-saltstack
Log: /var/log/reprepro/saltstack.log
Let me pull this apart for you. The important things here are the Architectures, Components, and SignWith. The first part you modify for your specific machine. In this case amd64 is the architecture of all my hosts. The next part is the available components and for SaltStack there is only main. You also need to make sure you use SignWith so that you can get the correct Release.gpg file from the remote server.
The /srv/repos/external/conf/updates file looks like this:
Name: wheezy-saltstack
Method: http://debian.saltstack.com/debian
Suite: wheezy-saltstack
Components: main
Architectures: amd64 source
VerifyRelease: B09E40B0F2AE6AB9
The updates file is used to grab the files from the remote server. This is pretty easy to understand because there are a lot of similarities to the first one. Where distributions is used to server the repo files, updates is used to get the files from the remote server. The important part here is the VerifyRelease part which I’ll talk about in a little bit.
The /srv/repos/external/conf/options file looks like this:
basedir /srv/repos/external
gnupghome /srv/repos/.gnupg
keepunreferencedfiles
Finally the options file lets you set options that you would otherwise have to include on the command line when calling reprepro. I’ve included three things here, the base directory, the location of the gpg files, and I ensure that any time a new file is added the old files are not deleted.
So this is pretty easy. You can read the man page to learn more but frankly this is the minimum subset to get going. Next you need to download the key to your gpg directory so you can verify that the packages you’re getting are indeed the ones you asked for. This is just standard security. Follow this procedure:
$ HOMEDIR=/srv/repos/.gnupg
$ URL="http://debian.saltstack.com/debian/dists/wheezy-saltstack/"
$ wget ${URL}/Release.gpg
$ wget ${URL}/Release
$ gpg Release.gpg
$ echo "Enter the key that you want to search for, followed by [ENTER]:"
$ read KEY
$ gpg --homedir ${HOMEDIR} --keyserver subkeys.pgp.net --search-keys ${KEY}
$ gpg --homedir ${HOMEDIR} --with-colons --list-key
You can probably script that up but basically you’re getting the Release files, you get the key signature, you search for the key on the keyserver, and finally add it to your keyring. This is where you get the key for the VerifyRelease in the updates file.
Now all you have to do is update the repo. Run these commands:
$ /usr/bin/reprepro -b /srv/repos/external update
$ /usr/bin/reprepro -b /srv/repos/external export
Now add this to your /etc/apt/sources.list file:
deb http://myhost/external/ wheezy-saltstack main
Serve the files with apache2 and then update apt and you’re good to go!
If you want to learn more you can always read the main reprepro page or the reprepro man page. I also highly recommend the IRC channel #reprepro. You can usually get help there for any obscure questions.