Build rpm packages and configure your repository
This article will describe in detail the process of creating rpm packages and organizing the repository. I ask everyone who is interested in this topic, go under the cat.
I took to writing in great detail, so you can browse through things that are obvious to you.
Table of contents
- System installation
- Preset
- Assembly site preparation
- We collect Tmux
- We collect fbida
- Configure access via http / https
- Ftp access setup
- Conclusion
System installation
Theater starts with a hanger
Our service begins with the installation of the operating system on it. Naturally, to build rpm packages we choose the rhel distribution. In this case, CentOS 7 was selected.
Download CentOS
Create a directory where the image will lie and go into it:
mkdir ~/centos && cd $_ Then you can directly download the image and the files required for verification:
wget https://mirror.yandex.ru/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1708.iso wget https://mirror.yandex.ru/centos/7/isos/x86_64/sha256sum.txt.asc
or via torrent using the aria2 program, which we first install:
sudo yum install -y epel-release sudo yum install -y aria2 aria2c https://mirror.yandex.ru/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1708.torrent cd ~/centos/CentOS-7-x86_64-Everything-1708
Check image
Download the image a little, you need to check its integrity and reliability, which we will do.
Download the key for CentOS 7:
wget http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
Let's look at the key and import it:
gpg --quiet --with-fingerprint RPM-GPG-KEY-CentOS-7 pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org> Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5 gpg --import RPM-GPG-KEY-CentOS-7 gpg: key F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Check the file signature with the checksum of the image:
gpg --verify sha256sum.txt.asc 2>&1 | grep "Good signature" gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
As we see, everything is fine and now we can check the image itself for integrity:
sha256sum -c sha256sum.txt.asc 2>&1 | grep OK CentOS-7-x86_64-Everything-1708.iso: OK
Burn image to media
After we were convinced of the integrity of the image and its authenticity, it would be nice to write it down and install it already! So let's do it, but first we will decide what we will record.
Burn image to disk
To record this image, we need a double-sided DVD. Suppose we found it and write it down by setting wodim beforehand:
sudo yum install -y wodim sudo wodim dev=/dev/cdrom -eject -v CentOS-7-x86_64-Everything-1708.iso
Burn image to USB flash drive
A double-sided DVD is archaic, so let's take a 16 GB flash drive and write the image on it, but first of all / dev / sda here is a flash drive, and you may have another one. See the fdisk command:
sudo dd if=CentOS-7-x86_64-Everything-1708.iso of=/dev/sda bs=1M status=progress; sync eject /dev/sda
If status=progress not supported, then as follows:
watch -n 10 "sudo kill -USR1 $(pgrep ^dd)"
or like this:
watch -n 10 "sudo pkill -usr1 dd"
or you can use pv:
sudo yum install -y epel-release sudo yum install -y pv sudo su dd if=CentOS-7-x86_64-Everything-1708.iso | pv | dd of=/dev/sda
Installation
How to install Centos 7, it's up to you, you can think about it for RAID and for LVM and a lot more,
I set the minimum package.
The installation process can be viewed in this video .
Preset
After installing the system, we need to configure our server.
Upgrading and installing packages
At the beginning we will update all the installed packages, then we will install the epel repository, which has a lot of useful things for us:
sudo yum update -y sudo yum install -y epel-release
The next step is to install a group of packages that we need to build, as well as a number of packages necessary for the deployment of the repository.
sudo yum groupinstall -y "Development Tools" sudo yum install -y glibc-static tree wget vim createrepo sudo yum install -y httpd httpd-devel mod_ssl python2-certbot-apache vsftpd
Ssh
In order to comfortably and securely manage the server, configure SSH.
Itβs safer to use keys, that's why we will create our own keys for accessing the server on our work computer:
ssh-keygen
and add the key to the server:
ssh-copy-id chelaxe@rpmbuild
or handles:
mkdir ~/.ssh chmod 700 ~/.ssh vim ~/.ssh/authorized_keys ssh-rsa AAAA...tzU= ChelAxe (DFH) <chelaxe@gmail.com> chmod 600 ~/.ssh/authorized_keys
You must also tighten the nuts in the service itself. Create a copy of the configuration file and start editing:
sudo cp /etc/ssh/sshd_config{,.bak} sudo vim /etc/ssh/sshd_config
The file should add / change / uncomment the following lines:
# 192.168.0.2 ListenAddress 192.168.0.2 # 30 LoginGraceTime 30 # root PermitRootLogin no # MaxAuthTries 3 # PasswordAuthentication no # 10 ClientAliveInterval 600 ClientAliveCountMax 0 # chelaxe AllowUsers chelaxe # chelaxe AllowGroups chelaxe # sshd SSH2 Protocol 2
Restart the service:
sudo systemctl restart sshd
Firewall
It is important to restrict access to our server. For this reason, we configure the firewall:
sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client sudo firewall-cmd --permanent --zone=public --remove-service=ssh sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/28" service name="ssh" accept' sudo firewall-cmd --permanent --zone=public --add-service=http sudo firewall-cmd --permanent --zone=public --add-service=https sudo firewall-cmd --permanent --zone=public --add-service=ftp sudo firewall-cmd --permanent --list-all public target: default icmp-block-inversion: no interfaces: sources: services: http https ftp ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="192.168.0.0/28" service name="ssh" accept sudo firewall-cmd --reload
Here we added our http https ftp services for accessibility from outside and ssh, but only for the network 192.168.0.0/28.
Assembly site preparation
Prepare the very site for assembly. It is worth noting that the assembly is most likely to be carried out on a separate virtual host, actively using the technology of snapshots, but here I will describe everything in a single whole. Also for the assembly you need to select an individual user who is not an administrator (i.e. sudo is not available to him).
Creating directories
Create the necessary directories:
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} sudo mkdir /var/www/repo sudo chown -R chelaxe:chelaxe /var/www/repo ln -s /var/www/repo ~/rpmbuild/REPO tree ~/rpmbuild/ /home/chelaxe/rpmbuild/ βββ BUILD βββ BUILDROOT βββ REPO -> /var/www/repo βββ RPMS βββ SOURCES βββ SPECS βββ SRPMS 7 directories, 0 files
PGP signature setup
Our packages, which we collect, must be signed, which will ensure integrity and reliability.
We will use our key, or if we donβt have one, we will create it. To create a key is on your work computer.
Create a key if we do not have it:
gpg --gen-key
We will be asked to answer a series of questions:
key type, select (1) RSA and RSA (default), key size: 4096, expiration date: 6m, our name: Alexander F. Mikhaylov, Email: chelaxe@gmail.com, comment, here you can indicate why we need the key: repo and wait ...
If suddenly after answering all the questions we get this gpg: cancelled by user , then run the command:
script /dev/null
and repeat.
View key:
gpg --fingerprint chelaxe@gmail.com pub 2048R/E6D53D4D 2014-05-07 Key fingerprint = EE2A FF9A 2BE3 318E 9346 A675 8440 3961 E6D5 3D4D uid ChelAxe (DFH) <chelaxe@gmail.com>
Save our private key:
gpg --export-secret-keys --armor chelaxe@gmail.com > chelaxe-privkey.asc
Create a key for review:
gpg --output chelaxe-revoke.asc --gen-revoke chelaxe@gmail.com
Export public key to keyserver:
gpg --keyserver pgp.mit.edu --send-keys E6D53D4D
Now the key can be imported to our server:
gpg --import ~/chelaxe-privkey.asc rm -rf ~/chelaxe-privkey.asc
Look where gpg utility is:
which gpg /usr/bin/gpg
and configure the file to sign the packages:
vim ~/.rpmmacros %_signature gpg %_gpg_path /home/chelaxe/.gnupg %_gpg_name ChelAxe %_gpgbin /usr/bin/gpg
Create a repository
Now we organize the repository itself.
Create a directory where we will store the packages:
mkdir ~/rpmbuild/REPO/Packages
Export the key to the repository:
gpg --export -a 'ChelAxe' > ~/rpmbuild/REPO/RPM-GPG-KEY-chelaxe
Create the repository itself and sign the metadata:
createrepo ~/rpmbuild/REPO gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml
Repository package
Build a package to automatically install the repository in the system
cd ~/rpmbuild/SOURCES mkdir chelaxe-release && cd $_
Yum repository file:
vim ~/rpmbuild/SOURCES/chelaxe-release/chelaxe.repo [chelaxe] name=ChelAxe Official Repository - $basearch baseurl=https://repo.chelaxe.ru/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-chelaxe
Export the key for the package:
gpg --export -a 'ChelAxe' > ~/rpmbuild/SOURCES/chelaxe-release/RPM-GPG-KEY-chelaxe
Putting it all in the archive:
cd ~/rpmbuild/SOURCES tar -czf chelaxe-release.tar.gz chelaxe-release/
Create a SPECS file for the package:
cd ~/rpmbuild/SPECS vim ~/rpmbuild/SPECS/chelaxe-release.spec Name: chelaxe-release Version: 1.0 Release: 1%{?dist} Summary: ChelAxe repository configuration Vendor: DFH Packager: ChelAxe Group: System Environment/Base License: GPL URL: https://repo.chelaxe.ru Source0: https://repo.chelaxe.ru/%{name}.tar.gz BuildArch: noarch %description This package contains the ChelAxe official repository GPG key as well as configuration for yum. %prep %setup -q -n %{name} %install %__rm -rf %{buildroot} install -d -m 755 %{buildroot}%{_sysconfdir}/yum.repos.d install -p -m 644 chelaxe.repo %{buildroot}%{_sysconfdir}/yum.repos.d/chelaxe.repo install -d -m 755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg install -p -m 644 RPM-GPG-KEY-chelaxe %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-chelaxe %post rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-chelaxe %clean %__rm -rf %{buildroot} %files %defattr(-,root,root,-) %{_sysconfdir}/yum.repos.d/chelaxe.repo %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-chelaxe %changelog * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 1.0-1%{?dist} - Initial package.
Putting the package:
rpmbuild -ba --sign ~/rpmbuild/SPECS/chelaxe-release.spec
At this stage, we will be asked for the password from our PGP key.
Copy the created package into the repository and update it:
cp ~/rpmbuild/RPMS/noarch/chelaxe-release-1.0-1.el7.centos.noarch.rpm ~/rpmbuild/REPO/ createrepo --update ~/rpmbuild/REPO
Do not forget to sign the metadata:
gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml
Now we will install our repository in the system:
sudo yum install -y ~/rpmbuild/REPO/chelaxe-release-1.0-1.el7.centos.noarch.rpm
In the future, this package will be available at: https://repo.chelaxe.ru/chelaxe-release-1.0-1.el7.centos.noarch.rpm
After installation, the chelaxe repository and the PGP key should appear:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | grep ChelAxe gpg-pubkey-e6d53d4d-5369c520 --> gpg(ChelAxe (DFH) <chelaxe@gmail.com>)
The most important thing here is the SPEC files, I will not describe them, but I will provide a number of links:
- https://www.altlinux.org/Spec
- https://docs.fedoraproject.org/quick-docs/en-US/creating-rpm-packages.html
- https://www.opennet.ru/docs/HOWTO-RU/RPM-HOWTO-48.html
and one useful command:
rpm --showrc
it will display the finished macros for the assembly.
We collect Tmux
Now we will collect, for an example, something useful. We will assemble tmux - a terminal multiplexer, without which I am not comfortable working. It is worth noting tmux is in the CentOS 7 base repository, but the version is 1.8 there, and we will build 2.7. Also, the package from the base repository has a libevent dependency, but we will build tmux with static libraries of the latest versions.
Cooking source
Download the tmux sources and the necessary libraries:
cd ~/rpmbuild/SOURCES wget https://github.com/tmux/tmux/releases/download/2.7/tmux-2.7.tar.gz wget https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz wget https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz.asc wget ftp://ftp.gnu.org/gnu/ncurses/ncurses-6.1.tar.gz wget ftp://ftp.gnu.org/gnu/ncurses/ncurses-6.1.tar.gz.sig
We export GPG keys for source verification:
gpg --recv-keys 8EF8686D gpg --recv-keys F7E48EDB
Check files:
gpg --verify libevent-2.1.8-stable.tar.gz.asc libevent-2.1.8-stable.tar.gz 2>&1 | grep "Good signature" gpg: Good signature from "Azat Khuzhin <a3at.mail@gmail.com>" gpg --verify ncurses-6.1.tar.gz.sig ncurses-6.1.tar.gz 2>&1 | grep "Good signature" gpg: Good signature from "Thomas Dickey <dickey@invisible-island.net>"
Prepare the tmux configuration file:
vim ~/rpmbuild/SOURCES/tmux.conf # : # set-option -g buffer-limit 50 # set-option -g command-alias[100] zoom="resize-pane -Z" # set-option -g default-terminal "screen-256color" # escape set-option -g escape-time 500 # set-option -g exit-empty off # set-option -g exit-unattached off # set-option -g focus-events off # set-option -g history-file ~/.tmux_history # set-option -g message-limit 100 # escape set-option -g set-clipboard on # set-option -g terminal-overrides[100] "xterm:colors=256" set-option -g terminal-overrides[101] "xterm*:colors=256" set-option -g terminal-overrides[102] "screen:colors=256" set-option -g terminal-overrides[103] "screen*:colors=256" # # set-option -g user-keys[100] "\e[5;30012~" # : # set-option -g activity-action other # set-option -g assume-paste-time 1 # set-option -g base-index 1 # "" set-option -g bell-action other # ( default-shell) # set-option -g default-command "vim" # Shell set-option -g default-shell "/bin/bash" # set-option -g destroy-unattached off # set-option -g detach-on-destroy on # set-option -g display-panes-active-colour "red" # set-option -g display-panes-colour "green" # set-option -g display-panes-time 1000 # . set-option -g display-time 750 # set-option -g history-limit 2000 # set-option -g key-table "root" # set-option -g lock-after-time 1800 # set-option -g lock-command "vlock" # # : message-command-attr message-command-bg message-command-fg set-option -g message-command-style "bg=black,fg=yellow" # # : message-attr message-bg message-fg set-option -g message-style "bg=yellow,fg=black" # # 2.1 : mode-mouse mouse-resize-pane mouse-select-pane mouse-select-window set-option -g mouse off # set-option -g prefix Cb # set-option -g prefix2 Ca # set-option -g renumber-windows on # set-option -g repeat-time 500 # set-option -g set-titles on # set-option -g set-titles-string "#{session_name}" # "" set-option -g silence-action other # set-option -g status on # set-option -g status-interval 1 # set-option -g status-justify left # set-option -g status-keys vi # set-option -g status-left " [#{session_name}]#{?session_many_attached,*,} #{version} #[reverse] #[default] " # set-option -g status-left-length 20 # # : status-left-attr status-left-bg status-left-fg set-option -g status-left-style "default" # set-option -g status-position bottom # set-option -g status-right " #[reverse] #[default] %a %d %b %Y %H:%M:%S [%V/%j] " # set-option -g status-right-length 40 # # : status-right-attr status-right-bg status-right-fg set-option -g status-right-style "default" # # : status-attr status-bg status-fg set-option -g status-style "bg=green,fg=black" # set-option -g update-environment[100] "TERMINFO" # # set-option -g user-keys[100] "\e[1~" # set-option -g visual-activity off # "" set-option -g visual-bell off # "" set-option -g visual-silence off # set-option -g word-separators " -_@" # : # set-option -gw aggressive-resize on # set-option -gw allow-rename on # set-option -gw alternate-screen on # set-option -gw automatic-rename on # set-option -gw automatic-rename-format "#{?pane_in_mode,[tmux],#{pane_current_command}}#{?pane_dead,[dead],}" # set-option -gw clock-mode-colour "green" # set-option -gw clock-mode-style 24 # set-option -gw force-height 0 # set-option -gw force-width 0 # set-option -gw main-pane-height 24 # set-option -gw main-pane-width 80 # set-option -gw mode-keys vi # # : mode-attr mode-bg mode-fg set-option -gw mode-style "bg=yellow,fg=black" # set-option -gw monitor-activity on # "" set-option -gw monitor-bell on # "" . . set-option -gw monitor-silence 0 # set-option -gw other-pane-height 0 # set-option -gw other-pane-width 0 # # : pane-active-border-attr pane-active-border-bg pane-active-border-fg set-option -gw pane-active-border-style "fg=green" # set-option -gw pane-base-index 1 # set-option -gw pane-border-format "#{?pane_active,#[reverse],}#{?window_zoomed_flag,#[fg=red],} #{pane_index}:#{=6:pane_current_command} #[default]" # set-option -gw pane-border-status top # # : pane-border-attr pane-border-bg pane-border-fg set-option -gw pane-border-style "fg=green" # set-option -gw remain-on-exit off # set-option -gw synchronize-panes off # set-option -gw window-active-style "default" # # : window-status-activity-attr window-status-activity-bg window-status-activity-fg set-option -gw window-status-activity-style "fg=red" # "" # : window-status-bell-attr window-status-bell-bg window-status-bell-fg set-option -gw window-status-bell-style "fg=red" # set-option -gw window-status-current-format " #{window_index}:#{window_name} " # # : window-status-current-attr window-status-current-bg window-status-current-fg set-option -gw window-status-current-style "reverse" # set-option -gw window-status-format " #{window_index}:#{window_name}#{?window_activity_flag,#,}#{?window_bell_flag,!,}#{?window_silence_flag,~,} " # # : window-status-last-attr window-status-last-bg window-status-last-fg set-option -gw window-status-last-style "default" # set-option -gw window-status-separator "" # set-option -gw window-status-style "default" # set-option -gw window-style "default" # set-option -gw wrap-search on # set-option -gw xterm-keys on # # Alt + bind-key -rT root M-Up select-pane -U bind-key -rT root M-Down select-pane -D bind-key -rT root M-Left select-pane -L bind-key -rT root M-Right select-pane -R # bind-key -T root M-PageUp copy-mode -eu # bind-key -T prefix Ms set-option -gw synchronize-panes\; display-message " : #{?synchronize-panes,on,off}" # bind-key -T prefix Ml lock-session # bind-key -T prefix Mr source-file /etc/tmux.conf\; display-message " " # # bind-key -T prefix Me # # new-session -s "work"
Preparing a SPEC file
This file will be more interesting than the previous SPEC file:
cd ~/rpmbuild/SPECS vim ~/rpmbuild/SPECS/tmux.spec %define libevent 2.1.8 %define ncurses 6.1 Name: tmux Version: 2.7 Release: 1%{?dist} Summary: A terminal multiplexer Vendor: DFH Packager: ChelAxe Group: Applications/System License: ISC and BSD URL: https://github.com/%{name}/%{name} Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source1: https://github.com/libevent/libevent/releases/download/release-%{libevent}-stable/libevent-%{libevent}-stable.tar.gz Source2: ftp://ftp.gnu.org/gnu/ncurses/ncurses-%{ncurses}.tar.gz Source3: tmux.conf BuildRequires: gcc, gcc-c++, make, glibc-static %description tmux is a "terminal multiplexer", it enables a number of terminals (or windows) to be accessed and controlled from a single terminal. tmux is intended to be a simple, modern, BSD-licensed alternative to programs such as GNU screen. %prep %setup -q -a1 -a2 %build %__mkdir "libs" pushd "libevent-%{libevent}-stable" %_configure \ --prefix="$(pwd)/../libs" \ --disable-shared %__make install popd pushd "ncurses-%{ncurses}" %_configure \ --prefix="$(pwd)/../libs" \ --with-default-terminfo-dir="/usr/share/terminfo" \ --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo:$HOME/.terminfo" %__make install popd %_configure \ --enable-static \ --prefix="/usr" \ CFLAGS="-Ilibs/include -Ilibs/include/ncurses" \ LDFLAGS="-Llibs/lib -Llibs/include -Llibs/include/ncurses" \ LIBEVENT_CFLAGS="-Ilibs/include" \ LIBEVENT_LIBS="-Llibs/lib -levent" \ LIBNCURSES_CFLAGS="-Ilibs/include" \ LIBNCURSES_LIBS="-Llibs/lib -lncurses" %__make %install %__rm -rf %{buildroot} %make_install install -d -m 755 %{buildroot}%{_sysconfdir} install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/tmux.conf %clean %__rm -rf %{buildroot} %files %defattr(-,root,root,-) %doc README TODO CHANGES example_tmux.conf %config(noreplace) %{_sysconfdir}/tmux.conf %{_bindir}/tmux %{_mandir}/man1/tmux.1.gz %changelog * Fri Jun 29 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.7-1%{?dist} - Rebuild for new version tmux. * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.6-1%{?dist} - Initial package.
Assembly
Build the package and add it to the repository:
rpmbuild -ba --sign ~/rpmbuild/SPECS/tmux.spec cp ~/rpmbuild/RPMS/x86_64/tmux-2.7-1.el7.centos.x86_64.rpm ~/rpmbuild/REPO/Packages/ createrepo --update ~/rpmbuild/REPO
Do not forget to sign the metadata:
gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml
See what and how it happened:
tree ~/rpmbuild/ -L 2 /home/chelaxe/rpmbuild/ βββ BUILD β βββ chelaxe-release β βββ tmux-2.7 βββ BUILDROOT βββ REPO -> /var/www/repo βββ RPMS β βββ noarch β βββ x86_64 βββ SOURCES β βββ chelaxe-release β βββ chelaxe-release.tar.gz β βββ libevent-2.1.8-stable.tar.gz β βββ libevent-2.1.8-stable.tar.gz.asc β βββ ncurses-6.1.tar.gz β βββ ncurses-6.1.tar.gz.sig β βββ tmux-2.7.tar.gz β βββ tmux.conf βββ SPECS β βββ chelaxe-release.spec β βββ tmux.spec βββ SRPMS βββ chelaxe-release-1.0-1.el7.centos.src.rpm βββ tmux-2.7-1.el7.centos.src.rpm
Install and Run
Install our package:
sudo yum clean all sudo yum install -y tmux
Run tmux and enjoy:
tmux attach-session
We collect fbida
We will collect fbida - a set of applications for viewing images in the console. This package is not found under Centos 7.
Cooking source
Download the fbida sources:
cd ~/rpmbuild/SOURCES wget https://www.kraxel.org/releases/fbida/fbida-2.14.tar.gz wget https://www.kraxel.org/releases/fbida/fbida-2.14.tar.gz.asc
We export GPG keys for source verification:
gpg --recv-keys D3E87138
Check files:
gpg --verify fbida-2.14.tar.gz.asc fbida-2.14.tar.gz 2>&1 | grep "Good signature" gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
Preparing a SPEC file
SPEC :
cd ~/rpmbuild/SPECS vim ~/rpmbuild/SPECS/fbida.spec Name: fbida Version: 2.14 Release: 1%{?dist} Summary: FrameBuffer Imageviewer Vendor: DFH Packager: ChelAxe Group: Applications/Multimedia License: GPLv2+ URL: https://www.kraxel.org/blog/linux/fbida/ Source: https://www.kraxel.org/releases/fbida/fbida-%{version}.tar.gz BuildRequires: libexif-devel fontconfig-devel libjpeg-turbo-devel BuildRequires: libpng-devel libtiff-devel pkgconfig BuildRequires: giflib-devel libcurl-devel libXpm-devel BuildRequires: pixman-devel libepoxy-devel libdrm-devel BuildRequires: mesa-libEGL-devel poppler-devel poppler-glib-devel BuildRequires: freetype-devel mesa-libgbm-devel Requires: libexif fontconfig libjpeg-turbo Requires: libpng libtiff giflib Requires: libcurl libXpm pixman Requires: libepoxy libdrm mesa-libEGL Requires: poppler poppler-glib freetype Requires: mesa-libgbm ImageMagick dejavu-sans-mono-fonts %description fbi displays the specified file(s) on the linux console using the framebuffer device. PhotoCD, jpeg, ppm, gif, tiff, xwd, bmp and png are supported directly. For other formats fbi tries to use ImageMagick's convert. %prep %setup -q %{__sed} -i -e "s,/X11R6,,g" GNUmakefile %install %__rm -rf %{buildroot} %make_install PREFIX=/usr %clean %__rm -rf %{buildroot} %files %defattr(-,root,root,-) %doc Changes COPYING INSTALL README TODO VERSION %{_prefix}/* %changelog * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.14-1%{?dist} - Initial package.
Assembly
:
sudo yum install -y libexif-devel fontconfig-devel libjpeg-turbo-devel libpng-devel libtiff-devel pkgconfig giflib-devel libcurl-devel libXpm-devel ImageMagick dejavu-sans-mono-fonts pixman-devel libepoxy-devel libdrm-devel mesa-libEGL-devel poppler-devel poppler-glib-devel mesa-libgbm-devel rpmbuild -ba --sign ~/rpmbuild/SPECS/fbida.spec cp ~/rpmbuild/RPMS/x86_64/fbida-2.14-1.el7.centos.x86_64.rpm ~/rpmbuild/REPO/Packages/ createrepo --update ~/rpmbuild/REPO
:
gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml
:
sudo yum clean all sudo yum install -y fbida
http/https
http/https.
Customization
Apache:
sudo mv /etc/httpd/conf.d/welcome{.conf,.bak} sudo cp /etc/httpd/conf/httpd{.conf,.bak}
// :
sudo vim /etc/httpd/conf/httpd.conf # Listen 192.168.0.2:80 # Email ServerAdmin chelaxe@gmail.com ServerName repo.chelaxe.ru # Apache ServerSignature Off ServerTokens Prod sudo cp /etc/httpd/conf.d/ssl{.conf,.bak} sudo vim /etc/httpd/conf.d/ssl.conf # Listen 192.168.0.2:443 https # OCSP (Online Certificate Status Protocol) SSLStaplingCache "shmcb:logs/stapling-cache(128000)"
:
sudo apachectl configtest Syntax OK
:
sudo systemctl start httpd sudo systemctl enable httpd
:
# - cd /etc/ssl/certs sudo openssl dhparam -out dhparam.pem 4096 # HKPK (HTTP Public Key Pinning) sudo openssl x509 -noout -in /etc/pki/tls/certs/localhost.crt -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key # HKPK (HTTP Public Key Pinning) openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64 aQxRkBUlhfQjidLUovOlxdZe/4ygObbDG7l+RgwzSWA= rm -rf /tmp/public.key
VirtualHost :
sudo vim /etc/httpd/conf.d/repo.conf <VirtualHost "192.168.0.2:80"> ServerAdmin "chelaxe@gmail.com" ServerName "repo.chelaxe.ru" DocumentRoot "/var/www/repo" <Directory "/var/www/repo"> AllowOverride None Options Indexes </Directory> </VirtualHost> <VirtualHost "192.168.0.2:443"> ServerAdmin "chelaxe@gmail.com" ServerName "repo.chelaxe.ru" DocumentRoot "/var/www/repo" <Directory "/var/www/repo"> AllowOverride None Options Indexes </Directory> SSLEngine on # HSTS (HTTP Strict Transport Security) Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" # HKPK (HTTP Public Key Pinning) Header set Public-Key-Pins "pin-sha256=\"aQxRkBUlhfQjidLUovOlxdZe/4ygObbDG7l+RgwzSWA=\"; max-age=2592000; includeSubDomains" # Header set X-Robots-Tag "none" # XSS- Header set X-XSS-Protection "1; mode=block" # - Header always append X-Frame-Options DENY # MIME Header set X-Content-Type-Options nosniff # XSS- Header set Content-Security-Policy "default-src 'self';" # OCSP (Online Certificate Status Protocol) SSLUseStapling on # SSL ( CRIME) SSLCompression off # SSLv2 SSLv3 SSLProtocol all -SSLv2 -SSLv3 # SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH # SSLHonorCipherOrder on # - # cat /etc/ssl/certs/dhparam.pem >> /etc/pki/tls/certs/localhost.crt # 2.4.8 # SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" SSLOptions +StrictRequire SSLCertificateFile "/etc/pki/tls/certs/localhost.crt" SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key" </VirtualHost>
Since Centos 7 Apache 2.4.6, 2.4.8, - :
sudo bash -c "cat /etc/ssl/certs/dhparam.pem >> /etc/pki/tls/certs/localhost.crt"
HTTP/2 , Apache HTTP/2.
:
sudo apachectl configtest Syntax OK sudo systemctl reload httpd
Let's Encrypt
, Let's Encrypt:
sudo certbot --apache --agree-tos --email chelaxe@gmail.com -d repo.chelaxe.ru
, rewrite https. VirtualHost http:
RewriteEngine on RewriteCond %{SERVER_NAME} =repo.chelaxe.ru RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
VirtualHost https:
Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/repo.chelaxe.ru/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/repo.chelaxe.ru/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf .
- :
sudo bash -c "cat /etc/ssl/certs/dhparam.pem >> /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem"
HKPK (HTTP Public Key Pinning):
# HKPK (HTTP Public Key Pinning) sudo openssl x509 -noout -in /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key # HKPK (HTTP Public Key Pinning) openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64 aidlhfQjoxRkbvOlxdZLBUe/4ygOUDG7l+RgwzQbSWA= rm -rf /tmp/public.key
:
# HKPK (HTTP Public Key Pinning) Header set Public-Key-Pins "pin-sha256=\"aidlhfQjoxRkbvOlxdZLBUe/4ygOUDG7l+RgwzQbSWA=\"; max-age=2592000; includeSubDomains"
:
sudo apachectl configtest Syntax OK sudo systemctl reload httpd
. :
sudo crontab -e SHELL=/bin/bash MAILTO=chelaxe@gmail.com @daily certbot renew >> /var/log/certbot-renew.log
, - HKPK (HTTP Public Key Pinning).
.htaccess
.htaccess , , :
sudo chown apache:apache ~/rpmbuild/REPO/.htaccess sudo chmod 600 ~/rpmbuild/REPO/.htaccess sudo chcon -R -t httpd_sys_content_t ~/rpmbuild/REPO/.htaccess
AllowOverride All . :
IndexIgnore .htaccess
.
vsftpd :
hide_file={.htaccess} deny_file={.htaccess}
.htaccess AccessFileName :
AccessFileName .acl
mod_autoindex Apache . noscript html5, css3, javascript, jquery, bootstrap, backbone, awesome , :
javascript :
web vsftpd , .htaccess .
mod_autoindex nginx:
ftp
:
sudo systemctl start vsftpd sudo systemctl enable vsftpd
:
sudo cp /etc/vsftpd/vsftpd{.conf,.bak} sudo vim /etc/vsftpd/vsftpd.conf anonymous_enable=YES local_enable=NO write_enable=NO local_umask=022 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES listen=NO pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES force_dot_files=NO anon_root=/var/www/repo no_anon_password=YES hide_ids=YES sudo usermod -d /var/www/repo ftp
SeLinux:
sudo semanage fcontext -a -t public_content_t '/var/www/repo(/.*)?' sudo restorecon -Rv '/var/www/repo'
:
sudo systemctl restart vsftpd
.htaccess β , ftp:
sudo chcon -R -t httpd_sys_content_t ~/rpmbuild/REPO/.htaccess
Conclusion
. , .
')
Source: https://habr.com/ru/post/354136/
All Articles