
Build rpm packages and configure your repository

This article describes in detail the process of creating rpm packages and organizing a repository. Everyone who is interested in this topic is invited to read on.



I have written this in great detail, so feel free to skim the parts that are obvious to you.








System installation



Theater starts with a hanger

Our service begins with installing the operating system on it. Naturally, to build rpm packages we choose a RHEL-family distribution; in this case CentOS 7 was selected.



Download CentOS



Create a directory where the image will lie and go into it:



mkdir ~/centos && cd $_ 


Then you can directly download the image and the files required for verification:



    wget https://mirror.yandex.ru/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1708.iso
    wget https://mirror.yandex.ru/centos/7/isos/x86_64/sha256sum.txt.asc


or via torrent using the aria2 program, which we first install:



    sudo yum install -y epel-release
    sudo yum install -y aria2
    aria2c https://mirror.yandex.ru/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1708.torrent
    cd ~/centos/CentOS-7-x86_64-Everything-1708


Check image



Having downloaded the image, we need to check its integrity and authenticity, which we will do now.



Download the key for CentOS 7:



 wget http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 


Let's look at the key and import it:



    gpg --quiet --with-fingerprint RPM-GPG-KEY-CentOS-7
    pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
          Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
    gpg --import RPM-GPG-KEY-CentOS-7
    gpg: key F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)


Verify the signature on the file with the image checksums:



    gpg --verify sha256sum.txt.asc 2>&1 | grep "Good signature"
    gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"


As we see, everything is fine and now we can check the image itself for integrity:



    sha256sum -c sha256sum.txt.asc 2>&1 | grep OK
    CentOS-7-x86_64-Everything-1708.iso: OK


Burn image to media



Now that we are convinced of the integrity and authenticity of the image, it is time to burn it and install it. Let's do that, but first let's decide what medium to write it to.



Burn image to disk



To burn this image we need a double-sided DVD. Suppose we have found one; we burn it with wodim, which we install first:



    sudo yum install -y wodim
    sudo wodim dev=/dev/cdrom -eject -v CentOS-7-x86_64-Everything-1708.iso


Burn image to USB flash drive



A double-sided DVD is archaic, so let's take a 16 GB flash drive and write the image to it. Note that here /dev/sda is the flash drive; yours may be a different device, so check first with the fdisk command:



    sudo dd if=CentOS-7-x86_64-Everything-1708.iso of=/dev/sda bs=1M status=progress; sync
    eject /dev/sda


If status=progress is not supported, do it like this:



 watch -n 10 "sudo kill -USR1 $(pgrep ^dd)" 


or like this:



 watch -n 10 "sudo pkill -usr1 dd" 


or you can use pv:



    sudo yum install -y epel-release
    sudo yum install -y pv
    sudo su
    dd if=CentOS-7-x86_64-Everything-1708.iso | pv | dd of=/dev/sda


Installation



How to install CentOS 7 is up to you; you can consider RAID, LVM and much more.

I installed the minimal package set.



The installation process can be viewed in this video.



Initial setup



After installing the system, we need to configure our server.



Upgrading and installing packages



First we update all installed packages, then we install the EPEL repository, which has many useful things for us:



    sudo yum update -y
    sudo yum install -y epel-release


The next step is to install the group of packages we need for building, as well as a number of packages needed to deploy the repository.



    sudo yum groupinstall -y "Development Tools"
    sudo yum install -y glibc-static tree wget vim createrepo
    sudo yum install -y httpd httpd-devel mod_ssl python2-certbot-apache vsftpd


SSH



In order to comfortably and securely manage the server, configure SSH.



It is safer to use keys, so we generate our own key pair for accessing the server on our work computer:



 ssh-keygen 


and add the key to the server:



 ssh-copy-id chelaxe@rpmbuild 


or manually:



    mkdir ~/.ssh
    chmod 700 ~/.ssh
    vim ~/.ssh/authorized_keys
    ssh-rsa AAAA...tzU= ChelAxe (DFH) <chelaxe@gmail.com>
    chmod 600 ~/.ssh/authorized_keys


The service itself also needs to be tightened up. Make a backup copy of the configuration file and start editing:



    sudo cp /etc/ssh/sshd_config{,.bak}
    sudo vim /etc/ssh/sshd_config


In the file, add, change or uncomment the following lines:



    # Listen only on the address 192.168.0.2
    ListenAddress 192.168.0.2
    # 30 seconds to complete authentication
    LoginGraceTime 30
    # Forbid logging in as root
    PermitRootLogin no
    # Maximum number of authentication attempts
    MaxAuthTries 3
    # Keys only, no passwords
    PasswordAuthentication no
    # Disconnect an idle client after 10 minutes
    ClientAliveInterval 600
    ClientAliveCountMax 0
    # Allow only the user chelaxe
    AllowUsers chelaxe
    # Allow only the group chelaxe
    AllowGroups chelaxe
    # sshd speaks only SSH2
    Protocol 2


Restart the service:



 sudo systemctl restart sshd 


Firewall



It is important to restrict access to our server. For this reason, we configure the firewall:



    sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
    sudo firewall-cmd --permanent --zone=public --remove-service=ssh
    sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/28" service name="ssh" accept'
    sudo firewall-cmd --permanent --zone=public --add-service=http
    sudo firewall-cmd --permanent --zone=public --add-service=https
    sudo firewall-cmd --permanent --zone=public --add-service=ftp
    sudo firewall-cmd --permanent --list-all
    public
      target: default
      icmp-block-inversion: no
      interfaces:
      sources:
      services: http https ftp
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="192.168.0.0/28" service name="ssh" accept
    sudo firewall-cmd --reload


Here we opened the http, https and ftp services for access from outside, and ssh only for the network 192.168.0.0/28.



Preparing the build environment



Let's prepare the build environment itself. Note that building would most likely be done on a separate virtual host, making active use of snapshots, but here I describe everything as one whole. Also, for building you should pick a dedicated user who is not an administrator (i.e. has no sudo access).



Creating directories



Create the necessary directories:



    mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
    sudo mkdir /var/www/repo
    sudo chown -R chelaxe:chelaxe /var/www/repo
    ln -s /var/www/repo ~/rpmbuild/REPO
    tree ~/rpmbuild/
    /home/chelaxe/rpmbuild/
    ├── BUILD
    ├── BUILDROOT
    ├── REPO -> /var/www/repo
    ├── RPMS
    ├── SOURCES
    ├── SPECS
    └── SRPMS

    7 directories, 0 files


PGP signature setup



The packages we build must be signed, which ensures their integrity and authenticity.



We will use our existing key, or create one if we don't have one. The key is created on your work computer.



Create a key if we do not have it:



 gpg --gen-key 


We will be asked a series of questions:

key type: choose (1) RSA and RSA (default); key size: 4096; expiration date: 6m; our name: Alexander F. Mikhaylov; email: chelaxe@gmail.com; comment, where you can indicate what the key is for: repo; and then wait...



If, after answering all the questions, we suddenly get gpg: cancelled by user, then run the command:



 script /dev/null 


and repeat.



View the key:



    gpg --fingerprint chelaxe@gmail.com
    pub   2048R/E6D53D4D 2014-05-07
          Key fingerprint = EE2A FF9A 2BE3 318E 9346 A675 8440 3961 E6D5 3D4D
    uid                  ChelAxe (DFH) <chelaxe@gmail.com>


Save our private key:



 gpg --export-secret-keys --armor chelaxe@gmail.com > chelaxe-privkey.asc 


Create a revocation certificate:



 gpg --output chelaxe-revoke.asc --gen-revoke chelaxe@gmail.com 


Export public key to keyserver:



 gpg --keyserver pgp.mit.edu --send-keys E6D53D4D 


Now the key can be imported to our server:



    gpg --import ~/chelaxe-privkey.asc
    rm -rf ~/chelaxe-privkey.asc


Find where the gpg utility is:



    which gpg
    /usr/bin/gpg


and configure the file to sign the packages:



    vim ~/.rpmmacros
    %_signature gpg
    %_gpg_path /home/chelaxe/.gnupg
    %_gpg_name ChelAxe
    %_gpgbin /usr/bin/gpg


Create a repository



Now we organize the repository itself.



Create a directory where we will store the packages:



 mkdir ~/rpmbuild/REPO/Packages 


Export the key to the repository:



 gpg --export -a 'ChelAxe' > ~/rpmbuild/REPO/RPM-GPG-KEY-chelaxe 


Create the repository itself and sign the metadata:



    createrepo ~/rpmbuild/REPO
    gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml


Repository package



Let's build a package that installs the repository into the system automatically:



    cd ~/rpmbuild/SOURCES
    mkdir chelaxe-release && cd $_


Yum repository file:



    vim ~/rpmbuild/SOURCES/chelaxe-release/chelaxe.repo
    [chelaxe]
    name=ChelAxe Official Repository - $basearch
    baseurl=https://repo.chelaxe.ru/
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-chelaxe


Export the key for the package:



 gpg --export -a 'ChelAxe' > ~/rpmbuild/SOURCES/chelaxe-release/RPM-GPG-KEY-chelaxe 


Put everything into an archive:



    cd ~/rpmbuild/SOURCES
    tar -czf chelaxe-release.tar.gz chelaxe-release/


Create a SPECS file for the package:



    cd ~/rpmbuild/SPECS
    vim ~/rpmbuild/SPECS/chelaxe-release.spec
    Name: chelaxe-release
    Version: 1.0
    Release: 1%{?dist}
    Summary: ChelAxe repository configuration
    Vendor: DFH
    Packager: ChelAxe
    Group: System Environment/Base
    License: GPL
    URL: https://repo.chelaxe.ru
    Source0: https://repo.chelaxe.ru/%{name}.tar.gz
    BuildArch: noarch

    %description
    This package contains the ChelAxe official repository GPG key as well as configuration for yum.

    %prep
    %setup -q -n %{name}

    %install
    %__rm -rf %{buildroot}
    install -d -m 755 %{buildroot}%{_sysconfdir}/yum.repos.d
    install -p -m 644 chelaxe.repo %{buildroot}%{_sysconfdir}/yum.repos.d/chelaxe.repo
    install -d -m 755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg
    install -p -m 644 RPM-GPG-KEY-chelaxe %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-chelaxe

    %post
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-chelaxe

    %clean
    %__rm -rf %{buildroot}

    %files
    %defattr(-,root,root,-)
    %{_sysconfdir}/yum.repos.d/chelaxe.repo
    %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-chelaxe

    %changelog
    * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 1.0-1%{?dist}
    - Initial package.


Build the package:



 rpmbuild -ba --sign ~/rpmbuild/SPECS/chelaxe-release.spec 


At this stage we will be asked for the passphrase of our PGP key.



Copy the created package into the repository and update it:



    cp ~/rpmbuild/RPMS/noarch/chelaxe-release-1.0-1.el7.centos.noarch.rpm ~/rpmbuild/REPO/
    createrepo --update ~/rpmbuild/REPO


Do not forget to sign the metadata:



 gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml 


Now we will install our repository in the system:



 sudo yum install -y ~/rpmbuild/REPO/chelaxe-release-1.0-1.el7.centos.noarch.rpm 


In the future, this package will be available at: https://repo.chelaxe.ru/chelaxe-release-1.0-1.el7.centos.noarch.rpm



After installation, the chelaxe repository and the PGP key should appear:



    rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | grep ChelAxe
    gpg-pubkey-e6d53d4d-5369c520 --> gpg(ChelAxe (DFH) <chelaxe@gmail.com>)
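The repo file sets gpgcheck=1 and repo_gpgcheck=1, and we sign repomd.xml after every createrepo. As an added example that is not part of the original article, the Python script below reproduces what that one signature anchors: the sha256 chain from repomd.xml to primary.xml.gz and from primary.xml to each package. It runs over constructed in-memory data; the package bytes, file names and XML are stand-ins that mirror the createrepo layout, not real output.

```python
import gzip
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"
FAKE_RPM = b"\xed\xab\xee\xdb constructed stand-in, not a real rpm\n"
RPM_PATH = "Packages/tmux-2.7-1.el7.centos.x86_64.rpm"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo(rpm: bytes) -> dict:
    """Lay out {path: bytes} as createrepo does: primary.xml lists the package
    with its sha256, repomd.xml lists primary.xml.gz with its sha256.
    The XML below is constructed to mirror that layout, not real output."""
    primary = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>tmux</name><arch>x86_64</arch>
    <version epoch="0" ver="2.7" rel="1.el7.centos"/>
    <checksum type="sha256" pkgid="YES">{sha256(rpm)}</checksum>
    <size package="{len(rpm)}"/>
    <location href="{RPM_PATH}"/>
  </package>
</metadata>
""".encode()
    primary_gz = gzip.compress(primary, mtime=0)
    href = f"repodata/{sha256(primary_gz)}-primary.xml.gz"
    repomd = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">{sha256(primary_gz)}</checksum>
    <location href="{href}"/>
    <size>{len(primary_gz)}</size>
  </data>
</repomd>
""".encode()
    return {"repodata/repomd.xml": repomd, href: primary_gz, RPM_PATH: rpm}

def _matches(files: dict, href: str, expected: str, size) -> bool:
    """File present, sha256 as recorded and, if a size is recorded, length too."""
    blob = files.get(href)
    if blob is None or sha256(blob) != expected:
        return False
    return size is None or int(size) == len(blob)

def verify_packages(files: dict, primary_xml: bytes) -> dict:
    """Second link of the chain: each package against its primary.xml entry."""
    results = {}
    for pkg in ET.fromstring(primary_xml).findall(f"{COMMON_NS}package"):
        href = pkg.find(f"{COMMON_NS}location").get("href")
        checksum = pkg.find(f"{COMMON_NS}checksum")
        size = pkg.find(f"{COMMON_NS}size").get("package")
        results[href] = checksum.get("type") == "sha256" and _matches(
            files, href, checksum.text.strip(), size)
    return results

def verify_repo(files: dict) -> dict:
    """First link: every file repomd.xml names, then the packages it leads to.
    Returns {href: ok}; packages behind a failed metadata file are not reported."""
    results = {}
    root = ET.fromstring(files["repodata/repomd.xml"])
    for data in root.findall(f"{REPO_NS}data"):
        href = data.find(f"{REPO_NS}location").get("href")
        checksum = data.find(f"{REPO_NS}checksum")
        size = data.find(f"{REPO_NS}size")
        ok = checksum.get("type") == "sha256" and _matches(
            files, href, checksum.text.strip(),
            size.text if size is not None else None)
        results[href] = ok
        if ok and data.get("type") == "primary":
            results.update(verify_packages(files, gzip.decompress(files[href])))
    return results

def tamper_package(files: dict) -> dict:
    """Package swapped after the metadata was signed: caught at link two."""
    bad = dict(files)
    bad[RPM_PATH] = bad[RPM_PATH] + b"<extra bytes>"
    return bad

def tamper_primary(files: dict) -> dict:
    """primary.xml.gz replaced after repomd.xml was signed: caught at link one."""
    bad = dict(files)
    href = next(p for p in bad if p.endswith("-primary.xml.gz"))
    bad[href] = gzip.compress(b"<metadata/>", mtime=0)
    return bad

if __name__ == "__main__":
    good = build_repo(FAKE_RPM)
    print(verify_repo(good))                   # every entry True
    print(verify_repo(tamper_package(good)))   # the package entry is False
    print(verify_repo(tamper_primary(good)))   # primary False, no packages
```

The GPG check on repomd.xml itself (repomd.xml.asc) is assumed to have been done beforehand; without it, the whole chain could be regenerated by whoever controls the web root.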


The most important thing here is the SPEC files; I will not describe them, but I will provide some links:



  1. https://www.altlinux.org/Spec
  2. https://docs.fedoraproject.org/quick-docs/en-US/creating-rpm-packages.html
  3. https://www.opennet.ru/docs/HOWTO-RU/RPM-HOWTO-48.html


and one useful command:



 rpm --showrc 


it displays the predefined macros available for building.



Building tmux



Now let's build something useful as an example. We will build tmux, a terminal multiplexer without which I am not comfortable working. Note that tmux is in the CentOS 7 base repository, but the version there is 1.8, while we will build 2.7. Also, the package from the base repository depends on libevent, but we will build tmux statically against the latest versions of the libraries.



Preparing the sources



Download the tmux sources and the necessary libraries:



    cd ~/rpmbuild/SOURCES
    wget https://github.com/tmux/tmux/releases/download/2.7/tmux-2.7.tar.gz
    wget https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz
    wget https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz.asc
    wget ftp://ftp.gnu.org/gnu/ncurses/ncurses-6.1.tar.gz
    wget ftp://ftp.gnu.org/gnu/ncurses/ncurses-6.1.tar.gz.sig


Fetch the GPG keys for verifying the sources:



    gpg --recv-keys 8EF8686D
    gpg --recv-keys F7E48EDB


Check the files:



    gpg --verify libevent-2.1.8-stable.tar.gz.asc libevent-2.1.8-stable.tar.gz 2>&1 | grep "Good signature"
    gpg: Good signature from "Azat Khuzhin <a3at.mail@gmail.com>"
    gpg --verify ncurses-6.1.tar.gz.sig ncurses-6.1.tar.gz 2>&1 | grep "Good signature"
    gpg: Good signature from "Thomas Dickey <dickey@invisible-island.net>"


Prepare the tmux configuration file:



    vim ~/rpmbuild/SOURCES/tmux.conf
    # Server options:
    set-option -g buffer-limit 50
    set-option -g command-alias[100] zoom="resize-pane -Z"
    set-option -g default-terminal "screen-256color"
    set-option -g escape-time 500
    set-option -g exit-empty off
    set-option -g exit-unattached off
    set-option -g focus-events off
    set-option -g history-file ~/.tmux_history
    set-option -g message-limit 100
    set-option -g set-clipboard on
    set-option -g terminal-overrides[100] "xterm:colors=256"
    set-option -g terminal-overrides[101] "xterm*:colors=256"
    set-option -g terminal-overrides[102] "screen:colors=256"
    set-option -g terminal-overrides[103] "screen*:colors=256"
    # set-option -g user-keys[100] "\e[5;30012~"

    # Session options:
    set-option -g activity-action other
    set-option -g assume-paste-time 1
    set-option -g base-index 1
    set-option -g bell-action other
    # Command to run instead of the shell (overrides default-shell)
    # set-option -g default-command "vim"
    set-option -g default-shell "/bin/bash"
    set-option -g destroy-unattached off
    set-option -g detach-on-destroy on
    set-option -g display-panes-active-colour "red"
    set-option -g display-panes-colour "green"
    set-option -g display-panes-time 1000
    set-option -g display-time 750
    set-option -g history-limit 2000
    set-option -g key-table "root"
    set-option -g lock-after-time 1800
    set-option -g lock-command "vlock"
    # Replaces: message-command-attr message-command-bg message-command-fg
    set-option -g message-command-style "bg=black,fg=yellow"
    # Replaces: message-attr message-bg message-fg
    set-option -g message-style "bg=yellow,fg=black"
    # Since 2.1 replaces: mode-mouse mouse-resize-pane mouse-select-pane mouse-select-window
    set-option -g mouse off
    set-option -g prefix C-b
    set-option -g prefix2 C-a
    set-option -g renumber-windows on
    set-option -g repeat-time 500
    set-option -g set-titles on
    set-option -g set-titles-string "#{session_name}"
    set-option -g silence-action other
    set-option -g status on
    set-option -g status-interval 1
    set-option -g status-justify left
    set-option -g status-keys vi
    set-option -g status-left " [#{session_name}]#{?session_many_attached,*,} #{version} #[reverse] #[default] "
    set-option -g status-left-length 20
    # Replaces: status-left-attr status-left-bg status-left-fg
    set-option -g status-left-style "default"
    set-option -g status-position bottom
    set-option -g status-right " #[reverse] #[default] %a %d %b %Y %H:%M:%S [%V/%j] "
    set-option -g status-right-length 40
    # Replaces: status-right-attr status-right-bg status-right-fg
    set-option -g status-right-style "default"
    # Replaces: status-attr status-bg status-fg
    set-option -g status-style "bg=green,fg=black"
    set-option -g update-environment[100] "TERMINFO"
    # set-option -g user-keys[100] "\e[1~"
    set-option -g visual-activity off
    set-option -g visual-bell off
    set-option -g visual-silence off
    set-option -g word-separators " -_@"

    # Window options:
    set-option -gw aggressive-resize on
    set-option -gw allow-rename on
    set-option -gw alternate-screen on
    set-option -gw automatic-rename on
    set-option -gw automatic-rename-format "#{?pane_in_mode,[tmux],#{pane_current_command}}#{?pane_dead,[dead],}"
    set-option -gw clock-mode-colour "green"
    set-option -gw clock-mode-style 24
    set-option -gw force-height 0
    set-option -gw force-width 0
    set-option -gw main-pane-height 24
    set-option -gw main-pane-width 80
    set-option -gw mode-keys vi
    # Replaces: mode-attr mode-bg mode-fg
    set-option -gw mode-style "bg=yellow,fg=black"
    set-option -gw monitor-activity on
    set-option -gw monitor-bell on
    set-option -gw monitor-silence 0
    set-option -gw other-pane-height 0
    set-option -gw other-pane-width 0
    # Replaces: pane-active-border-attr pane-active-border-bg pane-active-border-fg
    set-option -gw pane-active-border-style "fg=green"
    set-option -gw pane-base-index 1
    set-option -gw pane-border-format "#{?pane_active,#[reverse],}#{?window_zoomed_flag,#[fg=red],} #{pane_index}:#{=6:pane_current_command} #[default]"
    set-option -gw pane-border-status top
    # Replaces: pane-border-attr pane-border-bg pane-border-fg
    set-option -gw pane-border-style "fg=green"
    set-option -gw remain-on-exit off
    set-option -gw synchronize-panes off
    set-option -gw window-active-style "default"
    # Replaces: window-status-activity-attr window-status-activity-bg window-status-activity-fg
    set-option -gw window-status-activity-style "fg=red"
    # Replaces: window-status-bell-attr window-status-bell-bg window-status-bell-fg
    set-option -gw window-status-bell-style "fg=red"
    set-option -gw window-status-current-format " #{window_index}:#{window_name} "
    # Replaces: window-status-current-attr window-status-current-bg window-status-current-fg
    set-option -gw window-status-current-style "reverse"
    set-option -gw window-status-format " #{window_index}:#{window_name}#{?window_activity_flag,#,}#{?window_bell_flag,!,}#{?window_silence_flag,~,} "
    # Replaces: window-status-last-attr window-status-last-bg window-status-last-fg
    set-option -gw window-status-last-style "default"
    set-option -gw window-status-separator ""
    set-option -gw window-status-style "default"
    set-option -gw window-style "default"
    set-option -gw wrap-search on
    set-option -gw xterm-keys on

    # Key bindings:
    # Alt + arrow keys switch panes
    bind-key -rT root M-Up select-pane -U
    bind-key -rT root M-Down select-pane -D
    bind-key -rT root M-Left select-pane -L
    bind-key -rT root M-Right select-pane -R
    # Alt + PageUp enters copy mode and scrolls up
    bind-key -T root M-PageUp copy-mode -eu
    # Toggle synchronized input to all panes
    bind-key -T prefix M-s set-option -gw synchronize-panes\; display-message "synchronize-panes: #{?synchronize-panes,on,off}"
    # Lock the session
    bind-key -T prefix M-l lock-session
    # Reload the configuration
    bind-key -T prefix M-r source-file /etc/tmux.conf\; display-message "/etc/tmux.conf reloaded"
    # bind-key -T prefix M-e

    # Default session
    new-session -s "work"


Preparing a SPEC file



This file is more interesting than the previous SPEC file:



    cd ~/rpmbuild/SPECS
    vim ~/rpmbuild/SPECS/tmux.spec
    %define libevent 2.1.8
    %define ncurses 6.1

    Name: tmux
    Version: 2.7
    Release: 1%{?dist}
    Summary: A terminal multiplexer
    Vendor: DFH
    Packager: ChelAxe
    Group: Applications/System
    License: ISC and BSD
    URL: https://github.com/%{name}/%{name}
    Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
    Source1: https://github.com/libevent/libevent/releases/download/release-%{libevent}-stable/libevent-%{libevent}-stable.tar.gz
    Source2: ftp://ftp.gnu.org/gnu/ncurses/ncurses-%{ncurses}.tar.gz
    Source3: tmux.conf
    BuildRequires: gcc, gcc-c++, make, glibc-static

    %description
    tmux is a "terminal multiplexer", it enables a number of terminals (or windows)
    to be accessed and controlled from a single terminal. tmux is intended to be a
    simple, modern, BSD-licensed alternative to programs such as GNU screen.

    %prep
    %setup -q -a1 -a2

    %build
    %__mkdir "libs"

    pushd "libevent-%{libevent}-stable"
    %_configure \
        --prefix="$(pwd)/../libs" \
        --disable-shared
    %__make install
    popd

    pushd "ncurses-%{ncurses}"
    %_configure \
        --prefix="$(pwd)/../libs" \
        --with-default-terminfo-dir="/usr/share/terminfo" \
        --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo:$HOME/.terminfo"
    %__make install
    popd

    %_configure \
        --enable-static \
        --prefix="/usr" \
        CFLAGS="-Ilibs/include -Ilibs/include/ncurses" \
        LDFLAGS="-Llibs/lib -Llibs/include -Llibs/include/ncurses" \
        LIBEVENT_CFLAGS="-Ilibs/include" \
        LIBEVENT_LIBS="-Llibs/lib -levent" \
        LIBNCURSES_CFLAGS="-Ilibs/include" \
        LIBNCURSES_LIBS="-Llibs/lib -lncurses"
    %__make

    %install
    %__rm -rf %{buildroot}
    %make_install
    install -d -m 755 %{buildroot}%{_sysconfdir}
    install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/tmux.conf

    %clean
    %__rm -rf %{buildroot}

    %files
    %defattr(-,root,root,-)
    %doc README TODO CHANGES example_tmux.conf
    %config(noreplace) %{_sysconfdir}/tmux.conf
    %{_bindir}/tmux
    %{_mandir}/man1/tmux.1.gz

    %changelog
    * Fri Jun 29 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.7-1%{?dist}
    - Rebuild for new version tmux.

    * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.6-1%{?dist}
    - Initial package.


Build



Build the package and add it to the repository:



    rpmbuild -ba --sign ~/rpmbuild/SPECS/tmux.spec
    cp ~/rpmbuild/RPMS/x86_64/tmux-2.7-1.el7.centos.x86_64.rpm ~/rpmbuild/REPO/Packages/
    createrepo --update ~/rpmbuild/REPO


Do not forget to sign the metadata:



 gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml 


Let's see what we ended up with:



    tree ~/rpmbuild/ -L 2
    /home/chelaxe/rpmbuild/
    ├── BUILD
    │   ├── chelaxe-release
    │   └── tmux-2.7
    ├── BUILDROOT
    ├── REPO -> /var/www/repo
    ├── RPMS
    │   ├── noarch
    │   └── x86_64
    ├── SOURCES
    │   ├── chelaxe-release
    │   ├── chelaxe-release.tar.gz
    │   ├── libevent-2.1.8-stable.tar.gz
    │   ├── libevent-2.1.8-stable.tar.gz.asc
    │   ├── ncurses-6.1.tar.gz
    │   ├── ncurses-6.1.tar.gz.sig
    │   ├── tmux-2.7.tar.gz
    │   └── tmux.conf
    ├── SPECS
    │   ├── chelaxe-release.spec
    │   └── tmux.spec
    └── SRPMS
        ├── chelaxe-release-1.0-1.el7.centos.src.rpm
        └── tmux-2.7-1.el7.centos.src.rpm


Install and Run



Install our package:



    sudo yum clean all
    sudo yum install -y tmux


Run tmux and enjoy:



 tmux attach-session 


Building fbida



We will build fbida, a set of applications for viewing images in the console. This package is not available for CentOS 7.



Preparing the sources



Download the fbida sources:



    cd ~/rpmbuild/SOURCES
    wget https://www.kraxel.org/releases/fbida/fbida-2.14.tar.gz
    wget https://www.kraxel.org/releases/fbida/fbida-2.14.tar.gz.asc


Fetch the GPG key for verifying the sources:



 gpg --recv-keys D3E87138 


Check the file:



    gpg --verify fbida-2.14.tar.gz.asc fbida-2.14.tar.gz 2>&1 | grep "Good signature"
    gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"


Preparing a SPEC file



The SPEC file:



    cd ~/rpmbuild/SPECS
    vim ~/rpmbuild/SPECS/fbida.spec
    Name: fbida
    Version: 2.14
    Release: 1%{?dist}
    Summary: FrameBuffer Imageviewer
    Vendor: DFH
    Packager: ChelAxe
    Group: Applications/Multimedia
    License: GPLv2+
    URL: https://www.kraxel.org/blog/linux/fbida/
    Source: https://www.kraxel.org/releases/fbida/fbida-%{version}.tar.gz
    BuildRequires: libexif-devel fontconfig-devel libjpeg-turbo-devel
    BuildRequires: libpng-devel libtiff-devel pkgconfig
    BuildRequires: giflib-devel libcurl-devel libXpm-devel
    BuildRequires: pixman-devel libepoxy-devel libdrm-devel
    BuildRequires: mesa-libEGL-devel poppler-devel poppler-glib-devel
    BuildRequires: freetype-devel mesa-libgbm-devel
    Requires: libexif fontconfig libjpeg-turbo
    Requires: libpng libtiff giflib
    Requires: libcurl libXpm pixman
    Requires: libepoxy libdrm mesa-libEGL
    Requires: poppler poppler-glib freetype
    Requires: mesa-libgbm ImageMagick dejavu-sans-mono-fonts

    %description
    fbi displays the specified file(s) on the linux console using the framebuffer
    device. PhotoCD, jpeg, ppm, gif, tiff, xwd, bmp and png are supported directly.
    For other formats fbi tries to use ImageMagick's convert.

    %prep
    %setup -q
    %{__sed} -i -e "s,/X11R6,,g" GNUmakefile

    %install
    %__rm -rf %{buildroot}
    %make_install PREFIX=/usr

    %clean
    %__rm -rf %{buildroot}

    %files
    %defattr(-,root,root,-)
    %doc Changes COPYING INSTALL README TODO VERSION
    %{_prefix}/*

    %changelog
    * Tue May 1 2018 ChelAxe (DFH) <chelaxe@gmail.com> - 2.14-1%{?dist}
    - Initial package.


Build



Install the build dependencies, build the package and add it to the repository:



    sudo yum install -y libexif-devel fontconfig-devel libjpeg-turbo-devel libpng-devel libtiff-devel pkgconfig giflib-devel libcurl-devel libXpm-devel ImageMagick dejavu-sans-mono-fonts pixman-devel libepoxy-devel libdrm-devel mesa-libEGL-devel poppler-devel poppler-glib-devel mesa-libgbm-devel
    rpmbuild -ba --sign ~/rpmbuild/SPECS/fbida.spec
    cp ~/rpmbuild/RPMS/x86_64/fbida-2.14-1.el7.centos.x86_64.rpm ~/rpmbuild/REPO/Packages/
    createrepo --update ~/rpmbuild/REPO


Do not forget to sign the metadata:



 gpg --detach-sign --armor ~/rpmbuild/REPO/repodata/repomd.xml 




Install the package:



    sudo yum clean all
    sudo yum install -y fbida


http/https



Now we set up access to the repository over http/https.



Configuration



Disable the Apache welcome page and make a backup copy of the configuration:



    sudo mv /etc/httpd/conf.d/welcome{.conf,.bak}
    sudo cp /etc/httpd/conf/httpd{.conf,.bak}


Edit the configuration:



    sudo vim /etc/httpd/conf/httpd.conf
    # Listen only on the address 192.168.0.2
    Listen 192.168.0.2:80
    # Administrator email and server name
    ServerAdmin chelaxe@gmail.com
    ServerName repo.chelaxe.ru
    # Hide the Apache version
    ServerSignature Off
    ServerTokens Prod

    sudo cp /etc/httpd/conf.d/ssl{.conf,.bak}
    sudo vim /etc/httpd/conf.d/ssl.conf
    # Listen only on the address 192.168.0.2
    Listen 192.168.0.2:443 https
    # OCSP (Online Certificate Status Protocol) stapling cache
    SSLStaplingCache "shmcb:logs/stapling-cache(128000)"


Check the configuration:



    sudo apachectl configtest
    Syntax OK


Start the service and enable it at boot:



    sudo systemctl start httpd
    sudo systemctl enable httpd


Generate Diffie-Hellman parameters and compute the key pin for HKPK:



    # Generate Diffie-Hellman parameters
    cd /etc/ssl/certs
    sudo openssl dhparam -out dhparam.pem 4096
    # Extract the public key for HKPK (HTTP Public Key Pinning)
    sudo openssl x509 -noout -in /etc/pki/tls/certs/localhost.crt -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key
    # Compute the pin for HKPK (HTTP Public Key Pinning)
    openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64
    aQxRkBUlhfQjidLUovOlxdZe/4ygObbDG7l+RgwzSWA=
    rm -rf /tmp/public.key


Create the VirtualHost configuration:



    sudo vim /etc/httpd/conf.d/repo.conf
    <VirtualHost "192.168.0.2:80">
        ServerAdmin "chelaxe@gmail.com"
        ServerName "repo.chelaxe.ru"
        DocumentRoot "/var/www/repo"
        <Directory "/var/www/repo">
            AllowOverride None
            Options Indexes
        </Directory>
    </VirtualHost>

    <VirtualHost "192.168.0.2:443">
        ServerAdmin "chelaxe@gmail.com"
        ServerName "repo.chelaxe.ru"
        DocumentRoot "/var/www/repo"
        <Directory "/var/www/repo">
            AllowOverride None
            Options Indexes
        </Directory>
        SSLEngine on
        # HSTS (HTTP Strict Transport Security)
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        # HKPK (HTTP Public Key Pinning)
        Header set Public-Key-Pins "pin-sha256=\"aQxRkBUlhfQjidLUovOlxdZe/4ygObbDG7l+RgwzSWA=\"; max-age=2592000; includeSubDomains"
        # Keep search engines away
        Header set X-Robots-Tag "none"
        # Browser XSS filter
        Header set X-XSS-Protection "1; mode=block"
        # Forbid framing (protection against clickjacking)
        Header always append X-Frame-Options DENY
        # Forbid MIME sniffing
        Header set X-Content-Type-Options nosniff
        # Content Security Policy against XSS
        Header set Content-Security-Policy "default-src 'self';"
        # OCSP (Online Certificate Status Protocol)
        SSLUseStapling on
        # Disable SSL compression (protection against CRIME)
        SSLCompression off
        # Disable SSLv2 and SSLv3
        SSLProtocol all -SSLv2 -SSLv3
        # Cipher suites
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        # Prefer the server's cipher order
        SSLHonorCipherOrder on
        # Diffie-Hellman parameters
        # cat /etc/ssl/certs/dhparam.pem >> /etc/pki/tls/certs/localhost.crt
        # Starting with Apache 2.4.8
        # SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
        SSLOptions +StrictRequire
        SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
        SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"
    </VirtualHost>


Since CentOS 7 ships Apache 2.4.6, and SSLOpenSSLConfCmd appeared only in 2.4.8, we append the Diffie-Hellman parameters to the certificate file:



 sudo bash -c "cat /etc/ssl/certs/dhparam.pem >> /etc/pki/tls/certs/localhost.crt" 


HTTP/2 is not configured, since this version of Apache does not support HTTP/2.



Check the configuration and reload the service:



    sudo apachectl configtest
    Syntax OK
    sudo systemctl reload httpd


Let's Encrypt



Now let's get a certificate from Let's Encrypt:



 sudo certbot --apache --agree-tos --email chelaxe@gmail.com -d repo.chelaxe.ru 


certbot will offer to redirect (rewrite) http to https. The following lines are added to the http VirtualHost:



    RewriteEngine on
    RewriteCond %{SERVER_NAME} =repo.chelaxe.ru
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


And to the https VirtualHost:



    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/repo.chelaxe.ru/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/repo.chelaxe.ru/chain.pem


Note the line Include /etc/letsencrypt/options-ssl-apache.conf, which brings in certbot's own SSL settings.



Append the Diffie-Hellman parameters to the new certificate:



 sudo bash -c "cat /etc/ssl/certs/dhparam.pem >> /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem" 


Recompute the pin for HKPK (HTTP Public Key Pinning):



    # Extract the public key for HKPK (HTTP Public Key Pinning)
    sudo openssl x509 -noout -in /etc/letsencrypt/live/repo.chelaxe.ru/cert.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key
    # Compute the pin for HKPK (HTTP Public Key Pinning)
    openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64
    aidlhfQjoxRkbvOlxdZLBUe/4ygOUDG7l+RgwzQbSWA=
    rm -rf /tmp/public.key


And update the header in the configuration:



    # HKPK (HTTP Public Key Pinning)
    Header set Public-Key-Pins "pin-sha256=\"aidlhfQjoxRkbvOlxdZLBUe/4ygOUDG7l+RgwzQbSWA=\"; max-age=2592000; includeSubDomains"


Check the configuration and reload the service:



    sudo apachectl configtest
    Syntax OK
    sudo systemctl reload httpd


Set up automatic certificate renewal:



    sudo crontab -e
    SHELL=/bin/bash
    MAILTO=chelaxe@gmail.com
    @daily certbot renew >> /var/log/certbot-renew.log


Keep in mind that after renewal the key can change, and with it the pin for HKPK (HTTP Public Key Pinning).



.htaccess



If a .htaccess file is used, set its owner, permissions and SELinux context:



    sudo chown apache:apache ~/rpmbuild/REPO/.htaccess
    sudo chmod 600 ~/rpmbuild/REPO/.htaccess
    sudo chcon -R -t httpd_sys_content_t ~/rpmbuild/REPO/.htaccess


For it to take effect, set AllowOverride All in the VirtualHost. To hide the file from the directory listing, add:



 IndexIgnore .htaccess 





and in vsftpd:



    hide_file={.htaccess}
    deny_file={.htaccess}


The .htaccess file can also be renamed with AccessFileName:



 AccessFileName .acl 


The directory listing is produced by Apache's mod_autoindex, and it can be customized. I styled it using noscript, html5, css3, javascript, jquery, bootstrap, backbone and awesome; here is the result:



repo.chelaxe.ru



and without javascript:



LINKS2



Neither the web listing nor vsftpd shows the .htaccess file.



Links on mod_autoindex and on the same for nginx:



  1. http://www.oglib.ru/apman/mod/mod_autoindex.html
  2. https://habr.com/post/353478/


FTP



Start vsftpd and enable it at boot:



    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd


Configure vsftpd for anonymous read-only access to the repository:



    sudo cp /etc/vsftpd/vsftpd{.conf,.bak}
    sudo vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    local_enable=NO
    write_enable=NO
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    force_dot_files=NO
    anon_root=/var/www/repo
    no_anon_password=YES
    hide_ids=YES
    sudo usermod -d /var/www/repo ftp


Set the SELinux context for the repository:



    sudo semanage fcontext -a -t public_content_t '/var/www/repo(/.*)?'
    sudo restorecon -Rv '/var/www/repo'


Restart the service:



 sudo systemctl restart vsftpd 


Restore the context of the .htaccess file, which restorecon changed while setting up ftp:



 sudo chcon -R -t httpd_sys_content_t ~/rpmbuild/REPO/.htaccess 


Conclusion







Source: https://habr.com/ru/post/354136/


