Pulp_deb for pulp3 in Katello

With the support for (Debian-/)APT-repositories having been merged to katello, I think it is time to document how to use it
This Howto does not cover data-migration! It is solely for new systems and people who want to test it.
The following steps were tested on a centos7-katello-nightly libvirt VM deployed by forklift.
Works for Katello >= 3.18

Installation
Fairly straight forward:

  1. install the pulpcore plugin yum -y install python3-pulp-deb
  2. run foreman-installer, this will make sure the pulpcore DB-migrations are applied and the pulpcore-services are restarted
  3. make sure that the SmartProxy now uses pulpcore for the deb-repositories, by looking at Infrasturcture->SmartProxies->Services.
    If it is still shown for pulp, Click on Actions->Refresh

Signing Repository Metadata
This is currently a little more tricky, because this feature uses the pulpcore-SigningService feature, which is currently in a state of tech-preview.
Enabling this will need three things:

  1. GPG-Key pair owned by the pulp user
  2. signing-script (similar to pulp2), which will be used by pulp to sign the Release-files with the aforementioned GPG-Key
  3. python-script to add the Signing Service in pulpcore, which will tell pulpcore what script should be used for signing

1) Generating Signing-Keys

su pulp -s /bin/bash

# this is necessary for GPG's pinentry to work.
script /dev/null

# make sure to set the correct ID for the key here, this example uses 'Pulp QE'
# also either set no passphrase here (which you should not use for productive use!!!)
# or add additional code to handle the passphrase in the signing-script
gpg --gen-key

# export the public-key
gpg --export --armor "Pulp QE"

2) Create Signing-Script
For testing you can use the script from the pulp_deb plugin, which is used for the unit-tests.
Make sure it uses the correct GPG-Key.

3) Get add_signing_service Script
As with the Signing-Script it is easiest to use the script from the pulp_deb plugin for now.
However, you have to adapt the name, the SigningService will be given to katello_deb_sign. Otherwise, katello will not be able to find it.

You have to make sure both scripts are executable and in a location the pulp-user can access it!

After that the the signing-service can be added by running the script with some additional env-vars, so it can run in the context of the pulpcore-server:

sudo -u pulp \
  PULP_SETTINGS='/etc/pulp/settings.py' \
  DJANGO_SETTINGS_MODULE='pulpcore.app.settings' \
  ./setup_signing_service.py "${PWD}/sign_deb_release.sh"
4 Likes

Not specified in your post, but : Do not try this with Katello 3.17 !!
pulp3 for deb content had been added in 3.18

1 Like

It would indeed be good to update the manual to mention that with 3.18 the installer will take care of everything. --foreman-proxy-content-enable-deb true --katello-enable-deb true should be sufficient, but those are also the defaults so it should work out of the box.

However, all the signing is not set up by the installer.

As far as I see, I am not able to edit the text :frowning:
Or I just do not see it :sweat_smile:

I’ve made it a wiki now so everyone can edit it.

2 Likes