Pulp_deb for pulp3 in Katello

m-bucher · November 19, 2020, 5:06pm

With the support for (Debian-/)APT-repositories having been merged to katello, I think it is time to document how to use it
This Howto does not cover data-migration! It is solely for new systems and people who want to test it.
The following steps were tested on a centos7-katello-nightly libvirt VM deployed by forklift.
Works for Katello >= 3.18

Installation
Fairly straight forward:

install the pulpcore plugin yum -y install python3-pulp-deb
run foreman-installer, this will make sure the pulpcore DB-migrations are applied and the pulpcore-services are restarted
make sure that the SmartProxy now uses pulpcore for the deb-repositories, by looking at Infrasturcture → SmartProxies → Services.
If it is still shown for pulp, Click on Actions → Refresh

Signing Repository Metadata
This is currently a little more tricky, because this feature uses the pulpcore-SigningService feature, which is currently in a state of tech-preview.
Enabling this will need three things:

GPG-Key pair owned by the pulp user
signing-script (similar to pulp2), which will be used by pulp to sign the Release-files with the aforementioned GPG-Key
python-script to add the Signing Service in pulpcore, which will tell pulpcore what script should be used for signing

1) Generating Signing-Keys

su pulp -s /bin/bash

# this is necessary for GPG's pinentry to work.
script /dev/null

# make sure to set the correct ID for the key here, this example uses 'Pulp QE'
# also either set no passphrase here (which you should not use for productive use!!!)
# or add additional code to handle the passphrase in the signing-script
gpg --gen-key

# export the public-key
gpg --export --armor "Pulp QE"

2) Create Signing-Script
For testing you can use the script from the pulp_deb plugin, which is used for the unit-tests.
Make sure it uses the correct GPG-Key.

3) Get add_signing_service Script
As with the Signing-Script it is easiest to use the script from the pulp_deb plugin for now.
However, you have to adapt the name, the SigningService will be given to katello_deb_sign. Otherwise, katello will not be able to find it.

You have to make sure both scripts are executable and in a location the pulp-user can access it!

After that the the signing-service can be added by running the script with some additional env-vars, so it can run in the context of the pulpcore-server:

sudo -u pulp \
  PULP_SETTINGS='/etc/pulp/settings.py' \
  DJANGO_SETTINGS_MODULE='pulpcore.app.settings' \
  ./setup_signing_service.py "${PWD}/sign_deb_release.sh"

Update #1:
pulpcore-3.10, pulp_deb-2.10 upgrades how the signing-service is configured/used. This requires changed sign_deb_release.sh-Script and add_signing_service-Script. The updated scripts can also be found in the linked github-repository. If in doubt, select the git-Tag that equals the used/installed version of pulp_deb to find the correct script.

Update #2:
Since pulpcore-3.13.0, pulpcore-manager has a sub-command to add a signing-service, which makes step 3) a little easier

pulpcore-manager add-signing-service \
  --class 'deb:AptReleaseSigningService' \
  katello_deb_sign "${PWD}/sign_deb_release.sh" 'Pulp QE'

GC29 · February 2, 2021, 2:29pm

Not specified in your post, but : Do not try this with Katello 3.17 !!
pulp3 for deb content had been added in 3.18

ekohl · February 2, 2021, 5:06pm

It would indeed be good to update the manual to mention that with 3.18 the installer will take care of everything. --foreman-proxy-content-enable-deb true --katello-enable-deb true should be sufficient, but those are also the defaults so it should work out of the box.

However, all the signing is not set up by the installer.

m-bucher · February 2, 2021, 5:19pm

As far as I see, I am not able to edit the text
Or I just do not see it

ekohl · February 2, 2021, 5:27pm

I’ve made it a wiki now so everyone can edit it.

mdiorio · April 1, 2021, 2:30pm

Thank you for this. I’m struggling with it now.

When you say make sure to set the correct ID for the key. Where to we get the correct ID?

mdiorio · April 1, 2021, 3:18pm

Also - I do have existing deb repositories. If I switch Debian over to pulp3, I’d need to re-create the repos right - since there’s no upgrade path yet that I can see.

SB358 · April 2, 2021, 7:10am

Hi,
Thanks for the post , Just one clarification Step 3) if i am understanding this correctly add_signing_service -Script should be renamed to katello_deb_sign.py??

m-bucher · April 6, 2021, 9:00am

No, the script can be named to anything.
Only the name that the Signing-Service is named in the database has top be adapted here, because Katello will always use the SigningService named katello_deb_sign.
The name of the script is saved in the SigningService database-entry and therefore can be customized.

quba42 · April 6, 2021, 9:00am

Right now you would need to recreate them, we are working on an upgrade path (and the underlying feature in the pulp_2to3_migration plugin exists), but we have not yet added it to Katello.

m-bucher · April 6, 2021, 12:13pm

If you set the ID to something different than Pulp QE, you will have to adapt it in the signing-script and when you export the public-key

If your pulp-user only has one secret-key in gpg, you may be able to get away with not specifying the key-ID at all. But I am not fully sure about that.

SB358 · April 6, 2021, 3:02pm

Thanks Markus appreciate your help

quba42 · October 25, 2021, 11:49am

One more slight update/add-on:

The post pulpcore 3.13 version of the signing service script can be found here (make sure you adjust the GPG_KEY_ID to identify your signing key!):

github.com

pulp/pulp_deb/blob/main/pulp_deb/tests/functional/sign_deb_release.sh

#!/bin/bash

set -e

RELEASE_FILE="$(/usr/bin/readlink -f $1)"
OUTPUT_DIR="$(/usr/bin/mktemp -d)"
DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
GPG_KEY_ID="Pulp QE"
COMMON_GPG_OPTS="--batch --armor --digest-algo SHA256"

# Create a detached signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \
  --detach-sign \
  --output "${DETACHED_SIGNATURE_PATH}" \
  --local-user "${GPG_KEY_ID}" \
  "${RELEASE_FILE}"

# Create an inline signature
/usr/bin/gpg ${COMMON_GPG_OPTS} \

This file has been truncated. show original

(In fact, this URL points at the main branch so it will always point at the latest version of the script).

Also, I would amend the instructions for creating the signing service using pulpcore-manager as follows:

export PULP_SETTINGS="/etc/pulp/settings.py"  # needed for pulpcore-manager on Katello installations
pulpcore-manager add-signing-service \
  --class 'deb:AptReleaseSigningService' \
  'katello_deb_sign' \
  <path_to_signing_service_script> <signing_key_fingerprint>

Strictly speaking <signing_key_fingerprint> can be anything that will allow gpg to identify the signing key it should use. However, I recommend using the full fingerprint, since this is saved to the signing service’s fingerprint field in the Pulp DB, and who knows what kind of validation may be added to that in the future.

If you are using a local gpg key owned by the Pulp user, you can find out the fingerprint by running gpg --list-keys --fingerprint as the Pulp user. If you want more details, consult man gpg.