Pulp_deb for pulp3 in Katello

With the support for (Debian-/)APT-repositories having been merged to katello, I think it is time to document how to use it
This Howto does not cover data-migration! It is solely for new systems and people who want to test it.
The following steps were tested on a centos7-katello-nightly libvirt VM deployed by forklift.

Installation
Fairly straight forward:

  1. install the pulpcore plugin yum -y install python3-pulp-deb
  2. run foreman-installer, this will make sure the pulpcore DB-migrations are applied and the pulpcore-services are restarted
  3. make sure that the SmartProxy now uses pulpcore for the deb-repositories, by looking at Infrasturcture->SmartProxies->Services.
    If it is still shown for pulp, Click on Actions->Refresh

Signing Repository Metadata
This is currently a little more tricky, because this feature uses the pulpcore-SigningService feature, which is currently in a state of tech-preview.
Enabling this will need three things:

  1. GPG-Key pair owned by the pulp user
  2. signing-script (similar to pulp2), which will be used by pulp to sign the Release-files with the aforementioned GPG-Key
  3. python-script to add the Signing Service in pulpcore, which will tell pulpcore what script should be used for signing

1) Generating Signing-Keys

su pulp -s /bin/bash

# this is necessary for GPG's pinentry to work.
script /dev/null

# make sure to set the correct ID for the key here, this example uses 'Pulp QE'
# also either set no passphrase here (which you should not use for productive use!!!)
# or add additional code to handle the passphrase in the signing-script
gpg --gen-key

# export the public-key
gpg --export --armor "Pulp QE"

2) Create Signing-Script
For testing you can use the script from the pulp_deb plugin, which is used for the unit-tests.
Make sure it uses the correct GPG-Key.

3) Get add_signing_service Script
As with the Signing-Script it is easiest to use the script from the pulp_deb plugin for now.
However, you have to adapt the name, the SigningService will be given to katello_deb_sign. Otherwise, katello will not be able to find it.

You have to make sure both scripts are executable and in a location the pulp-user can access it!

After that the the signing-service can be added by running the script with some additional env-vars, so it can run in the context of the pulpcore-server:

sudo -u pulp \
  PULP_SETTINGS='/etc/pulp/settings.py' \
  DJANGO_SETTINGS_MODULE='pulpcore.app.settings' \
  ./setup_signing_service.py "${PWD}/sign_deb_release.sh"
3 Likes