Tuesday, September 17, 2013

Creating a debian package from binaries



Create directory following the naming $PACKAGE-$VERSION:

mkdir private-tomcat-7.0.42
cd private-tomcat-7.0.42

Copy to this directory the files that you want to be installed.


Create configuration:

dh_make --createorig

Type of package: single binary, indep binary, multiple binary, library, kernel module, kernel patch?
 [s/i/m/l/k/n] s

Maintainer name  : root
Email-Address    : root@unknown
Date             : Wed, 21 Aug 2013 01:36:59 -0700
Package Name     : private-tomcat
Version          : 7.0.42
License          : blank
Type of Package  : Single
Hit <enter> to confirm: 
Currently there is no top level Makefile. This may require additional tuning.
Done. Please edit the files in the debian/ subdirectory now. You should also
check that the private-tomcat Makefiles install into $DESTDIR and not in / .


Edit the created debian/control file:

Source: private-tomcat
Section: main
Priority: extra
Maintainer: root <root@unknown>
Build-Depends: debhelper (>= 8.0.0)
Standards-Version: 3.9.2
#Vcs-Git: git://git.debian.org/collab-maint/private-tomcat.git
#Vcs-Browser: http://git.debian.org/?p=collab-maint/private-tomcat.git;a=summary

Package: private-tomcat
Replaces: 7.0.35
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Apache tomcat for internal use in private Project

Edit debian/changelog and remove the references to the ITP bug (it is not needed for a private package).

Rename debian/postinst.ex to debian/postinst:
mv debian/postinst.ex debian/postinst

Create the file debian/$PACKAGENAME.install (here debian/private-tomcat.install). Each line has the following structure:

path/to/file/relative/to/source/root path/to/install/relative/to/system/root
e.g.
apache-tomcat-7.0.42/* opt/

change debian/compat to level 7

echo "7" > debian/compat

Copy the init.d or upstart script for the installed package and name it
debian/$PACKAGENAME.init

then run:

dh_installinit


If you want to install the init script under a different name, rename the init file to debian/$NAME.init, then edit debian/rules and add the following override (the recipe line must be indented with a tab; tomcat is the desired name):

override_dh_installinit:
	dh_installinit --name=tomcat

Remember to run dh_prep between runs of dh_installinit; otherwise the same snippet may be added to the maintainer scripts several times.


From the package root directory (private-tomcat-7.0.42), run:

dpkg-buildpackage -b -us -uc

This builds a binary-only package (-b) and skips signing the source and .changes files (-us -uc), which avoids signing errors when no GPG key is set up. The resulting .deb is written to the parent directory.
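The steps above, collected into one script as an added example (this is not code from the original post). It writes the debian/ files that dh_make plus the manual edits produce for a binary-only package, puts the dh_installinit override into debian/rules with the tab indentation make requires, and checks the result before dpkg-buildpackage is run. The maintainer string and the function arguments (package root, package name, version, upstream subdirectory, init script name) are placeholders; dh_make itself is not needed because every file is written explicitly.

```shell
#!/bin/sh
# Added example, not from the original post: lay out the debian/ directory that the
# procedure above builds by hand. Placeholders: the maintainer string below and the
# arguments (package root, package name, version, upstream subdir, init script name).
set -e

# make_debian_skeleton <root> <pkg> <version> <upstream-subdir> <init-name>
# Writes control, changelog, compat, <pkg>.install and rules under <root>/debian.
# <upstream-subdir> is the directory of pre-built files (relative to <root>) that
# ends up under /opt on the target system.
make_debian_skeleton() {
    root="$1"; pkg="$2"; version="$3"; upstream="$4"; initname="$5"
    mkdir -p "$root/debian"

    # control: nothing is compiled, so debhelper is the only build dependency.
    cat > "$root/debian/control" <<EOF
Source: $pkg
Section: misc
Priority: extra
Maintainer: Package Maintainer <maintainer@example.invalid>
Build-Depends: debhelper (>= 8.0.0)
Standards-Version: 3.9.2

Package: $pkg
Architecture: any
Depends: \${shlibs:Depends}, \${misc:Depends}
Description: $pkg packaged from upstream binaries
 Pre-built files installed under /opt.
EOF

    # changelog: one entry; dpkg-buildpackage takes the package version from here.
    cat > "$root/debian/changelog" <<EOF
$pkg ($version-1) unstable; urgency=low

  * Packaged from upstream binaries.

 -- Package Maintainer <maintainer@example.invalid>  $(date -R)
EOF

    echo 7 > "$root/debian/compat"

    # <pkg>.install: "path relative to source root  target dir relative to /"
    echo "$upstream/* opt/" > "$root/debian/$pkg.install"

    # rules: make needs a literal tab before each recipe line, hence printf.
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n\noverride_dh_installinit:\n\tdh_installinit --name=%s\n' \
        "$initname" > "$root/debian/rules"
    chmod 755 "$root/debian/rules"
}

# check_skeleton <root> <pkg>: fail if a required file is missing or if any
# recipe line in debian/rules is indented with spaces instead of a tab.
check_skeleton() {
    root="$1"; pkg="$2"
    for f in control changelog compat rules "$pkg.install"; do
        [ -f "$root/debian/$f" ] || { echo "missing debian/$f" >&2; return 1; }
    done
    if grep -q '^  *dh' "$root/debian/rules"; then
        echo "debian/rules has space-indented recipe lines" >&2
        return 1
    fi
    return 0
}

# build_package <root>: binary-only, unsigned build, run from the package root.
build_package() {
    ( cd "$1" && dpkg-buildpackage -b -us -uc )
}

# Usage (assumes the upstream files were copied into the package root first):
#   make_debian_skeleton private-tomcat-7.0.42 private-tomcat 7.0.42 apache-tomcat-7.0.42 tomcat
#   check_skeleton private-tomcat-7.0.42 private-tomcat && build_package private-tomcat-7.0.42
```

The check for space-indented recipe lines is there because that is the most common reason a hand-written debian/rules fails with "missing separator" at build time; the override target is only honoured when the rules file uses the dh sequencer (the `%:` catch-all target).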

Friday, August 23, 2013

Puppet: certificates signed with multiple names

By default, the puppet master's SSL certificate is generated for the hostname of the server. If that server is reached under two different names (e.g. internalname.domain.com and external.domain.com), agents connecting by the other name fail with errors such as:

Server hostname 'internalname.domain.com' did not match server certificate; expected observer1

You can do the following:

rm -fr /var/lib/puppet/ssl # alternatively, delete only the individual .pem files
puppet cert generate external.domain.com --dns_alt_names=internalname.domain,puppet

If executed as above (deleting all certificates), every puppet node needs to request a new certificate and the master has to sign it.

Thursday, February 28, 2013

Managing SIP extensions with puppet

I decided to take the next step into the world of Puppet and actually created my own Provider and Type. So I would like to introduce "puppet-asterisk" which creates a custom type and provider for managing Asterisk's SIP configuration. The provider allows for simple SIP resource management, by managing /etc/asterisk/sip.conf and treating each SIP extension defined as an individual resource, so the following extension:
[100]
type=friend
host=dynamic
secret=MyPass123
context=internal
mailbox=100@default
callgroup=1
pickupgroup=1
dtmfmode=rfc2833
canreinvite=no
permit=10.34.0.1/32
deny=10.34.0.2/32
Can be expressed as:
sip {'100':
    ensure  => present,
    type    => 'friend',
    host    => 'dynamic',
    secret  => 'MyPass123',
    context => 'internal',
    mailbox => '100@default',
    permit  => '10.34.0.1/32',
    deny    => '10.34.0.2/32',
}
This allows managing a SIP extension and its properties individually, and even grouping extensions as virtual resources. I have scouted Puppet Forge and most solutions focus entirely on uploading the whole sip.conf as a template, which is pretty limiting. We must aim to keep as much of the infrastructure managed by Puppet as possible.

Installing

At the time of this writing I have not yet submitted it to Puppet Forge, so you must clone the repository from GitHub (https://github.com/AlexRRR/puppet-asterisk) and copy it to your /etc/puppet/modules directory.

Testing

Please make sure you have rake and rspec installed:
gem install rake
gem install rspec
Run the tests from the root directory of the project:
rake spec

Friday, January 4, 2013

Creating a private signed repository with Ubuntu

To have a streamlined deployment and management strategy via Puppet, it is necessary to be able to create signed Debian packages and a private signed repository to hold them. This keeps the Puppet manifests simpler, and updates are rolled out in a controlled manner.


Webserver configuration

Installing the webserver:
apt-get install apache2

Add the following to the site configuration, so that the repository is browsable while the reprepro internals (the database, configuration and incoming directories) are never served:

<Directory /var/www/repos/ >
        Options Indexes FollowSymLinks Multiviews
        Order allow,deny
        Allow from all
</Directory>
<Directory "/var/www/repos/apt/*/db/">
        Order allow,deny
        Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/conf/">
        Order allow,deny
        Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/incoming/">
        Order allow,deny
        Deny from all
</Directory>
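To check that an Apache configuration really keeps the reprepro internals out of reach, here is an added example (not from the original post) that parses the <Directory> blocks of a 2.2-style config file, lists those closed with "Deny from all", and verifies that db/, conf/ and incoming/ under the repository root are all covered. It assumes the directives are written as above (one per line, "Deny from all" spelled this way) and does not evaluate Apache's full merge rules, so it is a static lint, not a replacement for testing the live server.

```shell
#!/bin/sh
# Added example, not from the original post: static check of which <Directory>
# blocks deny all access, and whether the reprepro internals are among them.
# Assumes Apache 2.2 syntax with one directive per line.

# apache_denied_dirs <conf>: print the path of every <Directory> block whose
# body contains "Deny from all", one per line (quotes around paths are removed).
apache_denied_dirs() {
    awk '
        /^[ \t]*<Directory[ \t]/ {
            d = $0
            sub(/^[ \t]*<Directory[ \t]+/, "", d)
            sub(/[ \t]*>[ \t]*$/, "", d)
            gsub(/"/, "", d)
            denied = 0
            next
        }
        /^[ \t]*Deny[ \t]+from[ \t]+all/ { denied = 1 }
        /^[ \t]*<\/Directory>/ { if (denied) print d; d = "" }
    ' "$1"
}

# check_repo_exposure <conf> <repo-root>: return 0 only if <repo-root>/apt/*/db/,
# conf/ and incoming/ each have a Deny-from-all block; report the first gap.
check_repo_exposure() {
    denied=$(apache_denied_dirs "$1")
    for sub in db conf incoming; do
        echo "$denied" | grep -qx "$2/apt/\*/$sub/" || {
            echo "exposed: $2/apt/*/$sub/ is not denied" >&2
            return 1
        }
    done
    return 0
}

# Usage: check_repo_exposure /etc/apache2/sites-enabled/000-default /var/www/repos
```

The db/ directory deserves the most attention: reprepro keeps its package database there, and serving it reveals the full repository state to anyone who can reach the web server, while incoming/ would expose packages before they are signed and published.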

RNG Tools


The rngd daemon acts as a bridge between a hardware TRNG (true random number generator), such as the ones in some Intel/AMD/VIA chipsets, and the kernel's PRNG (pseudo-random number generator). Virtual machines are generally very bad at generating the amount of entropy that GPG key generation needs; rng-tools helps with that.

NOTE: This step is optional but highly recommended if you are using a virtual machine.

apt-get install rng-tools
vi /etc/default/rng-tools

Edit the file and add the following line:

HRNGDEVICE=/dev/urandom

Be aware that /dev/urandom is not a hardware source: pointing rngd at it only raises the kernel's entropy estimate so that gpg stops blocking, it does not add real entropy. If the VM host exposes a hardware generator (for example /dev/hwrng), point HRNGDEVICE at that device instead.

Finally start the service
/etc/init.d/rng-tools start

GPG key file generation


Next we will generate a GPG key to sign our repository and all of our packages with.
root@agent1:/home/alex# gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: DevOps stuff
Email address: dev@gmx.de
Comment: DevOps stuff
You selected this USER-ID:
    "devops (DevOps stuff) <dev@gmx.de>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.................+++++
.......+++++
gpg: key F15542E1 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/F15542E1 2012-11-30
      Key fingerprint = FF1E A313 F3DA 256B A40E  FB3E 0749 613D F155 42E1
uid                  devops (DevOps stuff) <dev@gmx.de>
sub   2048R/024EC2A2 2012-11-30

Create public GPG key

Now the key is already created and in the keychain. You may list it with

root@agent1:/home/alex# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/F15542E1 2012-11-30
uid                  devops (DevOps stuff) <dev@gmx.de>
sub   2048R/024EC2A2 2012-11-30

Create the gpg key file that will be shared publicly via the webserver.
root@agent1:/home/alex# gpg --armor --output secure.gpg.key --export 024EC2A2
Please note that 024EC2A2 is taken from the gpg --list-keys output above (it is the subkey ID; gpg --export with it exports the whole public key, primary key included).

Configure the Repository

Create the directory structure
mkdir -p /var/www/repos/apt/debian/conf
cd /var/www/repos/apt/debian/conf
Create the file "distributions" in the current directory; the SignWith line makes reprepro sign the repository with the GPG key created above. Add the following to the file:
Origin: Alex Debian repo
Label: alex
Codename: precise
Architectures: amd64 i386 source
Components: main
Description: alex apt repository
DebOverride: override.precise
DscOverride: override.precise
SignWith: 024EC2A2

Create a file called "options" with the following content:
verbose
basedir .
ask-passphrase

Now create an empty file called "override.precise"
touch override.precise

Signing existing packages


dpkg-sig signs the .deb file in place; the argument after --sign is the signature role name ("builder") recorded in the package:

dpkg-sig --sign builder /home/alex/demo-package-2.0.6_1.0-1_amd64.deb

Managing the repository


For this task we will use the tool "reprepro" which makes it very straightforward:
Install reprepro:
sudo apt-get install reprepro
Add a package:
reprepro -Vb . includedeb precise /home/alex/demo-package-2.0.6_1.0-1_amd64.deb
Remove a package:
reprepro -b . remove precise demo-package

Please note that when removing a package we use the package name as declared in the package's control file, not the filename itself.