1 Introduction
Many corporate intranets do not allow Internet access, so the public package mirrors cannot be used; copying packages back and forth to install them is tedious, and the dependencies still have to be resolved by hand. The answer is to set up a local / LAN package source: one host acts as the server holding the deb packages, and the other hosts on the LAN download and install packages from it.
When such a LAN source is built on Ubuntu 22, APT requires every package source to be digitally signed, to guarantee the integrity and security of the packages, so a GPG signature has to be created for the local source.
2 System environment
System version     | IP             | Role
Ubuntu 22.04.1 LTS | 192.168.20.125 | client (ub-client)
Ubuntu 22.04.1 LTS | 192.168.20.128 | package source server (ub-server)
6.2 Change the server's hostname and install the web service
(1) Change the hostname
root@ubuntn:~# hostnamectl --static set-hostname ub-server
(2) Install a package that provides an HTTP service
If the repository is to serve the other Ubuntu hosts on the intranet, a package that provides a network service has to be installed. There are many choices, such as ftp, nginx or apache; here apache2 is used to serve the files. Install apache2 as follows:
root@ub-server:~# apt install -y apache2
On Ubuntu 22.04 the service starts automatically once apache2 is installed; check it as follows:
6.3 Generate a GPG key
When a network source is built on Ubuntu 22, APT requires every source to be digitally signed to ensure package integrity and security. So first install the gnupg package and create a GPG signing key for the local source.
root@ub-server:~# apt-get install gnupg rng-tools -y
gnupg is installed to generate the GPG key; rng-tools is installed to speed up key generation.
Generate the GPG key
Generating a key requires a name, an e-mail address and a passphrase. Generate the key as below, entering the information at the prompts.
root@ub-server:~# gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: repokey
Email address: [email protected]
Comment:
You selected this USER-ID:
    "repokey <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+------------------------------------------------------+
| Please enter the passphrase to                       |
| protect your new key                                 |
|                                                      |
| Passphrase: *_______________________________________ |
|                                                      |
|       <OK>                              <Cancel>     |
+------------------------------------------------------+
+--------------------------------------------------------------------+
| Warning: You have entered an insecure passphrase.                  |
|                                                                    |
| A passphrase should be at least 8 characters long.                 |
|                                                                    |
| <Take this one anyway>                      <Enter new passphrase> |
+--------------------------------------------------------------------+
+------------------------------------------------------+
| Please re-enter this passphrase                      |
|                                                      |
| Passphrase: *_______________________________________ |
|                                                      |
|       <OK>                              <Cancel>     |
+------------------------------------------------------+
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 315A8D4CFA13F1C8 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4BF7B898B3230B606DDA08C5315A8D4CFA13F1C8.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid                      mykey <[email protected]>
root@ub-server:~#
List the keys:
root@ub-server:~# gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid           [ultimate] mykey <[email protected]>
root@ub-server:~#
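As an added example (not part of the original article), the same signing-only key can be generated unattended from a GnuPG parameter file, which is what one would use when the repository server is provisioned by a script instead of by hand. The key name, e-mail address and the 2-year expiry below are this example's own constructed values, not the article's; the article's key does not expire.

```shell
#!/bin/sh
# Unattended generation of a signing-only repository key with GnuPG's
# parameter-file syntax (added example; the article does this interactively).
set -eu

# Print a GnuPG unattended key generation parameter block.
# $1 = real name, $2 = e-mail, $3 = expiry (0 = never, 2y = two years, ...)
gpg_keygen_params() {
  cat <<EOF
%echo Generating repository signing key for $2
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
%echo done
EOF
}

# Generate the key and print its full fingerprint, the value the article later
# passes to gpg --export. No Passphrase: line is given, so gpg asks for the
# passphrase through pinentry; no %no-protection either, so the secret key is
# never written out unprotected.
generate_repo_key() {
  gpg_keygen_params "$1" "$2" "$3" | gpg --batch --gen-key
  gpg --list-keys --with-colons "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed sample values for a stand-alone run ("sh keygen.sh run").
if [ "${1:-}" = run ]; then
  generate_repo_key repokey repokey@example.com 2y
fi
```

An expiring key forces a planned rotation; when it is renewed with gpg --edit-key, only the public key has to be re-exported to the clients.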
6.4 Create the directory for the packages and prepare the packages.
Because the default document root of apache is /var/www/html/, the storage directory of the local repository is created directly under /var/www/html/ so that the apache configuration does not have to be changed.
Create /var/www/html/repo and copy the prepared deb packages into it:
root@ub-server:~# mkdir /var/www/html/repo
root@ub-server:~# cd /var/www/html/repo
root@ub-server:/var/www/html/repo#
The prepared deb packages are as follows:
root@ub-server:/var/www/html/repo# ll
total 22380
drwxr-xr-x 2 root root     4096 Jun 18 13:53 ./
drwxr-xr-x 3 root root     4096 Jun 18 13:29 ../
-rw-r--r-- 1 root root 17530700 Apr 29  2021 ansible_2.10.7+merged+base+2.10.8+dfsg-1_all.deb
-rw-r--r-- 1 root root  1887104 Jun 12  2021 ieee-data_20210605.1_all.deb
-rw-r--r-- 1 root root    27236 Feb 28  2021 python3-argcomplete_1.8.1-1.5_all.deb
-rw-r--r-- 1 root root   123058 Dec 15  2021 python3-dnspython_2.1.0-1ubuntu1_all.deb
-rw-r--r-- 1 root root    21708 May 30  2020 python3-jmespath_0.10.0-1_all.deb
-rw-r--r-- 1 root root    23012 Mar 17  2022 python3-kerberos_1.1.14-3.1build5_amd64.deb
-rw-r--r-- 1 root root  1554184 Feb 11  2021 python3-libcloud_3.2.0-2_all.deb
-rw-r--r-- 1 root root    14576 Apr 27  2020 python3-lockfile_1%3a0.12.2-2.2_all.deb
-rw-r--r-- 1 root root   308658 Oct 18  2021 python3-netaddr_0.8.0-2_all.deb
-rw-r--r-- 1 root root    20384 May 14  2020 python3-ntlm-auth_1.4.0-1_all.deb
-rw-r--r-- 1 root root    30672 Nov 27  2021 python3-packaging_21.3-1_all.deb
-rw-r--r-- 1 root root  1026726 Mar 25  2022 python3-pycryptodome_3.11.0+dfsg1-3build1_amd64.deb
-rw-r--r-- 1 root root    11892 Oct 26  2019 python3-requests-kerberos_0.12.0-2_all.deb
-rw-r--r-- 1 root root     6160 Jan  2  2021 python3-requests-ntlm_1.1.0-1.1_all.deb
-rw-r--r-- 1 root root    37984 Dec 22  2020 python3-requests-toolbelt_0.9.1-1_all.deb
-rw-r--r-- 1 root root   158910 Mar 17  2022 python3-selinux_3.3-1build2_amd64.deb
-rw-r--r-- 1 root root    54722 Mar 17  2022 python3-simplejson_3.17.6-1build1_amd64.deb
-rw-r--r-- 1 root root    21660 May 13  2018 python3-winrm_0.3.0-2_all.deb
-rw-r--r-- 1 root root    12608 Apr 27  2020 python3-xmltodict_0.12.0-2_all.deb
root@ub-server:/var/www/html/repo#
6.5 Create the metadata files needed by the local APT repository in the local source directory.
The dpkg-dev package has to be installed before package metadata can be generated for the local APT repository.
root@ub-server:~# apt install -y dpkg-dev
Generate the Packages and Release files in the local source directory, and create the Packages.gz metadata of the local source.
root@ub-server:~# cd /var/www/html/repo/
root@ub-server:/var/www/html/repo# apt-ftparchive packages . > Packages
root@ub-server:/var/www/html/repo# apt-ftparchive release . > Release
root@ub-server:/var/www/html/repo# dpkg-scanpackages ./ | gzip -9c > Packages.gz
dpkg-scanpackages: info: Wrote 19 entries to output Packages file.
root@ub-server:/var/www/html/repo#
6.6 Export the public key and add it with the apt-key command
The apt-key command manages the package-signing keys of a Debian-based Linux system. Every released Debian package is authenticated through a key, and apt-key is the command used to manage those keys.
(1) The key generated by GPG has to be exported, so first list the keys:
root@ub-server:~# gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
uid           [ultimate] mykey <[email protected]>
root@ub-server:~#
(2) Export the public key and add it with apt-key:
root@ub-server:~# cd /var/www/html/repo/
root@ub-server:/var/www/html/repo# gpg -a --export 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE | apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
root@ub-server:/var/www/html/repo#
6.6 Configure the digital signature
When Ubuntu's apt fetches a package index it first looks for an InRelease file and only then for Release and Release.gpg, so in this case it is actually enough to create just the InRelease file (the Release file together with its clear-text signature):
Configure the digital signature for the local source
root@ub-server:/var/www/html/repo# gpg --clearsign -o InRelease Release
A passphrase is requested here; enter the one chosen when the GPG key was generated:
root@ub-server:/var/www/html/repo# gpg -abs -o Release.gpg Release
root@ub-server:/var/www/html/repo#
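The commands of sections 6.5 and 6.6 have to be re-run, in the right order, every time a .deb is added or replaced, because apt checks the Packages index against the hashes recorded in the signed Release file; a stale Release makes apt reject the repository. The script below is an added example, not the article's own code, that chains those commands: it generates Release after Packages.gz so that the compressed index is covered by the hashes too, and refuses to finish if the signed Release does not list the index files or if the signature does not verify. REPO_DIR and KEY_ID default to the article's values; the sample Release text inside the script is constructed for the offline self-check and is not real apt-ftparchive output.

```shell
#!/bin/sh
# update-repo.sh: regenerate and re-sign the metadata of a flat local APT
# repository (added example; paths and key id are the article's, see lead-in).
set -eu

REPO_DIR="${REPO_DIR:-/var/www/html/repo}"
KEY_ID="${KEY_ID:-0AC2A21EFD3745B7BB27ADB92C816822A0805CCE}"

# Return 0 if the Release text in $1 lists the file $2 in its SHA256 section.
# apt only accepts index files whose SHA256 appears in the signed Release, so
# this is the property that has to hold for Packages and Packages.gz.
release_lists_sha256() {
  printf '%s\n' "$1" | awk -v f="$2" '
    /^SHA256:/       { insha = 1; next }
    /^[A-Za-z]/      { insha = 0 }
    insha && $3 == f { found = 1 }
    END              { exit found ? 0 : 1 }'
}

# Rebuild Packages, Packages.gz, Release and both signature forms.
regenerate() {
  cd "$REPO_DIR"
  # Remove the signatures of the previous Release first, so that a failure
  # further down never leaves valid signatures lying over stale metadata.
  rm -f InRelease Release.gpg
  apt-ftparchive packages . > Packages
  gzip -9c Packages > Packages.gz
  apt-ftparchive release . > Release          # hashes Packages and Packages.gz
  gpg --yes --local-user "$KEY_ID" --clearsign -o InRelease Release
  gpg --yes --local-user "$KEY_ID" -abs -o Release.gpg Release
  release_text=$(cat Release)
  for f in Packages Packages.gz; do
    release_lists_sha256 "$release_text" "$f" ||
      { echo "Release does not cover $f" >&2; return 1; }
  done
  gpg --verify InRelease                      # the signature must check out
}

# Constructed sample Release text (not real output) for an offline self-check.
SAMPLE_RELEASE='Origin: local
Date: Mon, 19 Jun 2023 06:00:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 Packages
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 Packages
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 Packages.gz'

# Returns 0 when the check accepts covered files and rejects uncovered ones.
selfcheck() {
  release_lists_sha256 "$SAMPLE_RELEASE" Packages.gz &&
  ! release_lists_sha256 "$SAMPLE_RELEASE" InRelease
}

if [ "${1:-}" = run ]; then regenerate; fi
```

Run it as "sh update-repo.sh run" on the server after copying new .deb files into the directory; gpg prompts for the key passphrase twice, once per signature form, exactly as in the manual steps above.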
6.7 Export the keys
6.7.1 Export the public key
Usage: gpg -a -o public-file.key --export keyId   # export the public key keyId to the file public-file.key
Option details:
-a is short for --armor: output the key in ASCII-armoured form (the default is binary);
-o is short for --output: the file to write to;
root@ub-server:~# gpg -a -o public-file.key --export 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
The exported public key has to be imported on the other intranet hosts so that apt-get can use it.
6.7.2 Export the private key
Usage:
gpg -a -o private-file.key --export-secret-keys keyId   # export the private key keyId to the file private-file.key
Exporting the private key requires the passphrase that protects it;
root@ub-server:~# gpg -a -o private-file.key --export-secret-keys 0AC2A21EFD3745B7BB27ADB92C816822A0805CCE
6.8 Configure the other intranet hosts to use the source provided by the server
First back up the apt source file /etc/apt/sources.list on the other intranet hosts, then edit the source list. On the following host:
root@ub-client:~# cp -p /etc/apt/sources.list /etc/apt/sources.list.new
root@ub-client:~# vi /etc/apt/sources.list
(1) Update the package source:
root@ub-client:~# apt update
Ign:1 http://192.168.20.128/repo InRelease
Get:2 http://192.168.20.128/repo Release [1,204 B]
Get:3 http://192.168.20.128/repo Release.gpg [488 B]
Ign:3 http://192.168.20.128/repo Release.gpg
Reading package lists... Done
W: GPG error: http://192.168.20.128/repo Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 64C5275D111B6254
E: The repository 'http://192.168.20.128/repo Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@ub-client:~#
The update fails here with an error saying that the repository is not signed.
(2) The public key exported on the server has to be imported on the other intranet hosts: copy the exported public key to each host, then import it.
Copy the public key exported on the server to the other intranet hosts
root@ub-server:~# scp public-file.key [email protected]:/root
[email protected]'s password:
public-file.key                               100%  945   897.8KB/s   00:00
root@ub-server:~#
(3) Import the public key
root@ub-client:~# apt-key add public-file.key
Update the package source again:
root@ubuntn:/var/www/html/repo# apt update
Ign:1 http://192.168.20.128/repo InRelease
Get:2 http://192.168.20.128/repo Release [816 B]
Get:3 http://192.168.20.128/repo Release.gpg [488 B]
Get:4 http://192.168.20.128/repo Packages [88.6 kB]
Fetched 89.9 kB in 0s (962 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://192.168.20.128/repo/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
root@ub-client:/var/www/html/repo#
There is a warning, but the source is usable.
To resolve the warning:

W: http://192.168.20.128/repo/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION
(1) Find the key of the source named in the warning. List all keyrings with apt-key list, then look up the fingerprint of that keyring by searching for the key's name:
root@ub-client:/etc/apt/trusted.gpg.d# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa3072 2023-06-19 [SC]
      0AC2 A21E FD37 45B7 BB27 ADB9 2C81 6822 A080 5CCE
uid           [ unknown] mykey <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-----------------------------------------------
pub   rsa2048 2016-07-15 [SC]
      A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
uid           [ unknown] Zabbix LLC <[email protected]>
sub   rsa2048 2016-07-15 [E]

root@ub-client:/etc/apt/trusted.gpg.d#
(2) Export that key into the designated directory. The export command needs only the last 8 hex digits of the fingerprint (here the key from the warning is assumed to be A0805CCE); the exported file can be given any name, as long as it is saved under /etc/apt/trusted.gpg.d.
(3) Edit the configuration of the affected source and point it at the key file. The source configuration files live under /etc/apt/:
root@ub-client:/etc/apt/trusted.gpg.d# cat /etc/apt/sources.list
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/ros.gpg] http://192.168.20.126/repo /
The problem is now solved; running apt update again no longer shows the warning:
root@ub-client:~# apt update
Ign:1 http://192.168.20.126/repo InRelease
Hit:2 http://192.168.20.126/repo Release
Hit:4 Zabbix Official Repository jammy InRelease
Hit:5 Zabbix Official Repository jammy InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@ub-client:~#
In addition, if a key in the list shows the status [expired], it can be removed with the following command:
$ sudo apt-key del A0805CCE
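The script below is an added example, not the article's own commands. It performs the client-side steps of section 6.8 in the scoped form that the article's final sources.list line points at: the exported public-file.key is converted into a binary keyring, that keyring is referenced through signed-by, and apt then accepts the key only for this one repository. The keyring directory /etc/apt/keyrings, the file names local-repo.gpg and local-repo.list, and the repository URL used in the self-check are this example's choices, not the article's.

```shell
#!/bin/sh
# Configure an apt client to trust the local repository key only for that
# repository (added example; file names are this example's choices).
set -eu

# Build a one-line sources entry for a flat repository bound to a keyring file.
# $1 = repository URL, $2 = keyring path
sources_entry() {
  printf 'deb [arch=amd64 signed-by=%s] %s /\n' "$2" "$1"
}

# Return 0 if the entry in $1 names a keyring via signed-by, 1 if apt would
# fall back to the globally trusted keyrings for it.
entry_is_scoped() {
  printf '%s\n' "$1" | grep -Eq '^deb \[[^]]*signed-by=/[^] ]+[^]]*\]'
}

# Install the ASCII-armoured public key $1 (public-file.key, copied with scp
# as in the article) as a binary keyring and write the sources file for the
# repository URL $2. Requires root.
configure_client() {
  keyring=/etc/apt/keyrings/local-repo.gpg
  install -d -m 0755 /etc/apt/keyrings
  gpg --dearmor < "$1" > "$keyring"      # apt reads binary keyrings
  chmod 0644 "$keyring"
  entry=$(sources_entry "$2" "$keyring")
  entry_is_scoped "$entry" || { echo "refusing unscoped entry" >&2; return 1; }
  printf '%s\n' "$entry" > /etc/apt/sources.list.d/local-repo.list
  # Show which fingerprint apt will now accept for this origin.
  gpg --no-default-keyring --keyring "$keyring" --list-keys --with-colons |
    awk -F: '$1 == "fpr" { print $10 }'
  apt-get update
}

if [ "${1:-}" = run ]; then
  configure_client "${2:?path to public-file.key}" "${3:?repository URL}"
fi
```

Unlike apt-key add, which drops the key into /etc/apt/trusted.gpg where it authenticates every configured repository, a keyring stored outside /etc/apt/trusted.gpg.d is trusted only where a signed-by option names it; keeping the file out of trusted.gpg.d is what makes the scoping effective.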
6.9 Test installing software:
root@ub-client:/var/www/html/repo# apt install -y ansible
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ieee-data python3-argcomplete python3-dnspython python3-jmespath python3-kerberos python3-libcloud
  python3-lockfile python3-netaddr python3-ntlm-auth python3-packaging python3-pycryptodome
  python3-requests-kerberos python3-requests-ntlm python3-requests-toolbelt python3-selinux
  python3-simplejson python3-winrm python3-xmltodict
Suggested packages:
  cowsay sshpass python3-sniffio python3-trio python-lockfile-doc ipython3 python-netaddr-docs
The following NEW packages will be installed:
  ansible ieee-data python3-argcomplete python3-dnspython python3-jmespath python3-kerberos
  python3-libcloud python3-lockfile python3-netaddr python3-ntlm-auth python3-packaging
  python3-pycryptodome python3-requests-kerberos python3-requests-ntlm python3-requests-toolbelt
  python3-selinux python3-simplejson python3-winrm python3-xmltodict
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.9 MB of archives.
After this operation, 243 MB of additional disk space will be used.
Get:1 http://192.168.20.128/repo python3-packaging 21.3-1 [30.7 kB]
Get:2 http://192.168.20.128/repo python3-pycryptodome 3.11.0+dfsg1-3build1 [1,027 kB]
Get:3 http://192.168.20.128/repo python3-dnspython 2.1.0-1ubuntu1 [123 kB]
Get:4 http://192.168.20.128/repo ieee-data 20210605.1 [1,887 kB]
Get:5 http://192.168.20.128/repo python3-netaddr 0.8.0-2 [309 kB]
Get:6 http://192.168.20.128/repo ansible 2.10.7+merged+base+2.10.8+dfsg-1 [17.5 MB]
Get:7 http://192.168.20.128/repo python3-argcomplete 1.8.1-1.5 [27.2 kB]
Get:8 http://192.168.20.128/repo python3-jmespath 0.10.0-1 [21.7 kB]
Get:9 http://192.168.20.128/repo python3-kerberos 1.1.14-3.1build5 [23.0 kB]
Get:10 http://192.168.20.128/repo python3-lockfile 1:0.12.2-2.2 [14.6 kB]
Get:11 http://192.168.20.128/repo python3-simplejson 3.17.6-1build1 [54.7 kB]
Get:12 http://192.168.20.128/repo python3-libcloud 3.2.0-2 [1,554 kB]
Get:13 http://192.168.20.128/repo python3-ntlm-auth 1.4.0-1 [20.4 kB]
Get:14 http://192.168.20.128/repo python3-requests-kerberos 0.12.0-2 [11.9 kB]
Get:15 http://192.168.20.128/repo python3-requests-ntlm 1.1.0-1.1 [6,160 B]
Get:16 http://192.168.20.128/repo python3-requests-toolbelt 0.9.1-1 [38.0 kB]
Get:17 http://192.168.20.128/repo python3-selinux 3.3-1build2 [159 kB]
Get:18 http://192.168.20.128/repo python3-xmltodict 0.12.0-2 [12.6 kB]
Get:19 http://192.168.20.128/repo python3-winrm 0.3.0-2 [21.7 kB]
Fetched 22.9 MB in 0s (177 MB/s)
Selecting previously unselected package python3-packaging.
(Reading database ... 74588 files and directories currently installed.)
Preparing to unpack .../00-python3-packaging_21.3-1_all.deb ...
Unpacking python3-packaging (21.3-1) ...
Selecting previously unselected package python3-pycryptodome.
Preparing to unpack .../01-python3-pycryptodome_3.11.0+dfsg1-3build1_amd64.deb ...
Unpacking python3-pycryptodome (3.11.0+dfsg1-3build1) ...
Selecting previously unselected package python3-dnspython.
Preparing to unpack .../02-python3-dnspython_2.1.0-1ubuntu1_all.deb ...
Unpacking python3-dnspython (2.1.0-1ubuntu1) ...
Selecting previously unselected package ieee-data.
Preparing to unpack .../03-ieee-data_20210605.1_all.deb ...
Unpacking ieee-data (20210605.1) ...
Selecting previously unselected package python3-netaddr.
Preparing to unpack .../04-python3-netaddr_0.8.0-2_all.deb ...
Unpacking python3-netaddr (0.8.0-2) ...
Selecting previously unselected package ansible.
Preparing to unpack .../05-ansible_2.10.7+merged+base+2.10.8+dfsg-1_all.deb ...
Unpacking ansible (2.10.7+merged+base+2.10.8+dfsg-1) ...
Selecting previously unselected package python3-argcomplete.
Preparing to unpack .../06-python3-argcomplete_1.8.1-1.5_all.deb ...
Unpacking python3-argcomplete (1.8.1-1.5) ...
Selecting previously unselected package python3-jmespath.
Preparing to unpack .../07-python3-jmespath_0.10.0-1_all.deb ...
Unpacking python3-jmespath (0.10.0-1) ...
Selecting previously unselected package python3-kerberos.
Preparing to unpack .../08-python3-kerberos_1.1.14-3.1build5_amd64.deb ...
Unpacking python3-kerberos (1.1.14-3.1build5) ...
Selecting previously unselected package python3-lockfile.
Preparing to unpack .../09-python3-lockfile_1%3a0.12.2-2.2_all.deb ...
Unpacking python3-lockfile (1:0.12.2-2.2) ...
Selecting previously unselected package python3-simplejson.
Preparing to unpack .../10-python3-simplejson_3.17.6-1build1_amd64.deb ...
Unpacking python3-simplejson (3.17.6-1build1) ...
Selecting previously unselected package python3-libcloud.
Preparing to unpack .../11-python3-libcloud_3.2.0-2_all.deb ...
Unpacking python3-libcloud (3.2.0-2) ...
Selecting previously unselected package python3-ntlm-auth.
Preparing to unpack .../12-python3-ntlm-auth_1.4.0-1_all.deb ...
Unpacking python3-ntlm-auth (1.4.0-1) ...
Selecting previously unselected package python3-requests-kerberos.
Preparing to unpack .../13-python3-requests-kerberos_0.12.0-2_all.deb ...
Unpacking python3-requests-kerberos (0.12.0-2) ...
Selecting previously unselected package python3-requests-ntlm.
Preparing to unpack .../14-python3-requests-ntlm_1.1.0-1.1_all.deb ...
Unpacking python3-requests-ntlm (1.1.0-1.1) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../15-python3-requests-toolbelt_0.9.1-1_all.deb ...
Unpacking python3-requests-toolbelt (0.9.1-1) ...
Selecting previously unselected package python3-selinux.
Preparing to unpack .../16-python3-selinux_3.3-1build2_amd64.deb ...
Unpacking python3-selinux (3.3-1build2) ...
Selecting previously unselected package python3-xmltodict.
Preparing to unpack .../17-python3-xmltodict_0.12.0-2_all.deb ...
Unpacking python3-xmltodict (0.12.0-2) ...
Selecting previously unselected package python3-winrm.
Preparing to unpack .../18-python3-winrm_0.3.0-2_all.deb ...
Unpacking python3-winrm (0.3.0-2) ...
Setting up python3-lockfile (1:0.12.2-2.2) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-ntlm-auth (1.4.0-1) ...
Setting up python3-pycryptodome (3.11.0+dfsg1-3build1) ...
Setting up python3-kerberos (1.1.14-3.1build5) ...
Setting up python3-simplejson (3.17.6-1build1) ...
Setting up python3-xmltodict (0.12.0-2) ...
Setting up python3-packaging (21.3-1) ...
Setting up python3-jmespath (0.10.0-1) ...
Setting up python3-requests-kerberos (0.12.0-2) ...
Setting up ieee-data (20210605.1) ...
Setting up python3-dnspython (2.1.0-1ubuntu1) ...
Setting up python3-selinux (3.3-1build2) ...
Setting up python3-argcomplete (1.8.1-1.5) ...
Setting up python3-requests-ntlm (1.1.0-1.1) ...
Setting up python3-libcloud (3.2.0-2) ...
Setting up python3-netaddr (0.8.0-2) ...
Setting up python3-winrm (0.3.0-2) ...
Setting up ansible (2.10.7+merged+base+2.10.8+dfsg-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ub-client:/var/www/html/repo#
As the output shows, the packages were downloaded from the self-built repository and installed from there.