Porting swup to Redhat 7.3
This article is outdated. Swup is an rpm-based alternative to Debian’s apt, used in the Trustix Secure Linux distribution. I haven’t followed what TSL is up to, but chances are that swup is still in use today. However, there are more widely used options for rpm-based distributions, like apt-rpm or yum. Furthermore, the swup Sourceforge project set up by the TSL developers way back when seems to have been abandoned a few years ago.
The swup (software updater) package is roughly equivalent to Debian’s apt (advanced packaging tool). Swup allows for automatic software updates, while satisfying package dependencies and verifying the integrity of the packages and meta-information by means of a cryptographic signature. Since I’m primarily using RedHat 7.3 and Trustix, it makes more sense to port swup to RedHat than to port apt to both distributions.
Swup is written in Python and ports very easily. The related rdfgen package that creates the RDF repositories requires but a short patch to address some intrinsic capabilities of RPM 4.0.4 that ships with Redhat 7.3.
Running swup is trivial ("swup --upgrade") and the rest of the article describes how to set up a repository for RedHat. The repository is a web or ftp archive of package files and meta-information. While Trustix uses the i586 architecture for all architecture-dependent packages, RedHat uses i386/i586/i686/athlon for the actual kernel packages and i386/i686 for a few select application packages. Unless all RedHat boxes using a repository share the same architecture, it’s probably best to create separate meta-information for each architecture. The specifics are a matter of individual preference, but here is a sample layout that works for me:
# the up-to-date RedHat packages
/some/where/RPMS.redhat
# local/thirdparty packages
/some/where/RPMS.local
# architecture-specific RPMS
/some/where/i686/RPMS
# architecture-specific meta-information
/some/where/i686/rdfs
As a prerequisite, you need to create a GnuPG key to cryptographically sign every file in the repository. After the directory hierarchy has been set up and populated with packages, you can script the manual procedure listed below. A simple set of scripts to automate this process can be downloaded here.
#!/bin/bash
# sample procedure for i686 architecture
set -e
cd /path/to/repository
# set up temp file for signing passphrase; umask keeps it readable by the owner only
umask 077
passfile=/path/to/passfile
echo PASSPHRASE > "$passfile"
# re-sign packages
pushd RPMS.redhat
rm -f *.asc
for file in *.rpm; do
# supply passphrase from (temp) file; --batch keeps gpg from prompting
gpg --batch -b -a --passphrase-fd 0 "$file" < "$passfile"
done
# back to the repository root, otherwise i686 would be created inside RPMS.redhat
popd
# tear down and set up
rm -rf i686
mkdir -p i686/RPMS
cd i686/RPMS
# link in packages and signatures
# NB: don't overflow the command line
ln -s ../../RPMS.redhat/*.rpm .
ln -s ../../RPMS.redhat/*.asc .
ln -s ../../RPMS.local/* .
cd ..
# create meta-information
rdfgen -o rdfs RPMS/*.rpm > /path/to/logfile
# sign meta-data (find completes before the loop starts, so the new .asc files are not signed again)
cd rdfs
for file in $(find . -type f -print); do
gpg --batch -b -a --passphrase-fd 0 "$file" < "$passfile"
done
# wipe passphrase temp file
cat /garbage/file > "$passfile"
sync
rm -f "$passfile"
Creating and signing the meta-information is a time-consuming process. However, unless you actually use Pentium-class or older hardware, it should suffice to create the repository for i686 only. The only athlon-specific packages are the UP and SMP kernels, which nobody wants to update automatically anyway.
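Before an architecture directory is published, it is worth checking that the signing loop above actually covered every file: each package needs its detached signature (gpg -b -a writes it as FILE.asc), no signature should be left over from a package that was removed, and none of the symlinks in i686/RPMS should dangle. The following audit function is an added example, not part of the article or of swup; the directory path and the optional public keyring argument are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory such as
# /some/where/i686/RPMS before it is made visible on the web or ftp server.
# Reports .rpm files without a FILE.asc signature, .asc files whose package is
# gone, dangling symlinks, and, if a public keyring is given, signatures that
# do not verify against it.
# Usage: check_repo_dir DIR [PUBRING.gpg]  (returns 0 only if nothing was flagged)
check_repo_dir() {
    dir=$1; keyring=$2; problems=0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob did not expand
        # symlink whose target was removed or whose repository was moved
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING: $f"; problems=$((problems+1)); continue
        fi
        case $f in
            *.rpm)
                if [ ! -f "$f.asc" ]; then
                    echo "UNSIGNED: $f"; problems=$((problems+1))
                elif [ -n "$keyring" ]; then
                    # check against the repository key only, not the caller's default keyring
                    gpg --batch --no-default-keyring --keyring "$keyring" \
                        --verify "$f.asc" "$f" >/dev/null 2>&1 \
                        || { echo "BADSIG: $f"; problems=$((problems+1)); }
                fi ;;
            *.asc)
                # signature left behind after its package was deleted
                [ -e "${f%.asc}" ] || { echo "ORPHAN: $f"; problems=$((problems+1)); } ;;
        esac
    done
    echo "$problems problem(s) in $dir"
    [ "$problems" -eq 0 ]
}

# run directly: sh check_repo_dir.sh /some/where/i686/RPMS [pubring.gpg]
if [ $# -gt 0 ]; then
    check_repo_dir "$@"
fi
```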
To use the repository, the architecture-specific directories should be made visible on a web server or ftp site. The public part of the GnuPG key and the URL to the repository are all the information required to configure the swup client. To update a RedHat 7.3 system, make sure that the swup config file and public key are correct and run the command
swup --upgrade
That’s it.
Last but not least, you’ll want to update the packages in the repository itself. I mirror the matching RedHat updates and manually merge in newly updated packages. I’m afraid I never got around to automating this part of the process.
The RedHat 7.3 repository, excluding any locally maintained packages, requires about 2GB of disk space. Recreating the meta-information for all architectures spells c-o-f-f-e-e-b-r-e-a-k.
