Docker image for maintaining a private APT/YUM repository in Amazon S3.
Most of the code was extracted from the elastic/beats repository.
The image includes the following projects
Place your .deb and .rpm packages under ./packages directory. Copy your encrypted GPG key to ./conf directory.
Run the container
docker run -it --rm \
--env="GPG_PASSPHRASE=<gpg key password>" \
--volume `pwd`:/data \
ennexa/deb-rpm-s3 \
--bucket=<amazon s3 bucket> \
--prefix=<bucket prefix> \
--directory=/data/packages \
--aws-access-key=<AWS_ACCESS_KEY> \
--aws-secret-key=<$AWS_SECRET_KEY> \
--gpg-key=/data/conf/gpgkey.asc \
--verbose \
"$@"
A simple REST server is also included for pushing packages to the repository programatically.
Given below is a sample docker-compose configuration for the REST server
version: "3.3"
services:
deb-rpm-s3:
image: ennexa/deb-rpm-s3:server
restart: always
volumes:
- "./conf:/data/conf"
environment:
- AWS_ACCESS_KEY=<aws access key>
- AWS_SECRET_KEY=<aws secret key>
- BUCKET=<bucket name>
- PREFIX=<prefix for s3 bucket>
- GPG_PASSPHRASE=<gpg key password>
ports:
- 8000:8000
To start the server run
docker-compose up
The GPG key for signing should be named as gpgkey.asc and placed under ./conf directory. The GPG_PASSPHRASE environment variable is not required if the key is unencrpted.
First we need some .deb/.rpm packages for testing. Let us download the official packages for ModPagespeed.
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-beta_current_x86_64.rpm
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-beta_current_amd64.deb
Now to upload the files to our new repository, run
curl -XPUT http://admin:secret@localhost:8000/mod-pagespeed-beta_current_x86_64.rpm --data-binary @mod-pagespeed-beta_current_x86_64.rpm
curl -XPUT http://admin:secret@localhost:8000/mod-pagespeed-beta_current_amd64.deb --data-binary @mod-pagespeed-beta_current_amd64.deb
HTTP Basic auth is used to prevent unauthorized access to the REST server. To add your credentials create a file named config.json under ./conf with the following content.
{
"auth_backends": {
"predefined": {
"users": {
"<username>": "<bcrypt hash>"
}
}
}
}
A helper script is included for generating the bcrypt hash.
$ docker run docker.ennexa.org/ennexa/deb-rpm-s3:server gen-hash secret
$2a$10$bbUwtsMPdb.gbMvW2DCyUuvivdVbvP8ljE5859IMYY6P8pO3LKbOy
You can install the packages by using public url of your S3 bucket.
sudo add-apt-repository "deb https://repo.example.com/apt stable main"
You can run a private repository protected with HTTP basic auth. The serverless configuration in serverless-s3-proxy can be used to setup up an http authentication proxy for the S3 bucket. Also, add the --visibility=private flag to the docker run command to ensure that the uploaded files are not privately accessible. The configuration is based on APIGatewayS3Proxy by Sumit Maingi.
sudo add-apt-repository "deb https://admin:[email protected]/apt stable main"