Spotlight: Pulp Protected Repositories
Have you ever wanted to control access to your yum repositories? Well, with Pulp you can! This entry will explore the steps necessary to configure the Pulp Server and Consumer for Repository Authentication; including creating the necessary PKI infrastructure.
Steps:¶
1. Enable Repo Auth on Pulp Server¶
$ vi /etc/pulp/repo_auth.conf |
This is essentially the on/off switch for protected repos. If this is set to false, all repositories on the Pulp Server will be available publicly for consumption.
[main] enabled: true [repos] cert_location: /etc/pki/content/ global_cert_location: /etc/pki/content/ protected_repo_listing_file: /etc/pki/content/pulp-protected-repos |
2. Create a CA Certificate¶
A Certificate Authority is required for issuing and validating entitlement certificates. I will use openssl to create my CA. First the key, then the CA itself.
$ openssl genrsa -out caPulp.key 2048 Generating RSA private key, 2048 bit long modulus ....+++ ......................+++ e is 65537 (0x10001) |
$ openssl req -new -x509 -days 365 -key caPulp.key -out caPulp.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:North Carolina Locality Name (eg, city) [Default City]:Raleigh Organization Name (eg, company) [Default Company Ltd]:Red Hat Inc Organizational Unit Name (eg, section) []:Engineering Common Name (eg, your name or your server's hostname) []:Pulp Server CA Email Address []:tsanders@redhat.com |
3. Create the Entitlement Certificate¶
The Entitlement Certificate is the credential that will be used by yum clients for accessing the protected repository. Again, the first step here is to create a key for signing.
$ openssl genrsa -out client.key 2048 Generating RSA private key, 2048 bit long modulus ......................................+++ .....................................+++ e is 65537 (0x10001) |
Next we need to create the extensions file that contains the entitlements you wish to include. The most import oid is 1.3.6.1.4.1.2312.9.2.0000.1.6. This oid contains the relative path of the pulp repository that you intend to protect.
$ vi extensions.txt |
[myRepo] basicConstraints=CA:FALSE 1.3.6.1.4.1.2312.9.2.0000.1.1=ASN1:UTF8:Pulp Production MyRepo x86_64 1.3.6.1.4.1.2312.9.2.0000.1.2=ASN1:UTF8:pulp-prod-myrepo-64 1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:repos/myRepo/ |
And finally we create the entitlement certificate .csr and sign it.
$ openssl req -new -key client.key -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:North Carolina Locality Name (eg, city) [Default City]:Raleigh Organization Name (eg, company) [Default Company Ltd]:Red Hat Inc Organizational Unit Name (eg, section) []:Engineering Common Name (eg, your name or your server's hostname) []:Pulp Entitlement Certificate Email Address []:tsanders@redhat.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: |
$ openssl x509 -req -days 365 -CA caPulp.crt -CAkey caPulp.key -CAcreateserial -extfile extensions.txt -extensions myRepo -in client.csr -out client.crt Signature ok subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc /OU=Engineering/CN=Pulp Entitlement Certificate/emailAddress=tsanders@redhat.com Getting CA Private Key |
Notes:
-
The name in the extensions.txt file [ ] is what is passed to the -extensions argument when signing the request. This allows you to pick which batch of entitlements to include.
-
The -CAcreateserial option will create a serial number file to allow openssl to manage the serial number incrementing for each successive signing. In this case the file will be caPulp.srl. Once this file exists, use the -CAserial option to supply this file when signing.
4. Create the Repository¶
We are now ready to create our repository using the CA and Entitlement Certificate that we created above.
$ pulp-admin repo create --id=myRepo --name=myRepo --consumer_ca=caPulp.crt --consumer_cert=client.crt --consumer_key=client.key Successfully created repository [ myRepo ] |
5. Upload Content¶
In our case I am choosing to upload an rpm that I created locally, however, this could have also easily as been a feeded repository mirroring content from a remote location.
$ pulp-admin content upload --repoid=myRepo --nosig pulp-demo-1.0-1.fc14.x86_64.rpm * Starting Content Upload operation. See /var/log/pulp/client.log for more verbose output * Performing Content Uploads to Pulp server * Performing Repo Associations * Content Upload complete. |
6. Create Consumer and Bind to Repository¶
$ pulp-client -u admin -p admin consumer create --id=myConsumer Successfully created consumer [ myConsumer ] |
$ pulp-client consumer bind --repoid=myRepo Successfully subscribed consumer [myConsumer] to repo [myRepo] |
7. Manually update /etc/yum.repos.d/pulp.repo on Consumer¶
Currently, Pulp doesn’t handle automatically setting the appropriate PKI attributes in the yum.repos.d configuration during bind. This is coming in a future sprint, so for now we’ll make these mods by hand. Without this added configuration, as you’ll see in the demo below, yum will not be able to access the repository.
$ vi /etc/yum.repos.d/pulp.repo |
# # Pulp Repositories # Managed by Pulp client # [myRepo] name = myRepo enabled = 1 sslverify = 0 gpgcheck = 0 baseurl = https://localhost/pulp/repos/myRepo |
Next you need to copy the ca, entitlement certificate and key (from steps 2 & 3) to the /etc/pki/content directory on the consumer. Then add the following three attributes to the [myRepo] section:
sslclientkey=/etc/pki/content/client.key sslclientcert=/etc/pki/content/client.crt sslcacert=/etc/pki/content/caPulp.crt |
That’s it! You should now be able to yum install packages from the authenticated repository on your pulp server.
Demo¶
A simple screen-cast walking you through steps 4-7 from above.