Spotlight: Pulp Protected Repositories

Have you ever wanted to control access to your yum repositories?  Well, with Pulp you can!  This entry will explore the steps necessary to configure the Pulp Server and Consumer for Repository Authentication; including creating the necessary PKI infrastructure.

Steps:

1.  Enable Repo Auth on Pulp Server

$ vi /etc/pulp/repo_auth.conf

This is essentially the on/off switch for protected repos. If this is set to false, all repositories on the Pulp Server will be available publicly for consumption.

[main]
enabled:  true
 
[repos]
cert_location: /etc/pki/content/
global_cert_location: /etc/pki/content/
protected_repo_listing_file: /etc/pki/content/pulp-protected-repos

2. Create a CA Certificate

A Certificate Authority is required for issuing and validating entitlement certificates.  I will use openssl to create my CA. First the key, then the CA itself.

$ openssl genrsa -out caPulp.key 2048
 
Generating RSA private key, 2048 bit long modulus
....+++
......................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 365 -key caPulp.key -out caPulp.crt
 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat Inc
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:Pulp Server CA
Email Address []:tsanders@redhat.com

3. Create the Entitlement Certificate

The Entitlement Certificate is the credential that will be used by yum clients for accessing the protected repository. Again, the first step here is to create a key for signing.

$ openssl genrsa -out client.key 2048
 
Generating RSA private key, 2048 bit long modulus
......................................+++
.....................................+++
e is 65537 (0x10001)

Next we need to create the extensions file that contains the entitlements you wish to include. The most important OID is 1.3.6.1.4.1.2312.9.2.0000.1.6: it carries the relative path of the Pulp repository that you intend to protect, and it must match the path the server serves the repository under.

$ vi extensions.txt
[myRepo]
basicConstraints=CA:FALSE
1.3.6.1.4.1.2312.9.2.0000.1.1=ASN1:UTF8:Pulp Production MyRepo x86_64
1.3.6.1.4.1.2312.9.2.0000.1.2=ASN1:UTF8:pulp-prod-myrepo-64
1.3.6.1.4.1.2312.9.2.0000.1.6=ASN1:UTF8:repos/myRepo/

And finally we create the entitlement certificate .csr and sign it.

$ openssl req -new -key client.key -out client.csr
 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat Inc
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:Pulp Entitlement Certificate
Email Address []:tsanders@redhat.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -days 365 -CA caPulp.crt -CAkey caPulp.key -CAcreateserial -extfile extensions.txt \
  -extensions myRepo -in client.csr -out client.crt
 
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Engineering/CN=Pulp Entitlement Certificate/emailAddress=tsanders@redhat.com
Getting CA Private Key

Notes:

  1. The bracketed section name in extensions.txt ([myRepo] above) is what is passed to the -extensions argument when signing the request. This allows you to pick which batch of entitlements to include.

  2. The -CAcreateserial option will create a serial number file to allow openssl to manage the serial number incrementing for each successive signing. In this case the file will be caPulp.srl. Once this file exists, use the -CAserial option to supply this file when signing.

4. Create the Repository

We are now ready to create our repository using the CA and Entitlement Certificate that we created above.

$ pulp-admin repo create --id=myRepo --name=myRepo --consumer_ca=caPulp.crt --consumer_cert=client.crt \
   --consumer_key=client.key
 
Successfully created repository [ myRepo ]

5. Upload Content

In this case I am choosing to upload an RPM that I built locally; however, this could just as easily have been a feed repository mirroring content from a remote location.

$ pulp-admin content upload --repoid=myRepo --nosig pulp-demo-1.0-1.fc14.x86_64.rpm
 
* Starting Content Upload operation. See /var/log/pulp/client.log for more verbose output
 
* Performing Content Uploads to Pulp server
 
* Performing Repo Associations 
 
* Content Upload complete.

6. Create Consumer and Bind to Repository

$ pulp-client -u admin -p admin consumer create --id=myConsumer
 
Successfully created consumer [ myConsumer ]
$ pulp-client consumer bind --repoid=myRepo
 
Successfully subscribed consumer [myConsumer] to repo [myRepo]

7. Manually update /etc/yum.repos.d/pulp.repo on Consumer

Currently, Pulp doesn’t automatically set the appropriate PKI attributes in the yum.repos.d configuration during bind. This is coming in a future sprint, so for now we’ll make these modifications by hand. Without this added configuration, as you’ll see in the demo below, yum will not be able to access the repository.

$ vi /etc/yum.repos.d/pulp.repo
#
# Pulp Repositories
# Managed by Pulp client
#
 
[myRepo]
name = myRepo
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://localhost/pulp/repos/myRepo

Next you need to copy the CA certificate, the entitlement certificate and its key (from steps 2 & 3) to the /etc/pki/content directory on the consumer. Then add the following three attributes to the [myRepo] section:

sslclientkey=/etc/pki/content/client.key
sslclientcert=/etc/pki/content/client.crt
sslcacert=/etc/pki/content/caPulp.crt

That’s it! You should now be able to yum install packages from the authenticated repository on your pulp server.
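Because the step above is done by hand, it is easy to miss an attribute or leave a path pointing at a file that was never copied. The following checker is an added example (not part of the original post or of Pulp itself): it parses a consumer's pulp.repo with the standard library and reports the configuration gaps that would make yum fail against a protected repo, plus the weak settings the post leaves in place (sslverify = 0 and gpgcheck = 0). The sample .repo text is constructed from the values shown above.

```python
import configparser
import os

# Constructed sample: the consumer-side pulp.repo from step 7, with the three
# PKI attributes added and the other values as the post shows them.
SAMPLE_PULP_REPO = """\
#
# Pulp Repositories
# Managed by Pulp client
#

[myRepo]
name = myRepo
enabled = 1
sslverify = 0
gpgcheck = 0
baseurl = https://localhost/pulp/repos/myRepo
sslclientkey=/etc/pki/content/client.key
sslclientcert=/etc/pki/content/client.crt
sslcacert=/etc/pki/content/caPulp.crt
"""

# yum needs all three to present the entitlement cert and validate the server.
REQUIRED_PKI_KEYS = ("sslclientkey", "sslclientcert", "sslcacert")


def check_repo_section(text, section, check_files=True):
    """Return a list of findings for one repo section of a yum .repo file.

    check_files=False skips the on-disk existence test so the parser can be
    exercised on constructed input; on a real consumer leave it enabled.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section(section):
        return [f"section [{section}] missing"]
    repo = cp[section]
    findings = []
    if not repo.get("baseurl", "").startswith("https://"):
        findings.append("baseurl is not https; the client certificate cannot be presented")
    for key in REQUIRED_PKI_KEYS:
        path = repo.get(key)
        if not path:
            findings.append(f"{key} not set; yum cannot authenticate to the protected repo")
        elif check_files and not os.path.isfile(path):
            findings.append(f"{key} points to {path}, which does not exist on this consumer")
    if repo.get("sslverify", "1") == "0":
        findings.append("sslverify=0: the Pulp server's certificate is not verified")
    if repo.get("gpgcheck", "1") == "0":
        findings.append("gpgcheck=0: package signatures are not verified on install")
    return findings
```

Run it on the consumer with `check_repo_section(open("/etc/yum.repos.d/pulp.repo").read(), "myRepo")`; an empty list means the section is complete and hardened.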

Demo

A simple screen-cast walking you through steps 4-7 from above.