Reprepro: Difference between revisions

Reprepro is a tool for managing APT repositories.

Reprepro is able to manage multiple repositories for multiple distribution versions and one package pool. It can process updates from an incoming directory, copy package (references) between distribution versions, list all packages and/or package versions available in the repository, etc.

Reprepro maintains an internal database (a .DBM file) of the contents of the repository, which makes it quite fast and efficient.

It's installed from the Debian package reprepro, and is configured using the files in /srv/wikimedia/conf/. Running

# export REPREPRO_BASE_DIR=/srv/wikimedia
# export GNUPGHOME=/root/.gnupg

might be quite useful. One example is https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/admin/files/home/akosiaris/.variables;e86a9f707eadfef8bbfe23e314324f13750a1e36$3 and using

  sudo -E reprepro <etc..etc>

to make life better.

HOWTO

This section explains the most commonly needed actions/tasks involving reprepro. reprepro is running on install1002.wikimedia.org.

When modifying reprepro content adding/upgrading/removing packages, always log it in the Server Admin Log (SAL)

List all package versions in the repositories

For a given package name, use

reprepro ls PACKAGE_NAME

For example:

# reprepro ls puppet
puppet | 4.8.2-5~trusty1 |  trusty-wikimedia | amd64, i386, source
puppet |  4.8.2-5~bpo8+1 |  jessie-wikimedia | amd64, i386, source
puppet |  3.8.5-2~bpo8+2 |  jessie-wikimedia | amd64, i386, source
puppet |         4.8.2-5 | stretch-wikimedia | amd64, i386, source

This shows that there are two different builds of the same package version in the repositories hardy-wikimedia and lucid-wikimedia. There is clearly no puppet package in the karmic-wikimedia repository.

To see all packages in a given distribution, use

reprepro list DISTRIBUTION_NAME

To find all packages in all repositories, use

reprepro dumpreferences

or a variant thereof (see reprepro --help or man reprepro).

Building an unmodified third-party package for import

1. set up a Labs instance for building and select the role::package::builder role. You could use the VMs in the packaging project.
2. Alternatively if you are ops, just logging into boron.eqiad.wmnet. It is set up in exactly the same way but is faster and is already set up.
3. fetch the package source to that instance and review it. dget, wget, curl are all valid options, dget is probably the faster.
4. build the package for the target distribution using https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/package_builder/README.md$30
5. copy the build to the repo server (i.e. host with the install-server roles, install1002/2002 on 20170214). On boron there is an rsync server that can be used directly from install1002. Example sudo rsync -va boron.eqiad.wmnet::pbuilder-result/trusty-amd64/apertium* .
6. proceed with reprepro as documented below

Building a patched package for import

(e.g. when backporting a package from a more recent Debian release)

1. import the package into git (usually operations/debs/SOURCEPACKAGENAME)
2. apply your patch(es)
3. set up a Labs instance for building and select the role::package::builder role.
4. Alternatively if you are ops, just logging into boron.eqiad.wmnet. It is set up in exactly the same way but is faster and is already set up
5. check out your package on the labs host
6. build the package for the target distribution using https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/package_builder/README.md$30
7. copy the build to the repo server (i.e. host with the install-server roles, install1002/2002 on 20170214).On boron there is an rsync server that can be used directly from install1002. Example sudo rsync -va boron.eqiad.wmnet::pbuilder-result/trusty-amd64/apertium* .
8. proceed with reprepro as documented below

Automatically import files from an incoming/ directory

Reprepro can automatically import packages from an upload directory, as long as all the package fields are setup correctly with the right distribution and component names. It's also vital that the .changes files are present. When all these conditions are met, and all these files have been uploaded to /srv/wikimedia/incoming (e.g. using dupload), you can use:

# reprepro processincoming default

It uses the rules defined in the file /srv/wikimedia/conf/incoming

If the package is rejected by reprepro because one of the package control fields are wrong, or you want to override them for some other reason, use an override file (see below).

It's best to check whether the /srv/wikimedia/incoming/ directory is empty after using procesincoming, because reprepro should have moved/deleted all imported files. Any remaining files have not been processed.

Importing packages

You will need three things:

1. Component
   1. main: for Wikimedia native packages, as well as Debian/Ubuntu packages that have had source-modifications
   2. universe: for existing Ubuntu packages that just have been recompiled or backported for the given distribution.
2. Distribution
   1. Usually: stretch-wikimedia, jessie-wikimedia, or trusty-wikimedia. This is the distribution that the package has been compiled for, and under. This should match the field in the package's Changelog.
   2. If your package was specifically built for Wikimedia and does not have a distribution of CODENAME-wikimedia listed in the changes file, then you should force reprepro to accept a CODENAME-wikimedia distribution. Add --ignore=wrongdistribution flag to the reprepro command to do so.
3. Changes file
   1. If building on the packaging server, the changes file is most likely in /var/cache/pbuilder/result/CODENAME-amd64/ along with the dsc, buildinfo, tar.xz, deb, and orig.tar.gz.
   2. You will want to bring all of these files over to the reprepro server.

It's best to have reprepro fully manage all package aspects using the changes file that was created during the build of the package (e.g. using Pbuilder). When the changes file is present along with all files list therein, reprepro can handle it all with:

# reprepro -C COMPONENT include DISTRIBUTION CHANGES_FILE

For example:

# reprepro -C main include stretch-wikimedia nagios-nrpe-server_3.0.1-3+deb9u1+wmf1_amd64.deb

When no changes file is available, for example because you didn't build the package yourself, you can use includedsc and includedeb:

# reprepro -C universe includedsc lucid-wikimedia varnish_2.1.2-1.dsc
# reprepro -C universe includedeb lucid-wikimedia varnish_2.1.2-1_amd64.deb
# reprepro -C universe includedeb lucid-wikimedia libvarnish1_2.1.2-1_amd64.deb
# reprepro -C universe includedeb lucid-wikimedia libvarnish-dev_2.1.2-1_amd64.deb

Be aware that reprepro will remove older versions of packages without asking. They are no longer available in the pool (/srv/wikimedia/pool) either. However, /srv/wikimedia/ is backed up using Amanda on tridge, and many packages should be available in subversion as well.

Missing orig tarball

The original tarball should be listed in the changes file when package is built. Often times, this is accomplished with a build flag: dpkg-buildpackage -sa, debuild -sa, or pdebuild -- --debbuildopts -sa

If it is missing though, you can tell reprepro to ignore it and find it in the current working directory with the --ignore=missingfile flag.

Removing packages

A given binary package can be removed from a distribution using

# reprepro remove distribution-name package-name

For example:

# reprepro remove jessie-wikimedia facter

However, usually you want to remove all binary packages from a source package, that can be done with:

# reprepro removesrc distribution-name package-name

For example:

# reprepro removesrc trusty-wikimedia openjdk-8

Using the override file

When we are building our own packages, we should make sure that all control fields (such as the distribution name, component, priority etc.) are set correctly. Please rebuild your package if not.

However, occasionally it is necessary to override fields on a previously built package, which we don't want to modify the source of and/or rebuild. Ubuntu often does the same, and just retrieves packages from Debian Unstable and overrides a few fields using an override file.

We have an override file as well, in /srv/wikimedia/conf/deb-override. It's format is:

# packagename	fieldname	newvalue

As an example, our Varnish packages are coming straight from Debian Unstable (like in Ubuntu), and can be imported fine into Lucid as long as we override some package fields:

varnish		Distribution	lucid
libvarnish1	Distribution	lucid
libvarnish-dev	Distribution	lucid

Copying between distributions

In some cases, notably when no compiled binaries are involved, a given package build can be used for multiple distribution versions. This is for example the case with most native Wikimedia packages, which just contain (shell) scripts and can easily support multiple distribution versions (e.g. Hardy to Lucid). It would be a waste of time and work to make separate builds for these packages, so we include only one copy of these packages into multiple distributions.

To do this, build the package for the oldest distribution that is supported, e.g. hardy-wikimedia. Then, import it into this distribution:

# reprepro -C main include hardy-wikimedia wikimedia-base wikimedia-base_0.26_amd64.changes
# reprepro ls wikimedia-base
wikimedia-base | 0.26 |  hardy-wikimedia | amd64, source

Then, copy it to the other supported distributions, e.g. karmic-wikimedia and lucid-wikimedia:

# reprepro copy karmic-wikimedia hardy-wikimedia wikimedia-base
# reprepro copy lucid-wikimedia hardy-wikimedia wikimedia-base
# reprepro ls wikimedia-base
wikimedia-base | 0.26 |  hardy-wikimedia | amd64, source
wikimedia-base | 0.26 | karmic-wikimedia | amd64, source
wikimedia-base | 0.26 |  lucid-wikimedia | amd64, source

Updating external repositories

Reprepro has the ability to pull packages from other APT repositories automatically, this has added benefits like verifying signatures, easy management and so on. It is configured via conf/updates configuration file.

To check which updates are available:

 # reprepro --restrict cassandra checkupdate
 Calculating packages to get...
 Updates needed for 'jessie-wikimedia|thirdparty|source':
 'cassandra': '2.1.5' will be upgraded to '2.1.6' (from 'cassandra'):
 files needed: pool/thirdparty/c/cassandra/cassandra_2.1.6.dsc pool/thirdparty/c/cassandra/cassandra_2.1.6.orig.tar.gz pool/thirdparty/c/cassandra/cassandra_2.1.6.diff.gz
 ...

Remember to use --restrict to limit your update only the packages you are interested in, otherwise all available updates will be brought in!

To pull in the updates for real:

 # reprepro --restrict cassandra update
 Calculating packages to get...
 Getting packages...
 Installing (and possibly deleting) packages...
 Exporting indices...
 Deleting files no longer referenced...

NOTE: Sometimes --restrict will not actually update your package. For confluent-kafka-2.11, I had to instead use --component thirdparty/confluent without a --restrict option to get reprepro to actually pull the new version of the package.

In the example below, the custom component thirdparty/mono-project-stretch in the stretch-wikimedia repository is updated:

user@install1002:~$ sudo -i reprepro --noskipold -C 'thirdparty/mono-project-stretch' update stretch-wikimedia

If signing fails

If you get errors such as:

Error: gpgme created no signature!
This most likely means gpg is confused or produces some error libgpgme is
not able to understand.

Make sure you are running as root AND you have exported its environment variables to point to the right gpg keyring (at least until other method of signing is setup). This usually means:

sudo -i

or, better,

export REPREPRO_BASE_DIR=/srv/wikimedia
export GNUPGHOME=/root/.gnupg
sudo -E ...

Additional info

Some additional bits you may find useful.

dupload

To upload .changes files with dupload you will likely need a configuration like this in /etc/dupload.conf:

[...]
$cfg{'wmf'} = {
    fqdn => 'install1002.wikimedia.org',
    method => 'scp',
    incoming => '/srv/wikimedia/incoming',
    login => 'yourusername',
};
[...]

And then, you will be able to upload to incoming using a command like:

$ dupload --to wmf ../pkg_version_amd64.changes

External links

• Debian Reprepro (Upstream documentation and source code)