5 # Update node package repository metadata and sign packages
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
9 # Thierry Parmentelat <thierry.parmentelat@inria.fr>
12 # Source function library and configuration
13 . /etc/plc.d/functions
14 . /etc/planetlab/plc_config
21 # (*) sometimes we have yum issuing errors like 'package does not match intended content'
22 # this means that the sha256 checksum of the downloaded pkg does not match
23 # the sha256 checksum advertised in filelists.xml
24 # if you did run 'yum clean all' on the node,
25 # this means that the repodata/ dir. on the server side is out of date
26 # forcing a createrepo should solve this
28 # (*) also sometimes the node complains that a package is not signed
30 # so there quite obviously are some corner cases that are not well handled
31 # hopefully the following subforms may be helpful to recover in these cases
33 # /etc/plc.d/packages clean
34 # performs cleanup of the yum repositories and signed-stamps
35 # thus forcing the next 'start' command to re-sign and re-index everything
36 # /etc/plc.d/packages superclean
37 # like 'clean', plus this will reinstall the noderepo rpms that you have,
38 # that is to say restart from unsigned rpms
39 # /etc/plc.d/packages start
40 # this is the usual form, it should be smart enough to only sign the packages that need to,
41 # and to rerun createrepo when useful
42 # /etc/plc.d/packages force
43 # same as 'start' but createrepo is run unconditionnally
45 # PS. I suspect sometimes the signing fails and the script does not notice properly
49 # helper for hacking yumgroups
50 # if we've installed for several flavours
51 # we create cross links in install-rpms like this one
52 # ./onelab-f8-i386/sliceimage-onelab-f12-i386-5.0-6.2011.02.03.i686.rpm
53 # -> /var/www/html/install-rpms/onelab-f12-i386/sliceimage-onelab-f12-i386-5.0-6.2011.02.03.i686.rpm
55 # but this won't make it to the nodes until they are insered in yumgroups.xml in the PlanetLab group
58 function hack_yumgroups () {
61 pushd $repo >& /dev/null
63 sirpms=$(find . -name 'sliceimage*rpm')
64 echo found sirpms $sirpms
65 if [ ! -f yumgroups.xml ] ; then
66 echo "hack_yumgroups: could not find yumgroups in $(pwd)"
67 elif [ -z "$sirpms" ] ; then
68 echo "No need to hack yumgroups, no foreign sliceimage package found"
70 cp yumgroups.xml yumgroups.xml.hacking
71 # remove references to package sliceimage-
72 grep -v '>sliceimage-' yumgroups.xml.hacking > yumgroups.xml
73 # build a list of lines with corresponding rpm names
75 for sirpm in $sirpms; do
76 rpmname=$(rpm -q --qf '%{name}' -p $sirpm)
77 echo found file $sirpm with name $rpmname
78 insert="$insert<packagereq type=\"mandatory\">$rpmname</packagereq>"
80 echo 'inserting' $insert
81 # insert in yumgroups at the right place -- first packages in the PlanetLab group
82 ed yumgroups.xml <<EOF
100 if [ "$PLC_BOOT_ENABLED" != "1" ] ; then
104 MESSAGE=$"Signing and indexing node packages"
112 # there are some very old repos there, as well as some sensitive areas
113 # so by convention the repositories that have a 'PRESERVE' file won't
114 # be touched by the cross-flavour stuff
115 # i.e. no symlinks get created to or from there,
116 # and yumgroups is untouched
118 # use argv if provided
119 if [[ -n "$@" ]] ; then
122 # consider all subdirs in install-rpms by default, except the slice repos
123 # use find instead of ls - for the corner case where the dir. is empty
124 # (thanks Thomas Dreibholz for the heads up)
125 repositories=$(find /var/www/html/install-rpms -maxdepth 1 -mindepth 1 -type d \! -name 'slice-*' 2> /dev/null)
128 # filter out PRESERVE'd repos
129 cross_repositories=""
130 for repository in $repositories; do
131 [ -f $repository/PRESERVE ] || cross_repositories="$cross_repositories $repository"
135 # deal with the sliceimage packages
136 # symlink all instances of plain 'sliceimage-*rpm' in all repos
137 # and cleanup old links
138 sirpms=$(find $cross_repositories -name 'sliceimage*rpm' -a -type f)
139 # for nicer upgrades, also remove symlinks from 5.0
140 silinks=$(find $cross_repositories '(' -name 'sliceimage*rpm' -o -name 'vserver*rpm' ')' -a -type l)
142 for silink in $silinks; do
143 [ ! -e $silink ] && { echo removing old $silink; rm $silink; }
146 for repository in $cross_repositories; do
147 for sirpm in $sirpms; do
148 # if in the repository we're dealing with, ignore
149 if [ "$(echo $sirpm | sed -e s,^$repository,,)" != $sirpm ] ; then
154 if [ ! -e $link ] ; then
155 echo "creating symlink $link towards $sirpm"
162 # now that the symlinks are OK, we can tweak yumgroups
163 for repository in $cross_repositories; do
164 hack_yumgroups $repository
167 ########## sign plain packages
168 for repository in $repositories ; do
170 [ -d $repository ] || continue
171 # the rpms that need signing
173 # and the corresponding stamps
175 # is there a need to refresh yum metadata
176 # a safe approach would be to always run createrepo
177 # however this is painfully slow with multi-flavour installed
179 # however if we run this script like
180 # /etc/plc.d/packages force
181 # then we force a createrepo
182 [ "$mode" == force ] && need_createrepo=true
184 # right after installation, no package is present
185 # but we still need to create index
186 [ ! -f $repository/repodata/repomd.xml ] && need_createrepo=true
188 # it's not helpful to sign symlinks that will get signed on their own
189 for package in $(find $repository/ -name '*.rpm' -a \! -type l) ; do
190 stamp=$repository/signed-stamps/$(basename $package).signed
191 # If package is newer than signature stamp
192 if [ $package -nt $stamp ] ; then
193 new_rpms="$new_rpms $package"
194 new_stamps="$new_stamps $stamp"
196 # Or than createrepo database
197 [ $package -nt $repository/repodata/repomd.xml ] && need_createrepo=true
198 [ $package -nt $repository/repodata/filelists.xml.gz ] && need_createrepo=true
201 if [ -n "$new_rpms" ] ; then
202 # Create a stamp once the package gets signed
203 mkdir $repository/signed-stamps 2> /dev/null
205 # Sign RPMS. setsid detaches rpm from the terminal,
206 # allowing the (hopefully blank) GPG password to be
207 # entered from stdin instead of /dev/tty.
209 --define "_signature gpg" \
210 --define "_gpg_path /etc/planetlab" \
211 --define "_gpg_name $PLC_MAIL_SUPPORT_ADDRESS" \
212 --resign $new_rpms && touch $new_stamps
214 # if we sign at least one package then we need to reindex
218 # Update repository index / yum metadata.
220 if [ -n "$need_createrepo" ] ; then
221 if [ -f $repository/yumgroups.xml ] ; then
222 createrepo --quiet -g yumgroups.xml $repository
225 createrepo --quiet $repository
235 if [[ -z "$@" ]] ; then
236 # use all subdirs in install-rpms by default
237 repositories=/var/www/html/install-rpms/*
243 for repository in $repositories ; do
244 rm -rf $repository/signed-stamps
245 rm -rf $repository/repodata
246 find $repository -type l | xargs rm
249 # (use this only if you have noderepos installed)
252 find /var/www/html/install-rpms -name signed-stamps | xargs rm -rf
253 find /var/www/html/install-rpms -name repodata | xargs rm -rf
254 find /var/www/html/install-rpms -type l | xargs rm
255 rpm -aq | grep noderepo | xargs yum -y reinstall
258 echo "Usage: $0 start|force|clean [repo ..]"