-rw-r--r--README6
-rw-r--r--rpki-pbuilder.py12
-rwxr-xr-xrpki-pbuilder.sh2
-rw-r--r--rpki-pbuilder.ssh_config34
4 files changed, 42 insertions, 12 deletions
diff --git a/README b/README
index 9002d04..74e9a69 100644
--- a/README
+++ b/README
@@ -1,9 +1,3 @@
Tools and scripts related to automated building of Debian packages and
maintenance of an APT repository containing the result. At present,
this is based on pbuilder and reprepro running on Ubuntu.
-
-This used to be part of the buildtools/ directory in the main
-repository, but the build automation isn't really tied to any
-particular branch, and now that it has to maintain packages from
-multiple branches it's less confusing to put it in its own little
-corner of the repository.
diff --git a/rpki-pbuilder.py b/rpki-pbuilder.py
index 4ae0823..942782e 100644
--- a/rpki-pbuilder.py
+++ b/rpki-pbuilder.py
@@ -51,8 +51,6 @@ parser.add_argument("--git-tree", default = os.path.expanduser("~/source/master/
help = "git tree")
parser.add_argument("--apt-tree", default = os.path.expanduser("~/repository/"),
help = "reprepro repository")
-parser.add_argument("--apt-user", default = "aptbot",
- help = "username for uploading apt repository to public web server")
parser.add_argument("--url-host", default = "download.rpki.net",
help = "hostname of public web server")
parser.add_argument("--url-scheme", default = "http",
@@ -103,7 +101,7 @@ except (IOError, OSError), e:
sys.exit(0 if e.errno == errno.EAGAIN else "Error {!r} opening lock {!r}".format(e, args.lockfile))
run("git", "fetch", "--all", "--prune", cwd = args.git_tree)
-run("git", "pull", cwd = args.git_tree)
+run("git", "pull", cwd = args.git_tree)
source_version = subprocess.check_output((sys.executable, os.path.join(args.git_tree, "buildtools/make-version.py"),
"--build-tag", "--stdout"), cwd = args.git_tree).strip()
@@ -334,12 +332,16 @@ for r in args.releases:
Release.do_all_releases()
+# Push any tags created above to the public git repository.
+
+if upload:
+ run("git", "push", "--tags", cwd = args.git_tree)
+
# Upload results, maybe. We do this in two stages, to minimize the window
# during which the uploaded repository might be in an inconsistent state.
def rsync(*flags):
- cmd = ["rsync", "--archive", "--itemize-changes",
- "--rsh", "ssh -l {}".format(args.apt_user)]
+ cmd = ["rsync", "--archive", "--itemize-changes", "--rsh", "ssh"]
cmd.extend(flags)
cmd.append(args.apt_tree)
cmd.append("rsync://{host}/{path}/".format(host = args.url_host,
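Review bot: With `-l aptbot` dropped from `--rsh` in `rsync()`, the remote user and key are chosen entirely by the invoking account's ssh client configuration, and nothing in the visible code points ssh at rpki-pbuilder.ssh_config. The added `run("git", "push", "--tags", ...)` has the same dependency, since the push remote uses a host alias that only resolves through that configuration. If the file is not installed as `~/.ssh/config`, ssh would presumably fall back to the local username and default identities for rsync, and the push alias would not resolve. A comment above `cmd = [...]` would make this explicit, for example `# User and IdentityFile come from ~/.ssh/config (see rpki-pbuilder.ssh_config)`. The body of `rsync()` continues outside the hunk.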
diff --git a/rpki-pbuilder.sh b/rpki-pbuilder.sh
index 106db4b..29c62a1 100755
--- a/rpki-pbuilder.sh
+++ b/rpki-pbuilder.sh
@@ -9,7 +9,7 @@ set -x
cd $HOME
python rpki-pbuilder.py \
- --git-tree $HOME/source.ng/master/ \
+ --git-tree $HOME/source.ng/rpki.net/ \
--apt-tree $HOME/repository.ng/ \
--url-path /APTng \
--releases debian/jessie ubuntu/xenial
diff --git a/rpki-pbuilder.ssh_config b/rpki-pbuilder.ssh_config
new file mode 100644
index 0000000..6084fc1
--- /dev/null
+++ b/rpki-pbuilder.ssh_config
@@ -0,0 +1,34 @@
+# Fake hostnames here correspond to git remote URLs, which turns out
+# to be the easy way to use separate keys for push and fetch:
+#
+# $ git remote -v
+# origin pull.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (fetch)
+# origin push.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (push)
+#
+# The third key is used for rsync daemon-mode-over-ssh, as the name suggests:
+#
+# $ rsync --rsh ssh rsync://download.rpki.net/
+# APT APT repository for old stable RPKI code (trunk)
+# APTng APT repository for new development RPKI code
+#
+# The reason for using three separate keys is simple: this is a robot, keys are cheap,
+# and using a separate key for each allowed action gives us a trivial way to lock down
+# the server side.
+
+Host pull.download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_pull
+ IdentitiesOnly yes
+
+Host push.download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_push
+ IdentitiesOnly yes
+
+Host download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_rsync
+ IdentitiesOnly yes
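Review bot: The header comment explains why three keys exist but not what each key is expected to be limited to on the server, and the separation only constrains anything if the server's `authorized_keys` pins each key to its single action, which is not visible here. I would extend the comment with one line per key naming the intended restriction, e.g. `# id_rsa_rsync: server entry should force the rsync daemon command and disable pty/forwarding`. Setting `StrictHostKeyChecking yes` in each stanza would additionally make the unattended job independent of the account's default host-key policy.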