Problems with Poudriere

I wanted to create some packages with different options from binary packages, so I set up poudriere.

poudriere.conf
Code:
##
## poudriere.conf
##
NO_ZFS=yes
FREEBSD_HOST=ftp://ftp.freebsd.org
RESOLV_CONF=/etc/resolv.conf

# The directory where poudriere will store jails and ports
BASEFS=/poudriere

# The directory where the jail will store the packages and logs
# by default a zfs filesystem will be created and set to
# ${BASEFS}/data
#
POUDRIERE_DATA=${BASEFS}/data

# Use portlint to check ports sanity
USE_PORTLINT=no

USE_TMPFS=no

DISTFILES_CACHE=/poudriere/distfiles

CHECK_CHANGED_OPTIONS=verbose
CHECK_CHANGED_DEPS=yes

SAVE_WRKDIR=yes
KEEP_OLD_PACKAGES=no

BUILDER_HOSTNAME=lrepo.test.local
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/certs/poudriere.cert

USE_COLORS=yes

I created the certs for poudriere using OpenSSL.

I created the jail with:

poudriere jail -c -j R11x64 -v 11.1-RELEASE


I created the ports tree with

poudriere ports -c -p HEAD


create list of ports to build in /usr/local/etc/poudriere.d/buildlist/portlist

run command
poudriere options -j R11x64 -p HEAD -f /usr/local/etc/poudriere.d/buildlist/portlist

poudriere creates options directory with my options

run command
poudriere bulk -j R11x64 -p HEAD -f /usr/local/etc/poudriere.d/buildlist/portlist

poudriere successfully builds all packages and then reports
Code:
[00:50:51] Creating pkg repository
Creating repository in /tmp/packages: 100%
Packing files for repository:   0%
pkg-static: can't load key from /tmp/repo.key
Packing files for repository: 100%
[00:50:52] Cleaning up
[00:50:52] Unmounting file systems

I checked the logs and they indicate that all packages were built, but when I go to /poudriere/data/packages/R11x64-HEAD there are 3 directories:
.latest
.real_1516828511
.building

The first two directories are empty and the last has what appears to be packages. Is .building the "normal" location for packages? TIA
 
The error is here:
poudriere successfully build all packages and then reports
Code:
pkg-static: can't load key from /tmp/repo.key

poudriere.conf
Code:
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/certs/poudriere.cert
I created the certs for poudriere using OpenSSL.
How did you create your signing key? I suspect that your /usr/local/etc/ssl/certs/poudriere.cert doesn't contain what you need. There is an example in the man page for pkg-repo(8), which boils down to running
openssl genrsa -out repo.key 2048
to create a private RSA key. This is the file that should be listed as PKG_REPO_SIGNING_KEY.
 
I would try to get things working without signing the packages first. There's no requirement for the packages to be signed. Once everything works you can look into signing them.
 
Thank you to the two of you. I was able to compile the packages with Poudriere without any further problems.

@ astreriskRoss, I am trying to learn how to use Poudriere. It is quite the nifty piece of software!
 
Sorry for hijacking/resurrecting this thread, but this sounds quite familiar. I'll elaborate on my journey:

I created key and cert:
openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096
openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert

I put the key into poudriere.conf:
Code:
   PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key

I put the cert on the client:
#Making our local server the only source, putting the current FreeBSD version into the path
Code:
   myRepo: {
     url: "pkg+http://<IP>/repository/FreeBSD/freebsd_11-2x64-QUARTERLY",
     mirror_type: "srv",
     signature_type: "pubkey",
     pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
     enabled: yes
   }
Building, uploading to Webserver, pkg installing.. all work like a charm. Much easier than expected.

Then I tried verifying my setup. I fiddled with the certificate on the client, turning a b into a B. This should invalidate the key/cert combo.

BUT... pkg still installs like nothing happened.

I'm very very very sure that I have something misconfigured. But crosschecking with about every tutorial I can find, it does not look like I made a mistake.

How can I check whether poudriere signs the packages in the first place? Can I look for something in the log?
How can I monitor whether pkg checks the signatures?

Following the 'example' in the first post, I renamed poudriere.key to poudriere.ke, and got an error message.
Code:
   [00:00:00] Starting jail freebsd_11-2x64-QUARTERLY
   [00:00:01] Error: PKG_REPO_SIGNING_KEY defined but the file is missing.
So that part of the config seems ok.

When I re-renamed the file, the bulk build went through. Nothing in the output contained {key|cert|sign}. Should it? Or is this quietness expected?

Thanks for pointing me in the right direction.

best regards
simon
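
An added example, not part of any post in this thread: a shell check for the two key questions raised above, namely whether the file named in PKG_REPO_SIGNING_KEY is really a private RSA key (the cause of the "can't load key" error in the first post) and whether the public key on the client belongs to it. The file names are constructed, and the sign/verify step uses plain `openssl dgst` as a stand-in for RSA signing in general, not pkg's own repository signature format.

```shell
#!/bin/sh
# Added example; every file created here is constructed demo data.

# 0 if the file is a loadable private RSA key (what PKG_REPO_SIGNING_KEY needs).
is_private_key() {
    openssl rsa -in "$1" -check -noout -passin pass: >/dev/null 2>&1
}

# 0 if public key file $2 is the public half of private key $1.
pubkey_matches() {
    want=$(openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    have=$(openssl rsa -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ "$want" = "$have" ]
}

# Sign data file $3 with private key $1, then verify with public key $2.
sign_and_verify() {
    sig=$(mktemp) || return 1
    openssl dgst -sha256 -sign "$1" -out "$sig" "$3" 2>/dev/null &&
        openssl dgst -sha256 -verify "$2" -signature "$sig" "$3" >/dev/null 2>&1
    rc=$?
    rm -f "$sig"
    return $rc
}

# Helper for the demo: writes $1.key (private) and $1.pub (public).
make_pair() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
        openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_pair "$tmp/repo"      # the repository's signing pair
make_pair "$tmp/other"     # an unrelated pair, standing in for a wrong client key
echo "constructed catalogue data" > "$tmp/data"

is_private_key "$tmp/repo.key" && echo "repo.key: private key, usable for signing"
is_private_key "$tmp/repo.pub" || echo "repo.pub: not a private key, signing would fail"
pubkey_matches "$tmp/repo.key" "$tmp/repo.pub" && echo "repo.pub matches repo.key"
pubkey_matches "$tmp/repo.key" "$tmp/other.pub" || echo "other.pub does not match repo.key"
sign_and_verify "$tmp/repo.key" "$tmp/repo.pub" "$tmp/data" && echo "signature verifies"
sign_and_verify "$tmp/repo.key" "$tmp/other.pub" "$tmp/data" || echo "signature rejected under other.pub"
```

Pointing the first two functions at the real files from poudriere.conf and the client's repository configuration gives the same answers for an actual setup.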
 
There is a bug on FreeBSD_12.0-RELEASE and poudriere with a fresh install of the OS and poudriere in which it fails to sign the key.

The only work-around I have found is to disable SSL or to create a poudriere install with FreeBSD_11.2-RELEASE and then upgrade to 12 later.
 