
[step by step series 8] Setting up OBS on openSUSE Leap 42.1

顺ze
2016.01.25 21:11

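Notes

  • Demonstrated in VirtualBox, built on a minimal installation of openSUSE Leap 42.1.
  • Because I am demonstrating on a virtual machine, I took the lazy route and put the worker and the server on the same machine. A real cluster or network would not be set up this way: not only would the worker and the server be on different hosts, even the different services of the server (for example dispatcher and publisher) might run on different hosts.
  • I am a novice; experts, please go easy on me.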

Steps

1. Install VirtualBox

This needs no explanation. If you use openSUSE, open a terminal:
sudo zypper in virtualbox
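If you use Windows or Mac, download and install it from here.

2. Install openSUSE Leap 42.1 in VirtualBox

Choose the minimal installation.

3. Configure obs-server

  • Configure the repositories
    Because of network conditions in China, switching to local mirrors is necessary.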
sudo zypper lr
sudo zypper mr -d 1 3 # 1 and 3 are the numbers of the repositories I want to disable
sudo zypper ar -f http://mirrors.ustc.edu.cn/opensuse/distribution/leap/42.1/repo/oss/ leap-oss
sudo zypper ar -f http://mirrors.ustc.edu.cn/opensuse/distribution/leap/42.1/repo/non-oss/ leap-non-oss
sudo zypper ar -f http://mirrors.hust.edu.cn/packman/suse/openSUSE_Leap_42.1/ packman
sudo zypper ref
  • Configure the services
    mysql service
sudo zypper in mariadb
sudo systemctl enable mysql.service
sudo systemctl start mysql.service
sudo systemctl status mysql.service
mysql_secure_installation  # set a root password for the database, then answer yes to everything
sudo systemctl restart mysql.service

memcached service

sudo zypper in memcached
sudo systemctl enable memcached.service
sudo systemctl start memcached.service

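obs-backend service
The OBS backend is a group of services that live in the OBS:server project. The latest stable version is OBS:server:2.6, which has no openSUSE_Leap_42.1 repository, so the only option is the unstable version. The obs-server obtained from this repository was built on 20160121.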

sudo zypper ar http://download.opensuse.org/repositories/OBS:/Server:/Unstable/openSUSE_42.1/ obs-server
sudo zypper ref
sudo zypper in obs-server obs-worker # server and worker share one host, so obs-worker is installed too
sudo systemctl enable obsrepserver.service
sudo systemctl start obsrepserver.service
sudo systemctl enable obssrcserver.service
sudo systemctl start obssrcserver.service
sudo systemctl enable obsscheduler.service
sudo systemctl start obsscheduler.service
sudo systemctl enable obsdispatcher.service
sudo systemctl start obsdispatcher.service
sudo systemctl enable obspublisher.service
sudo systemctl start obspublisher.service
sudo systemctl enable obssigner.service
sudo systemctl start obssigner.service  # if it fails to start, see below
sudo systemctl enable obswarden.service
sudo systemctl start obswarden.service
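  • About the obssigner service
    If the obssigner service did not start properly, refer to this page; if you would rather not read the English, follow my explanation:

Generate the GPG keys:

Step 1: generate a master key

# Note: run this from a session logged in as root. Do not run it over remote ssh and do not use su to switch to root, otherwise you will hit the following problem: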
#gpg-agent[14392]: command get_passphrase failed: Operation cancelled
#gpg: cancelled by user
#gpg: Key generation canceled.
gpg --gen-key 
Please select what kind of key you want:
    (1) RSA and RSA (default)
     (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Tue Aug  4 12:15:28 2015 CEST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: My Build Service
Email address: obsrun@localhost
Comment:
You selected this USER-ID:
    "My Build Service <obsrun@localhost>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(Passphrase dialog.)
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-08-04
pub   2048R/F86E2EDC 2010-08-05 [expires: 2015-08-04]
      Key fingerprint = E020 2A9C 1D89 662C A354  FB37 87DD A101 F86E 2EDC
uid                  My Build Service <obsrun@localhost>
sub   2048R/D849EAAB 2010-08-05 [expires: 2015-08-04]

Step 2: generate the signing key

$ gpg --edit F86E2EDC
Secret key is available.
pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E   
[ultimate] (1). My Build Service <obsrun@localhost>
Command> addkey
(Passphrase dialog.)
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2015-08-04 # enter the master key's expiry date here
Key expires at Mon Aug 24 11:59:24 2015 CEST
Is this correct? (y/N) y
Really create? (y/N) y
pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E   
sub  2048D/D5C8DB1B  created: 2010-08-05  expires: 2015-08-24  usage: S   
[ultimate] (1). My Build Service <obsrun@localhost>

Step 3: generate the encryption key

Command> addkey
(Passphrase dialog.)
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 5
The rest is much the same as step 2, so it is omitted...

In the end you should see this result: one master key, one sub key, one signing key and one encryption key

pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E   
sub  2048D/D5C8DB1B  created: 2010-08-05  expires: 2015-08-24  usage: S   
sub  2048g/D4A6E8F1  created: 2010-08-05  expires: 2015-08-24  usage: E   
[ultimate] (1). My Build Service <obsrun@localhost>
quit

Export the keys for OBS to use

mkdir -v /root/.phrases
vim /root/.phrases/obsrun@localhost # write the GPG passphrase you just set into this file
ln -s /root/.gnupg /
gpg --armor --export F86E2EDC > /srv/obs/openSUSE-Build-Service.asc
gpg --armor --export F86E2EDC > /etc/obs-default-gpg.asc
vim /usr/lib/obs/server/BSConfig.pm
our $gpg_standard_key = '/etc/obs-default-gpg.asc';
our $sign = '/usr/bin/sign';
# Extend sign call with project name as argument "--project $NAME"
our $sign_project = 0;
# Global sign key
our $keyfile = '/srv/obs/openSUSE-Build-Service.asc';
# Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;
vim /etc/sign.conf 
user: obsrun@localhost
allowuser: obsrun
allow: 127.0.0.1
phrases: /root/.phrases

Start the obssigner service

sudo systemctl enable obssigner obssignd
sudo systemctl start obssignd obssigner 

4. Configure obs-worker

obs-worker was already installed above; start the service

sudo systemctl start obsworker.service
sudo systemctl enable obsworker.service

5. Configure the frontend

Install obs-api

sudo zypper in obs-api

Set the database password

vim /srv/www/obs/api/config/database.yml
production:
  adapter: mysql2
  database: api_production
  username: root
  password: YOUR_PASSWORD # the root password set earlier with mysql_secure_installation
  encoding: utf8

Allow anonymous access to the API

vim /srv/www/obs/api/config/options.yml
allow_anonymous: true
read_only_hosts: [ "127.0.0.1", 'localhost' ]

Set up the production database

RAILS_ENV=production rake -f /srv/www/obs/api/Rakefile db:create
RAILS_ENV=production rake -f /srv/www/obs/api/Rakefile db:setup
RAILS_ENV=production rake -f /srv/www/obs/api/Rakefile writeconfiguration
chown -R wwwrun:www /srv/www/obs/api/log /srv/www/obs/api/tmp

Configure apache

vim /etc/sysconfig/apache2
APACHE_MODULES="... passenger rewrite proxy proxy_http xforward headers" # add these modules
APACHE_SERVER_FLAGS="-DSSL" # enable SSL support
vim /etc/apache2/vhosts.d/obs.conf # this file is provided when obs-api is installed

If apache2 reports an error on startup, install rubygem-passenger-apache2:
sudo zypper in rubygem-passenger-apache2

Enable xforward mode

vim /srv/www/obs/api/config/options.yml
use_xforward: true

Create a self-signed SSL certificate

mkdir /srv/obs/certs
openssl genrsa -out /srv/obs/certs/server.key 2048 # 1024-bit RSA is too weak for a TLS key; use at least 2048 bits
openssl req -new -key /srv/obs/certs/server.key -out /srv/obs/certs/server.csr
openssl x509 -req -days 365 -in /srv/obs/certs/server.csr -signkey /srv/obs/certs/server.key -out /srv/obs/certs/server.crt
cat /srv/obs/certs/server.key /srv/obs/certs/server.crt > /srv/obs/certs/server.pem

Trust the certificate

cp /srv/obs/certs/server.pem /etc/ssl/certs/
c_rehash /etc/ssl/certs/

Start the web service

systemctl enable apache2
systemctl start apache2

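Start the obsapidelayed service

systemctl enable obsapidelayed.service
systemctl start obsapidelayed.service  # did not start successfully

Check that the frontend is configured correctly
Enter https://YOUR_IP:443 and https://YOUR_IP:82 in a browser.
As shown, my IP is 172.17.0.51. Note that port 82 may only show a page after you have built some packages. Here I went straight to https://172.17.0.51 and saw the following: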

[Screenshot: Local OBS]

The default username and password are:
Admin
opensuse

The OBS-related packages I installed

linux-dexl:~/.phrases # rpm -qa | grep obs
obs-server-2.6.51.git20160201.cac3343-1669.1.noarch
obs-signd-2.2.1-1.1.x86_64
obs-api-2.6.51.git20160201.cac3343-1669.1.noarch
obs-productconverter-2.6.51.git20160201.cac3343-1669.1.noarch
obs-worker-2.6.51.git20160201.cac3343-1669.1.noarch
obs-common-2.6.51.git20160201.cac3343-1669.1.noarch

Coffee Time

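Congratulations, it is finally done: you now have your own OBS!
You can try building packages on it.

Some problems

  • Log in currently does not succeed. Looking at /srv/www/obs/api/log/apache_error.log, the cause is related to the SSL certificate: [Wed Feb 03 02:21:42.613656 2016] [ssl:warn] [pid 2924] AH01909: api:443:0 server certificate does NOT include an ID which matches the server name. I have not solved this yet.
  • If the obsapidelayed service will not start, see this page; it mainly comes down to changing the permissions of the log files.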
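
Apache logs the AH01909 warning quoted above when neither the CN nor the subjectAltName of the certificate matches the vhost's ServerName (api in the log line). The script below is an added example, not part of the original post: it builds a self-signed certificate with a 2048-bit key whose names cover api and the IP 172.17.0.51 used in this post, then reads the SAN back. The function names and the output directory argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post). The names "api" and
# 172.17.0.51 come from the log line and URL above; the function names
# are hypothetical.

# make_obs_cert DIR NAME IP: write DIR/server.key and DIR/server.crt
make_obs_cert() {
    dir=$1 name=$2 ip=$3
    mkdir -p "$dir" || return 1
    # A config file is used instead of -addext so that OpenSSL releases
    # older than 1.1.1 work too
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
subjectAltName = DNS:$name, IP:$ip
EOF
    # 2048-bit key, created readable by its owner only
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$dir/server.key" \
        -config "$dir/openssl.cnf" -out "$dir/server.crt"
}

# cert_names CERT: print the subjectAltName entries, one per line
cert_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# cert_matches CERT NAME: succeed only if NAME is a DNS entry in the SAN
cert_matches() {
    cert_names "$1" | grep -qx "DNS:$2"
}

# Usage: sh make_cert.sh /srv/obs/certs api 172.17.0.51
if [ "$#" -eq 3 ]; then
    make_obs_cert "$1" "$2" "$3" && cert_names "$1/server.crt"
fi
```

For the warning to go away, the DNS entry has to equal the ServerName set in /etc/apache2/vhosts.d/obs.conf.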

Contact

openSUSE Chinese forum
639304@icloud.com

Acknowledgements

Many thanks to MargueriteSu and Adrian Schroeter for their patience and help.
