A recipe for running your pkg.depotd(1) server with SSL and Apache 2.4
As part of my contribution to the darktable community, I provide the Solaris packages needed to run the application via a locally-hosted pkg repo. You can
    # pkg set-publisher -g https://www.jmcpdotcom.com/packages/packages JMCP
and then install the bits very easily.
What was a little non-obvious (to me at least) was how to get the pkg.depotd process to only listen on a secured port.
If you look at the SMF properties for svc:/application/pkg/server, you will observe these two likely-looking candidates:
    pkg/ssl_key_file
    pkg/ssl_cert_file
They are not, however, what you need. Running pkg/server outside of svc:/application/pkg/depot is actually restricted to plain http because the backing framework here is CherryPy – and the version which pkg.depotd uses apparently has some issues with https.
Hmmph.
So I asked a few colleagues who have worked on our packaging system for assistance. Liane pointed me at https://docs.oracle.com/cd/E23824_01/html/E21803/apache-config.html, which was an excellent place to start. I did, however, need some handholding from Tim and eventually wound up with the following configuration which works with Apache v2.4.
Firstly, /etc/apache2/2.4/httpd.conf:
Follow the Apache docs for enabling SSL. Once you've settled on the port to run your pkg.depotd on, add a RewriteRule like this:
    RewriteEngine On
    RewriteRule ^/packages$ https://%{SERVER_NAME}:83 [R,L]
Secondly, svc:/application/pkg/depot:default:
    # svccfg -s application/pkg/depot:default
    svc:/application/pkg/depot:default> setprop config/port = 83
    svc:/application/pkg/depot:default> setprop config/ssl_ca_cert_file = "/path/to/your/SSL CA cert bundle"
    svc:/application/pkg/depot:default> setprop config/ssl_cert_file = "/path/to/your/SSL cert file"
    svc:/application/pkg/depot:default> setprop config/ssl_key_file = "/path/to/your/SSL key file"
    svc:/application/pkg/depot:default> refresh
    svc:/application/pkg/depot:default> quit
Thirdly, svc:/application/pkg/server:
    # svccfg -s application/pkg/server add packages
    # svccfg -s application/pkg/server:packages addpg pkg application
    # svccfg -s application/pkg/server:packages
    svc:/application/pkg/server:packages> addprop pkg/proxy_base = astring: "https://your.ssl.url.here/packages"
    svc:/application/pkg/server:packages> addprop pkg/inst_root = astring: "/path/to/your/REPO/on/disk"
    svc:/application/pkg/server:packages> addprop pkg/readonly = boolean: true
    svc:/application/pkg/server:packages> addprop pkg/log_access = astring: "/path/to/access/logfile"
    svc:/application/pkg/server:packages> addprop pkg/log_errors = astring: "/path/to/error/logfile"
    svc:/application/pkg/server:packages> addprop pkg/standalone = boolean: false
    svc:/application/pkg/server:packages> refresh
    svc:/application/pkg/server:packages> quit
Once you've got those steps completed, it's time to enable the services and add the publisher:
    # svcadm enable pkg/server:packages pkg/depot:default
    # pkg set-publisher -g https://your.ssl.url.here/packages/packages yourpublishername
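As an added sanity check (my own example, not part of the original post): a small Python validator that reads the output of svcprop -p pkg application/pkg/server:packages and flags the property values that would quietly undo the SSL-only setup described above. The svcprop output embedded below is constructed, not captured from a real host.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of svcprop's "name type value" output for
# svcprop -p pkg application/pkg/server:packages (not captured from a real host).
# It deliberately contains the three mistakes the checker is meant to catch.
SAMPLE_SVCPROP = """\
pkg/proxy_base astring http://your.ssl.url.here/packages
pkg/inst_root astring /path/to/your/REPO/on/disk
pkg/readonly boolean false
pkg/log_access astring /path/to/access/logfile
pkg/log_errors astring /path/to/error/logfile
pkg/standalone boolean true
"""


def parse_svcprop(text: str) -> Dict[str, Tuple[str, str]]:
    """Map property name -> (type, value); lines without three fields are skipped."""
    props: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            props[parts[0]] = (parts[1], parts[2])
    return props


def check_pkg_server(text: str) -> List[str]:
    """Return one finding per property that would defeat the SSL-only setup."""
    props = parse_svcprop(text)

    def value(name: str) -> str:
        return props.get(name, ("", ""))[1]

    findings: List[str] = []
    if not value("pkg/proxy_base").startswith("https://"):
        findings.append("pkg/proxy_base is not an https:// URL: the depot would "
                        "advertise a plaintext URL to clients")
    if value("pkg/standalone") != "false":
        findings.append("pkg/standalone must be false: only pkg/depot (Apache) "
                        "terminates TLS; pkg.depotd on its own is plain http")
    if value("pkg/readonly") != "true":
        findings.append("pkg/readonly should be true for a repo served to clients")
    for name in ("pkg/inst_root", "pkg/log_access", "pkg/log_errors"):
        if not value(name).startswith("/"):
            findings.append(f"{name} is missing or not an absolute path")
    return findings


if __name__ == "__main__":
    for finding in check_pkg_server(SAMPLE_SVCPROP):
        print("WARN:", finding)
```

Pipe real svcprop output into check_pkg_server after running the svccfg steps; an empty list means the three properties that matter for the SSL-only path are set the way the recipe expects.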
Pretty simple (now that you know how).