Building an RPM package using Nginx as an example
10:35, 26.01.2023
RPM is a package manager used in Red Hat-based Linux operating systems. RPM packages store their data in a cpio archive, which is compressed with gzip, bzip2, LZMA, XZ or XAR, depending on the version. The name of each RPM package includes 4 elements:
- program name;
- version;
- version number designation;
- the architecture under which the package was built.
In this article we show how to build your own RPM package for CentOS, using Nginx with the SPNEGO module as an example. We will move towards this goal in several steps: from creating a simple package to adding individual modules and editing the configuration file.
Preconfiguring the CentOS operating system
The first thing to do is to install a few important packages:
yum install wget rpm-build rpmdevtools gcc make
This single command installs a utility to download files over the network (wget), a utility to build the installation package (rpm-build), a program to create the directory-based working environment (rpmdevtools), a C compiler (gcc), and a utility to build source code (make). We will need all of them later.
Next, install the build dependencies:
yum install openssl-devel zlib-devel pcre-devel
All the packages mentioned in the command are needed for our version of the RPM build. In your case, you may need other dependencies; just list them separated by spaces. If the required packages are not present on your system, you will get an error message the first time you try to build.
The last step of the operating system preconfiguration is to create a separate user. The build should not be run as a user with root privileges, because any error in paths can cause some files or even entire directories to be lost. So, run the command:
useradd creator -m
This creates the user creator together with a separate home directory. To perform all further actions as this user, run:
su - creator
Setting up a user environment
Make sure that you are in the correct directory. The working directory can be any folder created for this purpose. In this example, we use the home directory of the user creator, which was created earlier.
To make sure you are in the right directory, type the command:
$ pwd
If the console gives you the message "/home/creator", you are in the right place. If you see something else, just navigate to the home directory with the command:
$ cd ~
Then create the directory structure for the build:
$ rpmdev-setuptree
We will now have an rpmbuild folder in our creator user's home directory that contains this structure:
- BUILD – holds the files that appear during the creation of the RPM package.
- RPMS – this is where the finished packages are placed.
- SOURCES – contains sources for building RPM packages.
- SPECS – contains the build description files.
- SRPMS – contains the sources of the RPM files.
Now we are ready to download the source code and prepare it for the next steps.
Creating RPM packages from source
Go to the Nginx package download page and select the packages you need specifically for your operating system. We are building RPM on CentOS 7. If you are too – you can go straight to the appropriate section. Here you will find sources for your particular OS version. Copy the link and then download the source via the console:
$ wget https://nginx.org/packages/mainline/centos/7/SRPMS/nginx-1.19.3-1.el7.ngx.src.rpm
And now install the source with the command:
$ rpm -Uvh nginx-1.19.3-1.el7.ngx.src.rpm
After that, the rpmbuild/SOURCES directory contains the source files for building the RPM with the desired Nginx web server version.
Next, build the installable RPM package:
$ rpmbuild -bb rpmbuild/SPECS/nginx.spec
The result will be a package in the rpmbuild/RPMS/x86_64 directory, which contains two files:
- nginx-1.19.3-1.el7.ngx.x86_64.rpm: installation package.
- nginx-debuginfo-1.19.3-1.el7.ngx.x86_64.rpm: installation package with debugging information.
Now we are ready to install.
Basic operations with the installation package
To install the assembled package, we write the command:
rpm -Uvh <path to compiled package>
The -Uvh options upgrade or install the package (-U), print verbose output (-v), and show installation progress as hash marks (-h). You must be in the directory where the RPM package is located when you run the command.
Next, to start Nginx, we type the commands one by one:
systemctl enable nginx
systemctl start nginx
The first command makes the web server (https://www.hostzealot.com/servers) start automatically, while the second command starts it here and now.
If you need to remove a package, you will also need to enter two commands:
systemctl disable nginx
systemctl stop nginx
To get information about the full name of the package installed in your operating system, type this command:
rpm -qa | grep nginx
After stopping the web server, you can delete the package with the command:
rpm -e nginx-1.19.3-1.el7.ngx.x86_64
How do I add a SPNEGO module?
Adding the SPNEGO module to the assembly is easy. Enter a series of commands one by one:
yum install git
su - creator
$ cd ~
$ git clone https://github.com/stnoonan/spnego-http-auth-nginx-module.git /tmp/spnego-http-auth-nginx-module
$ vi rpmbuild/SPECS/nginx.spec
The nginx.spec file opens in front of you:
- Find the line "%define BASE_CONFIGURE_ARGS ...".
- After --with-. add --add-dynamic-module=/tmp/spnego-http-auth-nginx-module.
Now find %description and add after it:
%package module-spnego
Group: %{_group}
Requires: nginx = %{?epoch:%{epoch}:}%{main_version}-%{main_release}
Summary: nginx spnego module
%description module-spnego
Dynamic Spnego module for nginx.
Then we find %build and add:
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_auth_spnego_module.so";' \
    > %{buildroot}%{_sysconfdir}/nginx/modules/spnego-http-auth-nginx-module.conf
Lastly, find %files and add:
%files module-spnego
%{_libdir}/nginx/modules/spnego-http-auth-nginx-module.conf
%{_libdir}/nginx/modules/ngx_http_auth_spnego_module.so
Now, to start the build, enter the command:
$ rpmbuild -bb rpmbuild/SPECS/nginx.spec
To install the build, we need two RPM packages:
- nginx-1.19.3-1.el7.ngx.x86_64.rpm
- nginx-module-spnego-1.19.3-1.el7.ngx.x86_64.rpm
Both are located in the RPMS directory.
When the installation is complete, run the command:
nginx -V
Look for the option ... --add-dynamic-module=/tmp/spnego-http-auth-nginx-module ... in the output. It confirms that this is your build.
To make the modules load, edit the Nginx config:
vi /etc/nginx/nginx.conf
The following text should be added at the root level of the file:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
...
Configuring the NGINX configuration
Next we show how to sign the package and verify the signature, so that you can guarantee the authorship of the build. To create a signature, first run this command as a user with root-level access:
# yum install rpm-sign pinentry
Next, switch to the creator user we created earlier and generate the key:
$ gpg2 --gen-key
When asked for the key type, answer "4", which means that the RSA key is for signing only. Leave the default key size, but set the validity period of the key to your liking.
You can confirm the correctness of the data with the standard "y".
Now you have to enter the key data. For example, like this:
Real name: Volt
Email address: rpm@volt.com
Comment:
The correctness of the data is confirmed with the "O" key. Then enter the password twice.
Finally, open a second SSH session and enter three commands in sequence:
dd if=/dev/sda of=/dev/zero
$ gpg -K
$ vi ~/.rpmmacros
Add the following lines to this file:
%_signature gpg
%_gpg_name Volt
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
All that remains is to sign the package:
$ rpm --addsign rpmbuild/RPMS/x86_64/nginx-1.19.3-1.el7.ngx.x86_64.rpm
Confirm the action with the password.
Checking RPM package signature
To verify the signature, export the public key first:
gpg2 -a --export Volt > RPM-GPG-KEY-Volt
This produces the RPM-GPG-KEY-Volt key file, which you need to transfer to the target PC where the signature will be verified. Import the key there as the root user:
rpm --import RPM-GPG-KEY-Volt
And we check the signature:
rpm --checksig nginx-1.19.3-1.el7.ngx.x86_64.rpm
As a result, you will see a message similar to this:
nginx-1.19.3-1.el7.ngx.x86_64.rpm: digests signatures OK
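The check above can be turned into an install gate. The following is an added example, not part of the original article: it classifies one summary line of rpm --checksig output, assuming the summary format shown above. A line that reports only "digests OK" carries no verified signature, so the gate rejects it. The helper names classify_checksig and is_install_allowed are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify a summary line printed by `rpm --checksig`.
# Assumes the "<file>: digests signatures OK" format shown in the article.
# classify_checksig / is_install_allowed are hypothetical helper names.

classify_checksig() {
    line=$1
    # Drop the "<file>: " prefix so only the status words remain.
    status=${line#*: }
    case "$status" in
        *"NOT OK"*)
            # A digest or signature check failed (bad or missing key).
            echo "failed" ;;
        *signatures*OK)
            # A signature was present and verified against an imported key.
            echo "signed" ;;
        *digests*OK)
            # Integrity digests match, but no signature was checked.
            echo "unsigned" ;;
        *)
            echo "unknown" ;;
    esac
}

# Succeeds only when a signature was present and verified.
is_install_allowed() {
    [ "$(classify_checksig "$1")" = "signed" ]
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r sample; do
    printf '%-8s %s\n' "$(classify_checksig "$sample")" "$sample"
done <<'EOF'
nginx-1.19.3-1.el7.ngx.x86_64.rpm: digests signatures OK
nginx-1.19.3-1.el7.ngx.x86_64.rpm: digests OK
nginx-1.19.3-1.el7.ngx.x86_64.rpm: digests SIGNATURES NOT OK
EOF
```

On the target host, pass the output of rpm --checksig for the package to is_install_allowed and run rpm -Uvh only when it succeeds.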
We hope that our article has helped you to understand how to build an RPM package using Nginx as an example. If you encounter any difficulties, please do not hesitate to contact HostZealot. Take care!