Molior can be installed on a Debian distribution (buster/bullseye) from APT sources, or a VM can be installed via ISO installers. Molior and aptly can also run as containers via docker-compose.
Molior build nodes are using sbuild for building which cannot run in a container (i.e. docker, lxd) and need to run in a VM or on bare metal.
- Prerequisites
- Installation via APT sources
- ISO Installers / VMs
- Installation on docker
- Configuration
Debian installation (VM, bare metal, docker) for:
- molior server machine
- aptly server machine (might be on the same installation as molior server)
Debian installation (VM, bare metal) for:
- one or more build nodes (amd64 or arm64)
- Add the molior apt source:
cat >/etc/apt/sources.list.d/molior.list <<EOF
deb [arch=amd64,arm64] http://molior.info/1.4/buster stable main
EOF
- Add repository key
wget -q -O- http://molior.info/archive-keyring.asc | apt-key add -
- Update APT sources
apt update
apt install molior-server molior-web
apt install aptly
On your build machines (amd64 or arm64), install molior-client-http:
apt install molior-client-http
In your working environment (Debian/Ubuntu) configure the molior APT sources, and install:
apt install molior-tools
This will provide tools like:
- create-release
- molior-deploy
Molior is available as ISO installer for test and development purposes.
Install molior/aptly server and build node on VMs or bare metal and follow the Configuration chapter below.
User and Password for these installers are: admin/molior-dev (please change password after first login)
For development on molior or aptly, the following VM can be used:
Download molior and aptly server as VirtualBox Appliance:
Download amd64 build node installer:
Download EFI installer for amd64 or arm64:
- http://molior.info/installers/molior_1.4_1.4.1_efi-installer-node-amd64-UNATTENDED.iso
- http://molior.info/installers/molior_1.4_1.4.1_efi-installer-node-arm64-UNATTENDED.iso
Note: these are unattended installers, overwriting the disk without asking when booted
Molior server and aptly can be run in docker containers according to the following docker-compose example:
Set the following variables:
- DEBSIGN_NAME
- DEBSIGN_EMAIL
- REPOSIGN_NAME
- REPOSIGN_EMAIL
- MOLIOR_ADMIN_PASSWD
- APTLY_USER
- APTLY_PASS
and run docker-compose up. Molior Web is exposed on port 8000.
- Login to the molior server via SSH
- Change password:
passwd
- Create SSH and GPG Keys Molior uses 2 GPG key pairs, one for signing the source package (molior user) and one for signing the Debian repositories (aptly user). These keys cannot easily be changed once Molior has created and signed mirrors and packages. If desired, create custom gpg key pairs according to what the scripts below perform, or use the provided scripts directly for testing purposes. These scripts also create SSH keys used by molior for accessing the git repositories and the build nodes.
sudo create-molior-keys "Molior Debsign" debsign@molior.info
sudo create-aptly-keys "Molior Reposign" reposign@molior.info
sudo create-aptly-passwd molior molior-dev
sudo service nginx reload
- Edit /etc/molior/molior.yml and configure:
- hostname: the fqdn of the server or its IP address
- debsign_gpg_email: the email provided to create-molior-keys above
- admin/pass: set a new password
- aptly/apt_url: URL of molior repository server
- aptly/api_url: URL of aptly server
- aptly API user and passwd
- aptly/gpg_key: the email provided to create-aptly-keys above
- Remember the SSH public key of the molior user:
sudo -u molior cat ~molior/.ssh/id_rsa.pub
This key needs to be added to the ~molior/.ssh/authorized_keys on the build nodes (see below), and the git repositories need to grant read access to this key.
$ ssh admin@molior-node
admin@molior-node:~$ sudo su molior
$ cd
$ mkdir .ssh
$ chmod 700 .ssh
$ cat >.ssh/authorized_keys << EOF
[ paste SSH ub key above ]
EOF
If you run aptly on a separate machine, you might want to configure it:
- Login on a build node via SSH
- Change the password
- Change password:
passwd
- Configure your timezone if needed:
sudo dpkg-reconfigure tzdata
- Login on a build node via SSH
- Change password:
passwd
- Configure your timezone if needed:
sudo dpkg-reconfigure tzdata
- Copy the molior SSH public key from the molior server to the molior user on each build machine
sudo -u molior mkdir ~molior/.ssh
sudo chmod 700 ~molior/.ssh
sudo -u molior sh -c "cat >~molior/.ssh/authorized_keys" <<EOF
(paste the SSH public key of the molior user from the molior server)
EOF
- Edit /etc/default/molior-client and set the MOLIOR_SERVER (i.e. hostname of the molior server).
- Restart the client service on the build node:
sudo service molior-client-http restart
- Export source signing public key to the build nodes The build nodes need the public key which molior uses to sign the source packages. The build process will verify the signature of source packages.
From the molior server, execute the following for each build machine IP in order to add the gpg public key for source package verification (replace NODE_IPS, separated by blank):
DEBSIGN_KEY=debsign@molior.info
for molior_node in NODE_IPS
do
sudo -u molior gpg --armor --export $DEBSIGN_KEY | sudo -u molior ssh -o StrictHostKeyChecking=no $molior_node "gpg --import --no-default-keyring --keyring=trustedkeys.gpg"
done