Raspberry Pi Education server

mark_nl · July 30, 2021, 8:02pm

It turns out the repo_gpgcheck on arm-32bit for @danb35 's repo causes a problem , and cannot figure out why…

@danb35 in time (no hurry)
Just to be sure yum does not fail because of the mess rpm/yum makes for arm-32bit can you rename the directory for arm-32bit from armv7hl to armhfp and update the repo-metadata (ie run createrepo) ?
yum/dnf uses armhfp as basearch (distinction) for arm-32bit and rpm uses the isa distinction,

on a arm-32bit system:

# rpm --eval %{arm}
armv3l armv4b armv4l armv4tl armv5tel armv5tejl armv6l armv7l armv7hl armv7hnl

 # python -c 'import yum, pprint; yb = yum.YumBase(); pprint.pprint(yb.conf.yumvar, width=1)'
Loaded plugins: fastestmirror, nethserver_events
{'basearch': 'armhfp',
 'contentdir': 'altarch',
 'infra': 'stock',
 'kvariant': 'generic',
 'nsrelease': '7.9.2009',
 'releasever': '7',
 'uuid': '57546700-92e6-4222-8e8d-6fdb5406c78e'}

danb35 · July 30, 2021, 11:04pm

Done. Seems more than a little strange that gnupg’s behavior would be inconsistent.

Shane_Treweek · July 31, 2021, 12:43am

thank you
still complains of
https://repo.familybrown.org/nethserver/7/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for danb35
but still installs

mark_nl · July 31, 2021, 6:34pm

Sorry to have bothered you with such a long shot;

repo_gpgcheck=0 and gpgcheck=1 works for me on arm32 bit it chokes on repo_gpgcheck=1 …
Do not know why…

danb35 · July 31, 2021, 6:48pm

I remember when I set up the repo, I needed to use a DSA key for the repo metadata, so that the signatures could be generated non-interactively (i.e., without me needing to enter a passphrase). I expect that’s the source of the problem.

But I’m unsure why. I don’t have a Pi running Neth or even CentOS, but I do have one running Raspbian. I downloaded repomd.xml, repomd.xml.asc, and the key itself (it’s the -2 key that signs the repo data) to the Pi, and here was the result:

dan@wxbox:~ $ gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Sat 31 Jul 2021 02:01:09 PM EDT
gpg:                using DSA key DFBEED1D430C24B7
gpg: Good signature from "DanB35 Signing Key <dan@familybrown.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A43A 121D F1DF 4219 6F66  10B3 24CF 25C9 2D55 864B
     Subkey fingerprint: 78CC 64E3 C011 2B09 0E68  75E2 DFBE ED1D 430C 24B7
dan@wxbox:~ $ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
dan@wxbox:~ $

Andy_Wismer · July 31, 2021, 6:52pm

@danb35

Raspbian would be a mite old…
It’s now officially called Raspberry OS…
(I think since Buster…)

My 2 cents
Andy

danb35 · July 31, 2021, 6:55pm

Same result with Ubuntu 20.10 on rPi:

dan@tinyca:~$ gpg --import RPM-GPG-KEY-2 
gpg: directory '/home/dan/.gnupg' created
gpg: keybox '/home/dan/.gnupg/pubring.kbx' created
gpg: /home/dan/.gnupg/trustdb.gpg: trustdb created
gpg: key 24CF25C92D55864B: public key "DanB35 Signing Key <dan@familybrown.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
dan@tinyca:~$ gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Sat Jul 31 14:01:09 2021 EDT
gpg:                using DSA key DFBEED1D430C24B7
gpg: Good signature from "DanB35 Signing Key <dan@familybrown.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A43A 121D F1DF 4219 6F66  10B3 24CF 25C9 2D55 864B
     Subkey fingerprint: 78CC 64E3 C011 2B09 0E68  75E2 DFBE ED1D 430C 24B7
dan@tinyca:~$ gpg --version
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

mark_nl · July 31, 2021, 7:21pm

I’m quite unknowable about this stuff… if you want me to check something just ask I’ll run it here on a nethserver arm install.

danb35 · July 31, 2021, 7:24pm

Try downloading the three files in question:

curl https://repo.familybrown.org/nethserver/7/repodata/repomd.xml > repomd.xml
curl https://repo.familybrown.org/nethserver/7/repodata/repomd.xml.asc > repomd.xml.asc
curl https://repo.familybrown.org/RPM-GPG-KEY-2 > RPM-GPG-KEY-2

Import the key:

gpg --import RPM-GPG-KEY-2

And then see what happens when you try to verify the signature:

gpg --verify repomd.xml.asc repomd.xml

mark_nl · July 31, 2021, 7:28pm

# gpg --import RPM-GPG-KEY-2
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2D55864B: public key "DanB35 Signing Key <dan@familybrown.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Sat 31 Jul 2021 09:01:08 PM CEST using DSA key ID 430C24B7
gpg: Good signature from "DanB35 Signing Key <dan@familybrown.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A43A 121D F1DF 4219 6F66  10B3 24CF 25C9 2D55 864B
     Subkey fingerprint: 78CC 64E3 C011 2B09 0E68  75E2 DFBE ED1D 430C 24B7

EDIT: included the output of gpg --import RPM-GPG-KEY-2

danb35 · July 31, 2021, 10:50pm

OK, so gpg on this system is able to verify this signature. I’m stumped. yum doesn’t like the metadata signature on ARM, but verifies it just fine on x86. gpg verifies it without complaint on both. Hopefully someone a bit smarter can weigh in, because I can’t imagine where the problem could be at this point.

In other news, two of the UPS boards from the link Shane posted arrived today, and I’ve already printed the cases–though I’m not planning on doing Neth on Pi, I have a couple of other Pi servers I’ll be setting up this way soon.

Shane_Treweek · July 31, 2021, 11:19pm

Using This how to I was able to setup mosquitto on my nethserverpi

mark_nl · August 8, 2021, 8:32am

14 posts were split to a new topic: Raspberry PI mini server with UPS

Shane_Treweek · August 25, 2021, 4:32am

Getting savapage running on pi with nethserver

robb · August 27, 2021, 5:20pm

I am really curious here. This amount of services seem to be rather resource intensive, exspecially considering the rpi as host.
Do you run into any resource problems anywhere with this set up?

Shane_Treweek · August 28, 2021, 1:37am

Surprisingly not although i have only have about 5 users at the moment I’m of the opinion in the end the project will need to be run on a few rpi’s in a cluster to be able to use all services smoothly.

Shane_Treweek · August 28, 2021, 1:49am

My old server i was using was a dual core 3.1ghz (i think) 8g ram with 1tb hdd and i had a lot of services running (still only for 5 users).

I was running zoneminder, ad, nextcloud, sso, zabbix, zammad, semi working glpi, media software(serviio), dhcp, and a few others I’ve forgotten, which ran fine the only issue was as the motherboard was old (2009 i think) the bios wasn’t fully compatible with the latest kernels so i ran into stability issues, on the rpi i actually haven’t had any stability or bottleneck issues that wasn’t the result of australia’s annoying nbn (my line still runs on copper phone line via vdsl i get about 90mbps down and i think around 8mbps up when everything is working).

Shane_Treweek · August 28, 2021, 2:41am

my roadmap for this project in a rough draft is

----------------Stage 1-------------------

Get the following software working in a proof of concept on rpi nethserver 32bit:

AD
SSO
DHCP
Savapage
Moodle
Email and Callander
MDM
Nextcloud
Web Proxy Filtering and Antivirus
Meshcentral and or Guacamole
LemonLDAP-NG
UPS working with builtin ups

--------------------------------------Stage 2----------------------------------------------------

still in draft

Shane_Treweek · September 2, 2021, 12:51am

Lemon-ldap-ng ✓
Automx ✓
Glpi, flyvemdm, fusion inventory
Savaprint ✓
Sogo ✓
WordPress ✓
Web filter and proxy ✓

I’m thinking of getting another raspberry pi
To install

Zammad
Guacamole
Meshcentral
Nextcloud ✓
Zabbix

Shane_Treweek · September 4, 2021, 1:50am

raspberry pi openwrt-router