Awasu » Using Nexus to proxy for RPM-based package managers
Using Nexus to proxy for RPM-based package managers
Tuesday 9th August 2022 10:53 AM

Nexus can also proxy for RPM repositories, that are typically accessed using yum. I use Fedora, which uses dnf[1]Which is a fork of yum. which, while not officially supported by Nexus, should work.

To configure Nexus to proxy for the Fedora package repo's, first create a new blob store for its artifacts[2]This step is optional, if you want to store the cached artifacts in their own sub-directory..

The tricky thing about proxying Fedora's packages is that there are two repositories, one for releases that are still supported, and one for those that have been EOL'ed. So, if you have a mix of newer and (cough) EOL'ed installations, it would be nice if Nexus could automatically figure out which repo to use.

We do this by creating two repo's in Nexus, one for each online Fedora repo, and then a group repository that wraps the two. Clients are configured to download from the group repo, which then figures out which real repo it should use.

First, create a new repository, of type yum (proxy).

To configure the repo:

  • Give the repo a name (e.g. fedora-current-proxy).
  • Set the URL for the remote repository to be https://dl.fedoraproject.org/pub/fedora/linux/.
  • If you want to make downloaded artifacts immutable, set the Maximum component age to -1.
  • Configure the blob store you want to keep downloaded artifacts in.
  • Disable[3]Fedora stores repo metadata in .zck files (a compressed file format), that Nexus doesn't appear to recognize. Strict Content Type Validation.

Then create a second yum (proxy) repo in exactly the same way, except call it e.g. fedora-archive-proxy, and set its remote repository URL to http://archives.fedoraproject.org/pub/archive/fedora/linux/.

Finally, create a third repository of type yum (group), and add the first two repo's as members.

Client configuration

On the client computer, we need to tell dnf that it should download packages from our instance of Nexus, instead of the usual Fedora servers.

In Fedora 36, the format of the gpgkey changed
to RPM-GPG-KEY-fedora-$releasever-primary.

Create a file called /etc/yum.repos.d/nexus3-proxy.repo that looks like this:

[nexus3-proxy-everything]
name=Nexus 3 Proxy - Everything (Fedora $releasever)
baseurl=http://nexus3:8081/repository/fedora-proxy/releases/$releasever/Everything/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$releasever-fedora
repo_gpgcheck=0
priority=1

[nexus3-proxy-everything-updates]
name=Nexus 3 Proxy - Everything Updates (Fedora $releasever)
baseurl=http://nexus3:8081/repository/fedora-proxy/updates/$releasever/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$releasever-fedora
repo_gpgcheck=0
priority=1

The reason for disabling GPG checks is given here.

From Fedora 28, new repo's were made available for modular packages, so if you want to proxy these as well, add the following to the file: 

[nexus3-proxy-modular]
name=Nexus 3 Proxy - Modular (Fedora $releasever)
baseurl=http://nexus3:8081/repository/fedora-proxy/releases/$releasever/Modular/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$releasever-fedora
repo_gpgcheck=0
priority=1

[nexus3-proxy-modular-updates]
name=Nexus 3 Proxy - Modular Updates (Fedora $releasever)
baseurl=http://nexus3:8081/repository/fedora-proxy/updates/$releasever/Modular/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$releasever-fedora
repo_gpgcheck=0
priority=1

If we now install a package, we can see it appear in the Nexus admin console, where it will be available the next time it is requested.

Note that the screenshot is of the fedora-proxy group repo, which provides a virtualized view of the two real repo's. At the time of writing, Fedora 35 is in-support while Fedora 30 is out-of-support, and after having installed the glances package on both releases, they both appear in the combined group repo.

Finally, the definitions above override[4]Because they have a higher priority. the standard ones in the following files:

  • fedora.repo
  • fedora-updates.repo
  • fedora-modular.repo
  • fedora-modular-updates.repo

but because these files are still there, the update process will break if there is no internet access (because dnf will be trying to update them). And even if you're online, doing this is a bit of a waste of time because anything in them will always be overridden by our Nexus proxy. So, assuming you don't want any of the debug or source stuff defined in them, you can disable these repo's by renaming the files to have a different extension[5]So that you can restore them, if there's a problem..

References

References
1 Which is a fork of yum.
2 This step is optional, if you want to store the cached artifacts in their own sub-directory.
3 Fedora stores repo metadata in .zck files (a compressed file format), that Nexus doesn't appear to recognize.
4 Because they have a higher priority.
5 So that you can restore them, if there's a problem.
Have your say