Overview

From version 4.4, Artifactory supports Opkg repositories. As a fully-fledged Opkg repository, Artifactory generates index files that are fully compliant with the Opkg client.

Artifactory support for Opkg provides:

  1. The ability to provision ipk packages from Artifactory to an Opkg client from local and remote repositories.
  2. Calculation of Metadata for ipk packages hosted in Local Repositories.
  3. Access to remote Opkg resources (such as downloads.openwrt.org) through Remote Repositories which provide the usual proxy and caching functionality.
  4. Providing GPG signatures that can be used by Opkg clients to verify packages.
  5. Complete management of GPG signatures using the Artifactory UI and the REST API.

 

 

Configuration

You can only deploy Opkg packages to a local repository that has been created with the Opkg Package Type.

You can download packages from a local or a remote Opkg repository.

Local Repositories

To create a new local repository that supports Opkg, under the Basic settings, set the Package Type to be Opkg.

Artifactory supports the common Opkg index scheme which indexes each feed location according to all ipk packages in it.

New Local Opkg Repository

Deploying a package using the UI

To deploy a Opkg package to Artifactory, in the Artifactory Repository Browser, click Deploy.

Select your Opkg repository as the Target Repository, and upload the file you want to deploy.

After you deploy the artifact, you need to wait about one minute for Artifactory to recalculate the repository index and display your upload in the Repository Browser.

Remote Repositories

You can download ipk packages from Local Opkg Repositories as described above, or from Remote Repositories specified as supporting Opkg packages.

To specify that a Remote Repository supports Opkg packages, you need to set its Package Type to Opkg when it is created.

Opkg New Remote Repository


You can either point the remote to a specific feed (location of a Packages file), i.e. http://downloads.openwrt.org/chaos_calmer/15.05/adm5120/rb1xx/packages/luci

Or you can specify some base level and point your client to the relevant feeds in it i.e. url is http://downloads.openwrt.org/chaos_calmer/15.05/ and your opkg.conf file has the entry src adm5120/rb1xx/packages/luci


Note that the index files for remote Opkg repositories are stored and renewed according to the Retrieval Cache Period setting.

Configuring the Opkg Client to Work with Artifactory

As there is no "release" of the Opkg client, to support gpg signature verification and basic HTTP authentication that are provided by Artifactory it has to be compiled with the following options:  --enable-gpg --enable-curl

For example, to compile Opkg on Ubuntu to support these you can use:

# Download opkg release (latest when this was written was 0.3.1):
wget http://downloads.yoctoproject.org/releases/opkg/opkg-0.3.1.tar.gz
tar -zxvf opkg-0.3.1.tar.gz
# Install compilation dependencies:
apt-get update && apt-get install -y gcc libtool autoconf pkg-config libarchive13 libarchive-dev libcurl3 libcurl4-gnutls-dev libssl-dev libgpgme11-dev
# Compile Opkg(compile with curl to support basic auth, and with gpg support for signature verification):
# Note: if there's no configure script in the release you downloaded you need to call ./autogen.sh first
./configure --with-static-libopkg --disable-shared --enable-gpg --enable-curl --prefix=/usr && make && sudo make install


Each Opkg feed corresponds to a path in Artifactory where you have chosen to upload ipk packages to.  This is where the Packages index is written.

For example, you can add each such feed to your opkg.conf (default location is /etc/opkg/opkg.conf)file with entries like: 

src artifactory-armv7a http://prod.mycompany:8080/artifactory/opkg-local/path/to/my/ipks/armv7a
src artifactory-i386 http://prod.mycompany:8080/artifactory/opkg-local/path/to/my/ipks/i386

Signing Opkg Package Indexes

Artifactory uses your GPG public and private keys to sign and verify Opkg package indexes.

To learn how to generate a GPG key pair and upload it to Artifactory, please refer to GPG Signing.

Once you have GPG key pair, to have Opkg verify signatures created with the private key you uploaded to Artifactory, you need to import the corresponding public key into Opkg's keychain (requires gnupg).

# Commands taken from opkg-utils package:
mkdir /etc/opkg
gpg --no-options --no-default-keyring --keyring /etc/opkg/trusted.gpg --secret-keyring /etc/opkg/secring.gpg --trustdb-name /etc/opkg/trustdb.gpg --batch --import key.pub

After the key is imported you need to add the check_signature option in your opkg.conf file by adding the following entry:

option check_signature true


Authenticated Access to Servers

If you need to access a secured Artifactory server that requires a username and password, you can specify these in your  opkg.conf file by adding the 'http_auth'  option:

option http_auth user:password

You can use your encrypted password as described in Using Your Secure Password.

REST API Support

The Artifactory REST API provides extensive support for signing keys and recalculating the repository index as follows: