RPM file structure
An RPM package file consists of four parts: Lead, Signature, Header, Payload.
Lead: the 96-byte opening block that identifies the file as an RPM package (magic bytes, format version, package type, name). Modern rpm reads little else from it.
Signature: the signature header. It holds digests and OpenPGP signatures. The older tags (MD5, GPG/PGP) cover the header plus the payload; the newer tags (RSA/DSA, SHA1/SHA256) cover the header only, and the payload is then bound through the per-file digests stored in the header.
Header: package metadata such as name, version, license, description, dependencies and the file list with each file's digest, mode and owner. It also carries a number of special tags, for example the PREIN tag holds the pre-install script that rpm runs before installing the files (POSTIN, PREUN and POSTUN hold the others); these scriptlets run as root during installation and removal.
Payload: the files that are actually installed, stored as a compressed cpio archive.
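A small parser for the layout just described, added here as an example (it is not code from the original page or from the rpm project). It walks the 96-byte lead, the signature header, the 8-byte alignment padding, the main header and the payload offset, and checks the MD5 tag of the signature header against header plus payload. The sample package bytes are constructed inside build_sample_rpm(); the tag numbers, type codes and field layout are those of the rpm file format.

```python
"""Parse an RPM file's lead and header index and check the payload digest.

Added example, not from the original page. Layout per the rpm file format:
96-byte lead, signature header, padding to an 8-byte boundary, main header,
then the compressed cpio payload. Every header starts with the 8-byte magic
8e ad e8 01 00 00 00 00, then entry count and data-store size (big-endian
uint32 each), then 16-byte index entries of (tag, type, offset, count).
"""
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
LEAD_SIZE = 96
RPMTAG_NAME = 1000
# Signature-header tags: SIZE/MD5/GPG cover header+payload, the others the header only.
SIGTAG_NAMES = {1000: "SIZE", 1004: "MD5", 1005: "GPG",
                267: "DSA", 268: "RSA", 269: "SHA1", 273: "SHA256"}
T_INT32, T_STRING, T_BIN = 4, 6, 7


def parse_lead(data):
    """Return the lead fields, or raise ValueError if the file is not an RPM."""
    if len(data) < LEAD_SIZE or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    major, minor, ptype, archnum, name, osnum, sigtype = struct.unpack(
        ">BBhh66shh", data[4:80])            # 16 reserved bytes follow
    return {"version": (major, minor), "type": "source" if ptype == 1 else "binary",
            "archnum": archnum, "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "osnum": osnum, "signature_type": sigtype}


def parse_header(data, offset):
    """Parse one header at `offset`; return (entries, store_bytes, end_offset)."""
    if data[offset:offset + 8] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", data[offset + 8:offset + 16])
    store_start = offset + 16 + 16 * nindex
    end = store_start + hsize
    if end > len(data):
        raise ValueError("truncated header at offset %d" % offset)
    entries = []
    for i in range(nindex):
        pos = offset + 16 + 16 * i
        tag, typ, off, count = struct.unpack(">iiii", data[pos:pos + 16])
        if off < 0 or off > hsize:           # every entry must point into the store
            raise ValueError("index entry %d points outside the data store" % i)
        entries.append((tag, typ, off, count))
    return entries, data[store_start:end], end


def parse_rpm(data):
    """Split an RPM into lead, signature header, main header and payload."""
    lead = parse_lead(data)
    sig_entries, sig_store, end = parse_header(data, LEAD_SIZE)
    hdr_start = end + (8 - end % 8) % 8      # signature header is padded to 8 bytes
    hdr_entries, _, payload_start = parse_header(data, hdr_start)
    return {"lead": lead,
            "signature": {SIGTAG_NAMES.get(t, t): (typ, off, cnt)
                          for t, typ, off, cnt in sig_entries},
            "sig_store": sig_store,
            "header_tags": [t for t, _, _, _ in hdr_entries],
            "header_and_payload": data[hdr_start:],
            "payload_offset": payload_start}


def check_md5(parsed):
    """Compare the signature header's MD5 with header+payload (None if absent).
    A match only shows the file is uncorrupted; the OpenPGP tags tie it to a key."""
    if "MD5" not in parsed["signature"]:
        return None
    _, off, cnt = parsed["signature"]["MD5"]
    return parsed["sig_store"][off:off + cnt] == hashlib.md5(parsed["header_and_payload"]).digest()


def _header(entries):
    """Build a header from [(tag, type, data_bytes)], packing the store in order."""
    index, store = b"", b""
    for tag, typ, blob in entries:
        count = len(blob) if typ == T_BIN else 1
        index += struct.pack(">iiii", tag, typ, len(store), count)
        store += blob
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(store)) + index + store


def build_sample_rpm():
    """Constructed sample: NAME in the main header, SIZE and MD5 in the signature."""
    lead = LEAD_MAGIC + struct.pack(">BBhh66shh", 3, 0, 0, 1, b"demo-1.0-1", 1, 5) + b"\0" * 16
    payload = b"\x1f\x8b" + b"\0" * 30       # stands in for the gzip'd cpio archive
    body = _header([(RPMTAG_NAME, T_STRING, b"demo\0")]) + payload
    sig = _header([(1000, T_INT32, struct.pack(">I", len(body))),
                   (1004, T_BIN, hashlib.md5(body).digest())])
    return lead + sig + b"\0" * ((8 - len(sig) % 8) % 8) + body


def tamper(data):
    """Flip the last payload byte: what a package modified after signing looks like."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])
```

Calling parse_rpm(build_sample_rpm()) yields the lead name demo-1.0-1, the SIZE and MD5 signature tags, and a payload offset of 205; check_md5 returns True for the sample and False after tamper(). The same parser works on a real package read from disk, where the main header is much larger and the signature normally also carries RSA or DSA entries.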
RPM commands
Installation and upgrade
General steps of an installation
When rpm installs a package it goes through these steps:
1. Check the package and the files it wants to install (digests and signature, dependencies, file conflicts).
2. Run the pre-installation scriptlet.
3. Uncompress the files and place them in their proper locations.
4. Run the post-installation scriptlet.
5. Update the RPM database.
The RPM database files live under /var/lib/rpm/.
Fresh install
rpm -ivh package.rpm
rpm -ivh ftp://hostname/path/to/file/filename.rpm
rpm -ivh ftp://unclejoe:workers@www-126.ibm.com/pub/jikes/jikes-1.16-1.src.rpm
In the last form the part before @ is the user name and password (user unclejoe, password workers). Credentials passed this way end up in the shell history and are visible in the process list to every local user, and FTP sends them in clear text; downloading the file first (over HTTPS where possible) and installing from disk avoids both problems.
Upgrade
rpm -Uvh package.rpm    upgrades the package if it is installed, installs it if it is not
rpm -Fvh package.rpm    "freshen": upgrades only packages that are already installed
During an upgrade rpm compares, for each configuration file, three digests: the one recorded for the file in the old package (old package file), the one of the file currently on disk (current file) and the one of the file in the new package (new package file). Old rpm releases used MD5 for this; current releases record SHA-256 file digests.
If old package file and new package file have the same digest but current file differs, the file did not change between the two versions and the administrator edited it (typically a configuration file); rpm keeps current file, preserving the administrator's changes, and does not overwrite it with the copy from the new package.
If old package file and new package file differ, the copy from the new package wins regardless of the current file; if the current file also differs from the old package file (that is, the administrator changed it), rpm first backs up the current file as <file>.rpmsave. Files marked %config(noreplace) in the spec are handled the other way round: the edited current file stays in place and the new version is written beside it as <file>.rpmnew. This three-way comparison applies only to files flagged %config; ordinary files are always replaced by the new package's copy.
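The decision just described, written out as an added example (not code from the original page or from rpm itself). rpm takes the old digest from its database and the new one from the package header; here all three digests are computed over constructed file contents, and the %config(noreplace) variant is included.

```python
"""Decide the fate of a %config file during an rpm upgrade.

Added example, not from the original page. Reproduces the three-way digest
comparison: O = digest recorded for the old package's file, C = digest of the
file on disk now, N = digest of the file in the new package. rpm reads O from
its database and N from the new header (MD5 in old releases, SHA-256 today);
the file contents used below are constructed.
"""
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


def config_file_fate(old_pkg, current, new_pkg, noreplace=False):
    """Return what rpm does with one %config file, as a short label.

    install_new                the file was never edited locally (C == O): overwrite,
                               whether or not the new version differs
    keep_current               edited locally, but unchanged between versions (O == N),
                               or the disk copy already equals the new one (C == N)
    install_new_save_rpmsave   changed upstream and locally: new file wins, the old
                               copy is renamed <file>.rpmsave  (%config)
    keep_current_write_rpmnew  same situation for %config(noreplace): the local copy
                               stays, the new version lands as <file>.rpmnew
    """
    O, C, N = digest(old_pkg), digest(current), digest(new_pkg)
    if C == O:                      # never edited locally: safe to replace
        return "install_new"
    if O == N or C == N:            # admin's edits survive; nothing new to bring in
        return "keep_current"
    return "keep_current_write_rpmnew" if noreplace else "install_new_save_rpmsave"


# Constructed contents of /etc/example.conf across an upgrade.
OLD = b"listen=127.0.0.1\nloglevel=info\n"
NEW = b"listen=127.0.0.1\nloglevel=info\ntls=required\n"
EDITED = b"listen=0.0.0.0\nloglevel=debug\n"


def demo():
    """Run the decision over the usual upgrade situations."""
    return {
        "untouched_same_file":  config_file_fate(OLD, OLD, OLD),
        "edited_same_file":     config_file_fate(OLD, EDITED, OLD),
        "untouched_new_file":   config_file_fate(OLD, OLD, NEW),
        "edited_new_file":      config_file_fate(OLD, EDITED, NEW),
        "edited_new_noreplace": config_file_fate(OLD, EDITED, NEW, noreplace=True),
        "already_has_new_file": config_file_fate(OLD, NEW, NEW),
    }
```

After an upgrade it is worth listing the .rpmsave and .rpmnew files left behind (find /etc -name '*.rpmsave' -o -name '*.rpmnew'), since an .rpmnew that is never merged silently keeps the old, possibly weaker, configuration in force.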
Uninstall
rpm -e aspell-en-ca-0.33.7.1-16 aspell-en-gb-0.33.7.1-16
Options that can be used when removing packages:
--test        dry run: report what would happen without removing anything
--allmatches  when several installed packages match the name given, remove all of them (without it rpm refuses and lists the matches)
--nodeps      ignore dependency problems (packages that still require the removed one are left broken)
--repackage   save the package's files under /var/spool/repackage before removing it (note: the saved package is not a complete RPM and cannot be used to reinstall; the option existed only in old rpm releases and was dropped in rpm 4.6)
To list the files in an RPM package file:
rpm -qpl bash-3.2-147.4.1.7407.1.PTF.8762.x86_.rpm
or
rpm2cpio xcopilot-0.6.6-3.i386.rpm | cpio -t
Extracting files from an RPM package
rpm2cpio xcopilot-0.6.6-3.i386.rpm | cpio -ivd ./usr/doc/xcopilot-0.6.6/README
This creates the subdirectory ./usr/doc/xcopilot-0.6.6/ and the file README under the current directory. Neither rpm2cpio nor cpio runs any scriptlet, which makes this the safe way to inspect an untrusted package; look at its %pre/%post scripts with rpm -qp --scripts package.rpm before installing it.
Test the installation without changing anything:
rpm -ivh --test package.rpm
Custom installation directory
The package must be relocatable.
rpm -Uvh --prefix /new/directory package.rpm
or
rpm -Uvh --relocate /old/directory=/new/directory package.rpm
Note the difference between the two. --prefix changes the default path prefix the files are installed under; the default prefix is shown in the Relocations field of rpm -qpi package.rpm (the original notes illustrate this with a screenshot).
--prefix replaces that default prefix with the given directory.
--relocate replaces one chosen segment of the install paths with a new directory; the segment may be the default prefix or any other part of the path. For example:
rpm -ivh --prefix /opt bash-debuginfo-3.0-27.el4.4.x86_.rpm
rpm -ivh --relocate /usr=/opt bash-debuginfo-3.0-27.el4.4.x86_.rpm
Both give the same result: the /usr part of the original paths is replaced by /opt, so the package lands under /opt. Also note that --relocate only rewrites the paths of files marked relocatable, so not every file can be moved; to force every file's path to be rewritten, add --badreloc:
rpm -ivh --badreloc --relocate /old/directory=/new/directory package.rpm
Installing into an alternative root
rpm -U --root /tmp --dbpath /var/lib/rpm jikes-1.16-1.i386.rpm
--dbpath gives the location of the RPM database relative to the new root (here /tmp/var/lib/rpm). Dependencies are resolved against that database, not the host's, so the packages providing the standard C library (and libstdc++) must already be installed into the new root, otherwise rpm reports:
error: Failed dependencies:
	ld-linux.so.2 is needed by jikes-1.16-1
	libc.so.6 is needed by jikes-1.16-1
	libm.so.6 is needed by jikes-1.16-1
	libstdc++-libc6.2-2.so.3 is needed by jikes-1.16-1
	libc.so.6(GLIBC_2.0) is needed by jikes-1.16-1
	libc.so.6(GLIBC_2.1) is needed by jikes-1.16-1
	libc.so.6(GLIBC_2.1.3) is needed by jikes-1.16-1
Other useful options
Option          Usage
--replacepkgs   reinstall a package that is already installed
--replacefiles  install even when a file conflicts (the file to be installed already exists and belongs to another package); the other package's file is replaced
--repackage     save the package's files under /var/spool/repackage before removal (the saved package is not a complete RPM and cannot be reinstalled; dropped in rpm 4.6)
--rcfile        specify the file(s) used to initialize the rpm system; by default the chain ends with .rpmrc in the user's home directory. "rc" is short for "run commands": an rc file is a file of commands that run when the application starts up
--oldpackage    allow the "upgrade" to install an older version (a downgrade)
--force         same as --replacepkgs, --replacefiles and --oldpackage together
--nodeps        ignore dependency problems and install anyway
--nosignature   do not verify the package signature before installing (--nodigest likewise skips the digest check); never use these on packages from an untrusted source
--aid           let rpm add the packages needed to resolve dependencies. The --aid option depends on a separate package that contains an RPM database with all packages installed. For Red Hat Linux, this package is rpmdb-redhat. This separate database, built as if all packages were installed (all packages that come with Red Hat Linux in this case), allows the rpm command to search for which packages would solve dependencies. Current rpm releases no longer have --aid; yum/dnf do this job now
--nopre         skip pre-installation scripts
--nopost        skip post-installation scripts
--nopreun       skip pre-uninstallation scripts
--nopostun      skip post-uninstallation scripts
--noscripts     skip all the scripts; same as --nopre, --nopost, --nopreun and --nopostun
Queries
Which packages depend on bash
rpm -q --whatrequires bash
Which package owns the file /bin/grep
rpm -qf /bin/grep
rpm -qf `which grep`
rpm -qf $(which grep)
Show package information
rpm -qi bash              installed package, by name
rpm -qpi package.rpm      package file not yet installed (-p means "package file")
Package group information
The Group line of the rpm -qi output above shows which group a package belongs to, for example (shown in a screenshot in the original notes):
The group can then be queried:
rpm -qg "System Environment/Base"
List the files of a package
rpm -ql bash
or, with permissions, owner and size
rpm -qlv bash
List a package's configuration files
rpm -qc package_name
List a package's documentation files
rpm -qd package_name
Query file states
rpm -qs package_name
Table 5-2 RPM file states
State          Meaning
normal         the file has been installed
not installed  the file from the package is not installed (for example excluded with --excludedocs)
replaced       the file has been replaced (by a file from another package)
RPM database
The RPM database files live under /var/lib/rpm/ (Berkeley DB files such as Packages in older releases, rpmdb.sqlite from rpm 4.16 on). It is the reference that rpm -V compares installed files against, so a corrupted or tampered database makes verification meaningless; rpm --rebuilddb rebuilds the index files from the package data.
Verification and signatures
Verifying an installed package
rpm -V (or --verify) checks a package's installed files, and its dependencies, against what the RPM database recorded at install time.
Normally there is no output, which means everything is fine. When a file differs rpm prints one line per file, for example
# rpm -V bash
S.5....T. /bin/bash
The flags S, 5 and T in this output stand for Size, MD5 (the file digest) and Time (the modification date): the size, digest and mtime of /bin/bash no longer match what was recorded at installation. For a binary like /bin/bash that is a strong sign of tampering or of a replacement made outside rpm; for a configuration file (rpm marks those with a c before the path) it usually just means the administrator edited it.
Meaning of the rpm verify output codes
Table 5-8 RPM verify output codes
Code  Meaning
S     file size differs
M     file mode differs (permissions and file type)
5     the MD5 (in newer rpm the SHA-256) digest differs
D     the major and minor version numbers differ on a device file
L     a mismatch occurs in a link (symbolic link target)
U     the file ownership differs
G     the file group owner differs
T     the file time (mtime) differs
P     capabilities differ (ninth column, newer rpm only)
A dot (.) means the test passed; a question mark (?) means the test could not be performed, for example on an unreadable file.
Options controlling verification
Table 5-9 Controlling the verification
Option         Usage
--nodeps       don't verify dependencies
--nodigest     don't verify the package or header digests
--nofiles      don't verify the file attributes
--noscripts    don't run the package's verification script (%verifyscript)
--nosignature  don't verify the package or header signatures
--nolinkto     don't verify the link file attribute
--nomd5        don't verify the MD5 digest file attribute (--nofiledigest in newer rpm)
--nosize       don't verify the file size attribute
--nouser       don't verify the file owner attribute
--nogroup      don't verify the file group owner attribute
--nomtime      don't verify the file mtime attribute
--nomode       don't verify the file mode attribute
--nordev       don't verify the file rdev attribute
-a             verify all installed packages
-g group       verify all packages in the given group
-p file        verify against the given RPM package file rather than against the database
Checking the integrity of the whole system
rpm -Va
Do not add --nofiles here: it skips the file checks and leaves only the dependency and scriptlet tests. Verifying against the database only detects changes made outside rpm, and an attacker with root can edit the database as well, so for forensic work verify against freshly downloaded, signature-checked package files instead: rpm -Vp package.rpm.
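A triage helper for rpm -Va output, added here as an example (not code from the original page or from rpm). It parses the line format shown above, turns the attribute flags into names and rates each finding: content changes on non-config files rank highest, permission and ownership drift next, config-file edits and mtime-only changes lowest. The sample output is constructed.

```python
"""Triage `rpm -V` / `rpm -Va` output for signs of tampering.

Added example, not from the original page. rpm prints an attribute field of
8 (old releases) or 9 codes, optionally a file-type letter (c config, d doc,
g ghost, l license, r readme), then the path; 'missing' when the file is gone.
The SAMPLE output below is constructed.
"""
import re

CODES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
KINDS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/\S.*)$")
ORDER = ["expected", "low", "medium", "high"]


def rate(changed, kind, missing):
    """Severity of one finding: content changes outside config files rank highest."""
    if missing:
        return "low" if kind == "doc" else "medium"
    if kind == "config":
        return "expected"                 # admin edits; diff against .rpmsave/.rpmnew instead
    if changed & {"digest", "size", "link"}:
        return "high"                     # binary, library or symlink target replaced
    if changed & {"mode", "user", "group", "capabilities", "device"}:
        return "medium"                   # permission/ownership drift, e.g. setuid creep
    return "low"                          # mtime only, or a test that could not run


def parse_verify_output(text):
    """Turn rpm -V output into a list of findings, skipping unrelated lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = MISSING_RE.match(line)
        if m:
            kind = KINDS.get(m.group("kind"))
            findings.append({"path": m.group("path"), "kind": kind, "changed": set(),
                             "missing": True, "severity": rate(set(), kind, True)})
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # e.g. "Unsatisfied dependencies for ..." lines
        changed = {CODES[c] for c in m.group("flags") if c in CODES}
        kind = KINDS.get(m.group("kind"))
        findings.append({"path": m.group("path"), "kind": kind, "changed": changed,
                         "missing": False, "severity": rate(changed, kind, False)})
    return findings


def suspicious(findings, at_least="high"):
    """Return findings at or above the given severity, worst first."""
    floor = ORDER.index(at_least)
    return sorted((f for f in findings if ORDER.index(f["severity"]) >= floor),
                  key=lambda f: -ORDER.index(f["severity"]))


# Constructed rpm -Va output; the paths are illustrative.
SAMPLE = """\
S.5....T.  c /etc/bashrc
S.5....T.    /bin/bash
.M.......    /usr/bin/sudo
....L....    /usr/lib/libexample.so.1
.......T.    /usr/share/doc/bash/README
missing   d /usr/share/doc/bash/NEWS
missing     /usr/lib/bash/loadables.so
"""
```

Feed it the saved output of rpm -Va (for example rpm -Va 2>/dev/null > verify.txt on the suspect host, then parse_verify_output(open("verify.txt").read()) elsewhere); the high findings are the files to compare against a clean copy of the package with rpm -Vp or rpm2cpio.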
Reference: http://www.linux178.com/linux/6.html
rpm --import <public key>
imports the public key published by the package builder; then
rpm -K <package>    (or rpm --checksig <package>)
checks the digests and the signature. OK in the output means the package is intact and was signed by a key present in the rpm keyring. (The --nodigest flag sometimes given here skips the digest checks and is better left out.) Imported keys are stored as pseudo-packages and can be listed with rpm -q gpg-pubkey. Be aware that rpm -K on an unsigned package also reports OK, since its digests are fine; the line must mention the signature ("signatures", or gpg/pgp/rsa/dsa on older releases), and the key must be one obtained out of band, for the check to mean anything.
Signing an RPM package
The builder generates an OpenPGP key pair, points the %_gpg_name macro at it and runs rpmsign --addsign package.rpm (rpm --addsign on older releases); the signature is stored in the package's signature header. Only the public key has to be distributed.
Verifying the digital signature of an RPM package
The user imports that public key with rpm --import and checks each package with rpm -K, as above.
Question: could one instead simply publish the package's hash (fingerprint) and the hash algorithm on the web site, and let the user recompute the hash after downloading and compare it with the published value? A match would show the package is intact and from the right source, with one cryptographic step fewer and simpler operation. Would that not be better?
Answer: a published hash does detect corruption and it is simpler. But it only proves origin if the hash reaches the user over a channel the attacker cannot touch: whoever can replace the package on a mirror can usually replace the hash published next to it as well, after which the check passes on a modified package. So the publisher needs a public, stable and trustworthy publication channel, which is hard for an ordinary publisher to provide, and a new hash has to be published for every package built. With signatures the publisher distributes one public key once (ideally through an independent channel, as Red Hat does at the URL below) and every package is then verified against that key; the signature also covers the package header, so metadata and scriptlets cannot be altered either. That is clearly the more practical scheme.
https://access.redhat.com/security/team/key/
Common RPM verification errors:
If verifying the signature fails, an error message such as the following is displayed:
error: V3 DSA signature: BAD, key ID 0352860f
If it is a new, header-only, signature, an error message such as the following is displayed:
error: Header V3 DSA signature: BAD, key ID 0352860f
If you do not have the appropriate key installed to verify the signature, the message contains the word NOKEY, such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
BAD means the package was altered after it was signed, or was signed with a key other than the one claimed: do not install it. NOKEY means rpm could not check the signature at all; import the publisher's key and verify again rather than proceeding, because rpm -i still installs a NOKEY package and only prints the warning.
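A gate on rpm -K output, added here as an example (not code from the original page or from rpm). It classifies the result lines and the BAD/NOKEY messages shown above and refuses packages that are unsigned or signed by a key rpm does not have, which a plain grep for OK would accept. The sample output is constructed: it mixes the line shape of current rpm (digests signatures OK) with that of older releases; the package names are made up and the key ID is the one from the messages above.

```python
"""Gate installation on `rpm -K` (rpm --checksig) output.

Added example, not from the original page. rpm prints OK for an unsigned
package too (its digests are fine), so a signature check must look for the
signature words on the line. Verdicts, worst first: bad, nokey, not_ok,
ok_unsigned, ok_signed. The SAMPLE output is constructed.
"""
import re

RESULT_RE = re.compile(r"^(?P<pkg>[^:\s]+): (?P<rest>.+)$")
MESSAGE_RE = re.compile(r"^(?:warning|error): (?:(?P<pkg>[^:\s]+): )?(?P<msg>.*)$")
SIGNED_RE = re.compile(r"\b(signatures|rsa|dsa|pgp|gpg)\b", re.I)
ORDER = ["bad", "nokey", "not_ok", "ok_unsigned", "ok_signed"]


def classify_line(line):
    """Return (package, verdict) for one line, or None for unrelated output."""
    m = MESSAGE_RE.match(line)
    if m:                                  # BAD / NOKEY messages, with or without a package name
        msg = m.group("msg")
        status = "bad" if "BAD" in msg else "nokey" if "NOKEY" in msg else None
        return (m.group("pkg") or "?", status) if status else None
    m = RESULT_RE.match(line)
    if not m:
        return None
    pkg, rest = m.group("pkg"), m.group("rest")
    if "NOT OK" in rest:                   # e.g. "digests SIGNATURES NOT OK", "... (MISSING KEYS: ...)"
        return pkg, "nokey" if "MISSING KEYS" in rest else "not_ok"
    if rest.endswith("OK"):
        return pkg, "ok_signed" if SIGNED_RE.search(rest) else "ok_unsigned"
    return None


def verdicts_by_package(output):
    """Aggregate all lines; each package keeps the worst verdict reported for it."""
    verdicts = {}
    for line in output.splitlines():
        hit = classify_line(line.strip())
        if hit is None:
            continue
        pkg, verdict = hit
        if pkg not in verdicts or ORDER.index(verdict) < ORDER.index(verdicts[pkg]):
            verdicts[pkg] = verdict
    return verdicts


def may_install(output, require_signature=True):
    """True only if every package verified OK with a signature from a known key."""
    verdicts = verdicts_by_package(output)
    accepted = {"ok_signed"} if require_signature else {"ok_signed", "ok_unsigned"}
    return bool(verdicts) and all(v in accepted for v in verdicts.values())


# Constructed rpm -K output in the shapes of current and older releases.
SAMPLE = """\
app-1.0-1.x86_64.rpm: digests signatures OK
tool-2.3-1.noarch.rpm: digests OK
evil-1.0-1.noarch.rpm: digests SIGNATURES NOT OK
warning: evil-1.0-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 0352860f
jikes-1.16-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
old-2.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0352860f)
"""
```

In a deployment script this replaces the habit of grepping for OK: run rpm -K on the downloaded files, pass the combined output to may_install(), and only then call rpm -U. Newer rpm can enforce the same policy itself through the %_pkgverify_level macro (set to signature), which makes rpm refuse unsigned or NOKEY packages outright.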
Tips
About rc files
The --rcfile option tells the rpm command to use one or more other files to initialize the RPM system. These files tell the rpm command the system architecture, operating system, and default location of the RPM database, among a host of other settings.
The term rc comes from Unix shells, with initialization files such as .cshrc for the C shell, csh. The term rc was originally a shorthand for "run commands". An rc is a file of commands that run when the application starts up. For example, the C shell, csh, runs the commands in a file named .cshrc when the shell starts.
In most cases, the application looks in the user home directory for a specific file tied to the application. For the rpm command, this file is .rpmrc. The leading period makes the file hidden for most directory listings.
In addition to the user-level file of commands, most applications supporting this mechanism have a way for site administrators to customize the command for all users. For example, your system may have a file named /etc/rpmrc (with no leading period) that customizes the rpm command for all users on your system. See Chapter 20, Customizing RPM Behavior, for a more in-depth look at the chain of these files.
The syntax for the --rcfile option is
--rcfile filename
You can also supply more than one file name. This syntax follows:
--rcfile filename1:filename2:filename3
Separate each file name with a colon.
With Red Hat Linux, the default set of initialization files is:
/usr/lib/rpm/rpmrc:/usr/lib/rpm/redhat/rpmrc:/etc/rpmrc:~/.rpmrc
On current rpm releases most settings live in macro files instead (/usr/lib/rpm/macros, /etc/rpm/macros.*, ~/.rpmmacros), and rpm --showrc prints the effective configuration. Because these files control where the database lives and how strictly packages are verified (the %_pkgverify_level macro), a writable ~/.rpmmacros, or an --rcfile supplied by an untrusted party, can silently disable signature checking for every rpm invocation that follows.