1.环境:
系统版本:CentOS Linux release 7.6.1810 (AltArch)、CentOS Linux release 7.6.1810 (Core)
系统架构(内核版本):4.14.0-115.el7a.0.1.aarch64、3.10.0-957.el7.x86_64
软件版本:openssh-8.7p1.tar.gz、openssh-8.9p1.tar.gz、x11-ssh-askpass-1.2.4.1.tar.gz、openssl-1.1.1q.tar.gz
2.ARM架构rpmbuild制作openssh的rpm包
注意:ARM架构的yum源暂时未能通过阿里云镜像、网易镜像配置成功,因此下面CentOS-Base.repo中的baseurl使用的是mirrors.ustc.edu.cn的centos-altarch镜像
更新yum源:
1.清除缓存
yum clean all
2.备份
mv /etc/yum.repos.d /etc/yum.repos.d.bak
3.创建新的yum.repos.d目录
mkdir /etc/yum.repos.d
4.在/etc/yum.repos.d目录下面创建以下三个文件,如下所示
cd /etc/yum.repos.d
touch CentOS-Base.repo
touch ceph.repo
touch epel.repo
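5.编辑CentOS-Base.repo、ceph.repo、epel.repo源文件(下面的baseurl都是http地址,软件包的完整性只靠gpgcheck=1和gpgkey来保证,不要把gpgcheck改成0;ceph.repo中没有gpgkey行,使用前需要先用rpm --import导入Ceph的发布公钥,否则签名校验无法通过)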
vi /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-7 - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.ustc.edu.cn/centos-altarch/7/os/$basearch/
#baseurl=http://mirrors.aliyun.com/centos/7/os/$basearch/
gpgcheck=1
enabled=1
#gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-AltArch-Arm32
#released updates
[updates]
#name=CentOS-7 - Updates - mirrors.aliyun.com
#failovermethod=priority
#baseurl=http://mirrors.aliyun.com/centos/7/updates/$basearch/
#gpgcheck=1
#gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Updates
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirrors.ustc.edu.cn/centos-altarch/$releasever/updates/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-AltArch-Arm32
#additional packages that may be useful
[extras]
#name=CentOS-7 - Extras - mirrors.aliyun.com
#failovermethod=priority
#baseurl=http://mirrors.aliyun.com/centos/7/extras/$basearch/
#gpgcheck=1
#gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
name=CentOS-$releasever - Extras
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirrors.ustc.edu.cn/centos-altarch/$releasever/extras/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-AltArch-Arm32
[centosplus]
#name=CentOS-7 - Plus - mirrors.aliyun.com
#failovermethod=priority
#baseurl=http://mirrors.aliyun.com/centos/7/centosplus/$basearch/
#gpgcheck=1
#enabled=0
#gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Plus
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirrors.ustc.edu.cn/centos-altarch/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-AltArch-Arm32
#contrib - packages by Centos Users
#[contrib]
#name=CentOS-7 - Contrib - mirrors.aliyun.com
#failovermethod=priority
#baseurl=http://mirrors.aliyun.com/centos/7/contrib/$basearch/
#gpgcheck=1
#enabled=0
#gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
vi /etc/yum.repos.d/ceph.repo
[ceph]
name=ceph
baseurl=http://mirrors.163.com/ceph/rpm-jewel/el7/aarch64/
gpgcheck=1
[ceph-noarch]
name=cephnoarch
baseurl=http://mirrors.163.com/ceph/rpm-jewel/el7/noarch/
gpgcheck=1
vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/7/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
6.建立缓存
yum makecache
安装基础依赖包和rpmbuild依赖包:
yum install rpm-build gcc gcc-c++ glibc glibc-devel openssl openssl-devel \
prce pcre-devel zlib zlib-devel perl perl-devel make imake wget xmkmf \
initscripts krb5-devel pam-devel krb5-devel libX11-devel libXt-devel gtk2-devel autoconf libtool unzip gdb
yum install rpm-build rpmdevtools tree -y #安装rpmbuild和依赖
创建rpmbuild目录
rpmdev-setuptree #创建rpmbuild目录
tree /root/rpmbuild #查看创建的rpmbuild目录
下载openssh-8.7p1.tar.gz、openssh-8.9p1.tar.gz、x11-ssh-askpass-1.2.4.1.tar.gz的源码包,并将源码包放到/root/rpmbuild/SOURCES目录下
这里有两种方法下载openssh-8.7p1.tar.gz、openssh-8.9p1.tar.gz、x11-ssh-askpass-1.2.4.1.tar.gz的源码包:
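第一种是在线下载,直接通过wget --no-check-certificate -c命令去下载(--no-check-certificate会跳过TLS证书校验,下载的内容在传输途中被替换也不会报错;建议先更新系统的ca-certificates后去掉该参数,并在编译前用官方发布的签名文件(.asc)核对源码包)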
第二种是去openssh官网下载,然后将openssh-8.7p1.tar.gz、openssh-8.9p1.tar.gz的源码包上传或拷贝到/root/rpmbuild/SOURCES目录下
openssh官网:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.9p1.tar.gz
x11-ssh-askpass-1.2.4.1.tar.gz下载:
注意这里以openssh-8.9p1.tar.gz为例:
cd /root/rpmbuild/SOURCES #进到该目录下
#使用wget命令在线下载openssh-8.9p1.tar.gz源码包
wget --no-check-certificate -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.9p1.tar.gz
#使用wget命令在线下载x11-ssh-askpass-1.2.4.1.tar.gz源码包
wget --no-check-certificate -c https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
制作openssh.spec文件
一般这个openssh.spec文件会在openssh源码包里面,将openssh源码包里的openssh.spec文件拷贝到/root/rpmbuild/SPECS/目录下
tar -zxvf openssh-8.9p1.tar.gz #解压openssh-8.9p1源码包
#将openssh-8.9p1源码包中的openssh.spec文件拷贝到/root/rpmbuild/SPECS/目录下
cp openssh-8.9p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS
制作openssh的rpm包
cd /root/rpmbuild/SPECS #进入到该目录下,检查openssh.spec文件是否拷贝过来
#编辑openssh.spec文件(如果制作多个版本,可以先将openssh.spec重命名(如openssh8.9.spec)用来区分;重命名后,下面sed命令和rpmbuild命令中的spec文件名要与之保持一致)
vi /root/rpmbuild/SPECS/openssh8.9.spec
#注释掉BuildRequires: openssl-devel
sed -i -e "s/BuildRequires: openssl-devel < 1.1/# BuildRequires: openssl-devel < 1.1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
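#在openssh8.9.spec文件中的%post server处添加以下内容(注意:PermitRootLogin yes允许root用密码直接登录,UsePAM no会停用PAM的账户和会话检查;这些设置会在每次安装该rpm包时写入sshd_config,如果不需要root密码登录,可保留prohibit-password并改用密钥登录)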
cp -r /etc/ssh /etc/ssh.bak
cp -r /usr/bin/ssh /usr/bin/ssh.bak
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
sed -i -e "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
systemctl restart sshd
#在openssh8.9.spec文件中添加openssl的安装路径
--with-openssl-includes=/usr/local/openssl/include \
--with-ssl-dir=/usr/local/openssl \
#开始编译openssh.spec文件
rpmbuild -ba /root/rpmbuild/SPECS/openssh8.9.spec
制作完成后,生成的rpm包在目录/root/rpmbuild/RPMS/aarch64
cd /root/rpmbuild/RPMS/aarch64
注意:升级openssh只需要三个包:openssh-8.9p1-1.el7.aarch64.rpm、openssh-clients-8.9p1-1.el7.aarch64.rpm、openssh-server-8.9p1-1.el7.aarch64.rpm
安装升级测试
注意!!!:一定要先安装完openssl再安装openssh,顺序不能错。否则,如果先安装的openssh,再安装openssl,ssh -V时,openssl显示的还是原来的版本,openssl version显示的却是正确版本
这里展示openssh的升级安装步骤,在此安装前请先安装openssl;卸载和重装openssh-server期间请保留一个已登录的会话或带外控制台,以免安装失败后无法再通过ssh登录
#卸载openssh
rpm -e openssh --nodeps
rpm -e openssh-clients --nodeps
rpm -e openssh-server --nodeps
#检查openssh是否已经卸载
rpm -qa|grep openssh
ssh -V
#安装openssh
cd /root/rpmbuild/RPMS/aarch64
rpm -ivh openssh-8.9p1-1.el7.aarch64.rpm openssh-clients-8.9p1-1.el7.aarch64.rpm openssh-server-8.9p1-1.el7.aarch64.rpm --nodeps
#安装完成后,检查是否已经安装
rpm -qa|grep openssh
ssh -V
3.ARM架构rpmbuild制作openssl的rpm包
下载openssl-1.1.1q.tar.gz的源码包,并将源码包放到/root/rpmbuild/SOURCES目录下
这里有两种方法下载openssl-1.1.1q.tar.gz的源码包:
第一种是在线下载,直接通过wget --no-check-certificate -c命令去下载(--no-check-certificate会跳过TLS证书校验;建议修复系统CA证书后去掉该参数,并用openssl官网同目录下提供的.sha256或.asc文件核对源码包后再编译)
第二种是去openssl官网下载,然后将openssl-1.1.1q.tar.gz的源码包上传或拷贝到/root/rpmbuild/SOURCES目录下
openssl官网下载:https://www.openssl.org/source/openssl-1.1.1q.tar.gz
cd /root/rpmbuild/SOURCES #进到该目录下
#使用wget命令在线下载openssl-1.1.1q.tar.gz源码包
wget --no-check-certificate -c https://www.openssl.org/source/openssl-1.1.1q.tar.gz
制作openssl.spec文件
由于openssl官方给的源码包中,没有openssl.spec文件,所以需要手动编写
cd /root/rpmbuild/SPECS #进入到该目录下
touch openssl.spec #新建openssl.spec文件
vi /root/rpmbuild/SPECS/openssl.spec #编辑openssl.spec文件,添加以下内容
# RPM spec that builds OpenSSL 1.1.1q under /usr/local/openssl and exposes the
# binary and shared libraries through symlinks in /usr/bin and /usr/lib64.
Summary: OpenSSL 1.1.1q for CentOS
Name: openssl
# Version falls back to 1.1.1q unless a version macro is already defined.
Version: %{?version}%{!?version:1.1.1q}
Release: 1%{?dist}
# NOTE(review): the package obsoletes and provides its own name; confirm this is intended.
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
# NOTE(review): OpenSSL 1.1.1 is released under the OpenSSL and SSLeay licenses,
# not GPLv2+; confirm and correct this tag.
License: GPLv2+
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# Install prefix used by the configure step and by the symlink targets below.
%global openssldir /usr/local/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 1.1.1q on CentOS
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1q on CentOS (development package)
%prep
%setup -q
%build
# The install prefix and the OpenSSL configuration directory are set to the same path.
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make
%install
# Never wipe the build root when it resolves to the filesystem root.
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
# Package symlinks in the system bin and lib directories that point into the prefix.
# NOTE(review): these targets use lib64 while the post scriptlet links from lib;
# confirm which directory the build actually populates, otherwise one set of links dangles.
ln -sf %{openssldir}/lib64/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib64/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
# NOTE(review): the devel subpackage lists the same binary and library paths as
# the main package; confirm the duplication is intended.
%files devel
%{openssldir}/include/*
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
%post
# Copy the existing openssl binary and directories to .bak names, then point the
# /usr/lib64 library links at the new build and refresh the linker cache.
# NOTE(review): this scriptlet runs after the package files are on disk, so
# /usr/bin/openssl may already be the new symlink when it is copied; verify the
# backup captures the old binary. The cp sources may also be absent on the host.
cp -r /usr/bin/openssl /usr/bin/openssl.bak
cp -r /usr/lib64/openssl/ /usr/lib64/openssl.bak
cp -r /usr/lib64/openssl.so /usr/lib64/openssl.so.bak
ln -sf /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/
ln -sf /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/
/sbin/ldconfig
# The linker cache is refreshed again after the package is removed.
%postun -p /sbin/ldconfig
openssl.spec文件注意两个地方
1、安装路径
2、 路径备份和lib库文件软链接到/usr/lib64路径下
vi /root/rpmbuild/SPECS/openssl.spec
%post
cp -r /usr/bin/openssl /usr/bin/openssl.bak
cp -r /usr/lib64/openssl/ /usr/lib64/openssl.bak
cp -r /usr/lib64/openssl.so /usr/lib64/openssl.so.bak
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/
/sbin/ldconfig
制作openssl的rpm包
cd /root/rpmbuild/SPECS #进入到该目录下
rpmbuild -ba openssl.spec #开始编译openssl.spec文件
制作完成后,生成的rpm包在目录/root/rpmbuild/RPMS/aarch64
cd /root/rpmbuild/RPMS/aarch64 #进入到该目录下,检查openssl的rpm包是否生成
安装升级测试
注意!!!:一定要先升级openssl,再升级openssh。升级完成后,ssh -V检查版本,此时openssl的版本显示为现在升级后的版本
#查看已经安装的openssl版本
rpm -qa | grep openssl
openssl version
#卸载openssl,注意切记不要删除openssl-libs
rpm -e openssl --nodeps
#检查openssl是否已经卸载
openssl version
#安装openssl
cd /root/rpmbuild/RPMS/aarch64
rpm -ivh openssl-1.1.1q-1.el7.aarch64.rpm --nodeps
#升级完成后,检查openssl的版本
openssl version
ssh -V #使用该命令检查openssl版本是否显示为已安装的版本
rpm -qa|grep openssl
4.X86_64架构rpmbuild制作openssh和openssl的rpm包
openssh.spec文件跟openssl.spec文件同ARM架构一样,不需要改动
openssh-8.7p1.tar.gz、openssh-8.9p1.tar.gz、x11-ssh-askpass-1.2.4.1.tar.gz、openssl-1.1.1q.tar.gz同ARM架构一样,使用wget在线下载,或者从官网下载后上传或拷贝到/root/rpmbuild/SOURCES目录下(此步骤同ARM架构一样)
制作X86_64架构的openssh和openssl的rpm包
cd /root/rpmbuild/SPECS
rpmbuild -ba openssl.spec
#如有多个版本openssh,可将openssh.spec文件重命名为该版本的openssh.spec如openssh8.7.spec
rpmbuild -ba openssh8.7.spec
rpmbuild -ba openssh8.9.spec
rpmbuild -ba openssl.spec
制作完成后,生成的rpm包在目录/root/rpmbuild/RPMS/x86_64
安装步骤同ARM架构一样,先安装openssl再安装openssh
安装openssl
#查看已经安装的openssl版本
rpm -qa | grep openssl
openssl version
#卸载openssl,注意切记不要删除openssl-libs
rpm -e openssl --nodeps
#检查openssl是否已经卸载
openssl version
#安装openssl
cd /root/rpmbuild/RPMS/x86_64
rpm -ivh openssl-1.1.1q-1.el7.x86_64.rpm --nodeps
#升级完成后,检查openssl的版本
openssl version
ssh -V #使用该命令检查openssl版本是否显示为已安装的版本
rpm -qa|grep openssl
安装openssh
#卸载openssh
rpm -e openssh --nodeps
rpm -e openssh-clients --nodeps
rpm -e openssh-server --nodeps
#检查openssh是否已经卸载
rpm -qa|grep openssh
ssh -V
#安装openssh
cd /root/rpmbuild/RPMS/x86_64
rpm -ivh openssh-8.9p1-1.el7.x86_64.rpm openssh-clients-8.9p1-1.el7.x86_64.rpm openssh-server-8.9p1-1.el7.x86_64.rpm --nodeps
#安装完成后,检查是否已经安装
rpm -qa|grep openssh
ssh -V
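5.关闭selinux(此步骤会去掉selinux对sshd等服务的强制访问控制;如果只是为了排查升级后sshd无法启动或无法登录的问题,可以先用setenforce 0切换到Permissive模式并查看/var/log/audit/audit.log,确认原因后再决定是否永久关闭)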
setenforce 0 #临时关闭selinux
#找到SELINUX=enforcing,按i进入编辑模式,将参数修改为SELINUX=disabled即可(永久关闭)
vi /etc/selinux/config
SELINUX=disabled
或
sed -i -e "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
#查看selinux状态:执行setenforce 0之后显示Permissive;修改/etc/selinux/config并重启系统后才会显示Disabled
getenforce