Configuring WAPT repositories

Repository location on server

Operating System

Value

Debian / Ubuntu

/var/www/wapt/

Centos / RedHat

/var/www/html/wapt/

Windows

C:\wapt\waptserver\repository

Replicating a repository WAPT Enterprise feature only

Functional overview

Hint

The method explained below is for the Enterprise version only.

The deprecated and unsupported Syncthing method may be used for the Discovery versions of WAPT.

WAPT agent replication role

Repository replication can be enabled using a WAPT agent installed on an existing machine, a dedicated appliance or a Virtual Machine.

The replication role is deployed through a WAPT package that enables the Nginx web server and configures scheduling, packages types, packages sync, and much more.

This feature allows WAPT agents to find dynamically their closest available WAPT repository from a list of rules stored on the WAPT server.

Replication behavior

Repository replication in WAPT is handled by WAPT agents natively.

It is based on a sync.json file which indexes every files present in these folders:

  • wapt;

  • waptwua;

  • wapt-host.

Enabling replication has the following effects:

  • Once enable_remote_repo is enabled on a WAPT agent, it will sync packages locally inside the local_repo_path folder.

  • It adds the WAPT agent in the Repositories tab as a Remote repository, enabling new actions such as Force Sync or Check files.

  • By default, only the wapt folder is synchronized, you can select which folder to sync by adding up elements in remote_repo_dirs parameters.

  • Synchronization period can be configured with local_repo_time_for_sync_start and local_repo_time_for_sync_stop parameters.

  • Bandwidth allocated to sync can be configured with local_repo_limit_bandwidth.

Every parameters of WAPT repository sync must be set in the [repo-sync] section of the WAPT agent’s wapt-get.ini configuration file.

WAPT agent replication behavior

WAPT Agent configuration

To enable replication on an existing WAPT Agent (Linux / Windows) you need to set in the [repo-sync] section in the wapt-get.ini configuration file.

WAPT Agent replication configuration

Options / Default value

Example

Definition

enable_remote_repo = False

Enables remote repository to synchronize with the main repository.

enable_remote_repo = True

local_repo_path = WAPT root dir/repository

Sets the path to the root directory of the local repository for WAPT packages.

local_repo_path = /var/www/

local_repo_time_for_sync_start = None

Sets synchronization start time (HH:MM / 24h format)

local_repo_time_for_sync_start = 22:30

local_repo_time_for_sync_end = None

Sets synchronization stop time (HH:MM / 24h format)

local_repo_time_for_sync_end = 05:30

local_repo_sync_task_period = None

Sets synchronization periodicity (minutes)

local_repo_sync_task_period = 25

local_repo_limit_bandwidth = None

Sets synchronization allowed bandwidth (Mbits/s)

local_repo_limit_bandwidth = 2

remote_repo_dirs = wapt,waptwua

Defines folders to synchronize

remote_repo_dirs = wapt,waptwua,wapt-host

use_repo_rules = False

Enable for use repository rules

use_repo_rules = True

Warning

If you modify manually wapt-get.ini on the remote repository, you need to restart the waptservice.

Note

A ready-to-use WAPT package is available in Tranquil IT public store to enable repository replication on Windows or Linux based WAPT agents.

This special package:

  • Installs and enables the Nginx web server on the remote repository.

  • Configures Nginx virtualhost environment.

  • Enables remote repository configuration in wapt-get.ini.

It is possible to automatically configure repositories with your own preferred values by editing this package.

Below is an example of wapt-get.ini.

[global]
...
use_repo_rules = True

[repo-sync]
enable_remote_repo = True
local_repo_path = D:\WAPT\
local_repo_time_for_sync_start = 20:30
local_repo_time_for_sync_end = 05:30
local_repo_sync_task_period = 25
local_repo_limit_bandwidth = 4
remote_repo_dirs = wapt,waptwua,wapt-host

WAPT Server configuration

By default, the WAPT server will know which WAPT agents are configured as remote repositories and it will list them in the WAPT console.

Repository rules

When a WAPT agent has been configured as a repository, it will automatically retrieve its rules.json file from the WAPT server.

The rules.json file is a signed .json file that contains a list of sorted rules to apply to the remote WAPT agents, so they may connect to their most appropriate repositories.

If no rules can be matched, the WAPT agent will fallback to the repo_url setting of the WAPT server defined in the wapt-get.ini configuration file.

WAPT agent replication behavior

WAPT agent

Warning

If you have configured GeoIP redirects on Nginx, you should disable it as it might conflict with repository rules.

To enable WAPT Agent repository rules, you must enable this setting in the [global] section of the wapt-get.ini configuration file of the WAPT agent.

Options / Default value

Description

Example

use_repo_rules = 0

For using replicating repository.

use_repo_rules = True

Below is an example of wapt-get.ini.

[global]
...
use_repo_rules = True

Note

It is possible to enable this option when generating a WAPT agent.

WAPT Server

On the WAPT Server, remote repositories functionality are automatically enabled.

For control, edit waptserver.ini and read remote_repo_support value.

Options / Default value

Example value

Definition

remote_repo_support

True

Enables repository usage

WAPT Console

Repository rules can be managed from the WAPT console and are based on several parameters:

Available parameters for repository rules

Options

Example value

Description

Agent IP

192.168.85.0/24

Rule based on Agent IP sub-network.

Domain

ad.mydomain.lan

Rule based on Active Directory domain name.

Hostname

desktop-04feb1

Rule based on the hostname of the WAPT agent.

Public IP

256.89.299.22/32

Rule based on the public IP address (NATed hosts).

Site

Paris-HQ

Rule based on Active Directory Sites and Services.

Adding a rule

In Repositories, click on the Add rule button. The following window appears.

Creating a new repository rule

Creating a new repository rule

Detail of values

Options

Example value

Description

Name

repo25

Defines the name for the rule.

Condition

AGENT IP

Defines the condition to match for the rule to apply (see above).

Value

192.168.25.0/24

Defines the value when the condition applies. If NOT checked, the value applies to the reverse of the condition.

Repository URL

https://repo25.domain.lan

Defines the list of available remote repositories. The list includes http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/ to allow directly downloading of Windows Updates by the remote repositories to preserve bandwidth.

Package type

WAPT

Defines what types of packages are replicated.

Other

No fallbacks

See below

  • The option No Fallback will prevent from falling back to the main WAPT server and will avoid undesired network congestion if the remote repository becomes temporarily unavailable.

  • The option Proxy will need to be set if the remote repository is required to connect via a proxy.

Using proxy on rule

You can then choose from the different above parameters and affect values to a specific secondary WAPT repository.

Warning

The rules are applied from top to bottom. The first rule that matches the conditions overrides all the other rules placed under.

Danger

Do not forget to save your replication rules.

Saving the configuration

Multiple repositories

Similar to Debian repositories, it is possible for the WAPT agent to use multiple repositories for updating package. The WAPT agents will check all repositories.

Danger

If you use this functionality, KNOW WHAT YOU ARE DOING.

When using repositories with different signers, the additional signer’s public certificates must be added to C:\Program Files (x86)\wapt\ssl on Windows or /opt/wapt/ssl on Linux and MacOS, therefore, you MUST trust their work and their signature.

You then must deploy WAPT agent with both keys.

Please refer to the documentation on creating the WAPT agent to add more trusted certificates.

WAPT Agent configuration

This parameters are modifiable on wapt-get.ini file.

Description of available parameters

  • [global]

    repositories parameter:

    The parameter repositories allows to set several options for package repositories, for example wapt-templates and private, where their settings are set in additional [section] of the file.

repositories=wapt-templates,private
  • [section]

    settings of secondary repositories

[wapt-templates]
repo_url=https://store.wapt.fr/wapt
verify_cert = 1

[private]
repo_url=https://srvwapt.mydomain.lan/wapt
verify_cert = 0

With that configuration, WAPT clients will now see packages from the main repository and from the secondary repository.

Description of available parameters

Description of available options for using multiple repositories

Options / Default value

Description

Example

http_proxy = None

Defines the HTTP proxy address.

http_proxy = http://user:pwd@host_fqdn:port

repo_url = None

Defines the address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

timeout = None

Defines the timeout when connecting to remote repositories. Value in miliseconds.

timeout = 5000

use_http_proxy_for_repo = False

Defines whether a proxy needs to be set to access the repositories.

use_http_proxy_for_repo = 1

verify_cert = None

Defines whether HTTPS certificates of the repository needs to be verified, and if so defines the path to the certificate bundle.

verify_cert = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt (on Windows)

Note

The WAPT agents will look for updates on all repositories.

wapt-get search

More info on using WAPT with the command line interface.

Hint

Accessible packages from the all defined repositories will also be visible using the web interface http://127.0.0.1:8088 on WAPT equipped devices.

WAPT Console configuration

After having configured the WAPT agent for using multiple repositories, we can make the repositories show up in the WAPT console.

To do so, modify the %appdata%\local\waptconsole\waptconsole.ini file.

Example:

[wapt-template]
repo_url=https://wapt.tranquil.it/wapt
http_proxy=
verify_cert=1
public_certs_dir=
client_certificate=
client_private_key=
timeout=5

[private]
repo_url=https://srvwapt.mydomain.lan/wapt
http_proxy=
verify_cert=0
public_certs_dir=
client_certificate=
client_private_key=
timeout=5
Description of available options for external repositories

Options / Default value

Description

Example

client_certificate = None

Defines the folder that contains the certificates used to authenticate downloaded external packages.

client_certificate = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt (on Windows)

client_private_key = None

Defines the folder that contains the private key.

client_private_key = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.pem (on Windows)

http_proxy = None

Defines the address of the proxy to use to access the external repository referenced in the [section].

http_proxy = http://proxy.mydomain.lan:8080

public_certs_dir =

Defines the folder that contains the certificates used to authenticate downloaded external packages.

public_certs_dir = C:\private

repo_url = None

Defines the address of the external WAPT repository.

repo_url = http://srvwapt.mydomain.lan/wapt

timeout = None

Defines the timeout for the external repository referenced in the [section]. If left empty, the connection will not timeout.

timeout = 2

verify_cert = None

For verifying HTTPS certificates.

verify_cert = 1