Configuring WAPT repositories

Repository location on the WAPT Server

Operating System

Value

Debian / Ubuntu

/var/www/wapt/

Redhat and derivatives

/var/www/html/wapt/

Windows

C:\wapt\waptserver\repository

Replicating a repository WAPT Enterprise feature only

Functional overview

Hint

The method explained below is for the Enterprise version only.

The deprecated and unsupported Syncthing method may be used for the Discovery version of WAPT.

WAPT Agent replication role

Repository replication can be enabled using a WAPT Agent installed on an existing host, a dedicated appliance or a Virtual Host.

The replication role is deployed through a WAPT package that enables the Nginx web server and configures scheduling, packages types, packages sync, and much more.

This feature allows WAPT Agents to find dynamically their closest available WAPT repository from a list of rules stored on the WAPT Server.

Replication behavior

Repository replication in WAPT is handled by WAPT Agents natively.

It is based on a sync.json file which indexes every files present in these folders:

  • wapt;

  • waptwua;

  • wapt-host;

  • wads.

Enabling replication has the following effects:

  • Once enable_remote_repo is enabled on a WAPT Agent, it will sync packages locally inside the local_repo_path folder.

  • It adds the WAPT Agent in the Repositories tab as a Remote repository, enabling new actions such as Force Sync or Check files.

  • By default, only the wapt folder is synchronized, you can select which folder to sync by adding up elements in remote_repo_dirs parameters.

  • Synchronization period can be configured with local_repo_time_for_sync_start and local_repo_time_for_sync_stop parameters.

  • Bandwidth allocated to sync can be configured with local_repo_limit_bandwidth.

Every parameters of WAPT repository sync MUST be set in the [repo-sync] section of the WAPT Agent wapt-get.ini configuration file.

Flow diagram of the replication behavior of the WAPT Agent

Flow diagram of the replication behavior of the WAPT Agent

WAPT Agent configuration

To enable replication on an existing WAPT Agent (Linux / Windows), you need to set in the [repo-sync] section in the wapt-get.ini configuration file of the WAPT Agent.

Hint

If you use DNS, please remind to create a DNS entry for your WAPT agent.

WAPT Agent replication configuration

Options (Default Value)

Definition

Example

enable_remote_repo (default False)

Enables remote repository to synchronize with the main repository.

enable_remote_repo (default True)

local_repo_path (default WAPT root dir/repository)

Sets the path to the root directory of the local repository for WAPT packages.

local_repo_path = /var/www/

local_repo_time_for_sync_start (default None)

Sets synchronization start time (HH:MM / 24h format).

local_repo_time_for_sync_start = 22:30

local_repo_time_for_sync_end (default None)

Sets synchronization stop time (HH:MM / 24h format).

local_repo_time_for_sync_end = 05:30

local_repo_sync_task_period (default None)

Sets synchronization periodicity (minutes).

local_repo_sync_task_period = 25

local_repo_limit_bandwidth (default None)

Sets synchronization allowed bandwidth (Mbits/s).

local_repo_limit_bandwidth = 2

remote_repo_dirs (default wapt,waptwua)

Defines folders to synchronize.

remote_repo_dirs = wapt,waptwua,wapt-host

use_repo_rules (default False)

Enables for use repository rules.

use_repo_rules = True

sync_only_forced (default False)

Synchronizes the repository only if forced.

sync_only_forced = True

Warning

If you modify manually wapt-get.ini on the remote repository, you need to restart the WAPT service.

Note

A ready-to-use WAPT package is available in Tranquil IT public store to enable repository replication on Windows or Linux based WAPT Agents.

This way, the desktop of the welcome desk in a remote office of any organization may become a WAPT repository to distribute WAPT packages to the fleet of computers in the remote office.

This special package:

  • Installs and enables the Nginx web server on the remote repository.

  • Configures Nginx virtualhost environment.

  • Enables remote repository configuration in wapt-get.ini.

It is possible to automatically configure repositories with your own preferred values by editing this package.

Below is an example wapt-get.ini file for a WAPT Agent.

[global]
...
use_repo_rules = True

[repo-sync]
enable_remote_repo = True
local_repo_path = D:\WAPT\
local_repo_time_for_sync_start = 20:30
local_repo_time_for_sync_end = 05:30
local_repo_sync_task_period = 25
local_repo_limit_bandwidth = 4
remote_repo_dirs = wapt, waptwua, wapt-host

WAPT Server configuration

By default, the WAPT Server will know which WAPT Agents are configured as remote repositories and it will list them in the WAPT Console.

Repository rules

When a WAPT Agent has been configured as a repository, it will automatically retrieve its rules.json file from the WAPT Server.

The rules.json file is a signed .json file that contains a list of sorted rules to apply to the remote WAPT Agents, so they may connect to their most appropriate repositories.

If no rules can be matched, the WAPT Agent will fallback to the repo_url attribute defined in its wapt-get.ini configuration file.

Flow diagram for the replication behavior of the WAPT Agent

WAPT Agent

Warning

If you have configured GeoIP redirects on Nginx, you should disable it as it might conflict with repository rules.

To enable WAPT Agent repository rules, you MUST enable this setting in the [global] section of the wapt-get.ini configuration file of the WAPT Agent.

Options (Default Value)

Description

Example

use_repo_rules (default False)

For using replicating repository.

use_repo_rules = True

Below is an example wapt-get.ini file for a WAPT Agent.

[global]
...
use_repo_rules = True

Note

It is possible to enable this option when generating a WAPT Agent.

WAPT Server

On the WAPT Server, remote repositories functionality is automatically enabled.

To verify, edit waptserver.ini and read remote_repo_support value.

Options (Default Value)

Example value

Definition

remote_repo_support

True

Enables the WAPT Server to serve as a repository.

WAPT Console

Repository rules can be managed from the WAPT Console and are based on several parameters:

Available parameters for repository rules

Options

Example value

Description

Agent IP

192.168.85.0/24

Defines a repository rule based on Agent IP sub-network.

Domain

ad.mydomain.lan

Defines a repository rule based on Active Directory domain name.

Hostname

desktop-04feb1

Defines a repository rule based on the hostname of the WAPT Agent.

Public IP

256.89.299.22/32

Defines a repository rule based on the public IP address (NATed hosts).

Site

Paris-HQ

Defines a repository rule based on Active Directory Sites and Services.

Adding a repository rule

To add a new repository rule, go to the Repositories tab in the WAPT Console and click on the Add rule button.

Options for repository rules

Options

Example value

Description

Name

repo25

Defines the name for the repository rule.

Condition

AGENT IP

Defines the condition to match for the repository rule to apply (see above).

Value

192.168.25.0/24

Defines the value when the condition applies. If NOT is checked, the value applies to the reverse of the condition.

Repository URL

https://repo25.mydomain.lan

Defines the list of available remote repositories. The list includes http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/ to allow directly downloading of Windows Updates by the remote repositories to preserve WAPT Server bandwidth.

Package type

WAPT

Defines what types of packages are replicated.

Other

No fallbacks

The option No Fallback will prevent from falling back to the main WAPT Server and will avoid undesired network congestion if the remote repository becomes temporarily unavailable.

  • The option Proxy will need to be set if the remote repository is required to connect via a proxy.

Window for setting repository rules in the WAPT Console

Window for setting repository rules in the WAPT Console

You can then choose from the different above parameters and affect values to a specific secondary WAPT repository.

Warning

The rules are applied from top to bottom.

The first rule that matches the conditions overrides all the other rules placed under.

Danger

Do not forget to save the replication rules.

Multiple repositories

Similar to Debian repositories, it is possible for the WAPT Agent to use multiple repositories for updating package. The WAPT Agents will check all repositories.

Danger

If you use this functionality, KNOW WHAT YOU ARE DOING.

When using repositories with different signers, the additional signer’s public certificates MUST be added to C:\Program Files (x86)\wapt\ssl on Windows or /opt/wapt/ssl on Linux and macOS, therefore, you MUST trust their work and their signature.

You then MUST deploy the WAPT Agents with both keys.

Please refer to the documentation on creating the WAPT Agent to add certificates.

WAPT Agent configuration

This parameters are modifiable on wapt-get.ini file.

Description of available parameters

Options for defining multiple repositories

Options

Example value

Description

[global]

repositories = wapt-templates,private

Defines the repositories, for example wapt-templates and private, where their settings are set in additional [section] sections of the wapt-get.ini file.

[section]

[wapt-templates] repo_url=https://store.wapt.fr/wapt verify_cert = True

[private] repo_url=https://srvwapt.mydomain.lan/wapt verify_cert = False

Defines the properties of each repository declared in the [global] section of the wapt-get.ini file.

Options for repository properties

Options (Default Value)

Description

Example

http_proxy (default None)

Defines the HTTP proxy address.

http_proxy = http://user:pwd@host_fqdn:port

repo_url (default None)

Defines the address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

timeout (default None)

Defines the timeout when connecting to remote repositories (in miliseconds).

timeout = 5000

use_http_proxy_for_repo (default False)

Defines whether a proxy needs to be set to access the repositories.

use_http_proxy_for_repo = True

verify_cert (default None)

Defines whether HTTPS certificates of the repository needs to be verified, and if so defines the path to the certificate bundle.

verify_cert = True

Note

The WAPT Agent will look for updates in all repositories defined in its wapt-get.ini configuration file when doing a wapt-get search.

More info on using WAPT with the command line interface.

Configuring the WAPT Console for using multiple repositories

After having configured the WAPT Agent for using multiple repositories, we can make the repositories show up in the WAPT Console.

To do so, modify the %appdata%\local\waptconsole\waptconsole.ini file.

Example:

[wapt-template]
repo_url = https://wapt.tranquil.it/wapt
http_proxy =
verify_cert = True
public_certs_dir =
client_certificate =
client_private_key =
timeout = 5

[private]
repo_url = https://srvwapt.mydomain.lan/wapt
http_proxy =
verify_cert = False
public_certs_dir =
client_certificate =
client_private_key =
timeout = 5
Options for external repositories in the WAPT Console

Options (Default Value)

Description

Example

client_certificate (default None)

Defines the folder that contains the certificates used to authenticate downloaded external packages.

client_certificate = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt (on Windows)

client_private_key = None

Defines the folder that contains the private key.

client_private_key = C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.pem (on Windows)

http_proxy (default None)

Defines the HTTP proxy address.

http_proxy = http://user:pwd@srvproxy.mydomain.lan:port

public_certs_dir =

Defines the folder that contains the certificates used to authenticate downloaded external packages.

public_certs_dir = C:\private

repo_url (default None)

Defines the address of the main WAPT repository.

repo_url = https://srvwapt.mydomain.lan/wapt

timeout (default None)

Defines the timeout when connecting to remote repositories (in miliseconds).

timeout = 5000

verify_cert (default None)

Defines whether HTTPS certificates of the repository needs to be verified, and if so defines the path to the certificate bundle.

verify_cert = True