
RPM & Raw Artifact Repositories

Nexus hosts RPM packages for the Executor CLI and raw binaries for standalone deployments, both served from the yum-hosted-dev and raw-hosted-dev repositories on port 443.


RPM Packages (YUM)

Repository URLs

| Operation | URL |
|---|---|
| Upload (CI push) | https://nexus.shared.cwiq.io/repository/yum-hosted-dev/ |
| Install (server-side yum) | https://nexus.shared.cwiq.io/repository/yum-group-{env}/ |

The yum-group-{env} repository combines the hosted repo with upstream mirrors. Replace {env} with the target environment: dev, demo, or production.

Primary Use: Executor CLI

The Executor CLI (orchestrator-executor) is the only CWIQ component distributed as an RPM. It runs on RHEL 9 (AlmaLinux 9) hosts and requires native OS integration for the 6-layer sandbox (cgroups, namespaces, seccomp, capabilities, filesystem, application layers).

RPM artifact path:

{repo}/orchestrator/executor/{filename}.rpm

Example: yum-hosted-dev/orchestrator/executor/orchestrator-executor-0.3.0-0.dev.el9.x86_64.rpm

Versioning

| Field | Value | Notes |
|---|---|---|
| Version source | executor/pyproject.toml | version field |
| Format | {major}.{minor}.{patch} | Semver |
| RPM release (dev builds) | 0.dev | No pipeline IID suffix |
| RPM dist | %{?dist} macro | Do NOT add .${DIST} manually — causes double suffix |
| Tag format (releases) | v{major}.{minor}.{patch} | e.g., v0.3.0 |

RPM dist macro

Do not add .${DIST} to the --define argument in rpmbuild. The %{?dist} macro in the spec file already expands to .el9. Adding it manually produces a double suffix like .el9.el9, which breaks yum install.
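A pre-upload guard for the naming rules above, as an added example that is not part of the project's pipeline: it derives the expected dev-build file name from the version and rejects a doubled dist suffix or an extra release component. The function names, the return codes, and the assumption that pyproject.toml carries a line of the form version = "x.y.z" are illustrative.

```sh
#!/bin/sh
# Added example (not the project's pipeline code): validate an executor RPM
# file name against the documented convention before uploading it.

# Assumption: pyproject.toml has a line of the form  version = "0.3.0"
# (the first such line at the start of a line is used).
pyproject_version() {
  sed -n 's/^version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Dev-build file name for a version, following the example path on this page.
expected_rpm_name() {
  printf 'orchestrator-executor-%s-0.dev.el9.x86_64.rpm\n' "$1"
}

# check_rpm_name FILE VERSION
# Returns 0 on match, 2 if VERSION is not major.minor.patch,
# 3 if the dist suffix is doubled (.el9.el9), 4 for any other mismatch.
check_rpm_name() {
  name=$(basename -- "$1")
  if ! printf '%s\n' "$2" | grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){2}$'; then
    echo "version '$2' is not {major}.{minor}.{patch}" >&2
    return 2
  fi
  case $name in
    *.el9.el9*)
      echo "double dist suffix in '$name'" >&2
      return 3 ;;
  esac
  if [ "$name" != "$(expected_rpm_name "$2")" ]; then
    echo "unexpected file name '$name'" >&2
    return 4
  fi
  return 0
}

# Constructed sample names, to show the three outcomes.
for f in dist/orchestrator-executor-0.3.0-0.dev.el9.x86_64.rpm \
         dist/orchestrator-executor-0.3.0-0.dev.el9.el9.x86_64.rpm \
         dist/orchestrator-executor-0.3.0-0.dev.17.el9.x86_64.rpm; do
  if check_rpm_name "$f" 0.3.0 2>/dev/null; then
    echo "ok      $f"
  else
    echo "reject  $f (rc=$?)"
  fi
done
```

Running the check before the upload step keeps a misnamed package out of yum-hosted-dev instead of surfacing it later as a failed yum install.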

Installing on Target Servers

Target servers are configured with a Nexus yum repository at Ansible provisioning time:

# /etc/yum.repos.d/cwiq-nexus.repo (managed by Ansible)
[cwiq-nexus]
name=CWIQ Nexus RPM Repository
baseurl=https://nexus.shared.cwiq.io/repository/yum-group-dev/
enabled=1
gpgcheck=0

With gpgcheck=0, yum does not verify package signatures for this repository. Once the repo is configured, the Executor CLI installs and upgrades through the standard package manager:

# Install
sudo yum install orchestrator-executor

# Upgrade to a specific version
sudo yum install orchestrator-executor-0.3.0

# Check installed version
rpm -q orchestrator-executor

Uploading an RPM in CI/CD

# Upload via curl (credentials from Vault)
# --fail makes curl exit non-zero on an HTTP error, so a rejected upload fails the job
curl --fail -u "${NEXUS_USER}:${NEXUS_PASSWORD}" \
  --upload-file "./dist/orchestrator-executor-${VERSION}-0.dev.el9.x86_64.rpm" \
  "https://nexus.shared.cwiq.io/repository/yum-hosted-dev/orchestrator/executor/"

The CI/CD pipeline uses the svc-executor service account (Vault path: secret/nexus/svc-executor) for RPM uploads. See Service Accounts.


Raw Artifacts

Repository URL

| Operation | URL |
|---|---|
| Upload / Download | https://nexus.shared.cwiq.io/repository/raw-hosted-dev/ |

Raw artifacts store standalone binaries that do not fit RPM packaging — compiled executables, pre-built CLI tools, or build outputs that need to be distributed without an RPM spec.

Artifact Path Convention

raw-hosted-dev/orchestrator/executor/{binary}-{version}

Example: raw-hosted-dev/orchestrator/executor/orchestrator-executor-0.3.0

Uploading a Raw Binary

# Upload a compiled binary (credentials from Vault)
# --fail: exit non-zero if Nexus answers with an HTTP error
curl --fail -u "${NEXUS_USER}:${NEXUS_PASSWORD}" \
  --upload-file ./orchestrator-executor \
  "https://nexus.shared.cwiq.io/repository/raw-hosted-dev/orchestrator/executor/orchestrator-executor-${VERSION}"

Downloading a Raw Binary

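# Download a specific version
# --fail: on an HTTP error, exit non-zero instead of saving the error body under the binary's name
curl --fail -u "${NEXUS_USER}:${NEXUS_PASSWORD}" -O \
  "https://nexus.shared.cwiq.io/repository/raw-hosted-dev/orchestrator/executor/orchestrator-executor-0.3.0"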

# Make executable
chmod +x orchestrator-executor-0.3.0

When to use raw vs RPM

Prefer RPM for anything that needs to be installed on RHEL 9 hosts in production. RPM gives you clean install/upgrade/remove semantics, dependency management, and integration with the server's package audit trail. Raw artifacts are for one-off binaries, build tools, or components that will be consumed by another build step rather than installed on a server.


CI/CD Variables for Executor Pipelines

The executor project uses a different Vault path and Nexus URL set from the main platform services:

| Variable | Value | Purpose |
|---|---|---|
| NEXUS_URL | https://nexus.shared.cwiq.io | Base URL for RPM and raw uploads |
| NEXUS_RPM_REPO | ${NEXUS_URL}/repository/yum-hosted-dev | RPM upload target |
| NEXUS_RAW_REPO | ${NEXUS_URL}/repository/raw-hosted-dev/orchestrator/executor | Raw binary upload target |

These are defined in the executor's .gitlab-ci.yml and override the defaults from .gitlab-ci-common.yml.