Hi, I find myself in a complicated situation and would like to ask the oracle (choke!) for help. I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
Kind Regards, Markus Falb
Hi, I find myself in a complicated situation and would like to ask the oracle (choke!) for help. I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
Kind Regards, Markus Falb
I think your best bet would be either
1) take a host you're more comfortable with having http access to the world, change it to run squid, perhaps putting limit rules in squid to only allow http requests to download.centos.org (or whatever), then point your more secured host to this machine as your proxy server.
2) find a likewise host that you can allow pretty much any outbound http traffic on that also has a pretty good amount of disk space free and usable, then use it to pull in a local mirror of the cent archives, and override DNS results with local /etc/hosts rules for dns results.
or just live dangerously and pick one host that you're pretty sure will be up and override the DNS rotor with your own local dns configs / /etc/hosts entries... but that's kinda riding dirty. I probably shouldn't even suggest it.
but I'm far from being an oracle. not even a sybase.
On 15.1.2013 22:10, zGreenfelder wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
Kind Regards, Markus Falb
I think your best bet would be either
1) take a host you're more comfortable with having http access to the world, change it to run squid, perhaps putting limit rules in squid to only allow http requests to download.centos.org (or whatever), then point your more secured host to this machine as your proxy server.
2) find a likewise host that you can allow pretty much any outbound http traffic on that also has a pretty good amount of disk space free and usable, then use it to pull in a local mirror of the cent archives, and override DNS results with local /etc/hosts rules for dns results.
If I understood what you said I would rephrase it with fewer words like
1) set up a proxy and filter the host: header
2) do a local mirror
Thanks
in line editing.
If I understood what you said I would rephrase it with fewer words like
1) set up a proxy [and filter the host: header (if you feel the need to)]
2) do a local mirror
3) bypass DNS and just use a particular mirror host (some better suggestions proposed for putting the IP in the repo files); this should probably be your least desirable path
Thanks
but yes, that's what seems (at least to me) to be the most reasonable ways to fix this problem.
Markus Falb wrote:
Hi, I find myself in a complicated situation and would like to ask the oracle (choke!) for help. I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
On 1/15/2013 1:18 PM, Nicolas Thierry-Mieg wrote:
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
or build your own in-house mirror, and aim the BaseURL at it instead. I use a script like this...
$ cat lftp.sh
#!/bin/sh
# pull the centos tree from mirrors.kernel.org into /export/mirror, resuming where it left off
/usr/bin/lftp -c 'open ftp://mirrors.kernel.org && lcd /export/mirror && mirror --continue --verbose=1 -x ia64 -x s390 -x s390x -x alpha -x SRPMS centos'
(I'm pulling down all supported versions but not for itanic or alpha or s390 or source RPMs)
/export/mirror in turn is used as an apache vhost (as well as a nfs export), so my baseurl is http://mirror.myinternal.domain.com/centos/$releasever/cr/$basearch/
I cron that job once a week to update my mirror. I also use this mirror directly for nfs netinstalls.
On 15.1.2013 22:53, John R Pierce wrote:
On 1/15/2013 1:18 PM, Nicolas Thierry-Mieg wrote:
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
or build your own in-house mirror, and aim the BaseURL at it instead.
Yes, that sounds reliable although it takes a lot of disk space.
On 1/15/2013 2:07 PM, Markus Falb wrote:
Yes, that sounds reliable although it takes a lot of disk space.
disk is cheap. anyways, it's peanuts.
$ du -hs centos/{5.8,6.3}
43G centos/5.8
66G centos/6.3
unless you rent your storage from {netapps,emc}, that's nothing. it doesn't have to be high performance, bulk nearline grade stuff is fine for this.
On 15.1.2013 22:18, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
you mean per ip
mirror.centos.org has address 91.215.65.226
baseurl=http://91.215.65.226/centos/$releasever/cr/$basearch/
avoiding dns. yes, it would be possible, but how reliable is it?
I realise that the name based mirrorlist has the same problem with ip addresses going stale eventually.
The problem is that the firewall is acting on ip addresses but the mirrorlist is spitting out names. So what I did recently is periodically resolve the ips and update the firewall rules with the new ip list, hoping that not all of them are stale until the next reload of the firewall.
Hmm.
Markus Falb wrote:
On 15.1.2013 22:18, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
you mean per ip
mirror.centos.org has address 91.215.65.226
baseurl=http://91.215.65.226/centos/$releasever/cr/$basearch/
avoiding dns. yes, it would be possible, but how reliable is it?
no, I meant choose a good one from the list: http://www.centos.org/modules/tinycontent/index.php?id=31
for example myself I could pick http://mirrors.ircam.fr/pub/CentOS/
then put that name (not IP) in your baseurl: baseurl=http://mirrors.ircam.fr/pub/Centos/$releasever/cr/$basearch/
and comment out mirrorlist= since you don't use it anymore.
Similar to what you're saying but no need to avoid DNS, and the choice of mirror is important.
It's reliable if the mirror you use is reliable. Not as much as mirrorlist, but some mirrors are quite solid. I've used this approach for some machines for many years without having to change my mirror. Just make sure you pick a good one.
Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
On 15.1.2013 22:18, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
you mean per ip
mirror.centos.org has address 91.215.65.226
baseurl=http://91.215.65.226/centos/$releasever/cr/$basearch/
avoiding dns. yes, it would be possible, but how reliable is it?
no, I meant choose a good one from the list: http://www.centos.org/modules/tinycontent/index.php?id=31
for example myself I could pick http://mirrors.ircam.fr/pub/CentOS/
then put that name (not IP) in your baseurl: baseurl=http://mirrors.ircam.fr/pub/Centos/$releasever/cr/$basearch/
and comment out mirrorlist= since you don't use it anymore.
Similar to what you're saying but no need to avoid DNS, and the choice of mirror is important.
It's reliable if the mirror you use is reliable. Not as much as mirrorlist, but some mirrors are quite solid. I've used this approach for some machines for many years without having to change my mirror. Just make sure you pick a good one.
I agree you will need to run a cron job to check that the IP of your mirror hasn't changed, and if it did update the firewall rule, although that won't happen often.
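Markus's periodic re-resolve-and-reload approach and the cron check Nicolas mentions, as an added example (not code from anyone in the thread): it takes several lookups because a round-robin or GeoIP name hands back a different subset each time, and swaps the result into an ipset so the live allow-list is never empty mid-update, keeping the previous set if DNS returns nothing. The ipset name, the iptables rule and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from anyone in the thread: re-resolve the mirror name
# and swap the addresses into an ipset that an OUTPUT rule matches on.
# Assumed one-time setup (names are assumptions, adjust to your rules):
#   ipset create yum-mirrors hash:ip
#   iptables -I OUTPUT -p tcp --dport 80 -m set --match-set yum-mirrors dst -j ACCEPT
MIRROR_HOST="${MIRROR_HOST:-mirror.centos.org}"   # host from your baseurl
IPSET_NAME="${IPSET_NAME:-yum-mirrors}"           # set referenced by the rule

# Pull IPv4 addresses out of `host` output ("name has address a.b.c.d").
# Reads stdin so the parsing can be exercised without DNS; deduplicates.
parse_host_output() {
    awk '/ has address /{print $NF}' | sort -u
}

# A round-robin / GeoIP name may answer with a different subset each time,
# so query several times and merge the answers.
resolve_mirror() {
    i=0
    while [ "$i" -lt "${RESOLVE_TRIES:-5}" ]; do
        host -t A "$MIRROR_HOST" 2>/dev/null
        i=$((i + 1))
    done | parse_host_output
}

# Emit ipset commands for one IP per line on stdin: fill a scratch set, then
# swap it in so the live set is never empty mid-update. Lines that are not
# a dotted quad are dropped rather than handed to ipset.
gen_ipset_commands() {
    echo "ipset create ${IPSET_NAME}-new hash:ip -exist"
    while read -r ip; do
        case "$ip" in *[!0-9.]*|"") continue ;; esac
        echo "ipset add ${IPSET_NAME}-new $ip -exist"
    done
    echo "ipset swap ${IPSET_NAME}-new $IPSET_NAME"
    echo "ipset destroy ${IPSET_NAME}-new"
}

# Cron entry point: keep the previous set when DNS returns nothing, so a
# resolver hiccup cannot turn into an empty allow-list.
refresh_allowlist() {
    ips=$(resolve_mirror)
    if [ -z "$ips" ]; then
        echo "no addresses for $MIRROR_HOST; keeping current set" >&2
        return 1
    fi
    printf '%s\n' "$ips" | gen_ipset_commands | sh -e
}
case "${1:-}" in apply) refresh_allowlist ;; esac   # cron: sh refresh.sh apply
```

Run it from cron with the `apply` argument; without an argument it only defines the functions, so the parsing and command generation can be checked on captured `host` output before anything touches the firewall.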
On 15.1.2013 23:28, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
On 15.1.2013 22:18, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
you mean per ip
mirror.centos.org has address 91.215.65.226
baseurl=http://91.215.65.226/centos/$releasever/cr/$basearch/
avoiding dns. yes, it would be possible, but how reliable is it?
no, I meant choose a good one from the list: http://www.centos.org/modules/tinycontent/index.php?id=31
Oh, I was not aware that cr is mirrored! what I have in my yum config is
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
and it seems that cr is not in the mirrorlist system
$ wget -qO- http://mirrorlist.centos.org/?release=5\&arch=i386\&repo=updates
http://... ...
but
$ wget -qO- http://mirrorlist.centos.org/?release=5\&arch=i386\&repo=cr
Invalid repo
Markus Falb wrote:
On 15.1.2013 23:28, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
On 15.1.2013 22:18, Nicolas Thierry-Mieg wrote:
Markus Falb wrote:
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
pick a mirror that's close to you and trustworthy (ie stays up to date), and use that as your baseurl.
you mean per ip
mirror.centos.org has address 91.215.65.226
baseurl=http://91.215.65.226/centos/$releasever/cr/$basearch/
avoiding dns. yes, it would be possible, but how reliable is it?
no, I meant choose a good one from the list: http://www.centos.org/modules/tinycontent/index.php?id=31
Oh, I was not aware that cr is mirrored!
oops!! sorry, I wasn't thinking specifically CR. And since in the example mirror I picked there happens to be a CR subdir it didn't click...
On 01/15/2013 02:58 PM, Markus Falb wrote:
Hi, I find myself in a complicated situation and would like to ask the oracle (choke!) for help. I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
mirror.centos.org is very dynamic ... not just round robin.
We add and remove machines from that name all the time and it picks a location based on GeoIP of the requester.
As you can imagine, with millions of machines using that name to get updates it needs to be more than one server ... and normally we have somewhere between 25 and 40 servers that can answer as mirror.centos.org worldwide.
On 15.01.2013 21:58, Markus Falb wrote:
I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
You'll need an application level gateway (ALG) firewall. Simple packet filtering, even stateful, is not sufficient for this purpose.
On Fri, Jan 18, 2013 at 3:23 AM, Tilman Schmidt t.schmidt@phoenixsoftware.de wrote:
On 15.01.2013 21:58, Markus Falb wrote:
I would like to install the packages from the continuous release repo and the yum config for this repo says
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
well, I definitely do not want to allow worldwide outgoing http so I try to find the IPs
# host mirror.centos.org
mirror.centos.org has address 93.113.36.66
but! wait...
# host mirror.centos.org
mirror.centos.org has address 88.198.211.197
dns round robin is not very helpful for me doing firewall rules. How would you solve this yum and firewall thing?
You'll need an application level gateway (ALG) firewall. Simple packet filtering, even stateful, is not sufficient for this purpose.
If you have (or can have) a squid running somewhere that has the required outbound access, you can either configure yum to use it or just set http_proxy= and ftp_proxy= on the command line to export them. If you can't access the squid directly, but you are able to ssh from the squid host to the host that needs the update, you can port-forward through ssh like:
ssh -R3128:localhost:3128 root@host_needing_update
and from there:
http_proxy=http://localhost:3128 ftp_proxy=http://localhost:3128 yum update
no permanent config changes should be needed, and if you repeat it on multiple targets you might even re-use the copies that squid will cache after you've pulled one from each mirror.