mirror March 2017

mirror@lists.centos.org

31 participants
42 discussions

ACL migration a.k.a. Unknown module 'CentOS' errors
by Anssi Johansson 02 Mar '17

02 Mar '17

Hello everyone. As some of you may have noticed, I have started helping Fabian Arrotin with mirrorlist management tasks. For example, I can now make changes to the list of CentOS mirrors myself. I will also continue maintaining the IPv6 mirror checker (see http://miuku.net/ipv6reach/ for stats), which runs separate from the main CentOS mirror checker. In order for me to change the access control list which specifies the IP addresses that can connect to msync.centos.org nodes, the ACL had to be moved from a separate configuration file to the main mirror database. This gives me easier access to the ACL. The ACL is exported from the database to msync nodes periodically. The reason why I'm writing this message is that it's possible that some of the IP addresses got accidentally assigned to mirrors that have been disabled, and this causes that IP address to be excluded from the ACL. I don't expect this to be a particularly widespread problem, but it is a possibility. If you have problems syncing (you get a message like Unknown module 'CentOS' and/or your timestamp.txt is too old), please let us know and we'll fix the problem ASAP. Please specify your mirror's http URL and IP addresses (IPv4, and if you're lucky enough to have IPv6, that too) so that we could locate your mirror's data from the database quickly. Thanks for your cooperation. If you have any other concerns or questions, feel free to send me an email or come to #centos-mirror on Freenode for a chat.

2 2

Re: [CentOS-mirror] [CentOS-devel] Getting content to mirrors faster
by Fabian Arrotin 01 Mar '17

01 Mar '17

On 01/03/17 14:44, Anssi Johansson wrote: > We have 600+ active CentOS mirrors[1] and sometimes there are critical > updates that would need to get published to the mirror network as > quickly as possible. As of now, it takes around five hours to go from 0 > up-to-date mirrors to 80% up-to-date mirrors, with a longer tail for the > remaining 20%. > > Current guidelines for setting up a mirror[2] specify that mirrors > should sync 2-4 times per day. Instead of telling mirrors to sync hourly > I thought we could come up with something smarter. > > One option that I have considered would be something similar to what the > ClamAV guys use to signal end users that there is new content. They use > a DNS TXT record for that purpose. For example, as of this writing "dig > txt +short current.cvd.clamav.net" produces > "0.99.2:57:23148:1488371340:1:63:45637:290", which shows the version > numbers for ClamAV itself, main virus database, daily virus database, > timestamp and other version numbers. > > We could have something similar, showing the timestamps when the content > for CentOS, CentOS AltArch and CentOS Vault was last modified, like > "1488372781:1487767981:1488113581". "Last modified" in the sense that > new packages got added at that time. The idea is that mirrors could set > up scripts to check that timestamp from DNS more frequently (such as > hourly) without causing load issues to msync nodes by rsyncing hourly. > The TTL for the TXT record could be relatively small, like 10 minutes. > > As you're all aware, DNS is a prime example of a very scalable system, > and that's why I'm fond of this solution. Another option would be to > publish the same data in a central location and served over http(s), if > relaying the timestamp data via DNS is not desired for some reason. > > The basic principle would be "if timestamp in TXT record > my current > timestamp (TIME file), synchronize the mirror". With more frequent > syncs, mirror admins would need to take care that no two rsync runs > would happen at the same time. Using lockfile in the scripts would help > with this. I hope that many of the mirror admins already use lockfiles, > but providing an example script might help for the newer mirror admins. > > The timestamps should be updated only after it has been verified that > all (or at least the majority) of msync nodes actually have the content. > It takes a while for the data to reach all the msync nodes from the master. > > On the other hand, this may cause some traffic peaks for the msync > nodes. I don't know how well they would handle the peaks. One obvious > way to alleviate the peaks would be to instruct mirror admins to pick a > random minute when to check for new content. echo $[ $RANDOM % 60 ] > works nicely for this. I don't have statistics, but I believe there > might be mirrors that sync at "0 */6" ie. at the top of the hour. > > > If the traffic peaks to msync nodes is deemed to be a problem, there > might be ways to reduce the load to msync nodes. The following idea > could be implemented separately from the above timestamp idea, if needed. > > There could be some sort of a "web service" which instructs mirrors > where to sync from. The core idea in this is that the source might not > always be a msync.centos.org server, but it could also be a nearby > public mirror that offers rsync and has been verified to have the new > content. If requested from Finland, that service could say "ok, you're > from .fi, go sync from ftp.funet.fi as it has the new content already" > or "uh oh, no nearby external mirrors have the new content, please rsync > from eu-msync.centos.org". It could simply return a list of rsync > servers in descending priority, with some msync.centos.org addresses at > the bottom as fallback. Once the mirror has rsynced, the mirror could > ping back and say "I have the content now, please check, and if OK, add > me to the list of mirrors that have the new content". > > One concern is that the list of rsync sources would need to be > protected, so that mirrors could not be tricked into syncing from a > malicious source (think DNS poisoning). Ways to protect from this > include DNSSEC, TLS and PGP signed data. > > > Any thoughts about this? > > > [1] http://mirror-status.centos.org/ > [2] https://wiki.centos.org/HowTos/CreatePublicMirrors Hi Anssi, Thanks a lot for all those ideas. While I understand your idea behind a TXT record at the DNS level, I'd say that I'm not a fan of that idea. Even with lower TTL, you'd be surprized how many hits we had on servers that were migrated to new ones, as it seems some ISPs aren't obeying the TTL and so were still serving wrong (and expired) A/AAAA records from their cache. DNS itself (currently for centos.org) isn't DNSSEC enabled too, so that would mean other protection, etc I'd prefer your alternative with "let's host this behind a https web server" and also for the reason that it's easier to have TLS for webserver, and that from the automation point-of-view, it's easier for people allowed to build/sign/push (two people) to just update/drop a file somewhere, than using DNS modification. For dns, as the zone is actually under git/puppet control, that would mean *not* using that, but rather having a delegated zone that would allow nsupdate with a key that those people would share, etc ... So the simple file served from https seems easier from my side. I'd like to get opinions from Johnny/KB (people able to sign/push) as they'd be directly concerned by that decision. From an "external mirror admin" PoV, we should also use the centos-mirror list to discuss this, to get their opinions ? Also, we can divide your proposal into two parts : - external mirrors can check a file they can compare against to sync "faster" than through their cron jobs (discussed above) - modifying completely the msync.centos.org network to have external mirrors not syncing from us, but betwen them (not sure how people feel about this) PS : Anssi is now part of the mirrors managers team for CentOS , for people not yet aware of that fact -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

mirror March 2017