On Fri, 25 Sep 2009, Marten Lehmann wrote:
Hello,
I am currently rsyncing the CentOS tree to one of our servers. We are managing a few dozen CentOS servers, so it surely will speed up updates and lead to less wasted bandwidth if we don't update from common public repositories any longer, but use an internal server instead that only syncs once with the master server.
Now I'm in doubt whether I should make our own mirror public or not.
The first and main issue is the bandwidth costs. Can you give an estimate on how much traffic a typical European/German mirror generates per month?
The second issue is that some kiddies might try to attack and hack our mirror to inject changed packages. Do you have statistics on this? Which FTP daemon do you recommend for a hardened anonymous-FTP only service?
Btw.: What do I have to change in the yum config on each server to use one specific repository server and not the mirrorlist system? Do I just have to comment the mirrorlist line and uncomment the baseurl?
Since I'm not a German or European mirror, I don't have an answer to your bandwidth question.
As to the issue of being attacked, remember that the packages are signed, so if someone were to compromise your mirror, the changed package would not be signed and would give an error. (If your mirror is compromised, your other clients are still safe.)
vsftpd has a good reputation, and is the package provided by Red Hat and CentOS (disclaimer: I don't provide FTP service, just http and rsync).
To make your machines go straight to your mirror, yes, 1) comment out the mirrorlist, 2) uncomment the baseurl, and 3) change the baseurl to point to your mirror.
DR
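
The three steps from the reply above, scripted so they can be applied to many servers, together with a check that signature verification stays enabled (an added example, not part of the original thread). The host `mirror.example.internal`, the function names and the sample repo file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. mirror.example.internal is a
# placeholder host; the function names are hypothetical.

# Steps 1-3: comment out mirrorlist=, uncomment baseurl=, and swap the stock
# URL prefix for the internal mirror. Reads a .repo file on stdin.
# Assumes the mirror URL contains no '|' or '&' (sed metacharacters here).
repoint_repo() {
    sed -e 's|^mirrorlist=|#mirrorlist=|' \
        -e "s|^# *baseurl=http://mirror\.centos\.org/centos|baseurl=$1|"
}

# List every [section] that does not explicitly set gpgcheck=1. Stricter than
# yum itself, which also accepts a global setting in [main] of /etc/yum.conf.
sections_without_gpgcheck() {
    awk '/^\[/ { if (sec != "" && !ok) print sec; sec = $0; ok = 0 }
         /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
         END { if (sec != "" && !ok) print sec }'
}

# Constructed sample modelled on the stock CentOS-Base.repo layout; the
# [localtest] section is invented to show what the check reports.
SAMPLE='[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[localtest]
name=Constructed section with signature checking switched off
baseurl=http://mirror.example.internal/localtest/
gpgcheck=0
'

MIRROR=http://mirror.example.internal/centos
echo "--- rewritten repo file ---"
printf '%s' "$SAMPLE" | repoint_repo "$MIRROR"
echo "--- sections without gpgcheck=1 ---"
printf '%s' "$SAMPLE" | sections_without_gpgcheck
```

Any section the second function reports would install packages from the mirror without verifying their signatures, which removes the protection described in the reply.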