On Tue, 2007-05-22 at 22:45 -0500, Matt Domsch wrote:
> On Tue, May 22, 2007 at 05:58:03PM -0600, Dax Kelson wrote:
> > I mentioned on the list a few months back a technique for having YUM automatically use a local mirror without any configuration changes on the clients. A few people sent me emails asking for more details, so I was goaded/spurred into implementing it and have now documented the procedure in a new GURU GUIDE.
> Dax, very cool. Thanks for posting this.
> One thing I added to mirrormanager[1] was the ability for a mirror host to specify the set of IP netblocks that should use the local mirror. When a yum client hits the mirrorlist CGI, such as:
> http://mirrors.fedoraproject.org/mirrorlist?repo=core-6&arch=i386
> it looks up the client IP address in mirrormanager's database. If one or more of the hosts in that database claim that IP address as "local" to them, the CGI returns just those hosts.
> In mirrormanager, you can have private mirror sites and private mirror hosts, so they never appear on the public list of servers, but the mirrorlist CGI can still handle them. The drawback is that mirrormanager can't crawl private mirror sites (generally). So, you have to use mirrormanager's report_mirror script[2], which runs on your private mirror, to tell the mirrormanager database what content you have. With this little bit of setup, you can get much the same benefit as your setup provides.
Matt, mirrormanager is very cool!
For YUM to automatically find a mirror, I believe the cleanest and best solution is to have it done within Yum itself, possibly with a WPAD-like or DNS SRV technique. It should be on by default.
The idea of the main mirrorlist CGI having a database of local IPs and mirrors is actually a solution that I ran through mentally a while back and came to the conclusion that security concerns and technical limitations made it unworkable.
When you attach your computer to a network there is some level of implicit trust in the local network (and whoever manages it). But this is a two party relationship and doesn't involve a third party who is a random stranger on the internet.
The main security concern I have with the DB of local IPs is what is to prevent someone from listing my IP network as local to their mirror? This could be accidental via a netmask typo, or with a more sinister intent (cross your fingers that your users pay attention to gpg messages from yum).
IMHO, this should not be possible. If mirrormanager intends to maintain a DB of local IPs for a mirror, then the ownership/control of the IP range *must* be strongly authenticated. It should be done securely, or not at all.
Different people have different security requirements, but I believe that some people will be in for a shock and react poorly/predictably when they find out that their IP netblocks (or any portion thereof) could be redirected.
The technical limitation of the DB of local IPs is that it doesn't work for organizations who run their mirrors on an RFC1918 IP and use NAT to get out to the internet. This scenario is very common.
Dax Kelson
Guru Labs
infrastructure@lists.fedoraproject.org
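Added example, not code from mirrormanager or from either poster: a small model of the mirrorlist CGI lookup Matt describes (client source IP matched against netblocks that hosts have claimed as local, otherwise the public list), run over a constructed host database so that the two problems Dax raises can be observed directly: a netmask typo by an unrelated host captures another organization's clients, and a mirror on RFC1918 space behind NAT never matches because the CGI only sees the NAT'd public address. The host names, netblocks and the `validate_claim` admission check are all assumptions made for the illustration; mirrormanager's real data model and any ownership verification it may do are not shown here.

```python
"""Model of a netblock-based mirrorlist lookup (constructed example, not mirrormanager code)."""
import ipaddress
from dataclasses import dataclass

# Constructed public mirror list returned when no host claims the client as local.
PUBLIC_MIRRORS = ["download.fedora.example.com", "mirror1.example.net"]

# RFC1918 space, which a CGI reachable from the public internet never sees as a source address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class MirrorHost:
    name: str
    claimed: list           # netblock strings typed into the database by the host's admin
    private: bool = False   # private hosts never appear on the public list

    def networks(self):
        # strict=False models a lenient CGI that accepts "198.51.100.0/16" as 198.51.0.0/16,
        # i.e. a netmask typo silently becomes a much wider claim.
        return [ipaddress.ip_network(n, strict=False) for n in self.claimed]


# Constructed database: one correct claim, one typo'd claim, one RFC1918 mirror behind NAT.
DB = [
    MirrorHost("mirror.campus.example.edu", ["192.0.2.0/24"], private=True),  # correct claim
    MirrorHost("stranger.example.org", ["198.51.100.0/16"]),                  # meant /24, typed /16
    MirrorHost("nat.corp.example.com", ["10.0.0.0/8"], private=True),         # clients egress via NAT
]


def mirrorlist(client_ip, db=DB, public=PUBLIC_MIRRORS):
    """Return the hosts claiming client_ip as local; fall back to the public list."""
    ip = ipaddress.ip_address(client_ip)
    local = [h.name for h in db if any(ip in net for net in h.networks())]
    return local or list(public)


def validate_claim(netblock, proven_prefixes):
    """Hypothetical admission check for a netblock claim (assumption, not mirrormanager's).

    Accepts only when the claim parses with a strict mask (a typo is an error, not a wider
    claim), is not RFC1918 (unmatchable from a public CGI), and lies inside a prefix whose
    ownership was already verified out of band. Returns (ok, reason).
    """
    try:
        net = ipaddress.ip_network(netblock, strict=True)
    except ValueError as e:
        return False, f"rejected: {e}"
    if any(net.version == r.version and net.subnet_of(r) for r in RFC1918):
        return False, "rejected: RFC1918 block, public CGI never sees these source addresses"
    owned = [ipaddress.ip_network(p) for p in proven_prefixes]
    if not any(net.version == o.version and net.subnet_of(o) for o in owned):
        return False, "rejected: claim is not within a prefix this mirror has proven it controls"
    return True, "ok"


if __name__ == "__main__":
    # Campus client: correctly steered to its own private mirror.
    print(mirrorlist("192.0.2.10"))
    # Client of an unrelated organization: captured by stranger.example.org's /16 typo.
    print(mirrorlist("198.51.100.7"))
    # Client behind nat.corp.example.com's NAT arrives from a public address: no match.
    print(mirrorlist("203.0.113.9"))
    # The same typo'd claim fails the strict admission check.
    print(validate_claim("198.51.100.0/16", ["198.51.100.0/24"]))
```

The second lookup is the case Dax describes: nothing in the lookup itself distinguishes a legitimate claim from a typo or a hostile one, so whether such a redirect matters is left to the client's GPG check of the retrieved packages and metadata. The third shows the NAT limitation: the 10.0.0.0/8 claim is correct from the mirror's point of view but can never match a source address the public CGI observes.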