03-23-2011, 08:35 AM
andreas palsson

Managing fedora installations behind firewall

Hello.

Imagine a fairly large network, with from 50-100 workstations running Fedora.
Due to security, none of these machines have access to Internet.

Now to the question; how to keep all those machines up to date with the latest packages?

First, I imagine I have to set up a complete package repository.
Using the contents of the Fedora DVD should be sufficient?


Next, since the server is not connected to Internet either..
How do I keep the repository manually updated and synchronized with the official mirrors?


Last, how can I make a package which users can simply install to point their machines to update from the above mentioned server only, and remove the other install sources?


Thank you.

// andreas



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
03-23-2011, 10:58 AM
Jonathan Underwood

Managing fedora installations behind firewall

On 23 March 2011 09:35, andreas palsson <wpt2097@hotmail.com> wrote:
> Hello.
>
> Imagine a fairly large network, with from 50-100 workstations running
> Fedora.
> Due to security, none of these machines have access to Internet.
>
> Now to the question; how to keep all those machines up to date with the
> latest packages?
>
> First, I imagine I have to set up a complete package repository.
> Using the contents of the Fedora DVD should be sufficient?
>
>
> Next, since the server is not connected to Internet either..
> How do I keep the repository manually updated and synchronized with the
> official mirrors?
>
>
> Last, how can I make a package which users can simply install to point their
> machines to update from the above mentioned server only, and remove the
> other install sources?

Cobbler will do much of this for you.

https://fedorahosted.org/cobbler/

J.
03-23-2011, 12:25 PM
Tim

Managing fedora installations behind firewall

On Wed, 2011-03-23 at 10:35 +0100, andreas palsson wrote:
> Due to security, none of these machines have access to Internet.
>
> Now to the question; how to keep all those machines up to date with
> the latest packages?
>
> First, I imagine I have to set up a complete package repository.
> Using the contents of the Fedora DVD should be sufficient?

Not really. The DVD only has a small amount of the packages that are
available. The repos have many more packages than would fit on a DVD.
And this would only be useful for an initial install, not updates.
>
> Next, since the server is not connected to Internet either..
> How do I keep the repository manually updated and synchronized with
> the official mirrors?

At least one machine, somewhere, has access to the internet, so it can
get updates. If all the machines have the same packages installed, this
is fairly simple (you keep it up to date, and test that it doesn't
suddenly stop working, then you use its downloaded files to update the
rest of your computers). If the machines have different packages, then
the simple solution is to use a simple HTTP caching proxy to access just
one repo mirror, and have all your machines request packages through it.

Your server doesn't have to be the machine doing this. If you're
isolating your network from the internet, it makes sense to have one
machine that can connect to the internet, that's at arm's length from
the rest of your network. Only having the minimum of possible
communication between either side.

> Last, how can I make a package which users can simply install to point
> their machines to update from the above mentioned server only, and
> remove the other install sources?

I haven't kept up to date with the current systems, but the yum repo
files were set up by the various *release* packages. If you make your
own release package(s), which sets up the repo files with your local
mirror as the YUM package installing and updating server addresses, that
should configure the clients for you. Have a look at what owns the
various files inside: /etc/yum.repo

i.e. rpm -qf /etc/yum.repos.d/*

Since you haven't defined what you mean by "due to security" you're only
going to get vague advice, or a plethora of answers which you can't
actually implement. Some might be concerned about your clients being
able to make unauthorised connections to the internet, others about
random outsiders connecting to your network, still others about problem
update packages that leave a machine in a non-working state, and there's
a plethora of different security concerns. You've given no clues.

If you're not going to give more information, you're going to have to do
more research, yourself. Look into setting up local repo mirrors.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
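
The transfer step described above (one connected machine downloads, its files then feed the isolated network) can be gated with a hash manifest. This is an added example, not code from the thread; the fake `.rpm` files are constructed. A manifest carried on the same media only detects corrupted, missing or unlisted files, so package authenticity still depends on RPM signature checking on the clients.

```shell
#!/bin/sh
# Added example: carry packages across the air gap with a SHA-256 manifest
# and refuse to import a batch that does not match it.

# On the internet-connected staging machine: hash every RPM under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -name '*.rpm' -exec sha256sum {} + > MANIFEST.sha256 )
}

# On the internal repo server, before "createrepo --update".
# Returns 0 = batch matches, 1 = hash mismatch or missing file,
#         2 = an RPM is present that the manifest does not list,
#         3 = directory or manifest missing/empty.
verify_batch() {
    (
        cd "$1" 2>/dev/null || exit 3
        [ -s MANIFEST.sha256 ] || exit 3
        sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 || exit 1
        find . -type f -name '*.rpm' | while IFS= read -r rpm; do
            # Strip "<hash>  " and require an exact file name match.
            sed 's/^[0-9a-f]*  //' MANIFEST.sha256 | grep -qxF -- "$rpm" || exit 2
        done || exit 2
    )
}

# Constructed demo: the ".rpm" files are plain bytes, enough to exercise the check.
demo() {
    t=$(mktemp -d)
    printf 'pkg-a' > "$t/a.rpm"; printf 'pkg-b' > "$t/b.rpm"
    make_manifest "$t"
    r1=0; verify_batch "$t" || r1=$?          # untouched batch
    printf 'tampered' > "$t/b.rpm"
    r2=0; verify_batch "$t" || r2=$?          # content changed in transit
    printf 'pkg-b' > "$t/b.rpm"; printf 'extra' > "$t/c.rpm"
    r3=0; verify_batch "$t" || r3=$?          # file added that was never listed
    rm -rf "$t"
    echo "$r1 $r2 $r3"
}

demo
```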



03-23-2011, 12:41 PM
Richard Shaw

Managing fedora installations behind firewall

On Wed, Mar 23, 2011 at 4:35 AM, andreas palsson <wpt2097@hotmail.com> wrote:
[SNIP]
> Last, how can I make a package which users can simply install to point their
> machines to update from the above mentioned server only, and remove the
> other install sources?

I only manage my home environment so I can't answer most of your
questions but I'll tell you what I do.

I set up a "local" repo on my desktop computer that I copied all of the
DVD provided packages (and some others I've built myself) to. I don't
worry about making the other computers on my home network ONLY use my
local repo so I just add a repo config file pointing to my packages
(over NFS) and give it a lower "cost" which means if a package is
available on both my local repo and in the fedora repos then it will
install from my local repo.

You could remove the other repos so that only the one you create is
used. Then monitor updates and only download the ones you want and
copy them into your repo location. Then a simple "createrepo --update
/path/to/your/packages" and on the next yum update run (or PackageKit
update) will pick up the new packages and update them if they are
installed.

This would be very labor intensive but would give you a great deal of control.

HTH,
Richard
03-23-2011, 12:51 PM
Timothy Murphy

Managing fedora installations behind firewall

Richard Shaw wrote:

> I set up a "local" repo on my desktop computer that I copied all of the
> DVD provided packages (and some others I've built myself) to. I don't
> worry about making the other computers on my home network ONLY use my
> local repo so I just add a repo config file pointing to my packages
> (over NFS) and give it a lower "cost" which means if a package is
> available on both my local repo and in the fedora repos then it will
> install from my local repo.

This sounds interesting.
How exactly do you do it?
Is it all in /etc/yum.conf ?
If so, could we see yours, please.

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

03-23-2011, 01:15 PM
Richard Shaw

Managing fedora installations behind firewall

On Wed, Mar 23, 2011 at 8:51 AM, Timothy Murphy <gayleard@eircom.net> wrote:
> Richard Shaw wrote:
>
>> I set up a "local" repo on my desktop computer that I copied all of the
>> DVD provided packages (and some others I've built myself) to. I don't
>> worry about making the other computers on my home network ONLY use my
>> local repo so I just add a repo config file pointing to my packages
>> (over NFS) and give it a lower "cost" which means if a package is
>> available on both my local repo and in the fedora repos then it will
>> install from my local repo.
>
> This sounds interesting.
> How exactly do you do it?
> Is it all in /etc/yum.conf ?
> If so, could we see yours, please.

Here's the short version:

1. Copy the packages somewhere, I use "/var/local/packages" as the
root of the repository and then have subdirectories, i.e.:

/var/local/packages/fedora for the DVD packages
/var/local/packages/local/{i686,x86_64,source} for my own packages.***

*** You don't have to separate the packages by the arch since it's one
big repo, I'm just being anal.

2. Run "createrepo" from the package repo root directory

# cd /var/local/packages
# createrepo .

3. Set up a repo file (I call mine local.repo) in /etc/yum.repos.d/

[local]
name=Local Packages for $releasever - $basearch
baseurl=file:///var/local/packages/
enabled=1
gpgcheck=0
cost=500

For the "remote" computers I use autofs so the baseurl line changes to:

baseurl=file:///net/<server>/var/local/packages

But you could use whatever method you want (http, ftp, etc.)

4. When you add packages run "createrepo --update" otherwise it's
going to start from scratch which can take a while with all the DVD
packages. The other option would be to create two separate local
repos, one for the DVD packages which will not change and one for your
packages/updates. This would make "createrepo" faster so you wouldn't
have to use --update.

Other tips and tricks:
If you've recently added packages and you want a particular computer
to update immediately you need to run:

# yum clean expire-cache

Before doing "yum update". Otherwise it may not check the repo for
updates until the cache naturally expires.
This does not delete the metadata (the big repo data download) just
the file list I think, which is usually only a few KB.

HTH,
Richard
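
The local.repo posted above sets gpgcheck=0, and the original question asks that clients update from the internal server only. The script below is an added example, not code from the thread: it reports enabled repo sections that lack an explicit gpgcheck=1, use a mirrorlist/metalink, or have a baseurl outside an approved prefix. The host names, the gpgkey path and the sample file (including its hardened [site] section) are constructed placeholders.

```shell
#!/bin/sh
# Added example: report enabled yum repo sections that skip signature checks or
# fetch from outside the approved mirror. Assumption: no explicit gpgcheck=1 is a finding.
audit_repos() {  # usage: audit_repos REPO_DIR ALLOWED_BASEURL_PREFIX
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v allowed="$2" -v file="${f##*/}" '
            function report() {
                if (sec == "" || enabled == "0") return
                if (gpg != "1") print file ":" sec ":gpgcheck-off"
                if (ext) print file ":" sec ":external-mirrorlist"
                if (url != "" && index(url, allowed) != 1) print file ":" sec ":baseurl-not-allowed"
            }
            /^[ \t]*[#;]/ { next }
            /^\[/ { report(); sec = substr($0, 2, index($0, "]") - 2)
                    enabled = "1"; gpg = ""; url = ""; ext = 0; next }
            { eq = index($0, "="); if (!eq) next
              k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
              gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
              if (k == "enabled") enabled = v
              else if (k == "gpgcheck") gpg = v
              else if (k == "baseurl") url = v
              else if (k == "mirrorlist" || k == "metalink") ext = 1 }
            END { report() }
        ' "$f"
    done
}

make_sample() {  # constructed sample; host names and key path are placeholders
    cat > "$1/sample.repo" <<'EOF'
[local]
name=Local Packages for $releasever - $basearch
baseurl=file:///net/server.example/var/local/packages
enabled=1
gpgcheck=0
cost=500
[fedora]
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
[site]
baseurl=http://repo.example.internal/fedora/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-site
EOF
}
d=$(mktemp -d) && make_sample "$d" && audit_repos "$d" "http://repo.example.internal/"
rm -rf "$d"
```

On a client, the first argument would be /etc/yum.repos.d and an empty report means every enabled section verifies signatures and points at the internal mirror.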