[mirror-admin] rsync ACLs for tier1s
Matt Domsch
Matt_Domsch at dell.com
Sun Apr 13 08:29:23 EDT 2008

On Sun, Apr 13, 2008 at 09:52:34AM +0300, Axel Thimm wrote:
> On Sat, Apr 12, 2008 at 04:00:30PM -0500, Matt Domsch wrote:
> > > https://admin.fedoraproject.org/mirrormanager/rsync_acl
>
> > The drawback to using this list is that, honestly, anyone who has a
> > Fedora Account System account can create a Site and a Host in the MM
> > database, and add their addresses to the ACL. There are 283 entries
> > right now. In practice, it hasn't been a problem - we haven't had a
> > ton of people signing up as mirrors only to leech the bits before
> > they're announced but not truly acting as mirrors. If it becomes a
> > problem we may have to go back to people manually asking for entry to
> > specific Tier 1's ACLs.
>
> How about adding an approved-by-mirror-wrangler bit to signal that
> some registered mirror is trusted and remove that bit once some mirror
> shows that it was there for leeching purposes only?

I effectively have that - it's the whole user_active and admin_active
bits. By default they're true, but a fedora-infrastructure sysadmin
can mark a site or host as not admin_active, and bam, they're
removed from the results list. I prefer to trust folks until proven
otherwise. If this winds up being a problem in practice, we can
adjust.

I submitted a proposed patch to fedora-infrastructure-list last night
to update the rsync_acl query, so you can get back the list of all
mirrors, only those on internet2 (or peers), only those that are
public, or a combination thereof. We're in freeze, but it'll help
reduce the query load on the database (1 query instead of several
hundred for each person hitting that URL) so I want to see it in.
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
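
Added example, not part of the message above and not MirrorManager's own code: a sketch of the trust-by-default ACL it describes, where one JOIN query returns only addresses whose site and host are both user_active and admin_active, with optional internet2 and public filters. Only the two bit names come from the message; the table names, the other columns, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema: only user_active / admin_active are named in the message.
SCHEMA = """
CREATE TABLE site (id INTEGER PRIMARY KEY, name TEXT, private INTEGER DEFAULT 0,
                   user_active INTEGER DEFAULT 1, admin_active INTEGER DEFAULT 1);
CREATE TABLE host (id INTEGER PRIMARY KEY, site_id INTEGER REFERENCES site(id),
                   name TEXT, internet2 INTEGER DEFAULT 0,
                   user_active INTEGER DEFAULT 1, admin_active INTEGER DEFAULT 1);
CREATE TABLE host_acl_ip (host_id INTEGER REFERENCES host(id), ip TEXT);
"""

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO site (id, name, private) VALUES (?, ?, ?)",
                     [(1, "uni-a", 0), (2, "corp-b", 1), (3, "leech-c", 0)])
    conn.executemany(
        "INSERT INTO host (id, site_id, name, internet2) VALUES (?, ?, ?, ?)",
        [(1, 1, "mirror.uni-a.example", 1), (2, 2, "mirror.corp-b.example", 0),
         (3, 3, "box.leech-c.example", 0)])
    conn.executemany("INSERT INTO host_acl_ip VALUES (?, ?)",
                     [(1, "192.0.2.10"), (1, "192.0.2.11"),
                      (2, "198.51.100.7"), (3, "203.0.113.99")])
    return conn

def rsync_acl(conn, internet2_only=False, public_only=False):
    """Return the ACL in a single query instead of one query per host."""
    sql = """SELECT DISTINCT a.ip FROM host_acl_ip a
             JOIN host h ON h.id = a.host_id
             JOIN site s ON s.id = h.site_id
             WHERE h.user_active = 1 AND h.admin_active = 1
               AND s.user_active = 1 AND s.admin_active = 1"""
    if internet2_only:
        sql += " AND h.internet2 = 1"
    if public_only:
        sql += " AND s.private = 0"
    return [row[0] for row in conn.execute(sql + " ORDER BY a.ip")]

def revoke_site(conn, site_id):
    """Sysadmin action: clear admin_active so the site drops out of the ACL."""
    conn.execute("UPDATE site SET admin_active = 0 WHERE id = ?", (site_id,))
```

Because both bits default to true, a newly registered site is in the ACL until a sysadmin revokes it; the filter lives in the query, so revocation takes effect on the next fetch of the list.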