[mirror-admin] rsync ACLs for tier1s

Brian Long brilong at cisco.com
Mon Apr 14 08:31:00 EDT 2008


On Sun, 2008-04-13 at 07:29 -0500, Matt Domsch wrote:
> On Sun, Apr 13, 2008 at 09:52:34AM +0300, Axel Thimm wrote:
> > On Sat, Apr 12, 2008 at 04:00:30PM -0500, Matt Domsch wrote:
> > > > https://admin.fedoraproject.org/mirrormanager/rsync_acl
> > 
> > > The drawback to using this list is that, honestly, anyone who has a
> > > Fedora Account System account can create a Site and a Host in the MM
> > > database, and add their addresses to the ACL.  There are 283 entries
> > > right now.  In practice, it hasn't been a problem - we haven't had a
> > > ton of people signing up as mirrors only to leech the bits before
> > > they're announced but not truly acting as mirrors.  If it becomes a
> > > problem we may have to go back to people manually asking for entry to
> > > specific Tier 1's ACLs.
> > 
> > How about adding an approved-by-mirror-wrangler bit to signal that
> > some registered mirror is trusted and remove that bit once some mirror
> > shows that it was there for leeching purposes only?
> 
> I effectively have that - it's the whole user_active and admin_active
> bits.  By default they're true, but a fedora-infrastructure sysadmin
> can mark a site or host as not admin_active, and bam, they're
> removed from the results list.  I prefer to trust folks until proven
> otherwise.  If this winds up being a problem in practice, we can
> adjust.
> 
> I submitted a proposed patch to fedora-infrastructure-list last night
> to update the rsync_acl query, so you can get back the list of all
> mirrors, only those on internet2 (or peers), only those that are
> public, or a combination thereof.  We're in freeze, but it'll help
> reduce the query load on the database (1 query instead of several
> hundred for each person hitting that URL) so I want to see it in.

Matt,

I also visited this URL to see if my private mirror was in the list (it
isn't) and it took almost one minute for the page to draw.  Would it
make sense to cache this page (and the parametrized results) every 15-30
minutes instead of using a live DB query each time?

/Brian/

-- 
       Brian Long                             |       |
                                          . | | | . | | | .
                                              '       '
                                              C I S C O
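
The caching suggested in the message above, sketched as an added example; it is not part of the thread and not MirrorManager's code. It caches each parameter combination of the ACL query for 15 minutes and shows the consequence for revocation: a host marked not admin_active stays in the served list until its cache entry expires. Everything except the user_active and admin_active names is assumed for illustration, including that private hosts appear in the unfiltered list.

```python
import time

# Constructed sample rows. user_active/admin_active are the bits named in the
# thread; the address, internet2 and private fields are assumed for illustration.
HOSTS = [
    {"address": "192.0.2.10", "user_active": True, "admin_active": True,
     "internet2": False, "private": False},
    {"address": "198.51.100.7", "user_active": True, "admin_active": True,
     "internet2": True, "private": False},
    {"address": "203.0.113.5", "user_active": True, "admin_active": False,
     "internet2": False, "private": False},   # disabled by an admin
    {"address": "192.0.2.99", "user_active": True, "admin_active": True,
     "internet2": False, "private": True},
]

def query_acl(hosts, internet2_only=False, public_only=False):
    """Single pass over the host table, standing in for the one DB query."""
    acl = []
    for h in hosts:
        if not (h["user_active"] and h["admin_active"]):
            continue                      # inactive hosts never reach the ACL
        if internet2_only and not h["internet2"]:
            continue
        if public_only and h["private"]:
            continue
        acl.append(h["address"])
    return sorted(acl)

class AclCache:
    """Caches each parameter combination separately for ttl seconds."""
    def __init__(self, hosts, ttl=15 * 60, clock=time.monotonic):
        self.hosts, self.ttl, self.clock = hosts, ttl, clock
        self._store = {}                  # (internet2_only, public_only) -> (time, acl)
        self.queries = 0                  # how many times the backend was hit

    def get(self, internet2_only=False, public_only=False):
        key = (internet2_only, public_only)
        now = self.clock()
        entry = self._store.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]               # may be stale by up to ttl seconds
        self.queries += 1
        acl = query_acl(self.hosts, internet2_only, public_only)
        self._store[key] = (now, acl)
        return acl
```

The TTL is the upper bound on how long a disabled host keeps rsync access through consumers of the cached list, so it should be chosen with revocation delay in mind as well as database load.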
