[mirror-admin] push mirroring plans

Jan ONDREJ (SAL) ondrejj at salstar.sk
Wed Dec 17 03:22:21 EST 2008


On Wed, Dec 17, 2008 at 02:50:30AM -0500, Simon Valiquette wrote:
> Paulo Licio de Geus un jour écrivit:
>> Hiroyuki SHINBO wrote:
>>
>>> Hi Matt,
>>>
>>> I have one question about this. Will you stop the "pull mirror"
>>> system after the "push mirror" system works?
>>>
>>> In our network policy, SSH access from outside of our network
>>> is prohibited. I can not change this because this policy is the
>>> decision of our company. So, our server may stop mirroring if
>>> only "push mirror" is provided for official mirrors.
>>>
>>> I think that debian provides both pull and push mirror. If possible, I
>>> would like to use "pull mirror" continuously.
>
>   Exactly, and I see no reason why RedHat would want to prevent mirrors
> from polling from the master.  Actually, it would even involve
> unnecessary effort to enforce it.

I think Matt is talking about a new feature for pushing data, not about
removing any features. I think standard pulling will not be changed.

>> Just out of curiosity, would a ssh connection through a reverse ssh
>> channel (the central mirror initiating a ssh connection to a local port
>> forwarded to your mirror over a ssh channel created by you to the
>> central mirror ssh server) satisfy your policy? Convoluted, but
>> functional...
>
>   Much better, much simpler and quite safe is to trigger the sync with an
> email, like what kernel.org does. Configuring Postfix or something else to
> trigger the sync when receiving the email is quite simple, and has a far
> better chance to comply with Shinbo-san's company policy.

Heh, 3rd solution. :-)

I still prefer push over ssh. What are the advantages:
  - I can set an IP access filter for ssh on my server to allow only RH IPs
  - I can restrict a tier mirror's ssh key to run only a specified command
    (for example a special rsync, so this server can't do more than
    sync content)
  - it's secure
  - it's simple (just one command)

Using email, this needs to be done:
  - procmail or something similar is required; proper access rights need
    to be defined, and the selinux policy adapted to allow running rsync
    on ftp content from procmail
  - I need to open port 25 (smtp) for the whole world, or at least for our
    SMTP gateway
  - make a script which can do some GPG magic to test whether the email
    is not a fake
  - easy to implement in mirrormanager

Using HTTP is the most complicated (using an http server over which
master/tierX can report an update):
  - httpd is running as apache/lighttpd; it's more complicated to run
    some jobs as a specified user without using special tricks like
    suexec or a special httpd on another port

I think using ssh is still the easiest way to do a push sync request.
The master/tierX mirror can also watch what has been synced and do some
load balancing over these mirrors.

Maybe a combination of ssh/email is a good idea.

			SAL
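The first two advantages Jan lists for push over ssh (an address filter and a key locked to one command) are both done in the mirror's authorized_keys file plus a forced-command wrapper. The wrapper below is an added example, not code from this thread or from the Fedora mirror infrastructure; the master address, key, module names, upstream URL and local path are placeholders. sshd puts whatever the master asked to run into SSH_ORIGINAL_COMMAND; the wrapper never executes that string, it only checks that it is "sync <module>" for a known module and then runs its own fixed rsync.

```shell
#!/bin/sh
# push-sync: forced-command wrapper for a push-triggered mirror sync.
# Added example, not from the mirror-admin thread. Install it through a
# line like this in ~mirror/.ssh/authorized_keys (address and key are
# placeholders):
#
#   from="192.0.2.10",command="/usr/local/bin/push-sync",no-pty,\
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding \
#   ssh-ed25519 AAAA...placeholder... master@example.org
#
# from= gives the IP filter, command= makes this script the only thing
# that key can ever run, and the no-* options close the side channels
# (tunnels, agent, tty) that would otherwise still be available.

# Modules this mirror is willing to sync (assumed names).
ALLOWED_MODULES="fedora epel"

# Assumed local layout and upstream; adjust to your mirror.
MIRROR_ROOT="/srv/mirror"
UPSTREAM="rsync://master.example.org"

# validate_push_request "<SSH_ORIGINAL_COMMAND>"
# Accepts exactly "sync <module>" where <module> is one of ALLOWED_MODULES.
# Prints the module name and returns 0; returns 1 for anything else,
# including shell metacharacters, empty names and unknown modules.
validate_push_request() {
    req=$1
    case $req in
        "sync "*) ;;
        *) return 1 ;;
    esac
    mod=${req#"sync "}
    # One token of [A-Za-z0-9_-] only; no spaces, slashes, ';', '$', etc.
    case $mod in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    for allowed in $ALLOWED_MODULES; do
        if [ "$mod" = "$allowed" ]; then
            printf '%s\n' "$mod"
            return 0
        fi
    done
    return 1
}

# build_rsync_cmd <module>
# Prints the fixed rsync command line the mirror runs for that module.
# The master cannot influence the flags or paths; only the module name,
# already validated, is substituted.
build_rsync_cmd() {
    printf 'rsync -aH --delete --delete-after %s/%s/ %s/%s/\n' \
        "$UPSTREAM" "$1" "$MIRROR_ROOT" "$1"
}

# Entry point when sshd runs us as the forced command.
main() {
    if mod=$(validate_push_request "${SSH_ORIGINAL_COMMAND-}"); then
        logger -t push-sync "sync request for $mod from ${SSH_CLIENT%% *}"
        exec rsync -aH --delete --delete-after \
            "$UPSTREAM/$mod/" "$MIRROR_ROOT/$mod/"
    else
        logger -t push-sync "rejected request: ${SSH_ORIGINAL_COMMAND-}"
        exit 1
    fi
}

# Only act as the forced command when installed under that name; when the
# file is sourced or run under another name the functions are just defined.
case ${0##*/} in
    push-sync) main ;;
esac
```

On the master side the trigger is then just `ssh mirror.example.org sync fedora`; the return code tells the master whether the mirror accepted the request, which is also the hook for the "watch what has been synced" bookkeeping Jan mentions.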
