[mirror-admin] Outdated mirrors?

Wed Jul 16 15:19:16 EDT 2008

On Wed, Jul 16, 2008 at 01:36:49PM -0400, Brian Long wrote:
> Hello,
> I've been mirroring from
> rsync://archive.linux.duke.edu:874/fedora-enchilada/linux/ and I've just
> noticed their Fedora 9 i386 updates tree was last updated July 8.  This
> means we're now 8 days behind in updates.
> 
> When I rsync, I then run MirrorManager to check in.  I figured that if
> my private mirror was outdated, MirrorManager (and mirrorlist cgi) would
> drop my private mirror and people would get the latest updates from a
> public mirror.  This does not appear to be the case.

Thanks for bringing this to our attention.

> 1. Why is the Duke mirror lagging behind the Fedora master mirror?

A config change on the Duke mirror left the account running the
cronjobs unable to run cronjobs.  This has now been fixed.

Separately, the iBiblio mirror was also stale (since 9-July).  This
happened when the machine doing the downloads was rebooted during a
download run, leaving behind a stale lockfile that was not noticed as
being stale.  This has now been fixed too.

Both servers are presently resyncing.

> 2. How do I configure MirrorManager such that if my private mirror falls
> behind, clients automatically get the latest updates from a public
> mirror?

This came up as part of a security discussion about mirrors in general
recently.  We're formulating a plan to handle this, which will involve
several steps:

* use https to get the mirrorlist from mirrors.fp.o.
* make yum check https certs
* change the mirrorlist format to include info about recent repomd.xml
  files, including a hash and a timestamp.  If a mirror does not have
  a matching repomd.xml file, yum won't use it.  Recent will likely be
  7 days, but I'm open to options.  This solves the staleness problem.
* GPG-sign the repomd.xml file and check that in yum.  This solves the
  "is this a legit mirror" problem.

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

--