[mirror-admin] master server sync stats and recommendations

Axel Thimm Axel.Thimm at ATrpms.net
Thu Apr 23 06:54:01 EDT 2009


On Thu, Apr 23, 2009 at 06:34:39AM -0400, Simon Valiquette wrote:
>> If you can't make sure that the server has
>> always enough resources for all projects to do a push mirroring
>> simultaneously, then you get issues with traffic and high CPU loads.
>
>   When pushing other mirrors, if you push a high number of mirrors, it is
> quite easy not to send the PUSH signal to every mirror at the same time,
> or to push let's say 5 or 10 mirrors maximum at once if that is what your
> hardware/bandwidth allows you.

No, it's from the client perspective. As long as only one project like
Debian uses pushing it may not create peaks, but if you have a mirror
onto which you would allow Debian, Fedora, FreeBSD and so on to push
at random intervals, you can have the servers push simultaneously.

IOW push mirroring is not scaling beyond one or two projects, and most
probably Debian and Ubuntu are coordinating their push intervals to
avoid the above mentioned scenario.

>   Well, even with that, it couldn't compromise a mirror that properly
> tied the ssh key with a specific command as it should when using the push
> mechanism

You would have an important (or the most important) security layer
stripped off. Now the attacker just needs to find vulnerabilities in
your script. If it is written by every admin, he will surely find a
couple of mirrors to crack. If it is a central script he will even
have the source to check it for vulnerabilities.

> (at most, it could create unnecessary load on the server, but not
> DoS it if the script is properly implemented).

I wonder what is easier, have the simple polling method as Chris and I
outlined or writing security hardened scripts? Chris' method already
works with a couple of lines.
-- 
Axel.Thimm at ATrpms.net
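
The thread above debates an ssh key tied to a specific command and how carefully the receiving script must be written. The following is an added example, not code from this message or from any project named in it: a minimal forced-command handler that allowlists the request and caps concurrent pushes. The authorized_keys line, ALLOWED_PROJECTS, LOCK_DIR, MAX_PARALLEL and the function names are all hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical names throughout). Assumed authorized_keys entry,
# with placeholder path and key material:
#   command="/usr/local/bin/push-trigger",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <KEY> pusher
ALLOWED_PROJECTS="debian fedora freebsd"
LOCK_DIR="${LOCK_DIR:-/tmp/mirror-push-locks}"
MAX_PARALLEL="${MAX_PARALLEL:-2}"

# Accept the client-supplied string only if it equals an allowlisted project
# name. It is never evaluated, expanded or used to build a path directly;
# only the allowlist's own copy of the name is returned.
validate_project() {
    for p in $ALLOWED_PROJECTS; do
        [ "$1" = "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Per-project lock (atomic mkdir) plus a soft cap on how many projects may
# sync at once, for the case where several projects push simultaneously.
acquire_slot() {
    mkdir -p "$LOCK_DIR" || return 1
    running=$(($(ls -1 "$LOCK_DIR" | wc -l)))
    [ "$running" -lt "$MAX_PARALLEL" ] || return 2
    mkdir "$LOCK_DIR/$1.lock" 2>/dev/null || return 3
}

release_slot() { rmdir "$LOCK_DIR/$1.lock" 2>/dev/null || true; }

handle_push() {
    project=$(validate_project "$1") || { echo "rejected"; return 1; }
    acquire_slot "$project" || { echo "busy"; return 1; }
    # Placeholder for the real sync: a fixed, per-project command line.
    echo "sync $project"
    release_slot "$project"
}

# Under sshd with a forced command, the client's request is only visible here.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    handle_push "$SSH_ORIGINAL_COMMAND"
fi
```
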