This is a caching proxy, based on apt-cacher-ng.
Config files are included, which will work out of the box for Debian, Ubuntu, Arch, and Fedora.
The cache and log directories are bind-mounted in /rw in the cacher qube.

Copy directory to /srv/salt, then run:
qubesctl state.apply cacher.create
qubesctl --skip-dom0 --targets=template-cacher state.apply cacher.install
qubesctl --skip-dom0 --targets=cacher state.apply cacher.configure

To automatically use the proxy, run:
qubesctl state.apply cacher.use
This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy by default.

apt-cacher-ng will cache HTTPS requests if you change https:// to http://HTTPS/// in repo source lists.
To configure the templates to use the proxy in this way, run:
qubesctl --skip-dom0 --targets=Templates state.apply cacher.change_templates
Or target individual templates, as you wish.

N.B.
apt-cacher-ng works well for Debian, Ubuntu, and Arch.
It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.

Using apt-cacher-ng as caching proxy.

1. INSTALL AND CONFIGURE
apt-get install apt-cacher-ng, and mask in the template.
systemctl mask apt-cacher-ng

Create qube and give it plenty of space.

In caching qube, use bind-dirs:
binds+=( '/var/cache/apt-cacher-ng' )
binds+=( '/var/log/apt-cacher-ng' )
binds+=( '/etc/apt-cacher-ng' )

Use /rw/config/rc.local to start the apt-cacher-ng service:
systemctl unmask apt-cacher-ng
systemctl start apt-cacher-ng
/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT

Edit /etc/apt-cacher-ng/acng.conf:
Port:8082

Restart service.

Set this as updateProxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy

Debian templates will use this for updates with no further configuration.


2. FEDORA SUPPORT for build machines.
There is a mirrors list in /usr/lib/apt-cacher-ng/
Copy fedora_mirrors to /etc/apt-cacher-ng

Edit /etc/apt-cacher-ng/acng.conf:
Remap-fedora: file:fedora_mirrors

If requests fail because the file type is not allowed, create a pattern for
volatile data:
VfilePatternEx: .*metalink\?repo=fedora.*


3. TLS SUPPORT:
Two methods:
a.
Create new file in /etc/apt-cacher-ng/backends_qubes:
https://yum.qubes-os.org/

Edit /etc/apt-cacher-ng/acng.conf:
Remap-qubes: http://fake.qubes ; file:backends_qubes

Then in /etc/yum.repos.d, change the repository URL to
http://fake.qubes/......

Now the qube will use HTTP to the proxy which will use TLS to pick up the
packages and cache any responses.

b.
Change the repository definition FROM:
https://yum.qubes-os.org/
TO:
http://HTTPS///yum.qubes-os.org/

Without any other changes to the apt-cacher configuration the qube will
use HTTP to the proxy which will use TLS to pick up the packages and
cache any responses.

This is the recommended approach.
Salt states, change_templates.sls, and restore_templates.sls, are provided to configure templates to use this scheme.
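
The rewrite described in method b, and its reversal, as an added shell example. This is not the project's change_templates.sls or restore_templates.sls; the function names and the sample repository lines are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not the project's Salt states.

# https://host/path -> http://HTTPS///host/path. Idempotent: a rewritten
# line no longer contains "https://", so a second pass changes nothing.
to_cacher() { sed -e 's|https://|http://HTTPS///|g'; }

# Reverse mapping, for restoring direct access to the repositories.
from_cacher() { sed -e 's|http://HTTPS///|https://|g'; }

# Apply a filter function ($1) to a file ($2) in place. Writing through
# "cat >" keeps the file's owner and mode. A .orig backup is made once only,
# so it always holds the definition from before the first rewrite.
apply_to_file() {
    filter=$1 f=$2
    [ -f "$f" ] || return 1
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    tmp=$(mktemp) || return 1
    if "$filter" < "$f" > "$tmp"; then
        cat "$tmp" > "$f"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on constructed repo definitions (paths after the host are made up).
# Plain http:// entries pass through untouched.
to_cacher <<'EOF'
baseurl = https://yum.qubes-os.org/example/path
deb [arch=amd64] https://deb.example.org/debian stable main
deb http://deb.example.org/debian stable main
EOF
```

Run inside a template as, for instance, apply_to_file to_cacher on each repository file, and apply_to_file from_cacher to undo it.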