shaker/cacher/README

91 lines
2.9 KiB
Plaintext
Raw Normal View History

This is a caching proxy, based on apt-cacher-ng.
2019-08-05 07:18:03 -04:00
Config files are included, which will work out of the box for Debian,Ubuntu,Arch, and Fedora.
2019-08-05 07:18:03 -04:00
The cache and log directories are bind-mounted in /rw in the cacher qube.
Copy directory to /srv/salt, then run:
2022-05-15 10:36:33 -04:00
qubesctl state.apply cacher.create
qubesctl --skip-dom0 --targets=template-cacher state.apply cacher.install
2019-08-05 07:18:03 -04:00
qubesctl --skip-dom0 --targets=cacher state.apply cacher.configure
To automatically use the proxy run:
qubesctl state.apply cacher.use
2022-05-15 10:36:33 -04:00
This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy be default.
apt-cacher-ng will cache HTTPS requests if you change https:// to http://HTTPS/// in repo source lists.
To configure the templates to use the proxy in this way, run:
qubesctl --skip-dom0 --targets=Templates state.apply cacher.change_templates.sls
Or target individual templates, as you wish.
2019-08-05 07:18:03 -04:00
N.B
apt-cacher-ng works well for Debian,Ubuntu,and Arch.
It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.
Using apt-cacher-ng as caching proxy.
1. INSTALL AND CONFIGURE
apt-get install apt-cacher-ng, and mask in the template.
systemctl mask apt-cacher-ng
Create qube and give it plenty of space.
In caching qube, use bind-dirs:
binds+=( '/var/cache/apt-cacher-ng' )
binds+=( '/var/log/apt-cacher-ng' )
binds+=( '/etc/apt-cacher-ng' )
Use /rw/config/rc.local to start the apt-cacher-ng service:
systemctl unmask apt-cacher-ng
systemctl start apt-cacher-ng
/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT
Edit /etc/apt-cacher-ng/acng.conf:
Port:8082
Restart service.
Set this as updateProxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy
Debian templates will use this for updates with no further configuration.
2. FEDORA SUPPORT for build machines.
There is a mirrors list in /usr/lib/apt-cacher-ng/
Copy fedora_mirrors to /etc/apt-cacher-ng
Edit /etc/apt-cacher-ng/acng.conf:
Remap-fedora: file:fedora_mirrors
If requests fail because the file type is not allowed, create a pattern for
volatile data:
VfilePatternEx: .*metalink?repo=fedora*
3. TLS SUPPORT:
Two methods:
a.
Create new file in /etc/apt-cacher-ng/backends_qubes:
https://yum.qubes-os.org/
Edit /etc/apt-cacher-ng/acng.conf:
Remap-qubes: http://fake.qubes ; file:backends_qubes
Then in /etc/yum/yum.repos.d, change the repository URL to
http://fake.qubes/......
Now the qube will use HTTP to the proxy which will use TLS to pick up the
packages and cache any responses.
b.
Change the repository definition FROM:
https://yum.qubes-os.org/
TO:
http://HTTPS///yum.qubes-os.org/
Without any other changes to the apt-cacher configuration the qube will
use HTTP to the proxy which will use TLS to pick up the packages and
cache any responses.
This is the recommended approach.
Salt states, change_templates.sls, and restore_templates.sls, are provided to configure templates to use this scheme.