Salt - caching proxy - fix whitespace in baseurl definition.

Closes #8
This commit is contained in:
NAME 2022-08-19 10:47:13 +00:00
parent 147c07e735
commit 3f59aacbad
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
3 changed files with 27 additions and 73 deletions

View File

@ -10,81 +10,23 @@ qubesctl --skip-dom0 --targets=cacher state.apply cacher.configure
To automatically use the proxy run:
qubesctl state.apply cacher.use
This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy be default.
This will configure /etc/qubes/policy.d/30-user.policy to use the caching proxy by default.
apt-cacher-ng will cache HTTPS requests if you change https:// to http://HTTPS/// in repo source lists.
To configure the templates to use the proxy in this way, run:
qubesctl --skip-dom0 --targets=Templates state.apply cacher.change_templates.sls
Or target individual templates, as you wish.
To configure all templates to use the proxy in this way, run:
qubesctl --skip-dom0 --templates state.apply cacher.change_templates
Or target individual templates, as you wish:
qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2 state.apply cacher.change_templates
N.B
apt-cacher-ng works well for Debian,Ubuntu,and Arch.
It works reasonably well for Fedora, but may require tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.
It works reasonably well for Fedora, but may require further tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.
Using apt-cacher-ng as caching proxy.
To restore a template to the default state, a state is provided, restore_templates.sls.
Apply it like this:
qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2 state.apply cacher.restore_templates
1. INSTALL AND CONFIGURE
apt-get install apt-cacher-ng, and mask in the template.
systemctl mask apt-cacher-ng
Create qube and give it plenty of space.
In caching qube, use bind-dirs:
binds+=( '/var/cache/apt-cacher-ng' )
binds+=( '/var/log/apt-cacher-ng' )
binds+=( '/etc/apt-cacher-ng' )
Use /rw/config/rc.local to start the apt-cacher-ng service:
systemctl unmask apt-cacher-ng
systemctl start apt-cacher-ng
/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT
Edit /etc/apt-cacher-ng/acng.conf:
Port:8082
Restart service.
Set this as updateProxy in /etc/qubes-rpc/policy/qubes.UpdatesProxy
Debian templates will use this for updates with no further configuration.
The qrexec policy file at /etc/qubes/policy.d/30-user.policy should be edited so that these templates use the default system proxy.
2. FEDORA SUPPORT for build machines.
There is a mirrors list in /usr/lib/apt-cacher-ng/
Copy fedora_mirrors to /etc/apt-cacher-ng
Edit /etc/apt-cacher-ng/acng.conf:
Remap-fedora: file:fedora_mirrors
If requests fail because the file type is not allowed, create a pattern for
volatile data:
VfilePatternEx: .*metalink?repo=fedora*
3. TLS SUPPORT:
Two methods:
a.
Create new file in /etc/apt-cacher-ng/backends_qubes:
https://yum.qubes-os.org/
Edit /etc/apt-cacher-ng/acng.conf:
Remap-qubes: http://fake.qubes ; file:backends_qubes
Then in /etc/yum/yum.repos.d, change the repository URL to
http://fake.qubes/......
Now the qube will use HTTP to the proxy which will use TLS to pick up the
packages and cache any responses.
b.
Change the repository definition FROM:
https://yum.qubes-os.org/
TO:
http://HTTPS///yum.qubes-os.org/
Without any other changes to the apt-cacher configuration the qube will
use HTTP to the proxy which will use TLS to pick up the packages and
cache any responses.
This is the recommended approach.
Salt states, change_templates.sls, and restore_templates.sls, are provided to configure templates to use this scheme.
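Review bot: section 3.b should spell out the trust consequence of the `http://HTTPS///` rewrite: the template's apt/dnf then speaks plain HTTP to the proxy and only apt-cacher-ng validates the upstream certificate, so package integrity inside the template rests entirely on repository signature checks (apt Release signatures, rpm `gpgcheck=1`); say explicitly that `[trusted=yes]` or `gpgcheck=0` must not be combined with this scheme. The hunk also names two different policy locations, `/etc/qubes-rpc/policy/qubes.UpdatesProxy` in step 1 and `/etc/qubes/policy.d/30-user.policy` in the `cacher.use` paragraph and at the end of step 1; state which one the `cacher.use` state actually writes and mark the other as the legacy path. Lastly, the rc.local line `/sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT` opens the cache port to any qube that can reach the cacher over the network; if it is only needed for clients that do not go through the UpdatesProxy policy, say so in the README, otherwise drop it or restrict it to the intended source addresses.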

View File

@ -10,6 +10,8 @@
- pattern: 'https://'
- repl: 'http://HTTPS///'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% endfor %}
/etc/apt/sources.list:
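Review bot: `backup: False`, the addition in this hunk, removes the `.bak` copy that file.replace would otherwise leave beside each file in /etc/apt/sources.list.d, so the only way back is the regex inverse in restore_templates; that is acceptable given that state exists, but the README should say the rewrite is applied in place with no backup. Note also that the pattern `https://` is applied to the whole file, so commented-out entries in those lists are rewritten as well.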
@ -18,6 +20,7 @@
- pattern: 'https:'
- repl: 'http://HTTPS/'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% elif grains['os_family']|lower == 'arch' %}
pacman:
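Review bot: this hunk uses the pattern `https:` and repl `http://HTTPS/` while the sources.list.d hunk above uses `https://` and `http://HTTPS///`; both produce the same `http://HTTPS///host` result, but using one form in both places (and in restore_templates) makes the inverse easier to audit.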
@ -28,21 +31,24 @@
- pattern: 'https:'
- repl: 'http://HTTPS/'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% elif grains['os_family']|lower == 'redhat' %}
{% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') %}
{{ repo }}_baseurl:
file.replace:
- name: {{ repo }}
- pattern: 'baseurl=https://'
- repl: 'baseurl=http://HTTPS///'
- pattern: 'baseurl(.*)https://'
- repl: 'baseurl\1http://HTTPS///'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{{ repo }}_metalink:
file.replace:
- name: {{ repo }}
- pattern: 'metalink=https://(.*)basearch'
- repl: 'metalink=http://HTTPS///\1basearch&protocol=http'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% endfor %}
{% endif %}
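Review bot: `baseurl(.*)https://` is wider than the whitespace fix needs, and because `(.*)` is greedy it rewrites the last `https://` on the line rather than the first, so a `baseurl=https://a https://b` line (yum and dnf accept several space-separated URLs) would leave `a` untouched. Anchor the capture to the separator instead: pattern `(baseurl\s*=\s*)https://`, repl `\1http://HTTPS///`. The `{{ repo }}_metalink` rule just below is still spacing-strict (`metalink=https://`) while the baseurl rule now tolerates `baseurl = `; give it the same `metalink\s*=\s*` treatment so a repo file with spaces around `=` is rewritten consistently, otherwise such a file ends up with its baseurl proxied and its metalink still going direct.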

View File

@ -11,6 +11,7 @@
- pattern: 'http://HTTPS/'
- repl: 'https:'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% endfor %}
/etc/apt/sources.list:
@ -19,6 +20,7 @@
- pattern: 'http://HTTPS/'
- repl: 'https:'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% elif grains['os_family']|lower == 'arch' %}
pacman:
@ -29,6 +31,7 @@
- pattern: 'http://HTTPS///'
- repl: 'https://'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% elif grains['os_family']|lower == 'redhat' %}
@ -36,15 +39,18 @@
{{ repo }}_baseurl:
file.replace:
- name: {{ repo }}
- pattern: 'http://HTTPS/'
- repl: 'https:'
- pattern: 'baseurl(.*)http://HTTPS/'
- repl: 'baseurl\1https:'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{{ repo }}_metalink:
file.replace:
- name: {{ repo }}
- pattern: 'metalink=http://HTTPS///(.*)basearch&protocol=http'
- repl: 'metalink=https://\1basearch'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% endfor %}
{% endif %}
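Review bot: mirror the anchoring here: `baseurl(.*)http://HTTPS/` with greedy `(.*)` restores only the last occurrence on a line with several space-separated URLs, and `metalink=http://HTTPS///` is again spacing-strict while the baseurl rule is not. Suggest `(baseurl\s*=\s*)http://HTTPS///` with repl `\1https://`, and `(metalink\s*=\s*)http://HTTPS///(.*)basearch&protocol=http` with repl `\1https://\2basearch`. Worth a round-trip check before merging: apply change_templates and then restore_templates to a copy of a fedora .repo file and diff it against the original; the current pairs are exact inverses for single-URL lines, and the check will show whether the multi-URL and `baseurl = ` cases survive as well.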