Hosting an Internal Cumulus Linux Repository


Many organizations forbid directly connecting network infrastructure to the Internet, due to security or other management requirements. For these or other reasons, you may need to host your Cumulus Linux repository internally in your infrastructure. 

Cumulus Linux is a derivative of Debian. All applications pre-installed in Cumulus Linux are packaged as Debian .deb software packages. apt-get is the standard utility for installing, upgrading, or downgrading these packages. Cumulus Linux ships preconfigured to use repositories hosted by Cumulus Networks.

In this situation, two suggested alternatives exist to preserve the use of apt-get:

  • Utilizing an HTTP proxy such as Squid or Blue Coat. In this scenario, actions are relayed through a trusted host onto Internet-facing servers. 
  • Hosting an apt-compatible mirror within your environment. This option has several advantages: deployments and upgrades are faster due to local caching, and switches configured to use the local mirror do not require external Internet connectivity.

Note: For more information on setting up a Debian repository, see wiki.debian.org/HowToSetupADebianRepository.


Configuring the Proxy Server

The first approach is to configure the proxy server directly on the switches.

To enable the proxy, add the following line to the /etc/apt/apt.conf file. This example assumes the proxy's hostname is proxy.example.com and that it listens on port 3128.

Acquire::http::Proxy "http://proxy.example.com:3128/";

Configuring an Internal apt Mirror

An internal apt mirror has a variety of uses:

  • Quicker deployment of switches
  • Caching of packages due to unreliable or slow Internet access
  • Offline demos of switch features and packages (for trade shows or traveling in an airplane, for example)
  • For switches that don't have routed/NAT'd Internet access


Configuring the Mirror Server

This example uses a virtual machine called mirror01 running Debian. Ubuntu also works fine for the server OS.

Install apt-mirror and Apache:

root@mirror01:~# apt-get update
root@mirror01:~# apt-get upgrade
root@mirror01:~# apt-get install apt-mirror apache2

Edit /etc/apt/mirror.list to set the architecture and upstream repository URLs:

############# config ##################
#
# set base_path /var/spool/apt-mirror
#
# set mirror_path $base_path/mirror
# set skel_path $base_path/skel
# set var_path $base_path/var
# set cleanscript $var_path/clean.sh
set defaultarch powerpc
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads 20
set _tilde 0
#
############# end config ##############
deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3 cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3 cumulus upstream

deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-security-updates cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-security-updates cumulus upstream

deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-updates cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-updates cumulus upstream

#deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-early-access cumulus
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-early-access cumulus

Sync the repository manually:

root@mirror01:~# apt-mirror
root@mirror01:~# du -hs /var/spool/apt-mirror
383M /var/spool/apt-mirror 
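
After a sync, the mirrored index files can be checked against the SHA256 list in each suite's Release file before switches are pointed at the mirror. The script below is an added example, not part of the original article; the function names and the sample directory are constructed for illustration, and it does not verify the Release file's signature.

```shell
#!/bin/sh
# Added example (not from the original article): compare mirrored index files
# with the SHA256 section of a suite's Release file.

# Print "OK <path>" or "MISMATCH <path>" for each listed file present on disk.
verify_release() {
    dist_dir=$1
    # SHA256 entries are indented lines of the form " <hash> <size> <path>".
    awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0} s {print $1, $3}' \
        "$dist_dir/Release" |
    while read -r want path; do
        # apt-mirror only fetches the configured architectures, so files
        # listed in Release but absent locally are skipped, not failed.
        [ -f "$dist_dir/$path" ] || continue
        got=$(sha256sum "$dist_dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK $path"; else echo "MISMATCH $path"; fi
    done
}

# Succeed only if at least one file was checked and none mismatched.
mirror_is_clean() {
    report=$(verify_release "$1")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISMATCH' &&
        printf '%s\n' "$report" | grep -q '^OK'
}

# Build a tiny constructed suite directory so the check can be tried offline.
make_sample_dist() {
    d=$(mktemp -d)
    mkdir -p "$d/cumulus/binary-powerpc"
    printf 'Package: example\nVersion: 1.0\n' > "$d/cumulus/binary-powerpc/Packages"
    f=cumulus/binary-powerpc/Packages
    {
        echo "Suite: CumulusLinux-3"
        echo "SHA256:"
        echo " $(sha256sum "$d/$f" | cut -d' ' -f1) $(wc -c < "$d/$f" | tr -d ' ') $f"
        echo " $(printf x | sha256sum | cut -d' ' -f1) 1 cumulus/binary-amd64/Packages"
    } > "$d/Release"
    echo "$d"
}

sample=$(make_sample_dist)
mirror_is_clean "$sample" && echo "sample mirror consistent"
echo "tampered" >> "$sample/cumulus/binary-powerpc/Packages"   # simulate corruption
mirror_is_clean "$sample" || echo "sample mirror FAILED verification"
rm -rf "$sample"
```

On the mirror server, call mirror_is_clean with a suite directory under the mirror's dists/ tree (for example, the CumulusLinux-3 suite) in place of the constructed sample.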

If the mirror server is located behind a proxy server, additional configuration is required.

Configuring apt-mirror Using an Unauthenticated/Anonymous Proxy

apt-mirror uses the same proxy configuration as apt. If, during the Debian installation, you specified a proxy server, it should already be written to the configuration. If it is not, edit /etc/apt/apt.conf and specify the proxy server:

Acquire::http::Proxy "http://proxy.example.com:3128/";

When apt-mirror runs as the apt-mirror user, you must also add the following variable to /etc/environment:

http_proxy="http://proxy.example.com:3128/"

This configuration doesn't use any authentication. The proxy might be configured with the IP address of the internal mirror server whitelisted, or with *.cumulusnetworks / repo3.cumulusnetworks.com added to its unauthenticated domain/hostname whitelists.

Configuring apt-mirror Using an Authenticated Proxy

If the internal proxy requires authentication, the username and password can be specified as part of the URL:

Acquire::http::Proxy "http://username:password@proxy.example.com:3128/";

Configuring the Web Server

To serve the mirrored packages up to a switch running Cumulus Linux, a Web server is required. You can configure Apache by editing httpd.conf:

Alias /dists/ /var/spool/apt-mirror/mirror/repo3.cumulusnetworks.com/dists/
Alias /pool/ /var/spool/apt-mirror/mirror/repo3.cumulusnetworks.com/pool/

<Directory /var/spool/apt-mirror/mirror/repo3.cumulusnetworks.com/dists>
  AllowOverride None
  # Apache 2.4 rejects an Options line that mixes prefixed and unprefixed values
  Options -MultiViews +FollowSymLinks +Indexes
  Order allow,deny
  Allow from all
</Directory>
<Directory /var/spool/apt-mirror/mirror/repo3.cumulusnetworks.com/pool>
  AllowOverride None
  # Apache 2.4 rejects an Options line that mixes prefixed and unprefixed values
  Options -MultiViews +FollowSymLinks +Indexes
  Order allow,deny
  Allow from all
</Directory>

Automating Mirror Sync

Edit /etc/cron.d/apt-mirror, and uncomment the last line:

# Regular cron jobs for the apt-mirror package
#
0 4 * * * apt-mirror /usr/bin/apt-mirror > /var/spool/apt-mirror/var/cron.log

Changing the Repository Used by the Switches

In Cumulus Linux, the hostname of the public repository is repo3.cumulusnetworks.com. You can edit /etc/apt/sources.list to point at the hostname of the internal apt mirror. This example uses mirror01.example.com.

After updating the repository name, you should update the list of available packages:

cumulus@switch:~$ sudo apt-get update

Manually Changing the Repository

Edit /etc/apt/sources.list and replace repo3.cumulusnetworks.com/repo with mirror01.example.com.

Here are the original contents of sources.list:

cumulus@switch:~$ cat /etc/apt/sources.list
deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3 cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3 cumulus upstream

deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-security-updates cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-security-updates cumulus upstream

deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-updates cumulus upstream
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-updates cumulus upstream

#deb http://repo3.cumulusnetworks.com/repo CumulusLinux-3-early-access cumulus
#deb-src http://repo3.cumulusnetworks.com/repo CumulusLinux-3-early-access cumulus

Here's the modified version referencing the custom repository:

cumulus@switch:~$ cat /etc/apt/sources.list
deb http://mirror01.example.com CumulusLinux-3 cumulus upstream
#deb-src http://mirror01.example.com CumulusLinux-3 cumulus upstream

deb http://mirror01.example.com CumulusLinux-3-security-updates cumulus upstream
#deb-src http://mirror01.example.com CumulusLinux-3-security-updates cumulus upstream

deb http://mirror01.example.com CumulusLinux-3-updates cumulus upstream
#deb-src http://mirror01.example.com CumulusLinux-3-updates cumulus upstream

#deb http://mirror01.example.com CumulusLinux-3-early-access cumulus
#deb-src http://mirror01.example.com CumulusLinux-3-early-access cumulus

Automatically Changing the Repository

Changing the repository hostname can be easily automated as part of an autoprovisioning script. Add the following at the start of the script:

#!/bin/bash
# Point every repo3.cumulusnetworks.com/repo entry at the internal mirror
sed -i -e 's|repo3\.cumulusnetworks\.com/repo|mirror01.example.com|' /etc/apt/sources.list
apt-get update -y