Re: Managing fedora installations behind firewall



On Wed, 2011-03-23 at 10:35 +0100, andreas palsson wrote:
> Due to security, none of these machines have access to Internet.
> Now to the question; how to keep all those machines up to date with
> the latest packages?
> First, I imagine I have to set up a complete package repository.
> Using the contents of the Fedora DVD should be sufficient?

Not really.  The DVD only has a small amount of the packages that are
available.  The repos have many more packages than would fit on a DVD.
And this would only be useful for an initial install, not updates.

> Next, since the server is not connected to Internet either..
> How do I keep the repository manually updated and synchronized with
> the official mirrors?

At least one machine, somewhere, has access to the internet, so it can
get updates.  If all the machines have the same packages installed, this
is fairly simple (you keep it up to date, and test that it doesn't
suddenly stop working, then you use its downloaded files to update the
rest of your computers).  If the machines have different packages, then
the simple solution is to use a simple HTTP caching proxy to access just
one repo mirror, and have all your machines request packages through it.

Your server doesn't have to be the machine doing this.  If you're
isolating your network from the internet, it makes sense to have one
machine that can connect to the internet, that's at arm's length from
the rest of your network.  Only having the minimum of possible
communication between either side.

> Last, how can I make a package which users can simply install to point
> their machines to update from the above mentioned server only, and
> remove the other install sources?

I haven't kept up to date with the current systems, but the yum repo
files were set up by the various *release* packages.  If you make your
own release package(s), which sets up the repo files with your local
mirror as the YUM package installing and updating server addresses, that
should configure the clients for you.  Have a look at what owns the
various files inside:  /etc/yum.repo

i.e. rpm -qf /etc/yum.repos.d/*

Since you haven't defined what you mean by "due to security" you're only
going to get vague advice, or a plethora of answers which you can't
actually implement.  Some might be concerned about your clients being
able to make unauthorised connections to the internet, others about
random outsiders connecting to your network, still others about problem
update packages that leave a machine in a non-working state, and there's
a plethora of different security concerns.  You've given no clues.

If you're not going to give more information, you're going to have to do
more research, yourself.  Look into setting up local repo mirrors.

[[email protected] ~]$ uname -r

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
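
One way to check a client after a custom release package has replaced its repo files, as an added example that is not part of the original message: the function name `audit_repos`, the host `mirror.example.lan` and the sample repo contents are constructed for illustration, and requiring an explicit `gpgcheck=1` in every section is this example's own strict rule.

```shell
#!/bin/sh
# audit_repos DIR HOST: list enabled repo sections in DIR/*.repo that fetch
# from anywhere but HOST, or that lack an explicit gpgcheck=1 (a deliberately
# strict rule for this example). Returns 0 clean, 1 findings, 2 read error.
audit_repos() {
    findings=$(awk -v host="$2" '
        function check(list,    u, n, i, p, h) {
            n = split(list, u, " ")              # one or more URLs per line
            for (i = 1; i <= n; i++) {           # scheme://host[:port]/path
                split(u[i], p, "/"); h = p[3]; sub(/:.*$/, "", h)
                if (h != host) bad = bad " " u[i]
            }
        }
        function flush() {                       # report and reset per section
            if (sec != "" && enabled) {
                if (bad != "") printf "%s [%s] non-local source:%s\n", file, sec, bad
                if (!gpg) printf "%s [%s] gpgcheck not enabled\n", file, sec
            }
            sec = ""; bad = ""; enabled = 1; gpg = 0; inurl = 0
        }
        FNR == 1 { flush() }
        /^[ \t]*([#;]|$)/ { next }               # comments and blank lines
        /^\[/ { flush(); sec = substr($0, 2, index($0, "]") - 2); file = FILENAME; next }
        /^[ \t]/ { if (inurl) check($0); next }  # continuation of a URL list
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            inurl = (key == "baseurl" || key == "mirrorlist" || key == "metalink")
            if (inurl) check(val)
            else if (key == "enabled") enabled = (val != "0")
            else if (key == "gpgcheck") gpg = (val == "1")
        }
        END { flush() }
    ' "$1"/*.repo) || return 2
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"
    return 1
}

# Constructed sample: one stock-style repo left behind, one internal repo.
demo=$(mktemp -d)
printf '%s\n' '[fedora]' 'mirrorlist=https://mirrors.example.org/list?repo=fedora' \
    'gpgcheck=1' > "$demo/fedora.repo"
printf '%s\n' '[internal]' 'baseurl=http://mirror.example.lan/fedora/' \
    '        http://10.0.0.5/fedora/' 'gpgcheck=0' > "$demo/internal.repo"
audit_repos "$demo" mirror.example.lan || true
rm -rf "$demo"
```

On a real client the call would be `audit_repos /etc/yum.repos.d <your mirror host>`, and a non-zero exit can gate a configuration-management run.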
