[RndTbl] squid caching of Windblows Updates

Trevor Cordes trevor at tecnopolis.ca
Thu Apr 15 12:20:30 CDT 2010


On 2010-04-15 Mike Pfaiffer wrote:
> 	In addition to the Windows updates we also have firewall,
> anti-virus, and anti-spyware. We also install a ZIP package. It used

To save yourself time, you should do as someone mentioned and
slipstream at minimum SP3 into your XP install CD.  This sounds
daunting, but I will give you my cheatsheet and you can do it in 1 page
of commands without any thinking:

(install packages first: wine, convmv, cabextract; and find the
script on the net called geteltorito, or ask me for it)

tcsh
set workdir=/tmp/Slip
set  spfile="/tmp/WinXP_SP3.exe"
set   spdir=$workdir/sp
set   indir=$workdir/new
set   cdrom=/dev/sr0
set   cdmnt=/media/cdrecorder

mkdir $workdir
cd $workdir

cabextract -d $spdir "$spfile"

mkdir $indir

mount $cdrom $cdmnt

cp -r $cdmnt/* $indir
chmod -R 777 $indir

wine $spdir/i386/update/update.exe -s:$indir

convmv -r --upper --notest $indir/*

geteltorito $cdrom > $indir/boot.bin

find $indir -print0 | xargs -0 touch -t 200804140000

umount $cdmnt
eject $cdrom

cd $indir
mkisofs -b boot.bin -hide boot.bin -hide boot.catalog -no-emul-boot \
-boot-load-size 4 -iso-level 4 -relaxed-filenames -D -V GRTMPVOL_EN -o \
$workdir/iso .

cdrecord dev=$cdrom $workdir/iso
eject $cdrom
rm $workdir/iso

============

Doing the above (on linux) never ceases to amaze me (I've never used
wine before).

> 	The thing is we are "lightweights" when it comes to how to
> install this sort of thing. The reason I suggested Ubuntu server is

Nothing wrong with Ubuntu at all, just use what you're fastest with
configuring, that's what I say.  You get used to a distro's way of
doing things (mostly file system layout and /etc arrangement), and for
me that's RedHat 6 (c 1999) or so :-)

> 	We don't control the AC Router. We can put in requests but
> they are having problems with Barracuda at the moment so it will be

If you don't control the router then probably best to do the
router-behind-router idea you outlined, just make sure to pick a
different local subnet IP range!

> 	My thoughts are if we can make the whole process transparent
> to the machines being installed/repaired it would save us a bunch of
> time. To do this I figured we'd need a router between the incoming
> connection and the hub. OTOH, if the machine were on the other side
> of the hub we'd end up having to configure the machines and restore
> them when we were done.

For easiest transparency (no settings to be made on client), you want
the wpad to work, which means you must control your DNS, web and squid
server.  If you can live with a 60sec tweak on every client (setting
proxy manually) then you can do away with DNS and web and just set up a
squid server that can be in your existing subnet (no need for another
router).

> 	This is what *I* think we'll have to do...
> AC Router <--> CLL Router/Squid <--> CLL Hub <--> Various machines

As above, best/transparent solution but a fair bit harder to initially
implement.

> 	I don't know enough about Squid to know if we can get rid of
> the router part of the machine then have it sit between the AC Router
> and our machines. Our machines are generally set up for DHCP so my
> concern would be where we get the IPs from.

If you did squid but no DNS/web then the squid server would just be
another peer on the LAN, just another box off the main switch.  Ideally
you'd want to assign it a static IP.

> out M$ machines the clients are mostly ignored. It would be very hard
> to justify coming up with money to pay someone to install it for us
> (I don't get paid and I'm the senior volunteer - I don't think the
> supervisor gets paid either). I think I could persuade them to buy
> you a lunch at Subway though... :-)

I hear ya.  I'm a bit over-subscribed for work, but I could possibly
squeeze in some moments here and there if you can arrange remote ssh
access from my IP.  Going onsite would be a royal pain given my schedule
though.  The roundtable (incl myself) is also here to help out with
questions.

If you've never done any BIND config before, that will probably be the
biggest challenge for you.  The apache stuff should be fairly easy and
the squid stuff extremely easy with my conf file.
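
An added example, not part of the original message or Trevor's own config: a minimal wpad.dat (proxy auto-config file) of the kind the WPAD setup described above would serve from the web server at http://wpad.<your-domain>/wpad.dat. The squid address 192.168.50.2:3128 and the 192.168.50.0/24 LAN range are assumed values; the helpers avoid PAC built-ins so the file can also be tested under Node.

```javascript
// wpad.dat -- constructed example; every address below is an assumption.
// A client that resolves "wpad" in its DNS domain fetches this file and
// calls FindProxyForURL(url, host) for each request it makes.

var SQUID = "PROXY 192.168.50.2:3128";  // assumed static IP of the squid box, squid's default port
var LAN_PREFIX = "192.168.50.";         // assumed local subnet (a /24)

// True only for a dotted-quad IPv4 literal with every octet <= 255.
function isIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return true;
}

// Destinations that should never be sent through the cache.
function isLocal(host) {
  if (host.indexOf(".") === -1) return true;  // bare names: "fileserver", "localhost"
  if (!isIPv4(host)) return false;            // a name that merely starts with the prefix is not local
  return host.indexOf("127.") === 0 || host.indexOf(LAN_PREFIX) === 0;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocal(host)) return "DIRECT";
  // Squid caches plain HTTP; HTTPS would only be tunnelled, so skip the proxy.
  if (url.substring(0, 5).toLowerCase() === "http:") {
    // Listing DIRECT second keeps clients working if the squid box is down.
    return SQUID + "; DIRECT";
  }
  return "DIRECT";
}
```

The web server should send this file with the MIME type application/x-ns-proxy-autoconfig.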

