[RndTbl] muug.ca debian mirror 403'ing

Wyatt Zacharias wyatt at magitech.ca
Tue Oct 4 12:19:07 CDT 2016


I switched the debian sync over to their main US site (ftp.us.debian.org).
Hopefully we don't get the same issues from the US country mirrors. I don't
know which is worse, using the round-robin country address, or a specific
mirror out of the country list. On the one hand you might get a bad mirror
in the list every once in a while. On the other hand, if you pick a
single mirror that becomes unreliable, then you have constant problems and
you're constantly reconfiguring to swap mirrors.

One of the most annoying things to deal with when running an independent
mirror is distros that want like 5 levels of mirror tiering and won't give
out master access to more than one or two country mirrors. There's
virtually no accountability on these country mirrors to provide reliable
service, and at the same time any offer of an additional country mirror is
generally scoffed at because "the current ones are good enough" even when
you're able to provide more space, and more bandwidth. Oh and don't get me
started on push mirroring...

I also resumed syncing of debian-archive and debian-backports, which are
also switched to the US country mirrors now.

--
Wyatt Zacharias


On Wed, Sep 28, 2016 at 5:53 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> On 2016-09-23 Theodore Baschak wrote:
> > Looks like this happened again, it must be an upstream permissions
> > error that's being propagated thru the mirroring process.
>
> OK, I spent a few minutes and whipped up a perl script (kludge) that
> should solve this problem until upstream mirrors get fixed.  Using
> inotify I watch for a perm change, check if the perms are not at least
> 755 and if not I chmod 755.  Using inotify should result in basically
> zero overhead (no polling, no cron-ing, etc).
>
> I also put in a systemd wrapper I like to use that allows me to capture
> all stdout/err to a central log file without having to program it in
> each script.  Not sure if systemd finally fixed this shortcoming, but
> at last check (maybe 1-2 years ago) they hadn't.  (Did I mention I hate
> systemd yet?)  Systemd unit is muug-debian-mirror-dir-perm-kludge.
>
> So this little script should restart on every reboot.
>
> It's logging all action to /var/log/debian-mirror-dir-perm-kludge.log
> so we can ensure it's not going wonky and/or pinpoint what rsync run /
> mirror is screwing it up by comparing times.
>
> You can easily test with (root)  chmod g-r /ARRAY/mirror/debian
> then  cat /var/log/debian-mirror-dir-perm-kludge.log
> then  ll -d /ARRAY/mirror/debian
>
> Note, I suppose there is a possibility that rsync could do something
> mental like recheck the perm immediately or fight with my script in
> some way.  That should show up in the logs.  Perhaps a short (5s?) delay
> in my script before chmod might alleviate any issue.  We'll see if it's
> required.
>
> The script could easily be expanded to watch all mirror dirs, but
> probably best to only use on an as-needed basis.  I was cautious about
> security but anything like this just adds complexity and thus decreases
> security.
>
>
> #cat /usr/local/sbin/debian-mirror-dir-perm-kludge
> #!/usr/bin/perl -w
>
> $naughtydir='/ARRAY/mirror/debian';
>
> use Linux::Inotify2;
> use POSIX qw(strftime);
> $|=1;
>
> printf strftime("%Y-%m-%d %H:%M:%S",localtime)." starting\n";
>
> my $inotify=new Linux::Inotify2 or die "unable to create new inotify object: $!";
>
> $inotify->watch($naughtydir,IN_ATTRIB|IN_ONLYDIR|IN_DONT_FOLLOW, sub {
>   my $e=shift;
>   print "events were lost\n" if $e->IN_Q_OVERFLOW;
>
>   ($perm)=(stat $naughtydir)[2] or die "cannot stat: $!";
>   $perm&=07777;
>
>   # see if perms got wonkyized
>   if (($perm&0755)!=0755) {
>     die "hanky panky" if !-d $naughtydir or -l $naughtydir;
>     printf strftime("%Y-%m-%d %H:%M:%S",localtime)." updated perms (was: %o)\n",$perm;
>     chmod 0755,$naughtydir or die "could not chmod:  $!";
>   }
> });
>
> 1 while $inotify->poll;
>
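Added example, not part of the thread and not the script running on the mirror: the check-and-repair step from the quoted Perl script, written in Python so that the directory test and the chmod both act on one file descriptor opened with `O_NOFOLLOW|O_DIRECTORY`, rather than on the path twice. The function name `repair_dir_mode` and the constant `REQUIRED` are hypothetical; the inotify loop is left out, and the demo directory is a constructed temporary one.

```python
import os
import stat
import tempfile

REQUIRED = 0o755  # the minimum mode the quoted script enforces


def repair_dir_mode(path, required=REQUIRED):
    """Return (old_mode, new_mode); the two are equal when nothing was changed.

    Raises OSError if `path` is a symlink or is not a directory.
    """
    # O_NOFOLLOW refuses a symlink as the final path component and
    # O_DIRECTORY refuses anything that is not a directory, so the
    # type check happens inside open() instead of as a separate test.
    # A non-root caller needs read permission on the directory to open it.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        old = stat.S_IMODE(os.fstat(fd).st_mode)
        # Same test as the Perl script: are all of the 0755 bits present?
        if (old & required) == required:
            return old, old
        # fchmod changes the object we already hold open, so swapping the
        # path for something else between check and chmod has no effect.
        os.fchmod(fd, required)
        return old, required
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed stand-in for the mirror directory.
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, "debian")
        os.mkdir(target)
        os.chmod(target, 0o715)  # what `chmod g-r` leaves behind on a 0755 dir
        old, new = repair_dir_mode(target)
        print("was: %o  now: %o" % (old, new))
```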