centos public repo access via the proxy

Post by ithakur@toronto.ca » 2017/09/19 15:15:50

It is necessary for us to provide a list of links/website host names and ports on the outgoing network firewall and proxy to enable yum connections and installs from the CentOS public repositories.

For example, for Red Hat we are allowing the below:
• subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https]
• cdn.redhat.com:443 [https]
• *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

Please advise what websites/links we have to allow for CentOS servers. I need to patch them.

Re: centos public repo access via the proxy

Post by avij » 2017/09/19 15:27:06

There is mirrorlist.centos.org (port 80), but that is going to return a randomish selection of external mirrors.

It might be easier for you to keep your own private mirror of the CentOS repositories and point your servers to use that private mirror. That way you would only need to allow that private mirror server outbound rsync access to some mirror that provides rsync.

https://wiki.centos.org/HowTos/CreateLocalMirror has a lengthy description of the process, but in the end it probably boils down to running rsync -vaHz, with possibly some --exclude options if you don't need all the content.

For reference, I use this for my own needs:

Code:

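#!/bin/sh

MIRRORROOT=/path/to/my/mirror/html
MIRRORSUBDIR=centos
UPSTREAM=rsync://rsync.nic.funet.fi/ftp/pub/mirrors/centos.org/

# Work from the mirror's web root; stop with an error status if it is missing.
if ! cd "$MIRRORROOT"
then
   echo "$MIRRORROOT does not exist"
   exit 1
fi

# The destination directory must already exist before anything is synced.
if [ ! -d "$MIRRORSUBDIR" ]
then
   echo "$MIRRORSUBDIR does not exist"
   exit 1
fi

# Sync from upstream; deletions run after the transfer (--delete-delay)
# and are capped at 5000 files per run (--max-delete).
rsync -vaHz --bwlimit=5000 --delete-delay --max-delete=5000 --contimeout=30 --timeout=300 --partial \
--exclude filelist.gz \
"$UPSTREAM" "$MIRRORSUBDIR"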

# some excludes that I have used at some point (I keep a copy of all files now):
#--exclude '*/centosplus/*/*/kernel-*' \
#--exclude '5*' \
#--exclude '6*' \
#--exclude '7.3.1611/cloud/*' \
#--exclude '*/atomic/*' \
#--exclude '*/drpms/*' \
#--exclude '*/sclo/*' \
#--exclude '*/centosplus/*' \
#--exclude '*/*/*/repodata/*' \
#--exclude '*/updates/*/*/kernel-*' \
#--exclude '*/xen4/*' --exclude '*/sclo/*' --exclude '*/storage/*' \
#--exclude '*/paas/*' --exclude '*/cloud/*' --exclude '*/virt/*' --exclude '*/opstools/*' \
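
Added example, not part of the post above and not CentOS project code: once the private mirror exists, each server has to be pointed at it so that no outbound access to public mirrors is needed. The sketch writes a CentOS 7 style .repo file and audits a .repo file for settings that would leave the private mirror or skip package signature checks. The mirror URL and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical internal host serving $MIRRORROOT over HTTP (assumption).
MIRROR_URL="http://mirror.example.internal/centos"

# Write a CentOS 7 style .repo file that uses only the private mirror.
write_local_repo() {  # usage: write_local_repo <mirror-url> <output-file>
    for repo in os updates extras; do
        cat <<EOF
[local-$repo]
name=CentOS-\$releasever - $repo (private mirror)
baseurl=$1/\$releasever/$repo/\$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

EOF
    done > "$2"
}

# Audit a .repo file. Every enabled section must have a baseurl under the
# private mirror, must not set mirrorlist/metalink, and must set gpgcheck=1
# explicitly (stricter than yum, which falls back to yum.conf).
# Prints one line per problem and returns non-zero if any is found.
audit_repo_file() {  # usage: audit_repo_file <mirror-url> <repo-file>
    awk -v want="$1/" '
        function check_section() {
            if (sec == "" || enabled == "0") return
            if (ml) { print sec ": uses mirrorlist/metalink"; bad = 1 }
            if (index(url, want) != 1) { print sec ": baseurl outside private mirror"; bad = 1 }
            if (gpg != "1") { print sec ": gpgcheck is not 1"; bad = 1 }
        }
        /^[ \t]*(#|;)/ { next }
        /^\[.*\]/ { check_section(); sec = $0; url = ""; gpg = ""; ml = 0; enabled = "1"; next }
        { split($0, kv, "="); key = kv[1]; val = substr($0, length(key) + 2)
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "baseurl" { url = val }
        key == "gpgcheck" { gpg = val }
        key == "enabled" { enabled = val }
        key == "mirrorlist" || key == "metalink" { ml = 1 }
        END { check_section(); exit bad }
    ' "$2"
}
```

Keeping gpgcheck=1 matters here because the mirror is filled over plain rsync:// and the RPM signature check is what ties the packages back to the CentOS signing key.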