CentOS 的系統/套件更新通常都是透過 yum 走 port 80 出去外面抓回來更新,但公司的資安規定多數的設備只能放在封閉的內網中出不去,只弄台機器去 mirror 回來, 其他設備依 mirror 回來的東西進行更新。而管理上,之後只要對這台進行管控就可以了。執行上很簡單,依著 http://wiki.centos.org/HowTos/CreateLocalMirror 就差不多了,以下除了記錄流程外,主要補充 autofs 的部份
架構 :
CentOS 官方站(或其他Mirror) <--> 本地鏡像機器 A (10.0.0.1) <----> 本地機器 B, C, D...
先建立要放檔案的目錄
shell> mkdir -p /home/share/yum/centos/
同步檔案,目前 5 的版本到 5.10 ,6的版本到 6.5 ,青春有限,就只 mi 這兩個回來就好
shell> cd home/share/yum/centos
shell> rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/5.10 /home/share/yum/centos/
shell> rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/6.5 /home/share/yum/centos/
p.s 可以透過 --list-only 選項看遠端的目錄結果再決定要 mi 那些回來
shell > rsync --list-only rsync://ftp.isu.edu.tw:/centos
p.s 不是每個站都支援透過 rsync mirror 檔案,支援的站的列表在
http://www.centos.org/download/mirrors/
由於 yum update 時只看主要版本($releasever),所以將最新的版本的目錄做個連結
shell> link -s 5.10 5
shell> link -s 6.5 6
Mirror 完就結束了,要的話可以寫個script 放 cron 裡定期更新。
#!/bin/bash
if [ -f /var/lock/subsys/yum_rsync_updates ]; then
echo "Yum updates via rsync already running."
exit 0
fi
if [ -d /home/share/yum/centos/ ] ; then
touch /var/lock/subsys/yum_rsync_updates
rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/5.10 /home/share/yum/centos/
rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/6.5 /home/share/yum/centos/
/bin/rm -f /var/lock/subsys/yum_rsync_updates
else
echo "Target directory /home/share/yum/centos/ not present."
fi
if [ -f /var/lock/subsys/yum_rsync_updates ]; then
echo "Yum updates via rsync already running."
exit 0
fi
if [ -d /home/share/yum/centos/ ] ; then
touch /var/lock/subsys/yum_rsync_updates
rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/5.10 /home/share/yum/centos/
rsync -avSHP --delete --exclude "local*" --exclude "isos" rsync://ftp.isu.edu.tw:/centos/6.5 /home/share/yum/centos/
/bin/rm -f /var/lock/subsys/yum_rsync_updates
else
echo "Target directory /home/share/yum/centos/ not present."
fi
至於本地機器(B,C,D...)執行系統、套件更新的方式,原本是直接上internet去 CentOS 或其他 mirror 拿,現在可以透過區域網路跟機器 A 拿就好,走的協定可以走HTTP,也可以透過 NFS 分享,因為無聊,選了比較搞剛的方式
機器 A 安裝 NFS server
shell> yum install rpcbind
shell> yum install nfs-utils
設定分享的檔案目錄及權限,因為是 LAN 不對外,就設得鬆一點,要是有對外,這樣是不好的 XD
shell> vi /etc/exports
/home/share *(rw,no_root_squash)
由於 NFS server 需要 rpcbind ,先看看開起來了沒
shell> /etc/init.d/rpcbind status
要是 rpcbind 沒開,先打開它吧。
接著就可以打開 NFS server了
shell> /etc/init.d/nfs start
看看設定的目錄是否有分享出來
shell> showmount -e
要是有看到,那Serve的部份就算完工了
將 NFS 設定成開始就啟動的服務
shell> chkconfig nfs on
在機器B, C, D...的部份
如果很勤勞,可以手動透過 mount 的指令將機器 A 分享的目錄掛載上來,但基於人工 mount 的一些壞處,設個 autofs 自動掛載會比較好一點
先安裝備要的套件
shell> yum install nfs-utils
shell> yum install autofs
進行 autofs 的設定
shell>vi /etc/auto.master
/mnt/share /etc/auto.yum_repos
shell> vi /etc/auto.yum_repos
yum -rw,bg,soft,rsize=32768,wsize=32768 10.0.01:/home/share/yum
p.s 多半的系統都會預先建立 /mnt ,要是你要掛在其他目錄,請先確定寫在auto.master中的倒數第二層的目錄是存在的. 至於倒數第一層及寫在auto.yum_repos中最後一層的目錄不用建立,autofs 會自己建,而且要是先建了,autofs 可能會掛載失敗。
autofs 一樣是服務,要用得先打開它
shell> /etc/init.d/autofs start
要是設定沒錯,以後只要進入/使用該目錄,就會自動掛載上來
shell> cd /mnt/share/yum
要是 /mnt/share/yum 有之前 mirror 到機器 A 的檔案,那可以進行叫 yum 以檔案的方式進行更新了
修改 /etc/yum.repos.d/CentOS-base.repo 中baseurl的部份指到對應的目錄去
shell> vi /etc/yum.repos.d/CentOS-base.repo
[base]
name=CentOS-$releasever - Base
baseurl=file:/mnt/share/yum/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=file:/mnt/share/yum/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=file:/mnt/share/yum/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=file:/mnt/share/yum/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=file:/mnt/share/yum/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
name=CentOS-$releasever - Base
baseurl=file:/mnt/share/yum/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=file:/mnt/share/yum/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=file:/mnt/share/yum/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=file:/mnt/share/yum/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=file:/mnt/share/yum/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
0 意見:
張貼留言