Magnus wrote:
On Tuesday, August 26, 2003, at 07:17 PM, Jay Turner wrote:
Actually, following up on my own post, I need to clarify something. The license for RHEL 2.1 states that if you have support (which includes RHN) for one install, then you will have it for all installations. So, in that case, if you are in compliance, then all of your installations would have RHN support and there would be no need to download the errata from RHN then push it out to other machines. Sorry for the confusion.
Well, there *is* a need actually.
Let's say Joe has 50 RHEL servers, all pretty much identical, and properly licensed. There is a flurry of security activity one week and it takes about 50MB of new packages to patch one system. That's not much of a reach. Each of the 50 servers downloads 50MB of packages through https (i.e. not cached anywhere) over Joe's single business class DSL connection. 2500MB of downloads, split up across 50 clients, all hitting a DSL connection at once (not to mention the RHN servers). This is lunacy.
Better than Daniel's recent suggestion, IMHO is the useNoSSLForPackages option. Point all of your servers at the same squid proxy, turn on the use no SSL option, and all is well.
On that note, there's no good reason for packages to be downloaded via SSL, since they're all GPG signed anyway. Can we have useNoSSLForPackages=1 made the default in the next version of RHL?
On Wednesday, August 27, 2003, at 08:47 AM, Paul Gear wrote:
Better than Daniel's recent suggestion, IMHO is the useNoSSLForPackages option. Point all of your servers at the same squid proxy, turn on the use no SSL option, and all is well.
On that note, there's no good reason for packages to be downloaded via SSL, since they're all GPG signed anyway. Can we have useNoSSLForPackages=1 made the default in the next version of RHL?
Well, except that you're passing authentication data in the clear.
--
C. Magnus Hedemark http://trilug.org/~chrish "The only way to keep your health is to eat what you don't want, drink what you don't like, and do what you'd rather not." - Mark Twain
Magnus wrote:
On Wednesday, August 27, 2003, at 08:47 AM, Paul Gear wrote:
Better than Daniel's recent suggestion, IMHO is the useNoSSLForPackages option. Point all of your servers at the same squid proxy, turn on the use no SSL option, and all is well.
On that note, there's no good reason for packages to be downloaded via SSL, since they're all GPG signed anyway. Can we have useNoSSLForPackages=1 made the default in the next version of RHL?
Well, except that you're passing authentication data in the clear.
What authentication data? All of the account stuff goes across https as normal - the No SSL is only used for the packages themselves. Here's a squid log of my most recent 'up2date -l' followed by 'up2date -u':
1062022929.581 1808 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022938.799 347 hostname TCP_MISS/200 24112 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/listPackages/20... - DIRECT/66.187.232.101 application/binary
1062022939.710 159 hostname TCP_MISS/200 8027 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getObsoletes/20... - DIRECT/66.187.232.101 application/binary
1062022940.395 202 hostname TCP_MISS/200 4524 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackageHeade... - DIRECT/66.187.232.101 application/octet-stream
...
1062022961.126 1399 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022992.711 4751 hostname TCP_MISS/200 162298 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdda... - DIRECT/66.187.232.101 application/octet-stream
1062023001.233 8241 hostname TCP_MISS/200 395911 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdre... - DIRECT/66.187.232.101 application/octet-stream
Nothing critical there in my book...
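The squid log above is the evidence for the whole useNoSSLForPackages discussion, so here is an added example (not code from the thread or from up2date) that reads squid's default "native" access.log format and separates what the proxy could see. CONNECT entries are TLS tunnels: squid logs only the byte count, nothing inside. Plain GET entries are readable, so the script pulls the RHN XML-RPC call name out of each URL path (assumed layout /XMLRPC/$RHN/<channel>/<call>/..., as in the posted lines), sums bytes each way, and lists the plaintext calls that are not package fetches, since package bytes are what the RPM GPG signature protects while the metadata calls reveal a host's patch level to anyone on the path. The sample input is the log posted above, including its "..." truncation marks, which the call matcher tolerates by comparing on prefix. One caveat the script cannot remove: squid's default log does not record request headers, so it shows which URLs went in the clear but cannot show whether any credential rode along in a header; checking that needs a packet capture or a proxy configured to log headers.

```python
"""Classify squid access.log entries from an up2date run into TLS tunnels
(CONNECT, opaque to the proxy) and plaintext GETs, and report which RHN
XML-RPC calls travelled in the clear.

Added example, not from the original thread or from up2date.  Assumes squid's
default native log format:
  time elapsed client action/code bytes method URL ident hierarchy/peer type
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Calls that only move package bytes.  Their integrity is covered by the RPM
# GPG signature, so plaintext transport costs confidentiality, not integrity.
# Any other call seen in the clear is worth a second look.
PACKAGE_CALLS = {"getPackage", "getPackageHeader", "getPackageSource"}

# Sample input: the log lines posted in the thread, "..." elision included.
SAMPLE_LOG = """\
1062022929.581 1808 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022938.799 347 hostname TCP_MISS/200 24112 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/listPackages/20... - DIRECT/66.187.232.101 application/binary
1062022939.710 159 hostname TCP_MISS/200 8027 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getObsoletes/20... - DIRECT/66.187.232.101 application/binary
1062022940.395 202 hostname TCP_MISS/200 4524 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackageHeade... - DIRECT/66.187.232.101 application/octet-stream
...
1062022961.126 1399 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022992.711 4751 hostname TCP_MISS/200 162298 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdda... - DIRECT/66.187.232.101 application/octet-stream
1062023001.233 8241 hostname TCP_MISS/200 395911 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdre... - DIRECT/66.187.232.101 application/octet-stream
"""


def parse_line(line):
    """Parse one native-format squid log line into a dict, or None if it does not match."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def rpc_call(url):
    """Return the RHN call name from an up2date URL (/XMLRPC/$RHN/<channel>/<call>/...), or None."""
    parts = urlsplit(url).path.split("/")
    try:
        i = parts.index("XMLRPC")
        return parts[i + 3]
    except (ValueError, IndexError):
        return None


def is_package_call(name):
    """True if the call is a package fetch.  The posted lines are truncated with
    '...', so match on the surviving prefix rather than the full name."""
    stem = name.rstrip(".")
    return bool(stem) and any(c.startswith(stem) for c in PACKAGE_CALLS)


def summarize(log_text):
    """Split a squid log into tunnelled vs plaintext traffic and flag plaintext non-package calls."""
    report = {
        "tunneled_requests": 0, "tunneled_bytes": 0,
        "plaintext_bytes": 0, "plaintext_calls": Counter(),
        "plaintext_non_package": [], "unparsed": 0,
    }
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == "...":      # skip blanks and the post's elision mark
            continue
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if rec["method"] == "CONNECT":     # TLS tunnel: proxy sees only byte counts
            report["tunneled_requests"] += 1
            report["tunneled_bytes"] += rec["size"]
            continue
        report["plaintext_bytes"] += rec["size"]
        call = rpc_call(rec["url"]) or "?"
        report["plaintext_calls"][call] += 1
        if not is_package_call(call):
            report["plaintext_non_package"].append((call, rec["url"]))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"TLS tunnels: {r['tunneled_requests']} requests, {r['tunneled_bytes']} bytes (contents unseen)")
    print(f"Plaintext:   {r['plaintext_bytes']} bytes, calls {dict(r['plaintext_calls'])}")
    for call, url in r["plaintext_non_package"]:
        print(f"  in the clear, not a package fetch: {call}  {url}")
```

Run against the posted log, the two CONNECTs account for about 6 KB of opaque tunnel traffic while roughly 580 KB went over plain HTTP; of the plaintext calls, the getPackage/getPackageHeader fetches are the ones the GPG signature covers, and listPackages and getObsoletes are listed separately so the admin can decide whether exposing that metadata to the path is acceptable.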