mirroring for alternative content

Kevin Fenzi kevin at scrye.com
Sat Jun 21 17:35:24 UTC 2014 

On Sat, 21 Jun 2014 07:25:47 -0700
Colin Walters <walters at verbum.org> wrote:

> Hi,
> 
> We have several forms of non-Koji internal builds:
> 
> 1) COPR (the most visible)
> 2) http://alt.fedoraproject.org/pub/alt/rawhide-kernel-nodebug/  (this
> could be a COPR)
> 3) rpm-ostree: http://rpm-ostree.cloud.fedoraproject.org/#/
> 
> Now, I recently was allocated a new atomic01.qa.fedoraproject.org
> server dedicated to rpm-ostree composes, and I'm happy to announce I
> now have it composing trees:
> 
> fedora-atomic/rawhide/x86_64/server/docker-host =>
> 175510ab77ef39ec6000db2745c70444d55957e38c5ff28f890237e1f012ea5e
> fedora-atomic/rawhide/x86_64/workstation/gnome/core =>
> b6f3f3b53ef957c71e8d8bdc36c35519888d4177bf6a582ba37e33416ff84216
> 
> But it's on the QA network, and so I can't just serve the content
> directly from it.  Nor would I want to have the compose server doing
> double duty as a static webserver anyways.

Yeah, we can actually map an external IP into it if required, but I
agree it isn't great to have the build host also serving external
content. 

> I could just rsync this content to the current
> rpm-ostree.cloud.fedoraproject.org, but there are a few issues with
> that:
> 
> 1) It's a one off instance in the fedora cloud with no
> backup/monitoring 2) No redundancy
> 3) No tuning for static webserving
> 4) Most critically, no TLS

Yep. 
 
> COPR only relatively recently gained TLS, which is fundamentally
> necessary for retrieving arbitrary executable code that runs as root.
> 
> But COPR also (from what I understand from <puiterwijk>) is just one
> machine.

Correct. 
 
> What do you think about investing in having e.g.
> altcdn.fedoraproject.org be a load-balanced static webserver farm
> protected by TLS that could be written to by a trusted subset of
> non-Koji build/compose tooling?
> 
> "altcdn" is the first thing that came to mind offhand for a name, feel
> free to pick others =)
> 
> We'd need to determine the writing process; could be rsync-over-ssh
> access to specific subdirectories gated by ssh key?  Something else?

I think this is pretty much already in place with our /pub/alt/ space
(that the kernel nodebug uses above). 

This space is on a netapp. 
It is mirrored, but only by a few larger mirrors, most don't. 
It's served by our 5 download servers in phx2 and 3 on I2 in rdu2. 

So, we could sync the ostree stuff there as well... its a large number
of small files? Or can you expand on the size and content it will have
over time and how often updated?

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20140621/ad15488d/attachment.sig>

More information about the infrastructure mailing list