
Setting up a local repository with apt-mirror and simplestreams (by quqi99)

白高超
2023-12-01

Copyright notice: this article may be freely reproduced; when reproducing it, please indicate the original source and author information as a hyperlink, together with this copyright notice (http://blog.csdn.net/quqi99)

Problem

As you know, access to ubuntu-cloud.archive.canonical.com from inside China is very slow (note: the method below can actually mirror UA, UCA and PPAs). This article uses apt-mirror to set up a local apt server to improve productivity.

  • archive.ubuntu.com (UA, can use http://mirrors.cloud.tencent.com/ubuntu/ instead)
  • security.ubuntu.com (UA, can use http://mirrors.cloud.tencent.com/ubuntu/ instead)
  • ubuntu-cloud.archive.canonical.com (UCA)
  • images.maas.io (juju , lxd, maas)
  • cloud-images.ubuntu.com (juju , lxd, maas, http://mirrors.cloud.tencent.com/ubuntu-cloud-images/ instead)
  • streams.canonical.com (juju , lxd, maas)

Update 2023-03-12 - The reason images could never be downloaded from images.maas.io is that the domain must be on the router's whitelist, see: https://blog.csdn.net/quqi99/article/details/129445116

Installation

sudo ufw disable
sudo apt -y install apache2 apt-mirror
mkdir -p /images/xenial-repo

$ cat /etc/apt/mirror.list 
############# config ##################
#
set base_path /images/xenial-repo
#set defaultarch amd64
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     30
set _tilde 0
#
############# end config ##############

#deb http://cn.archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
#deb http://cn.archive.ubuntu.com/ubuntu xenial-security main restricted universe multiverse
#deb http://cn.archive.ubuntu.com/ubuntu xenial-updates main restricted universe multiverse
#deb http://cn.archive.ubuntu.com/ubuntu xenial-proposed main restricted universe multiverse
#deb http://cn.archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse

#deb-src http://archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu xenial-security main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu xenial-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu xenial-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse

#see http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/xenial-updates/
deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main
#deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/queens main

#clean http://archive.ubuntu.com/ubuntu
clean http://ubuntu-cloud.archive.canonical.com/ubuntu

Run

sudo touch /images/xenial-repo/var/postmirror.sh
sudo apt-mirror

Or run "sudo crontab -e" and add the following cron entry to run it at 4:30 every day:

# entries edited with "crontab -e" have no user column (that column exists only in /etc/cron.d files)
30 4    * * *    /usr/bin/apt-mirror >> /var/log/apt-mirror.log

Configuring Apache

The existing Apache configuration is as follows:

$ sudo grep -r 'DocumentRoot' /etc/apache2/sites-available/000-default.conf
        DocumentRoot /var/www/html
        
$ grep -r '/var/www/' /etc/apache2/apache2.conf -A 4
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

Create the symlink, and note a key mistake that is easy to make

sudo ln -s /images/xenial-repo  /var/www/html/apt-mirror
sudo chown -R www-data:www-data /images
sudo service apache2 reload

Note: the line "chown -R www-data:www-data /images" above is critical. Almost every answer you can find online is about adding 'Options FollowSymLinks', but as shown above /etc/apache2/apache2.conf already contains that setting. With Apache 2.4 the user and group of the directories it serves must all be www-data, otherwise /var/log/apache2/error.log reports "Symbolic link not allowed or link target not accessible" (the error shown on the web page is "You don't have permission to access"). You can verify that it worked with "sudo -u www-data ls /var/www/html/apt-mirror". I kept making a mistake here before because I ran "chown -R www-data:www-data /images/xenial-repo", which still left "sudo -u www-data ls /var/www/html/apt-mirror" unable to run successfully.
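As an added example (not from the original post), the check below resolves the symlink the way Apache does and walks every component of the target path, reporting the first directory that the web-server user cannot traverse; that missing traverse permission is what the "Symbolic link not allowed or link target not accessible" error comes down to. It evaluates the permission bits itself, so it can be run as any user; the script name check_traverse.py is assumed.

```python
import os
import pwd
import stat
import sys
from collections import namedtuple

# One path component with the stat fields the traversal check needs.
Entry = namedtuple("Entry", "path mode uid gid")

def can_traverse(entry, uid, gid, groups=()):
    """True if a process running as uid/gid (plus supplementary groups) holds
    execute permission on this directory, i.e. may pass through it."""
    if uid == 0:                       # root bypasses permission bits
        return True
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IXUSR)
    if entry.gid == gid or entry.gid in groups:
        return bool(entry.mode & stat.S_IXGRP)
    return bool(entry.mode & stat.S_IXOTH)

def first_blocked(entries, uid, gid, groups=()):
    """Return the first directory on the path the user cannot traverse, or None."""
    for entry in entries:
        if stat.S_ISDIR(entry.mode) and not can_traverse(entry, uid, gid, groups):
            return entry.path
    return None

def scan_path(path):
    """Resolve symlinks the way Apache does, then stat every component from '/'
    down to the target (e.g. /, /images, /images/xenial-repo)."""
    resolved = os.path.realpath(path)
    prefixes, cur = [os.sep], os.sep
    for part in [p for p in resolved.split(os.sep) if p]:
        cur = os.path.join(cur, part)
        prefixes.append(cur)
    entries = []
    for p in prefixes:
        st = os.stat(p)
        entries.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return entries

if __name__ == "__main__":
    # usage: python3 check_traverse.py www-data /var/www/html/apt-mirror
    user, target = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    blocked = first_blocked(scan_path(target), pw.pw_uid, pw.pw_gid)
    print("blocked at %s" % blocked if blocked else "%s can reach %s" % (user, target))
```

Run it against /var/www/html/apt-mirror before and after the chown to see why chown'ing only /images/xenial-repo is not enough when /images itself is not traversable.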
You can also create /etc/apache2/sites-available/ubuntu-mirror.conf and use VirtualHost sections to serve the UA, UCA and PPA mirrors at the same time:

<VirtualHost *:8080>
    ServerName your-repo.yourdomain.com
    DocumentRoot /var/spool/apt-mirror/mirror/archive.ubuntu.com/

    LogLevel info
    ErrorLog /var/log/apache2/mirror-archive.ubuntu.com-error.log
    CustomLog /var/log/apache2/mirror-archive.ubuntu.com-access.log combined

    <Directory /var/spool/apt-mirror/>

    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>

</VirtualHost>

<VirtualHost *:8080>
    ServerName your-cloudrepo.yourdomain.com
    DocumentRoot /var/spool/apt-mirror/mirror/ubuntu-cloud.archive.canonical.com/

    LogLevel info
    ErrorLog /var/log/apache2/mirror-cloudarchive.canonical.com-error.log
    CustomLog /var/log/apache2/mirror-cloudarchive.canonical.com-access.log combined

    <Directory /var/spool/apt-mirror/>

    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>

</VirtualHost>

<VirtualHost *:8080>
    ServerName your-ppa.yourdomain.com
    DocumentRoot /var/spool/apt-mirror/mirror/ppa.launchpad.net/

    LogLevel info
    ErrorLog /var/log/apache2/mirror-ppaarchive.canonical.com-error.log
    CustomLog /var/log/apache2/mirror-ppaarchive.canonical.com-access.log combined

    <Directory /var/spool/apt-mirror/>

    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>

</VirtualHost>

Or, to support SSL, also add:

    SSLCACertificatePath /etc/ssl/certs
    SSLCertificateFile /etc/pki/tls/certs/mirror.crt
    SSLEngine On
    SSLCertificateKeyFile /etc/pki/tls/private/mirror.key

Then run:

a2enmod ssl
a2ensite * 
systemctl restart apache2

Using the mirror

touch /etc/apt/sources.list.d/mymirror.list
cat > /etc/apt/sources.list.d/mymirror.list <<EOF
#deb http://node1/apt-mirror/mirror/cn.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse
deb http://node1/apt-mirror/mirror/ubuntu-cloud.archive.canonical.com/ubuntu/ xenial-updates/ocata main
EOF
rm -rf /etc/apt/sources.list.d/cloudarchive-ocata.list*
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
apt update

Update 2017-11-01

The slow apt update this time was finally fixed by changing the previous mirrors.aliyun.com to mirrors.yun-idc.com via "Software & Updates -> Ubuntu Software -> Download from: Other -> Select Best Server". I had switched between various sources before; why it worked this time is unclear and will be investigated the next time it happens.

Update 2017-11-15

Today, installing libvirt0 kept running into a package dependency problem (libvirt0: Depends: libxen-4.6 (>=4.6.5) but 4.6.0-1ubuntu4.3 is to be installed). It turned out to be mirrors.aliyun.com: this mirror is not updated promptly, which causes many problems.
To avoid the problems caused by such stale mirrors, it seems best not to build a private mirror or use a domestic mirror at all, so I switched back to the official sources:

deb http://nova.clouds.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse
deb-src http://nova.clouds.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ xenial-updates main restricted universe multiverse
deb-src http://nova.clouds.archive.ubuntu.com/ubuntu/ xenial-updates main restricted universe multiverse
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ xenial-security main restricted universe multiverse

Update 2019-11-06 - setting up a local simplestreams mirror

Update 2023-03-12 - For the snap-installed version, keyring_filename is not /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg but /snap/maas/current/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg, so when updating the image mirror URL it is best not to pass the keyring_filename parameter and leave it at its default (e.g. maas root boot-source update 1 url=https://maas-images.yourdomain.com/ )

sudo apt -y install simplestreams
sudo mkdir -p /var/spool/sstreams/maas && sudo chown -R $USER /var/spool/sstreams/maas

#MAAS images simplestreams
workdir=/var/spool/sstreams/maas
sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --progress --max=1  https://images.maas.io/ephemeral-v3/daily/ $workdir 'arch=amd64' 'release~(bionic)'
sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --progress --max=1  https://images.maas.io/ephemeral-v3/daily/ $workdir 'os~(grub*|pxelinux)'

#Use MAAS images simplestreams
maas root boot-source update 1 url=https://maas-images.yourdomain.com/ keyring_filename=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
maas root domains create name="yourdomain.com"
maas root dnsresources create fqdn="maas-images.yourdomain.com" ip_addresses=<your-mirror-ip>  #or configure the mirror in infra.yaml

#Juju agents simplestreams
workdir=/var/spool/sstreams/juju
sstream-mirror --no-verify --progress --max=2 --path=streams/v1/index2.sjson https://streams.canonical.com/juju/tools/ $workdir 'arch=amd64' 'release~(bionic)' 'version~(2.6)'

#Use Juju agents simplestreams
#let juju know where to get containers from, or define it in juju-model-default.yaml
juju model-config container-image-stream=released container-image-metadata-url=https://lxd-images.yourdomain.com/ image-metadata-url=https://lxd-images.yourdomain.com
#let juju know where to fetch the agents, or define it in juju-model-default.yaml
juju model-config agent-metadata-url=https://juju-agents.yourdomain.com/ agent-stream=released

#LXD and KVM images simplestreams
workdir=/var/spool/sstreams/lxdkvm
sudo sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --progress --max=1 --path=streams/v1/index.json https://cloud-images.ubuntu.com/releases/ $workdir 'arch=amd64' 'release~(bionic)' 'ftype~(lxd.tar.xz|squashfs|root.tar.xz|root.tar.gz|disk1.img|.json|.sjson)'
sudo sstream-mirror --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --progress --max=1 --path=streams/v1/index.sjson https://cloud-images.ubuntu.com/releases/ $workdir 'arch=amd64' 'release~(bionic)' 'ftype~(lxd.tar.xz|squashfs|root.tar.xz|root.tar.gz|disk1.img|.json|.sjson)'

sudo apt install apache2 -y
cat <<EOF > /etc/apache2/sites-available/sstreams-mirror.conf
<VirtualHost *:443>
    ServerName maas-images.yourdomain.com
    DocumentRoot /var/spool/sstreams/maas
    # MAAS is pointed at https://maas-images.yourdomain.com/ above, so this vhost also needs the
    # SSLEngine / SSLCertificateFile / SSLCertificateKeyFile directives shown in the apt-mirror section
    LogLevel info
    ErrorLog /var/log/apache2/mirror-maas-images-error.log
    CustomLog /var/log/apache2/mirror-maas-images-access.log combined
    <Directory /var/spool/sstreams/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName lxdkvm-images.yourdomain.com
    DocumentRoot /var/spool/sstreams/lxdkvm
    LogLevel info
    ErrorLog /var/log/apache2/mirror-lxdkvm-error.log
    CustomLog /var/log/apache2/mirror-lxdkvm-access.log combined
    <Directory /var/spool/sstreams/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName juju-agents.yourdomain.com
    DocumentRoot /var/spool/sstreams/juju
    LogLevel info
    ErrorLog /var/log/apache2/mirror-juju-error.log
    CustomLog /var/log/apache2/mirror-juju-access.log combined
    <Directory /var/spool/sstreams/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>
</VirtualHost>
EOF

To mirror the images you want from cloud-images.ubuntu.com:

#https://gist.github.com/ThinGuy/037ec9dc8e8519a54415d5121799f760
export workdir=/bak/images/cache/lxdkvm
export ARCHES='amd64'
export RELEASES='xenial'
export FTYPE_LIST='gz|xz|squashfs|img'
sudo sstream-mirror --progress --max=1 --path streams/v1/index.json https://cloud-images.ubuntu.com/releases/ $workdir 'release~('${RELEASES}')' 'arch~('${ARCHES}')' 'ftype~('${FTYPE_LIST}')'
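The filter arguments passed to sstream-mirror in the commands above ('arch=amd64', 'release~(bionic)', 'ftype~(...)') together with --max=1 decide which files are mirrored. The following added example (not the simplestreams project's own code) reimplements that selection over a constructed products index so you can see which paths a given filter set picks; the filter and --max semantics are my reading of the tool and are marked as assumptions in the code.

```python
import re

# Constructed sample of a simplestreams products index; sha256 values are placeholders.
def _product(arch, release, versions, ftypes):
    return {"arch": arch, "os": "ubuntu", "release": release, "versions": {
        v: {"items": {f: {"ftype": f, "sha256": "<constructed>",
                          "path": f"server/releases/{release}/release-{v}/{arch}-{f}"}
                      for f in ftypes}} for v in versions}}

STREAM = {"format": "products:1.0", "products": {
    "com.ubuntu.cloud:server:18.04:amd64": _product(
        "amd64", "bionic", ["20191018", "20191107"], ["lxd.tar.xz", "squashfs", "disk1.img"]),
    "com.ubuntu.cloud:server:18.04:arm64": _product("arm64", "bionic", ["20191107"], ["disk1.img"]),
    "com.ubuntu.cloud:server:16.04:amd64": _product("amd64", "xenial", ["20191021"], ["disk1.img"]),
}}

FILTER_RE = re.compile(r"([\w-]+)(=|!=|~|!~)(.*)")

def parse_filter(text):
    """'arch=amd64' is an exact match; 'release~(bionic)' a regex match, assumed anchored at the start (re.match)."""
    m = FILTER_RE.match(text)
    if not m:
        raise ValueError("bad filter: %r" % text)
    key, op, value = m.groups()
    regex = re.compile(value) if op.endswith("~") else None
    def matches(item):
        val = str(item.get(key, ""))
        hit = regex.match(val) is not None if regex else val == value
        return not hit if op.startswith("!") else hit   # '!=' and '!~' negate
    return matches

def flatten(stream):
    """Yield one dict per downloadable item with product, version and item attributes merged (what filters see)."""
    for pid, product in stream["products"].items():
        attrs = {k: v for k, v in product.items() if k != "versions"}
        for vname, version in product["versions"].items():
            for iname, item in version["items"].items():
                yield dict(attrs, product_name=pid, version_name=vname, item_name=iname, **item)

def select(stream, filters, max_versions=None):
    """Sorted paths sstream-mirror would fetch; max_versions models --max=N as 'newest N versions per product'."""
    preds = [parse_filter(f) for f in filters]
    chosen = [it for it in flatten(stream) if all(p(it) for p in preds)]
    if max_versions:
        vers = {}
        for it in chosen:
            vers.setdefault(it["product_name"], set()).add(it["version_name"])
        newest = {p: sorted(v)[-max_versions:] for p, v in vers.items()}   # dated names sort chronologically
        chosen = [it for it in chosen if it["version_name"] in newest[it["product_name"]]]
    return sorted(it["path"] for it in chosen)
```

For instance select(STREAM, ["arch=amd64", "release~(bionic)", "ftype~(lxd.tar.xz|squashfs)"], max_versions=1) returns only the two newest-version bionic files, which is what the LXD/KVM command above asks for.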

Switching to nginx

In /etc/nginx/sites-available/default you can change:

        #root /var/www/html;
        root /mnt/ftp;
        location / {
                try_files $uri $uri/ =404;
                autoindex on;
                autoindex_exact_size off;
                autoindex_localtime on;
        }

For https use the configuration below. One thing to note: if nginx does not use the default /var/www/html as its root directory, it reports a forbidden error. That is caused by the 'user root;' line in /etc/nginx/nginx.conf, so you either need to change the owner of the new directory (e.g. /home/ubuntu/simplestreams below) to root, or change 'user root;' in nginx.conf to 'user ubuntu;'.

#https://goharbor.io/docs/2.6.0/install-config/configure-https/
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=node1.lan" -key ca.key -out ca.crt
openssl genrsa -out node1.lan.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=node1.lan" -key node1.lan.key -out node1.lan.csr
#complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements to avoid 'x509: certificate relies on legacy Common Name field, use SANs instead'
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=node1.lan
DNS.2=node1
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in node1.lan.csr -out node1.lan.crt
#for docker, the Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in node1.lan.crt -out node1.lan.cert

#add 'user ubuntu;' into /etc/nginx/nginx.conf to avoid forbidden error
curl --resolve quqi.com:443:10.230.65.104 --cacert ~/ca/ca.crt  https://quqi.com:443/images/streams/v1/index.json
$ cat /etc/nginx/sites-available/default
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name node1.lan;
    ssl_certificate /home/hua/ca/node1.lan.crt;
    ssl_certificate_key /home/hua/ca/node1.lan.key;
    #ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
       root /images/simplestreams;
       autoindex on;
       index index.html;
    }
}