I have a problem that I think a lot of fellow developers probably have–I have enough computers (or virtual machines!) running the same operating system version(s) that I would benefit from a local mirror of them, but I don’t have so many systems that it’s actually reasonable for me to run a full mirror, which would entail rsyncing a bunch of content daily, much of which may be packages I would never use. And using a proxy server isn’t terribly practical, because with a bunch of semi-round-robin mirrors, it’s likely that two systems would pull the same package from different mirrors. A proxy server would have no way of knowing (ahead of time) that the two documents were actually the same.
What I wanted for a long time was a “lazy” mirror — something that would appear to my systems as a full mirror, but would act more as a proxy. When a client installed a particular version of a particular package for the first time, it would go fetch them from a “real” mirror, and then cache it for a long time. Subsequent requests for the same package from my “mirror” would be served from cache. I was convinced that this was impossible to do with a proxy server. Worse, I wanted to mirror multiple repos — Fedora and CentOS and EPEL, and maybe even Ubuntu. There’s no way squid can do that.
I was wrong. squid is pretty awesome. We just pull a few tricks:
- Instead of using squid as a traditional proxy server that listens on port 3128, use it as a reverse proxy / accelerator that listens on port 80. (This is, incidentally, what sites like Wikipedia do.)
AbuseMassage therefresh_pattern
rules to cache RPM files (etc.) for a very long time. Normally it is an awful, awful idea for proxy servers to do interfere with the Cache-Control / Expires headers that sites serve. But in the case of a mirror, we know that any updates to a package will necessarily bump the version number in the URL. Ergo, we can pretty safely cache RPMs indefinitely.- Set up name-based virtual hosting with squid, so that centos-mirror.lan and fedora-mirror.lan can point to different mirrors.
Two other important steps involve setting up cache_dir
reasonably (by default, at least in the packages on CentOS 6, squid will only cache data in RAM), and bumping up maximum_object_size
from the default of 4MB.
Here is the relevant section of my squid.conf. (The “irrelevant” section of my squid.conf is a bunch of acl lines that I haven’t really customized and can probably be deleted.)
# Listen on port 80, not 3128 # 'accel' tells squid that it's a reverse proxy # 'defaultsite' sets the hostname that will be used if none is provided # 'vhost' tells squid that it'll use name-based virtual hosting. I'm not # sure if this is actually needed. http_port 80 accel defaultsite=mirror.lowell.lan vhost # Create a disk-based cache of up to 10GB in size: # (10000 is the size in MB. 16 and 256 seem to set how many subdirectories # are created, and are default values.) cache_dir ufs /var/spool/squid 10000 16 256 # Use the LFUDA cache eviction policy -- Least Frequently Used, with # Dynamic Aging. http://www.squid-cache.org/Doc/config/cache_replacement_policy/ # It's more important to me to keep bigger files in cache than to keep # more, smaller files -- I am optimizing for bandwidth savings, not latency. cache_replacement_policy heap LFUDA # Do unholy things with refresh_pattern. # The top two are new lines, and probably aren't everything you would ever # want to cache -- I don't account for VM images, .deb files, etc. # They're cached for 129600 minutes, which is 90 days. # refresh-ims and override-expire are described in the configuration here: # http://www.squid-cache.org/Doc/config/refresh_pattern/ # but basically, refresh-ims makes squid check with the backend server # when someone does a conditional get, to be cautious. # override-expire lets us override the specified expiry time. (This is # illegal per the RFC, but works for our specific purposes.) # You will probably want to tune this part. refresh_pattern -i .rpm$ 129600 100% 129600 refresh-ims override-expire refresh_pattern -i .iso$ 129600 100% 129600 refresh-ims override-expire refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # This is OH SO IMPORTANT: squid defaults to not caching objects over # 4MB, which may be a reasonable default, but is awful behavior on our # pseudo-mirror. Let's make it 4GB: maximum_object_size 4096 MB # Now, let's set up several mirrors. These work sort of like Apache # name-based virtual hosts -- you get different content depending on # which hostname you use in your request, even on the same IP. This lets # us mirror more than one distro on the same machine. # cache_peer is used here to set an upstream origin server: # 'mirror.us.as6453.net' is the hostname of the mirror I connect to. # 'parent' tells squid that that this is a 'parent' server, not a peer # '80 0' sets the HTTP port (80) and ICP port (0) # 'no-query' stops ICP queries, which should only be used between squid servers # 'originserver' tells squid that this is a server that originates content, # not another squid server. # 'name=as6453' tags it with a name we use on the next line. # cache_peer_domain is used for virtual hosting. # 'as6453' is the name we set on the previous line (for cache_peer) # subsequent words are virtual hostnames it answers to. (This particular # mirror has Fedora and Debian content mirrored.) These are the hostnames # you set up and will use to access content. # Taken together, these two lines tell squid that, when it gets a request for # content on fedora-mirror.lowell.lan or debian-mirror.lowell.lan, it should # route the request to mirror.us.as6453.net and cache the result. cache_peer mirror.us.as6453.net parent 80 0 no-query originserver name=as6453 cache_peer_domain as6453 fedora-mirror.lowell.lan debian-mirror.lowell.lan # Another, for CentOS: cache_peer mirrors.seas.harvard.edu parent 80 0 no-query originserver name=harvard cache_peer_domain harvard centos-mirror.lowell.lan
You will really want to customize this. The as6453.net and harvard.edu mirrors happen to be geographically close to me and very fast, but that might not be true for you. Check out the CentOS mirror list and Fedora mirror list to find something close by. (And perhaps fetch a file or two with wget to check speeds.) And I’m reasonably confident that you don’t have a lowell.lan domain in your home.
If you can find one mirror that has all the distros you need, you don’t need to bother with virtual hosts.
You can edit the respective repos in /etc/yum.repos.d/ to point to the hostnames you set up. Pay attention to whether the mirror matches the URL structure the file defaults to or not.
You can just drop the hostnames in /etc/hosts if you don’t have a home DNS server, e.g.,:
172.16.1.100 fedora-mirror.lowell.lan centos-mirror.lowell.lan
Oh, a quick tip:
You can test if you’re properly caching things by running something like this:
wget -S http://fedora-mirror.lowell.lan/fedora/linux/releases/20/Fedora/x86_64/iso/Fedora-20-x86_64-netinst.iso
The
-S
flag shows HTTP headers, including the ones squid inserts (X-Cache, X-Cache-Lookup, Via). On the first run, X-Cache-Hit will be a MISS (since it’s presumably new), but if you re-run that command, it should be a HIT, and considerably faster.You might try that with something smaller than an ISO file, but I wanted to test that the maximum object size was set high enough as well.
Hey Matt, nice write up!
I added this to http://yum.baseurl.org/wiki/YumMultipleMachineCaching
(Feel free to add in Pros/Cons)
Thanks for the short, concise, working example. I only had to change like five chars and it worked out of the box.
Thank you! I was thinking of a way to do this with cgi, perl, php or even a custom executable. I also considered squid and other proxies, but thought to myself it would surely be a fail; however as a rule I spend at least a day searching before I reinvent the wheel, skip over it entirely, or press the ‘retail button’. I was about to move onto what my real projects are and just go the rsync full mirror route but you have laid test work that says this will not waist my time. Now I can have a small set of local repos which update only whats used and continue on to make my testing environment and things will be fast while using minimal WAN access. For this your getting a google+ post (that also copies to my Twitter, Linkedin, and Facebook profiles) as it’s the least I can do.
Pingback: RPMGOT | S12
Hi, nice setup. Only thing I didn’t like Is that fact you should make any changes on the target boxes, i.e. modifying
hosts
and stuff. Besides, it probably won’t handle downloads for the servers, which aren’t insquid.conf
. So my question is, is it possible to forcesquid
to hit the files in cache by name and size only, ignoring whole part of the URI, except the file name? And I also would like it running as a transparent (intercept) proxy.Thanks for figuring this out. I wanted to do the same thing and came across your config. I copied most of it and set this up as a docker container here:
https://github.com/EnigmaCurry/lazy-distro-mirrors
If squid doesn’t seem to cache large files, as it did for me, make sure that the max object size (
maximum_object_size 4096 MB
) is on a line before the disk cache (cache_dir ufs /var/spool/squid 10000 16 256
). Based on my experience and https://serverfault.com/questions/596890/squid3-not-caching-larger-files/596982#596982 the order of these directives matter. Tested on Centos 7/Squid 3.3.8Hi,
First of all thanks a lot for writing a simple approach to have mirror with squid. I was desperately searching for this kind of code for long time. Keep going the good work.
Issues with me: I am able to install the packages if I switch over to original source.list file and also I am able to browse to the errored link. So connectivity issues. I am clueless on whats wrong did I do? Please help.
(1) I have squid3 on Ubuntu_14.04_LTS
(2) My squid.conf
root@fab-stg-repo-h1:~#cat /etc/squid3/squid.conf
http_access allow all
http_port 80 accel defaultsite=fab-stg-repo-h1 vhost
This needs to be specified before the cache_dir, otherwise it’s ignored ?!
maximum_object_size 6144 MB
cache_dir ufs /squid3 50000 16 256
cache_replacement_policy heap LFUDA
refresh_pattern -i .rpm$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .iso$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .deb$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .gz$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .bz2$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .tar.xz$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .tar.gz$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern -i .zip$ 129600 100% 129600 refresh-ims override-expire
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#
cache_peer us.archive.ubuntu.com parent 80 0 no-query originserver name=ubuntu
cache_peer_domain ubuntu fab-stg-repo-h1
(3) Client side sources.list
deb http://fab-stg-repo-h1/ubuntu/ precise main restricted universe
deb-src http://fab-stg-repo-h1/ubuntu/ precise main restricted universe
deb http://fab-stg-repo-h1/ubuntu/ precise-security main restricted universe
deb http://fab-stg-repo-h1/ubuntu/ precise-updates main restricted universe
deb http://fab-stg-repo-h1/ubuntu/ precise-backports main restricted universe
deb-src http://fab-stg-repo-h1/ubuntu/ precise-security main restricted universe
deb-src http://fab-stg-repo-h1/ubuntu/ precise-updates main restricted universe
deb-src http://fab-stg-repo-h1/ubuntu/ precise-backports main restricted universe
deb http://fab-stg-repo-h1/ubuntu/ precise partner
deb-src http://fab-stg-repo-h1/ubuntu/ precise partner
deb http://fab-stg-repo-h1/ubuntu precise main
deb-src http://fab-stg-repo-h1/ubuntu precise main
(4) Result of apt-get update on client side:
Ign http://fab-stg-repo-h1 precise-backports/main Translation-en_US
Ign http://fab-stg-repo-h1 precise-backports/restricted Translation-en_US
Ign http://fab-stg-repo-h1 precise-backports/restricted Translation-en
Ign http://fab-stg-repo-h1 precise-backports/universe Translation-en_US
Fetched 1,212 kB in 1s (1,043 kB/s)
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise/Release Unable to find expected entry ‘partner/source/Sources’ in Release file (Wrong sources.list entry or malformed file)
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise/universe/source/Sources 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/main/source/Sources 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/restricted/source/Sources 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/universe/source/Sources 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/main/binary-amd64/Packages 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/restricted/binary-amd64/Packages 404 Not Found
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/universe/binary-amd64/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/main/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/restricted/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-security/universe/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/main/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/restricted/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/universe/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/main/binary-amd64/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/restricted/binary-amd64/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/universe/binary-amd64/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/main/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/restricted/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-updates/universe/binary-i386/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-backports/main/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-backports/restricted/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-backports/universe/source/Sources 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-backports/main/binary-amd64/Packages 500 Internal Server Error
W: Failed to fetch http://fab-stg-repo-h1/ubuntu/dists/precise-backports/restricted/binary-amd64/Packages 500 Internal Server Error
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@fab-stage-stm-h5:/etc/apt/sources.list.d#
(5) Logs on squid server
root@fab-stg-repo-h1:~# tail /var/log/squid3/access.log
1461948485.306 0 10.100.163.162 TCP_MISS/500 4172 GET http://fab-stg-repo-h1/ubuntu/dists/precise-updates/main/i18n/Translation-en – HIER_NONE/- text/html
1461948485.306 0 10.100.163.162 TCP_MISS/500 4199 GET http://fab-stg-repo-h1/ubuntu/dists/precise-updates/restricted/i18n/Translation-en_US – HIER_NONE/- text/html
1461948485.307 0 10.100.163.162 TCP_MISS/500 4190 GET http://fab-stg-repo-h1/ubuntu/dists/precise-updates/restricted/i18n/Translation-en – HIER_NONE/- text/html
1461948485.307 0 10.100.163.162 TCP_MISS/500 4193 GET http://fab-stg-repo-h1/ubuntu/dists/precise-updates/universe/i18n/Translation-en_US – HIER_NONE/- text/html
1461948485.307 0 10.100.163.162 TCP_MISS/500 4184 GET http://fab-stg-repo-h1/ubuntu/dists/precise-updates/universe/i18n/Translation-en – HIER_NONE/- text/html
1461948485.307 0 10.100.163.162 TCP_MISS/500 4187 GET http://fab-stg-repo-h1/ubuntu/dists/precise-backports/main/i18n/Translation-en_US – HIER_NONE/- text/html
1461948485.307 0 10.100.163.162 TCP_MISS/500 4205 GET http://fab-stg-repo-h1/ubuntu/dists/precise-backports/restricted/i18n/Translation-en_US – HIER_NONE/- text/html
1461948485.308 0 10.100.163.162 TCP_MISS/500 4196 GET http://fab-stg-repo-h1/ubuntu/dists/precise-backports/restricted/i18n/Translation-en – HIER_NONE/- text/html
1461948485.308 0 10.100.163.162 TCP_MISS/500 4199 GET http://fab-stg-repo-h1/ubuntu/dists/precise-backports/universe/i18n/Translation-en_US – HIER_NONE/- text/html
1461948592.626 0 10.100.162.223 TCP_IMS_HIT/304 306 GET http://fab-stg-repo-h1/ubuntu/dists/precise/Release – HIER_NONE/- –
root@fab-stg-repo-h1:~# tail /var/log/squid3/cache.log
2016/04/29 09:48:04| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| TCP connection to us.archive.ubuntu.com/80 failed
2016/04/29 09:48:05| Detected DEAD Parent: ubuntu
2016/04/29 09:48:05| Detected REVIVED Parent: ubuntu
2016/04/29 09:53:09| temporary disabling (Not Found) digest from us.archive.ubuntu.com
root@fab-stg-repo-h1:~# tail /var/log/squid3/netdb.state
91.189.91.0 1 1 17.00000 77.00000 1461923671 1461923371 us.archive.ubuntu.com
91.189.91.0 1 1 17.00000 77.00000 1461923671 1461923371 us.archive.ubuntu.com
91.189.91.0 1 1 17.00000 77.00000 1461923671 1461923371 us.archive.ubuntu.com
91.189.91.0 1 1 17.00000 77.00000 1461923671 1461923371 us.archive.ubuntu.com
91.189.91.0 5 5 13.80000 78.60000 1461939067 1461938767 us.archive.ubuntu.com
10.100.161.0 1 1 1.00000 1.00000 1461936952 1461936652 fab-stg-repo-h1
91.189.91.0 6 6 14.44000 78.48000 1461941472 1461941172 us.archive.ubuntu.com
10.100.161.0 1 1 1.00000 1.00000 1461936952 1461936652 fab-stg-repo-h1
Thank you!!!!!!!
This is so helpful, was looking around for a long time to do this. Thank you.
What happens if the squid service dies? Do all your other boxes become unable to run yum?
Pingback: Pull-through mirrors – N1ZYY