Robert Nelson wrote:
For the yum-cache, I mount the /vz/template version of the cache
into the VE. I do the same for the apt/archives on Debian.
If you do it read-only, how do you handle the case yum/apt wants to
write something to it?
If you do it read-write, how can you make sure that an evil container
root will not put some home-baked Trojaned packages into that area?
Currently I mount it rw, but only while a vzpkg* command is running.
If the VE manages their own packages they don't get to share the
cache. There is still a window while the vzpkg command is running but
I don't know how to specify different access to a directory for the HN
versus the VE. Is there a way?
Long term, the best solution is probably implementing something like
Debian's apt-cacher for rpms and then running apt-cacher and
"rpm-cacher" on the HN.
I guess we can run a caching proxy on the host system, so the first time
any VE will need a package it will be downloaded and cached on the host
system; any subsequent requests will be served from cache. The only
problem is yum metadata which can become inconsistent; need to test it
extensively.
_______________________________________________
Devel mailing list
[email protected]
https://openvz.org/mailman/listinfo/devel
