Kir Kolyshkin wrote:
Robert Nelson wrote:

For the yum-cache, I mount the /vz/template version of the cache
into the VE. I do the same for the apt/archives on Debian.

If you do it read-only, how do you handle the case yum/apt wants to
write something to it?
If you do it read-write, how can you make sure that an evil
container root will not put some home-baked Trojaned packages into
that area?

Currently I mount it rw, but only while a vzpkg* command is running.
If the VE manages their own packages they don't get to share the
cache. There is still a window while the vzpkg command is running
but I don't know how to specify different access to a directory for
the HN versus the VE. Is there a way?

Long term, the best solution is probably implementing something like
Debian's apt-cacher for rpms and then running apt-cacher and
"rpm-cacher" on the HN.

I guess we can run a caching proxy on the host system, so the first
time any VE will need a package it will be downloaded and cached on
the host system; any subsequent requests will be served from cache.
The only problem is yum metadata which can become inconsistent; need
to test it extensively.

Agreed.

Are you familiar with apt-cacher? It understands the apt meta data and
handles it specially. That is why I mentioned it as a model for
handling the yum cache.

_______________________________________________
Devel mailing list
[email protected]
https://openvz.org/mailman/listinfo/devel