Rusty Bird:
> Hi folks,
>
> Updating my various templates was getting a little annoying with
> all the redundant network traffic, so I set up a
> qubes-updates-cache modeled on qubes-updates-proxy, using
> standalone Squid (no Apache etc. involved).
>
> https://github.com/rustybird/qubes-updates-cache
>
> One caveat: If you want to use this, you need to (run a provided
> script to) modify your client templates' repo configuration URLs
> so that they explicitly point to the cache, and in some cases to a
> specific mirror instead of the mirror rotation, e.g.
>
> Before: http://download.fedoraproject.org/...
> After:  http://10.137.255.254:8083/https://dl.fedoraproject.org/...
>
> As you can see, the advantage here is being able to download over
> HTTPS (for privacy, not integrity) while still caching the
> downloaded files, without any convoluted MitM setup. The provided
> sed script switches several of the standard Fedora/Debian/Whonix
> repositories to HTTPS.
>
> The downside is that those modified URLs may be overwritten during
> some system updates, at which point you'd have to rerun the sed
> script, which should be idempotent though. Eventually, a dnf/apt
> plugin modifying URLs "just in time" without clobbering
> configuration files would be good.
>
>
> Installation
>
> Create a new ProxyVM, which currently should be based on Fedora 23
> (minimal is okay). Ensure it has a netvm and enable the updates
> cache service:
>
> [dom0] $ qvm-create --proxy --label red --template fedora-23 squidp
> [dom0] $ qvm-prefs --set squidp netvm default # or sys-whonix etc.
> [dom0] $ qvm-service squidp --enable qubes-updates-cache
>
> Copy this directory (containing the README you're reading) into
> your new ProxyVM's template, carefully inspect the install-server
> script there and:
>
> [squidp's template] # dnf install squid
> [squidp's template] # ./install-server
> [squidp's template] # poweroff
>
> For each of the client VMs whose package updates you want to cache
> (in this example, a Debian template), copy the install-client
> script into the client, carefully inspect it there -- the comments
> explain what it does -- and:
>
> [debian-8] # ./install-client
> [debian-8] # poweroff
>
> Disable the (non-caching) updates proxy setup services on the
> client, and make your new ProxyVM the client's netvm:
>
> [dom0] $ qvm-service debian-8 --disable updates-proxy-setup
> [dom0] $ qvm-service debian-8 --disable yum-proxy-setup
> [dom0] $ qvm-start squidp
> [dom0] $ qvm-prefs --set debian-8 netvm squidp
>
> If, like in this example, your client is a template (as opposed to
> a StandaloneVM), then change its firewall settings to deny
> absolutely all access except TCP connections to
> 10.137.255.254:8083:
>
> [dom0] $ qvm-firewall debian-8 --policy deny
> [dom0] $ qvm-firewall debian-8 --icmp deny
> [dom0] $ qvm-firewall debian-8 --dns deny
> [dom0] $ qvm-firewall debian-8 --yum-proxy deny
> [dom0] $ qvm-firewall debian-8 --add 10.137.255.254 tcp 8083
> [dom0] $ qvm-firewall debian-8 --list --numeric # all good?
>
> That's it! Up to 4 GiB of package updates will be cached to
> squidp's volatile storage in /var/lib/qubes/vm-updates/. If you
> really want to keep them across reboots, bind mount a directory in
> /rw/ owned by squid:squid to that destination.
>
> Rusty
I don't know how I missed this before, but great work. I have yet to test it, but it's a great idea.

It seems to me that most of the problems described in your post are the results of hacking this on top of a system that's trying to fight you. If Qubes integrates this, then everything should Just Work (tm), right? Are there any arguments for *not* integrating this into the base system?

Andrew

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/372f98c8-9b28-f639-82e9-edb4b0690700%40riseup.net.
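The URL rewriting step described in the quoted post (the install-client script's sed pass) is the part most likely to need re-running after an update clobbers the repo files, so it is worth seeing what an idempotent version of it has to do. The script below is an added example written for this thread; it is not Rusty's install-client script and has not been checked against it, so inspect and use the real one. It takes the cache address (10.137.255.254:8083) and the Fedora rotation-to-dl.fedoraproject.org mapping from the post; the deb.debian.org entry in the mirror table, the "already prefixed with the cache URL" idempotency check, and the decision to leave unknown hosts untouched are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the qubes-updates-cache project's own install-client
# script: rewrite repository URLs so they go through the updates cache
# described in the post, i.e. http://10.137.255.254:8083/<upstream URL>,
# switching known mirrors to HTTPS and the Fedora mirror rotation to one
# specific mirror. Idempotent: URLs already routed via the cache are kept.
#
# Usage: ./rewrite-repos.sh /etc/yum.repos.d/*.repo /etc/apt/sources.list
set -uf   # -u: unset vars are errors; -f: no globbing of URL tokens below

CACHE="http://10.137.255.254:8083"

# Hosts we know how to rewrite, as "from=to" pairs (whitespace separated).
# The Fedora pairs follow the post (rotation -> dl.fedoraproject.org);
# deb.debian.org is an assumption added for illustration. Anything else is
# deliberately left untouched rather than guessed at.
MIRRORS="download.fedoraproject.org=dl.fedoraproject.org
dl.fedoraproject.org=dl.fedoraproject.org
deb.debian.org=deb.debian.org"

# rewrite_url URL: print the URL as it should appear in the repo config.
rewrite_url() {
    url=$1
    case $url in
        "$CACHE"/*)          printf '%s\n' "$url"; return 0 ;;  # already via cache
        http://*|https://*)  ;;
        *)                   printf '%s\n' "$url"; return 0 ;;  # file:, tor+http:, ...
    esac
    rest=${url#*://}         # host/path
    host=${rest%%/*}
    path=${rest#"$host"}
    for pair in $MIRRORS; do
        if [ "${pair%%=*}" = "$host" ]; then
            printf '%s/https://%s%s\n' "$CACHE" "${pair#*=}" "$path"
            return 0
        fi
    done
    printf '%s\n' "$url"     # unknown host: leave as is
}

# rewrite_line LINE: rewrite every http(s) URL token in one config line.
# Handles both "baseurl=URL" (dnf .repo) and "deb URL suite comp..." (apt).
rewrite_line() {
    out=
    for tok in $1; do
        case $tok in
            *=http://*|*=https://*) tok="${tok%%=*}=$(rewrite_url "${tok#*=}")" ;;
            http://*|https://*)     tok=$(rewrite_url "$tok") ;;
        esac
        out="$out${out:+ }$tok"
    done
    printf '%s\n' "$out"
}

# rewrite_file FILE: rewrite FILE in place, keeping its ownership and mode.
rewrite_file() {
    tmp=$(mktemp) || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        rewrite_line "$line"
    done <"$1" >"$tmp"
    cat "$tmp" >"$1"
    rm -f "$tmp"
}

for f; do rewrite_file "$f"; done
```

Two design points worth noting. Idempotency comes from recognising the cache prefix rather than from tracking state, so re-running after an update that reverted the files is safe and running it twice is a no-op. Unknown hosts are left alone on purpose: with the template's firewall locked down to TCP 10.137.255.254:8083 as the post describes, any URL this script did not rewrite simply fails to connect instead of bypassing the cache, which makes the gaps visible rather than silent.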
