Author: onefang
Date:  
To: devuan-mirrors
New-Topics: Re: [devuan-mirrors] Making the Devuan package mirrors DNS-RR better.
Subject: [devuan-mirrors] Making the Devuan package mirrors DNS-RR better.
For a long time we have planned on automating who is in and who is out of
the deb.devuan.org DNS-RR for the Devuan package mirrors. The basic idea
is that trusted instances of apt-panopticon do their usual tests, and
report their results to the Devuan DNS server. Those package mirrors
that want to be part of the DNS-RR and that pass the tests, get to be in
the DNS-RR. The tests run every ten minutes.

In case it's not obvious, that means which mirrors are actually in the
deb.devuan.org DNS-RR gets updated every ten minutes.

Doing this helps to ensure that those mirrors that are currently healthy,
get to serve the deb.devuan.org package mirror. And any mirror that is
currently having troubles is automatically removed from the DNS-RR until
it gets better.

While we are at it, we also plan on bringing back the CC.deb.devuan.org
mirrors, again who is in and who is out at any given moment gets
controlled by this testing system.

Alas many things soaked up my time since we first planned this, but
hopefully I have time now to actually get it done.

apt-panopticon is currently running at -

https://sledjhamr.org/apt-panopticon/results/Report-web.html
    My own Devuan mirror.
http://veritas.devuan.org/apt-panopticon/results/Report-web.html
https://borta.devuan.dev/apt-panopticon/results/Report-web.html


And the issue tracker for it is
https://sledjhamr.org/mantisbt/set_project.php?project_id=13

The first step is to make apt-panopticon better. It has some known bugs,
and maybe even some unknown bugs. It does manage to run in less than a
minute most of the time.

Second step is to get the "changing the DNS-RR" part implemented.


While I'm working on those things, there is a job for the mirror admins
to do. Clean up the errors and warnings apt-panopticon is reporting.

Mostly it's the Protocol warnings and URL sanity errors.

From the Protocol hover help text of apt-panopticon -


"The Protocol test will give a WARNING if the protocol is changed during a
redirect, HTTP -> HTTPS for example. While apt HTTPS transport is now
the default in Beowulf / Buster, not everyone with an older release will
have that installed, so redirecting HTTP to HTTPS will break apt for
those people. An ERROR is given instead if that happens for mirrors in
the DNS round robin. Servers in the DNS round robin will not have the
HTTPS certificate for the round robin domain, so redirecting to HTTPS for
that is an ERROR"

I know some web server admins automatically redirect HTTP to HTTPS for
their entire web site (which is good in general), but due to that
potentially breaking apt for some people, it's best to NOT do that for
the apt mirror. There are people still using Jessie and ASCII that don't
have the apt HTTPS transport installed, since it's a separate package.
Beowulf and beyond have it installed by default.

Also, since we can't hand out a deb.devuan.org HTTPS cert, all the DNS-RR
mirrors answering to that should NOT use HTTPS.

This should be simple to fix.


From the URL sanity hover help text of apt-panopticon -


"The URL sanity test replaces "/" in URLS with "///", to see if the
mirror can cope with that. This might happen due to a minor
mis-configuration by the apt user, but decent web servers should cope
with that. The result for a mirror that does not cope is a failed
download for that user, so this is an ERROR. We care about this coz apt
has had multiple bugs in the past where they might let URLs like that
slip through."

I'm not exactly sure how a web server can be configured to NOT cope with
that. It seems to be a variety of web server software doing this. So I
can't offer any clues about how to fix this issue. Please let us know if
you have any insight into this.


For the Updated tests, I'm not exactly sure how long some of the mirrors
wait between updates. I would really prefer updates every 30 minutes.
Some are failing coz I just assumed 30 minute updates, but they are on a
longer schedule. If your mirror has weekly update statistics less than
100%, please let me know what your update frequency is. If you are not
updating every 30 minutes, and you can, please speed that up.


In general, can everyone please check
https://pkgmaster.devuan.org/mirror_list.txt and let me know of any fixes
needed.

CountryCode: is the country code I figured out from the country the admin
told us they are in.

DNSRR: is if you want to be in the DNS-RR.

Rate: is the update rate mentioned above.


Thank you all.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
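
The Protocol and URL sanity checks quoted in the message above, sketched as an added example for mirror admins; this is not apt-panopticon's code and not part of the original message. The mirror host names, the path, the injected `fetch` callable and the choice to triple only the path separators are assumptions, and the responses are constructed so the example runs offline.

```python
# Added example: the Protocol and URL sanity checks, run over constructed responses.
from urllib.parse import urlsplit, urlunsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def url_sanity_variant(url):
    """Triple each "/" in the path; assumption: the "//" after the scheme is untouched."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path.replace("/", "///"), p.query, ""))

def redirect_chain(url, fetch, limit=5):
    """Follow Location headers by hand; return (urls_visited, final_status)."""
    chain = [url]
    status, location = fetch(url)
    while status in REDIRECTS and location and len(chain) <= limit:
        chain.append(urljoin(chain[-1], location))
        status, location = fetch(chain[-1])
    return chain, status

def protocol_result(chain, in_dns_rr):
    """Scheme change during a redirect: ERROR for DNS-RR mirrors, WARNING otherwise."""
    if len({urlsplit(u).scheme.lower() for u in chain}) == 1:
        return "OK"
    return "ERROR" if in_dns_rr else "WARNING"

def url_sanity_result(url, fetch):
    """A mirror that cannot serve the "///" form fails the download: ERROR."""
    _, status = redirect_chain(url_sanity_variant(url), fetch)
    return "OK" if status == 200 else "ERROR"

# Constructed responses for two hypothetical mirrors: URL -> (status, Location).
GOOD = "http://good.example/merged/dists/Release"
TLS = "http://tls.example/merged/dists/Release"
FAKE = {
    GOOD: (200, None),
    url_sanity_variant(GOOD): (200, None),
    TLS: (301, "https://tls.example/merged/dists/Release"),
    "https://tls.example/merged/dists/Release": (200, None),
}

def fake_fetch(url):
    """Stand-in for one HTTP request that does not follow redirects."""
    return FAKE.get(url, (404, None))

if __name__ == "__main__":
    for url, in_rr in ((GOOD, True), (TLS, False), (TLS, True)):
        chain, _ = redirect_chain(url, fake_fetch)
        print(url, protocol_result(chain, in_rr), url_sanity_result(url, fake_fetch))
```

To check a live mirror, replace `fake_fetch` with a function that issues a single request without following redirects and returns the status code and `Location` header.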