Consider network with separate host used as compiling/build farm. All builded RPM packages are published in APT repository and deployed to another hosts over HTTP.
The problem is that build farm is not visible from servers in DMZ zone. This note explains simple solution based on SSH port redirection feature.
sudo apt-get' on DMZ host.
build.farmvia local port 8000.
Important note (12-Sep-2005): initial solution based on APT-via-FTP was completely unusable because FTP always establishes separate connection for data transfer (from server back to client in active mode, and from client to server in passive). This connection uses random port choiced from 48192-65535 values. There is no possibility to redirect data transfer to SSH channel. So you should use HTTP that's tunnelled with no problem. APT supports HTTP as client, and Mathopd or lighttpd are ideal answers on server side, even smaller and simpler than typical FTP daemon.
Step 1 [Intranet host]: Create SSH keypair for APT admin on DMZ host.
ssh-keygen -C "APT admin account" -f ssh-apt.key -t dsa chmod 600 ssh-apt.key*
Step 2 [DMZ host]: Create APT admin account.
useradd -c "Executes APT commands as root" -m -k /dev/null -s /bin/sh aptadmin mkdir -p -m700 ~aptadmin/.ssh cat /mnt/disk/ssh-apt.key.pub >> ~aptadmin/.ssh/authorized_keys2 chmod 600 ~aptadmin/.ssh/authorized_keys2 chown -R aptadmin:aptadmin ~aptadmin
Step 3 [DMZ host]: Enable SSH login for aptadmin without entering password. Edit your /etc/openssh/sshd_config:
Apply it:AllowUsers aptadmin <other users...> PubkeyAuthentication yes # enabled by default AllowTcpForwarding yes # enabled by default
root@dmzhost# service sshd reload.
root@intranet# ssh -l aptadmin -i ssh-apt.key dmzhost hostname
Step 4 [DMZ host]: Enable running APT commands by aptadmin under root privileges without entering password. Edit your /etc/sudoers by visudo command:
Test it:%aptadmin ALL = NOPASSWD: /usr/bin/apt-*
aptadmin@dmzhost$ sudo apt-cache search openssh
Step 5 [DMZ host]: Configure APT client. Edit your /etc/apt/sources.list:
# Line format: type url arch name # Consider this record is used on Intranet clients #rpm http://build.farm/pub/apt ix86 miscpkgs # This value should be used on DMZ hosts rpm http://localhost:8000/pub/apt ix86 miscpkgs
Step 6 [Intranet host]: Testing and scheduling.
When this command is executed on build farm, you can replace hostname 'ssh -l aptadmin -R 8000:build.farm:80 -i ssh-apt.key \ "sudo apt-get update && sudo apt-get upgrade"
build.farm' to '
Well, if this command works fine, add it to /etc/cron.daily.
Last changed at 12 September 2005 MSD 00:23
Have comments? Mail me.