Home / ubuntu / Questions / 1226857
In Process
0xC0000022L
Asked: 2020-04-14 13:28:57 +0800 CST

Possible to run (and update) Ubuntu with only access to an APT Cacher?

  • 772

I am setting up a number of VMs and containers and I am partitioning some private network ranges accordingly.

Suppose I have guests separated into a "frontend" (192.168.100.0/24) and "backend" (192.168.200.0/24) network (some may have access to both). The "frontend" network uses NAT and so guests do have access to the internet through that. However, some of the VMs are supposed to be as much separated and so the "backend" network only allows access between the guests on that network and the host. DNS lookups will also be strictly limited as well as outgoing traffic from these guests.

Let's now say I have an apt-cacher-ng instance running on 192.168.200.1 (backend), which happens to be the host. The name apt-cacher.backend.local resolves to that IP address and there are no other access restrictions.

If I would adjust all my sources.list snippets in /etc/apt of the VMs from:

deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ focal main restricted

... to (the hacky way):

deb http://apt-cacher.backend.local:3142/us.archive.ubuntu.com/ubuntu/ focal main restricted
deb-src http://apt-cacher.backend.local:3142/us.archive.ubuntu.com/ubuntu/ focal main restricted

... or choose the somewhat cleaner configuration stanza for APT:

Acquire::http { Proxy "http://apt-cacher.backend.local:3142"; };

So summarizing the facts:

  • apt-cacher.backend.local (= 192.168.200.1) and any names that may be needed by the "backend" VM will resolve fine, anything else won't
  • apt-cacher-ng will run listening on 192.168.200.1:3142
  • access from "backend" VM is limited to the backend network (192.168.200.1/24) entirely and netfilter rules will ensure only the services the VM offers will be available and only the apt-cacher-ng instance can be accessed

Will my system be able to update all its packages this way? (Nope, no other software will be used, or I'll package it myself.)

Bonus questions:

  • Suppose the updates would work this way, is there anything else to watch out for in such a configuration?
  • Is there a sensible way to deal with package repos that use https://? E.g. would it be viable to "simply" mirror the respective packages to a local repo which doesn't use https://?
networking updates apt

2 Answers

  1. I understand you want to completely limit access to the outside world for the backend. The host at 192.168.200.1 is part of the backend.

    Your idea will work but the ACNG host also needs access to the upstream repositories to proxy the request for packages for the backend (at least that's how I understand you want to do this). Thus, the host will also need to be part of the frontend or have some other way to connect to the internet. Alternatively, you can preload all necessary packages to the acng host repo. That looks like a cumbersome solution for little gain, though.

    I suggest you look into the /etc/apt-cacher-ng/backend* files to hardwire what upstream servers will be used.

    I also suggest you install the squid-deb-proxy-client package on the VM. This will allow you a fully transparent configuration of the VM without even fiddling with /etc/apt/sources.list. The magic happens via avahi and /etc/apt/apt.conf.d/30autoproxy. Run /usr/share/squid-deb-proxy-client/apt-avahi-discover from one of the VM to make sure you get the IP of the ACNG host back.

    If you change the sources.list files on the backend machines/VM to apt-cacher.backend.local no further changes are necessary. If you put us.archive.ubuntu.com in there, then you would need to resolve that via DNS (it can basically resolve to any IP you like as the request will be proxied to the ACNG host).

    Serving upstream repos accessible via https will require additional configuration.

    Some additional considerations added a day later

    • You mentioned that you will have some locally-produced packages to install. I assume you will serve them from $host inside the LAN. In that case I suggest to add a file /etc/apt/apt.conf.d/99proxy containing "Acquire::http::Proxy::$host "DIRECT";. This bypasses the acng proxy. Personally, I have included this file in a configuration deb-file I install in all machines, it is among the files I serve from $host. That configuration deb-file has another config snippet in /etc/apt/sources.list.d/private.list containing deb http://$host/repo/debs/ generic private pointing to a reprepro repository. Maybe this is something that would benefit you as well.

    • One thing I'd also like to make you aware of is that if avahi-browse or /usr/share/squid-deb-proxy-client/apt-avahi-discover list more than one instance of an apt_proxy service you might run into an issue depending on the version of your VM OS.

    • 3

  2. If you have allowed http tunnels in apt-cacher-ng then the answer to all your questions is yes, this is how apt-cacher-ng is used.

    After installation, on the apt-cacher-ng machine go to http://localhost:3142/ for instructions and http://localhost:3142/acng-report.html for reports.

    Edit the configuration file on the apt-cacher-ng machine like so:

    sudo nano /etc/apt-cacher-ng/acng.conf

    uncomment PassThroughPattern: .* to allow HTPS connection tunneling.

    then save the file and close the editor by pressing Ctrl + x then press y then press Enter.

    then restart apt-cacher-ng with the new configuration like so:

    sudo systemctl restart apt-cacher-ng

    Limiting connections to the backhand network on the apt-cacher-ng machine is also recommended. This can be done by editing the /etc/hosts.allow file and adding the following line to it:

    apt-cacher-ng: 192.168.200.0/24

    and editing /etc/hosts.deny file and adding the following line to it:

    ALL: ALL

    also consider adding rules to the firewall on the apt-cacher-ng machine to only allow connections to the needed repositories links only.

    You can find more in this link.

    However, if you want to have a local copy of the repositories for your clients to update from locally, then I would suggest using apt-mirror and proftpd-basic to do that on a local machine that has access to Internet and then use this machines IP in your clients' sources lists to update locally.

    To do this, please follow these steps:

    On the update machine:

    • Install apt-mirror and proftpd-basic like so:
    sudo apt install apt-mirror proftpd-basic
    • Edit /etc/apt/mirror.list so it contains the repositoris of the release you want to mirror ( eg. bionic ) like so:
    sudo nano /etc/apt/mirror.list

    and modify/add repositories accordingly so it looks like this:

    ############# config ##################
#
# set base_path    /var/spool/apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############

deb http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu artful-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu artful-backports main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu artful-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu artful-backports main restricted universe multiverse

clean http://archive.ubuntu.com/ubuntu

    then save the file and close the editor by pressing Ctrl + x then press y then press Enter.

    • Start apt-mirror like so:
    sudo apt-mirror

    apt-mirror will download around 200 GB of data and that might take some time.

    • Create and edit the /etc/proftpd/conf.d/anonymous.conf configuration file like so:
    sudo nano /etc/proftpd/conf.d/anonymous.conf

    and copy and paste the following to the editor:

    <Anonymous ~ftp>
   User                    ftp
   Group                nogroup
   UserAlias         anonymous ftp
   RequireValidShell        off

   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>
 </Anonymous>

    then save the file and close the editor by pressing Ctrl + x then press y then press Enter.

    • Restart the proftpd process like so:
    sudo systemctl restart proftpd
    • Mount-bind the mirrored repositories directory to the ftp directory like so: 
    sudo mount --bind /var/spool/apt-mirror/mirror/archive.ubuntu.com/ /srv/ftp/

    On the clients to be updated:

    • Edit and modify the sources in the /etc/apt/sources.list file so that they point to ftp://Update_Machine_IP/ and change Update_Machine_IP to the IP of the update machine like so:
    sudo nao /etc/apt/sources.list

    so it will look like this:

    deb ftp://Update_Machine_IP/ubuntu/ bionic main universe multiverse restricted
deb ftp://Update_Machine_IP/ubuntu/ bionic-security main multiverse universe restricted
deb ftp://Update_Machine_IP/ubuntu/ bionic-updates main multiverse universe restricted

    then save the file and close the editor by pressing Ctrl + x then press y then press Enter.

    • Update as usual by running:
    sudo apt update
    • 1