Debian mirrors / Setting up a push server

Setting up a push server

Setting up a push server consists of two basic tasks: setting up rsync access (for normal, pull mirroring) and setting up ssh trigger mechanism (for pushing the pull mirroring).

(For more information on what a push server is, please read the explanation of push mirroring.)

• Setting up rsync
• Setting up ssh trigger mechanism

Setting up rsync

Install rsync 2.1.1 or greater. If your site is running Debian, just install the latest rsync package.

Create rsyncd.conf file and put something similar to this in it:

uid = nobody
gid = nogroup
max connections = 25
socket options = SO_KEEPALIVE

[debian]
  path = /srv/debian/mirror
  comment = The Debian Archive (~250 GB)
  auth users = authorized_account1,authorized_account2,authorized_accountN
  read only = true
  secrets file = /etc/rsyncd/debian.secrets

Add an entry for each site you are pushing to in the /etc/rsyncd/debian.secrets file:

authorized_account1:a_password
authorized_account2:another_password
authorized_accountN:password

You have now given the downstream mirrors access to the archive on your machine.

You will probably want to start the rsync daemon from inetd. To do this, you have to add rsync service in /etc/services file (if it isn't already there), like this:

rsync           873/tcp

To enable the daemon from inetd, add the following to your /etc/inetd.conf file:

rsync      stream      tcp         nowait      root /usr/bin/rsync rsyncd --daemon

(Remember to send inetd an HUP signal to tell it to reread its config file after modifying the file.)

Setting up ssh trigger mechanism

Create a new ssh key for the account that you use to mirror Debian. Make sure you don't overwrite your original ssh key by using the -f option, for example:

ssh-keygen -f ~/.ssh/identity.mysite

Make sure that the new public key (~/.ssh/identity.mysite.pub) contains this at the beginning, with IPADDRESS being the IP of your upstream mirror:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="~/bin/ftpsync",from="IPADDRESS"

You need to set up a script that will contact the downstream mirrors. The ftpsync tarball contains the script runmirrors which is handling all needed tasks for you. Simply change your ftpsync.conf to include the setting HUB=true, copy the runmirrors.conf.sample to runmirrors.conf and runmirrors.mirror.sample to runmirrors.mirror and configure the config file to suit your system. Then list all your downstream mirrors inside runmirrors.mirror and the ftpsync/runmirror duo will do all the heavy lifting for you.

The effect will be that your system will try to ssh to your downstream mirrors, after your own mirror updated, so they can start their own updates. This assumes you gave your downstream mirror operators the ssh key you told runmirrors to use and that they added it to their own ~/.ssh/authorized_keys as described above.

If you have any trouble with this, contact us.

Back to the Debian Project homepage.