Repository Mirror Server Deployment Guide

The following instructions are for deploying a repository mirror host. This node serves as a front end to the repository files which are stored on an NFS mount.

Prerequisites

This guide is written for a Red Hat Enterprise Linux 8 based operating system which is operating within a cluster of systems and the following are the prerequisites:

• Repository Mirror Server OS Installation Guide

• IdM Client Deployment Guide

• NFS Client Deployment Guide

Follow-on Deployments

The following guides can be applied after the deployment of their associated nodes.

• RSyslog Deployment Guide

• Telegraf Deployment Guide

References

Instructions are based on the following documentation:
https://www.golinuxcloud.com/local-offline-yum-dnf-repo-http-rocky-linux-8/

Deployment Scripts

Note

An example bash script of the instructions has been provided: deploy-mirror-server.sh

Deployment Steps

Note

Instructions assume execution using the root account.

1. Connect the system to the NFS Server:

See Guide: NFS Client Deployment Guide

2. Connect the system to the IdM Server:

See Guide: IdM Client Deployment Guide

3. Install dependencies:

dnf -y install nginx yum-utils

4. Create local directory for the repository mount:

mkdir -p /srv/repos/

5. Configure NFS mount:

Important

Replace engwsc.example.com with the domain name of your network.

cat >> /etc/fstab <<EOL

# Repository Mirror NFS Mount
nfs01.engwsc.example.com:/srv/nfs/mirror /srv/repos nfs4 defaults,tcp,soft,nfsvers=4 0 0
EOL

6. Mount the mirror path:

mount /srv/repos

7. Create repository paths:

Important

Replace almalinux with the rocky if using Rocky Linux.

mkdir -p /srv/repos/almalinux/8/BaseOS/x86_64/os/
mkdir -p /srv/repos/almalinux/8/AppStream/x86_64/os/
mkdir -p /srv/repos/almalinux/8/extras/x86_64/os/
mkdir -p /srv/repos/almalinux/8/PowerTools/x86_64/os/
mkdir -p /srv/repos/almalinux/8/HighAvailability/x86_64/os/

mkdir -p /srv/repos/epel/pub/epel/8/Everything/x86_64/
mkdir -p /srv/repos/epel/pub/epel/8/Modular/x86_64/

mkdir -p /srv/repos/gitlab/gitlab-ce/el/8/x86_64/

mkdir -p /srv/repos/mongodb/yum/redhat/8/mongodb-org/6.0/x86_64/
mkdir -p /srv/repos/elasticsearch/packages/oss-7.x/yum/
mkdir -p /srv/repos/graylog/repo/el/stable/4.3/x86_64/

mkdir -p /srv/repos/docker/linux/centos/8/x86_64/stable/
mkdir -p /srv/repos/influxdb/rhel/8/x86_64/stable/
mkdir -p /srv/repos/grafana/oss/rpm/

8. Install Extra Packages for Enterprise Linux (EPEL) Repository:

dnf -y install epel-release
dnf -y distro-sync
dnf -y clean all

9. Add GitLab Repository:

# Download and copy the GPG keys to the repository path
wget https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey \
    -O /srv/repos/RPM-GPG-KEY-gitlab

wget https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg \
    -O /srv/repos/RPM-GPG-KEY-gitlab-3D645A26AB9FBD22

# Import GPG key
rpm --import https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

# Create repository file
cat > /etc/yum.repos.d/gitlab_gitlab-ce.repo <<EOF
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/\$releasever/\$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=0
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[gitlab_gitlab-ce-source]
name=gitlab_gitlab-ce-source
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/\$releasever/SRPMS
repo_gpgcheck=1
gpgcheck=1
enabled=0
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF

# Disable this repository as it is not used locally
yum-config-manager --disable gitlab_gitlab-ce,gitlab_gitlab-ce-source

10. Add Graylog Repositories:

MongoDB

# Download and copy the GPG key to the repository path
wget https://www.mongodb.org/static/pgp/server-6.0.asc \
    -O /srv/repos/RPM-GPG-KEY-mongodb

# Import GPG key
rpm --import https://www.mongodb.org/static/pgp/server-6.0.asc

# Create repository file
cat > /etc/yum.repos.d/mongodb-org-6.0.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=0
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

# Disable this repository as it is not used locally
yum-config-manager --disable mongodb-org-6.0

ElasticSearch

# Download and copy the GPG key to the repository path
wget https://artifacts.elastic.co/GPG-KEY-elasticsearch \
    -O /srv/repos/RPM-GPG-KEY-elasticsearch

# Import GPG key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Create repository file
cat > /etc/yum.repos.d/elasticsearch.repo <<EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
EOF

# Disable this repository as it is not used locally
yum-config-manager --disable elasticsearch-7.x

Graylog

# Install Graylog repository RPM
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm

# Copy the GPG key to the repository path
cp /etc/pki/rpm-gpg/RPM-GPG-KEY-graylog /srv/repos/RPM-GPG-KEY-graylog

# Import GPG key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-graylog

# Disable this repository as it is not used locally
yum-config-manager --disable graylog

11. Add InfluxDB Repository:

# Download and copy the GPG key to the repository path
wget https://repos.influxdata.com/influxdb.key \
    -O /srv/repos/RPM-GPG-KEY-influxdb

# Import GPG key
rpm --import https://repos.influxdata.com/influxdb.key

# Create repository file
# influxdb.key GPG Fingerprint: 05CE15085FC09D18E99EFB22684A14CF2582E0C5
cat > /etc/yum.repos.d/influxdb.repo <<EOF
[influxdb]
name = InfluxDB Repository - RHEL \$releasever
baseurl = https://repos.influxdata.com/rhel/\$releasever/\$basearch/stable
enabled = 0
gpgcheck = 1
gpgkey = https://repos.influxdata.com/influxdb.key
EOF

# Enable this repository as it is used locally for telegraf
yum-config-manager --enable influxdb

12. Add Grafana Repository:

# Download and copy the GPG key to the repository path
wget https://rpm.grafana.com/gpg.key \
    -O /srv/repos/RPM-GPG-KEY-grafana

# Import GPG key
rpm --import https://rpm.grafana.com/gpg.key

# Create repository file
cat > /etc/yum.repos.d/grafana.repo <<EOF
[grafana]
name = grafana
baseurl = https://rpm.grafana.com
repo_gpgcheck = 1
enabled = 0
gpgcheck = 1
gpgkey = https://rpm.grafana.com/gpg.key
sslverify = 1
sslcacert = /etc/pki/tls/certs/ca-bundle.crt
exclude = *beta*
EOF

# Disable this repository as it is not used locally
yum-config-manager --disable grafana

13. Add Docker Repository:

# Download and copy the GPG key to the repository path
wget https://download.docker.com/linux/centos/gpg \
    -O /srv/repos/RPM-GPG-KEY-docker

# Import GPG key
rpm --import https://download.docker.com/linux/centos/gpg

# Create repository file
yum-config-manager --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo

# Disable this repository as it is not used locally
yum-config-manager --disable docker-ce-stable

14. Create a Cron Job to synchronize repositories:

Important

Replace almalinux with the rocky if using Rocky Linux.

cat > /etc/cron.daily/update-localrepos <<EOF
#!/bin/bash

/bin/dnf -y reposync --repoid=baseos            -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/almalinux/8/BaseOS/x86_64/os/
/bin/dnf -y reposync --repoid=appstream         -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/almalinux/8/AppStream/x86_64/os/
/bin/dnf -y reposync --repoid=extras            -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/almalinux/8/extras/x86_64/os/
/bin/dnf -y reposync --repoid=powertools        -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/almalinux/8/PowerTools/x86_64/os/
/bin/dnf -y reposync --repoid=ha                -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/almalinux/8/HighAvailability/x86_64/os/

/bin/dnf -y reposync --repoid=epel              -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/epel/pub/epel/8/Everything/x86_64/
/bin/dnf -y reposync --repoid=epel-modular      -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/epel/pub/epel/8/Modular/x86_64/

/bin/dnf -y reposync --repoid=gitlab_gitlab-ce  -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/gitlab/gitlab-ce/el/8/x86_64/

/bin/dnf -y reposync --repoid=mongodb-org-6.0   -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/mongodb/yum/redhat/8/mongodb-org/6.0/x86_64/
/bin/dnf -y reposync --repoid=elasticsearch-7.x -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/elasticsearch/packages/oss-7.x/yum/
/bin/dnf -y reposync --repoid=graylog           -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/graylog/repo/el/stable/4.3/x86_64/

/bin/dnf -y reposync --repoid=docker-ce-stable  -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/docker/linux/centos/8/x86_64/stable/
/bin/dnf -y reposync --repoid=influxdb          -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/influxdb/rhel/8/x86_64/stable/
/bin/dnf -y reposync --repoid=grafana           -g --delete --newest-only --norepopath --download-metadata -p /srv/repos/grafana/oss/rpm/
EOF

chmod 755 /etc/cron.daily/update-localrepos

15. Synchronize repositories:

dnf clean all
dnf -y distro-sync
/etc/cron.daily/update-localrepos

16. Configure Nginx to server the repository over http:

Important

Replace engwsc.example.com with the domain name of your network.

cat > /etc/nginx/conf.d/localrepos.conf <<EOF
server {
    listen      80;
    server_name mirror.engwsc.example.com;
    root        /srv/repos/;
    index       index.html;
    location / {
        autoindex on;
    }
}
EOF

17. Set SELinux context or SELinux boolean:

If using local storage for /srv/repos/:

# Permanently change the SELinux context of the local storage path
semanage fcontext -a -t httpd_sys_content_t "/srv/repos(/.*)?"

# Relabel files
restorecon -F -R -v /srv/repos/

If using NFS storage for /srv/repos/:

# Set SELinux boolen to allow httpd to use NFS
setsebool -P httpd_use_nfs=1

18. Enable Nginx service:

systemctl enable --now nginx
systemctl status nginx

19. Configure firewall rules:

Important

Replace the IPv4 Address and Subnet mask with the value of your network.

systemctl enable --now firewalld
firewall-cmd --zone=public --add-source=192.168.1.0/24 --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload