Possible to run (and update) Ubuntu with only access to an APT Cacher?
I am setting up a number of VMs and containers and I am partitioning some private network ranges accordingly.
Suppose I have guests separated into a "frontend" (192.168.100.0/24) and "backend" (192.168.200.0/24) network (some may have access to both). The "frontend" network uses NAT and so guests do have access to the internet through that. However, some of the VMs are supposed to be as much separated and so the "backend" network only allows access between the guests on that network and the host. DNS lookups will also be strictly limited as well as outgoing traffic from these guests.
Let's now say I have an apt-cacher-ng instance running on 192.168.200.1 (backend), which happens to be the host. The name apt-cacher.backend.local resolves to that IP address and there are no other access restrictions.
If I would adjust all my sources.list snippets in /etc/apt of the VMs from:
deb http://us.archive.ubuntu.com/ubuntu/ focal main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ focal main restricted
... to (the hacky way):
deb http://apt-cacher.backend.local:3142/us.archive.ubuntu.com/ubuntu/ focal main restricted
deb-src http://apt-cacher.backend.local:3142/us.archive.ubuntu.com/ubuntu/ focal main restricted
... or choose the somewhat cleaner configuration stanza for APT:
Acquire::http { Proxy "http://apt-cacher.backend.local:3142"; };
So summarizing the facts:
- apt-cacher.backend.local (= 192.168.200.1) and any names that may be needed by the "backend" VM will resolve fine, anything else won't
- apt-cacher-ng will run listening on 192.168.200.1:3142
- access from "backend" VM is limited to the backend network (192.168.200.1/24) entirely and netfilter rules will ensure only the services the VM offers will be available and only the apt-cacher-ng instance can be accessed
Will my system be able to update all its packages this way? (Nope, no other software will be used, or I'll package it myself.)
Bonus questions:
- Suppose the updates would work this way, is there anything else to watch out for in such a configuration?
- Is there a sensible way to deal with package repos that use https://? E.g. would it be viable to "simply" mirror the respective packages to a local repo which doesn't use https://?
I understand you want to completely limit access to the outside world for the backend. The host at 192.168.200.1 is part of the backend.
Your idea will work but the ACNG host also needs access to the upstream repositories to proxy the request for packages for the backend (at least that's how I understand you want to do this). Thus, the host will also need to be part of the frontend or have some other way to connect to the internet. Alternatively, you can preload all necessary packages to the acng host repo. That looks like a cumbersome solution for little gain, though.
I suggest you look into the /etc/apt-cacher-ng/backend* files to hardwire what upstream servers will be used.
I also suggest you install the squid-deb-proxy-client package on the VM. This will allow you a fully transparent configuration of the VM without even fiddling with /etc/apt/sources.list. The magic happens via avahi and /etc/apt/apt.conf.d/30autoproxy. Run /usr/share/squid-deb-proxy-client/apt-avahi-discover from one of the VM to make sure you get the IP of the ACNG host back.
If you change the sources.list files on the backend machines/VM to apt-cacher.backend.local no further changes are necessary. If you put us.archive.ubuntu.com in there, then you would need to resolve that via DNS (it can basically resolve to any IP you like as the request will be proxied to the ACNG host).
Serving upstream repos accessible via https will require additional configuration.
Some additional considerations added a day later
You mentioned that you will have some locally-produced packages to install. I assume you will serve them from $host inside the LAN. In that case I suggest to add a file /etc/apt/apt.conf.d/99proxy containing
Acquire::http::Proxy::$host "DIRECT";
This bypasses the acng proxy. Personally, I have included this file in a configuration deb-file I install in all machines, it is among the files I serve from $host. That configuration deb-file has another config snippet in /etc/apt/sources.list.d/private.list containing
deb http://$host/repo/debs/ generic private
pointing to a reprepro repository. Maybe this is something that would benefit you as well.
One thing I'd also like to make you aware of is that if avahi-browse or /usr/share/squid-deb-proxy-client/apt-avahi-discover list more than one instance of an apt_proxy service you might run into an issue depending on the version of your VM OS.
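To make the proxy precedence concrete, here is an added shell example that is not part of the question or of either answer. It writes the global proxy setting from the question (in its flat Acquire::http::Proxy form, equivalent to the Acquire::http { Proxy ...; } stanza) together with the per-host DIRECT exception from this answer into a scratch directory standing in for /etc/apt/apt.conf.d, then reports which proxy apt would pick for a given repository host, following the rule in apt.conf(5) that a host-specific Acquire::http::Proxy::<host> entry overrides the global Acquire::http::Proxy. The name repo.backend.local is an assumption standing in for the answer's $host, and the lookup is a small re-implementation of apt's rule, not apt's own code.

```shell
#!/bin/sh
# Added example (not from the question or answers on this page).
# Builds the two apt proxy snippets discussed above in a scratch directory
# and mimics apt's lookup order: a host-specific Acquire::http::Proxy::<host>
# entry wins over the global Acquire::http::Proxy.
set -eu

PROXY_URL="http://apt-cacher.backend.local:3142"
LOCAL_REPO_HOST="repo.backend.local"   # assumption: stands for the answer's $host

# Write a global proxy snippet and a per-host DIRECT exception.
# $1 = directory playing the role of /etc/apt/apt.conf.d
write_apt_proxy_conf() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Acquire::http::Proxy "%s";\n' "$PROXY_URL" > "$dir/00aptproxy"
    printf 'Acquire::http::Proxy::%s "DIRECT";\n' "$LOCAL_REPO_HOST" > "$dir/99proxy"
}

# Print the proxy apt would use for repository host $2 given config dir $1:
# the per-host entry if present, else the global one, else "none".
effective_proxy() {
    dir="$1"; host="$2"
    specific=$(grep -h -F "Acquire::http::Proxy::$host " "$dir"/* 2>/dev/null \
               | sed 's/.*"\(.*\)".*/\1/' | tail -n 1)
    if [ -n "$specific" ]; then
        printf '%s\n' "$specific"
        return 0
    fi
    global=$(grep -h -E '^Acquire::http::Proxy "' "$dir"/* 2>/dev/null \
             | sed 's/.*"\(.*\)".*/\1/' | tail -n 1)
    printf '%s\n' "${global:-none}"
}

# Stand-alone demonstration: the Ubuntu archive goes through the cache,
# the local reprepro host is fetched directly.
scratch=$(mktemp -d)
write_apt_proxy_conf "$scratch"
for h in us.archive.ubuntu.com "$LOCAL_REPO_HOST"; do
    printf '%-25s -> %s\n' "$h" "$(effective_proxy "$scratch" "$h")"
done
rm -r "$scratch"
```

On a real machine the same question is answered by `apt-config dump | grep -i proxy`, which shows the merged view of every snippet in /etc/apt/apt.conf.d; the script above is only a way to reason about the precedence offline. Note that the DIRECT exception only covers hosts apt contacts itself, so the local repository host still has to be resolvable and reachable from the backend network without the cache.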
If you have allowed http tunnels in apt-cacher-ng then the answer to all your questions is yes, this is how apt-cacher-ng is used.
After installation, on the apt-cacher-ng machine go to http://localhost:3142/ for instructions and http://localhost:3142/acng-report.html for reports.
Edit the configuration file on the apt-cacher-ng machine like so:
sudo nano /etc/apt-cacher-ng/acng.conf
Uncomment PassThroughPattern: .* to allow HTTPS connection tunneling, then save the file and close the editor by pressing Ctrl + x, then y, then Enter.
Then restart apt-cacher-ng with the new configuration like so:
sudo systemctl restart apt-cacher-ng
Limiting connections to the backend network on the apt-cacher-ng machine is also recommended. This can be done by editing the /etc/hosts.allow file and adding the following line to it:
apt-cacher-ng: 192.168.200.0/24
and editing the /etc/hosts.deny file and adding the following line to it:
ALL: ALL
Also consider adding rules to the firewall on the apt-cacher-ng machine to allow connections only to the needed repository links.
You can find more in this link.
However, if you want to have a local copy of the repositories for your clients to update from locally, then I would suggest using apt-mirror and proftpd-basic to do that on a local machine that has access to the Internet and then use this machine's IP in your clients' sources lists to update locally.
To do this, please follow these steps:
On the update machine:
- Install apt-mirror and proftpd-basic like so:
sudo apt install apt-mirror proftpd-basic
- Edit /etc/apt/mirror.list so it contains the repositories of the release you want to mirror (e.g. bionic) like so:
sudo nano /etc/apt/mirror.list
and modify/add repositories accordingly so it looks like this:
############# config ##################
#
# set base_path /var/spool/apt-mirror
#
# set mirror_path $base_path/mirror
# set skel_path $base_path/skel
# set var_path $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads 20
set _tilde 0
#
############# end config ##############
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu artful-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu artful-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu artful-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu artful-backports main restricted universe multiverse
clean http://archive.ubuntu.com/ubuntu
Then save the file and close the editor by pressing Ctrl + x, then y, then Enter.
- Start apt-mirror like so:
sudo apt-mirror
apt-mirror will download around 200 GB of data and that might take some time.
- Create and edit the /etc/proftpd/conf.d/anonymous.conf configuration file like so:
sudo nano /etc/proftpd/conf.d/anonymous.conf
and copy and paste the following into the editor:
<Anonymous ~ftp>
User ftp
Group nogroup
UserAlias anonymous ftp
RequireValidShell off
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
Then save the file and close the editor by pressing Ctrl + x, then y, then Enter.
- Restart the proftpd process like so:
sudo systemctl restart proftpd
- Mount-bind the mirrored repositories directory to the ftp directory like so:
sudo mount --bind /var/spool/apt-mirror/mirror/archive.ubuntu.com/ /srv/ftp/
On the clients to be updated:
- Edit and modify the sources in the /etc/apt/sources.list file so that they point to ftp://Update_Machine_IP/ and change Update_Machine_IP to the IP of the update machine like so:
sudo nano /etc/apt/sources.list
so it will look like this:
deb ftp://Update_Machine_IP/ubuntu/ bionic main universe multiverse restricted
deb ftp://Update_Machine_IP/ubuntu/ bionic-security main multiverse universe restricted
deb ftp://Update_Machine_IP/ubuntu/ bionic-updates main multiverse universe restricted
Then save the file and close the editor by pressing Ctrl + x, then y, then Enter.
- Update as usual by running:
sudo apt update
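The PassThroughPattern step in this answer deserves a closer look from the isolation angle the question asks about, so here is an added shell example that is not part of the answer and not apt-cacher-ng's own code. apt-cacher-ng treats PassThroughPattern as a regular expression that is matched against the host:port of each CONNECT request and opens a plain TCP tunnel when it matches; with `.*` any backend VM can therefore reach any host and port through the cache, which is exactly the traffic the backend network is meant to block. The script below evaluates a pattern against a constructed list of CONNECT targets using grep -E as a stand-in for apt-cacher-ng's matcher, and compares the permissive `.*` with a pattern limited to two named repository hosts on port 443. The host names in the target list are my examples, not taken from the page.

```shell
#!/bin/sh
# Added example (not part of the answer and not apt-cacher-ng's code).
# Evaluates a PassThroughPattern candidate against sample CONNECT targets.
# grep -E stands in for apt-cacher-ng's regex matcher, so this is an
# approximation of the daemon's decision, meant for reviewing a pattern
# before it goes into acng.conf.
set -eu

# Constructed CONNECT targets (host:port) as backend VMs might request them.
# Only the first two are package repositories the backend is meant to reach;
# 203.0.113.10 is a documentation address standing in for an arbitrary host.
CONNECT_TARGETS="ppa.launchpadcontent.net:443 packages.example.com:443 203.0.113.10:443 203.0.113.10:22"

# The answer's permissive setting versus a least-privilege alternative.
# Anchoring with ^ and $ keeps a substring match from widening the rule.
OPEN_PATTERN='.*'
TIGHT_PATTERN='^(ppa\.launchpadcontent\.net|packages\.example\.com):443$'

# Print "tunnel" if target $2 (host:port) matches pattern $1, else "refused".
tunnel_decision() {
    pattern="$1"; target="$2"
    if printf '%s\n' "$target" | grep -Eq -- "$pattern"; then
        echo tunnel
    else
        echo refused
    fi
}

# Count how many of CONNECT_TARGETS pattern $1 would tunnel.
count_tunnelled() {
    pattern="$1"; n=0
    for t in $CONNECT_TARGETS; do
        if [ "$(tunnel_decision "$pattern" "$t")" = tunnel ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone report: the open pattern tunnels all four targets, the tight
# one only the two repository hosts on 443.
for p in "$OPEN_PATTERN" "$TIGHT_PATTERN"; do
    echo "PassThroughPattern: $p"
    for t in $CONNECT_TARGETS; do
        printf '  %-32s %s\n' "$t" "$(tunnel_decision "$p" "$t")"
    done
    echo "  tunnelled: $(count_tunnelled "$p") of 4"
done
```

Used together with the hosts.allow line from the answer, the two settings divide the work: hosts.allow limits which clients may talk to the cache at all, and a tight PassThroughPattern limits where the cache will open tunnels to, so the backend VMs keep a package-only path to the outside. Mirroring https repositories into a local http repository, as the question considers, avoids the tunnel entirely and lets the pattern stay commented out.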