Control: tag -1 - patch

Hello Trent,
Thanks for getting in touch.

On Fri, Aug 23, 2019 at 05:55:45PM +1000, Trent W. Buck wrote:
> Package: auto-apt-proxy
> Version: 11
> Severity: wishlist
> Tags: patch
>
> Currently auto-apt-proxy doesn't work for me because I run
> apt-cacher-ng on a dedicated host, which is neither the client's
> localhost, nor the client's default gateway.
>
> Currently squid-deb-proxy-client doesn't work for me because I run the
> apt-cacher-ng and its clients on different LANs (e.g. DMZ and BYOD).
>
> squid-deb-proxy-client only uses avahi, and
> avahi only queries MDNS (not regular DNS), and
> MDNS does not propagate between LANs, and
> I don't want to forward MDNS traffic between LANs for security reasons.
>
>
> What I propose is to have static SRV records in normal DNS, similar to
> _ldap._tcp and _krb._tcp in large corporate networks. Here is how it
> would work:
>
> 1. I run a normal apt-cacher-ng on 203.7.155.214:3128.
>
> 2. I add an SRV record to my regular DNS zone (*not* avahi MDNS).
>
>      dnsmasq --srv-host=_apt_proxy._tcp.cyber.com.au,203.7.155.214,3128
>
> 3. I install auto-apt-proxy on all clients, and it does
>
>      /usr/lib/apt/apt-helper srv-lookup _http._tcp."$(hostname --domain)"
>
> If that succeeds, it uses the output instead of guessing 127.1 or
> default gateway.

This sounds reasonable.

> Someone else is already doing this strategy downstream of Debian:
>
> https://gist.github.com/stickystyle/ca2e64a4f7d247648b0c
>
> I have refined that above to use apt (not dig), and hostname (not awk)
> to find the local domain. Note that resolv.conf supports separate
> domain (one) and search (zero or more) domains; the gist is checking
> only the first search domain; "hostname --domain" is the local domain.
>
> SRV can return >1 result, with a weighted preference.
> In theory auto-apt-proxy should choose one based on the weighting.
> I think it is good enough (for now) to just use the first result,
> possibly after piping through "shuf" or "sort -R".

This sounds reasonable.
Some comments on the code based on a quick read:

> # NOTE: this only checks regular DNS/DNS-SD, e.g. in dnsmasq.conf:
> #     srv-host=_apt_proxy._tcp.example.com,apt-cacher-ng.example.com,3128
> # will result in an apt proxy of http://apt-cacher-ng.example.com:3128/.
> # If you want to check MDNS/DNS-SD (avahi), use squid-deb-proxy-client.
> detect_dns_service_discovery() {
>     if stdout=$(/usr/lib/apt/apt-helper srv-lookup _http._tcp."$(hostname --domain)") &&

s/_http/_apt_proxy/ ?

>        proxy=$(
>            echo "$stdout" |
>            shuf |    # FIXME: use the priority ($2) and weight ($3)!
>            awk '/^[^#]/{print "http://" $1 ":" $4;exit}') &&
>        hit -o "Acquire::http::Proxy::${ip}=DIRECT" "$proxy" >/dev/null 2>&1 &&
>        [ -s "$tmpfile" ] &&
>        # The response came from apt-cacher or apt-cacher-ng or approx.
>        grep -q -i "$tmpfile" -e '<title>Apt-cacher' -e '406.*usage.information' -e '<title>approx\s*server</title>'

this duplicates the check for those servers, and will make adding new
ones error-prone because we always need to remember to also include a
duplicate of the check here. we would need to decouple hitting the
server from detecting what it is to be able to reuse the detection part
here.

>     then
>         # DNS-SD provided a working server, so use it.
>         echo "$proxy"
>         return 0
>     fi
>     return 1
> }

As you saw at the top of this message, I am removing the `patch` tag
because this is not an actual patch, and also because it clearly won't
work as described given the _http/_apt_proxy mismatch. Feel free to
re-add it when you post an actual, tested patch. Please also include a
patch to the documentation.

FWIW the git repository lives at https://salsa.debian.org/debian/auto-apt-proxy

> PS: busybox also provides ip(1), and it is often installed for the ramdisk.
> Therefore I suggest using it when available:
>
> detect() {
> if command -v ip >/dev/null; then
> gateway=$(ip route | awk '/default/ { print($3) }')
> + elif busybox ip route >/dev/null 2>&1; then
> + gateway=$(busybox ip route | awk '/default/{print $3}')
> else
> gateway=''
> fi
>
> I did not use "command" because busybox might be compiled without
> the ip applet (very unlikely on Debian, but theoretically possible).

fair enough.
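Review bot: the new `busybox` branch inherits the unanchored `/default/` match of the existing `ip` branch, so on a host with two default routes (or any route whose device or target name contains "default") `gateway` is set to several lines and the later URL built from it is garbage; anchor and stop at the first hit in both places, e.g. `awk '/^default/ { print $3; exit }'`. In the `elif` line `busybox ip route` is also executed twice, once for the test and once for the assignment; capturing once with `gateway=$(busybox ip route 2>/dev/null | awk ...)` and then testing `[ -n "$gateway" ]` avoids the second exec and still covers the "applet missing" case the comment below worries about.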
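The selection the `FIXME: use the priority ($2) and weight ($3)!` line above defers, as an added example that is not part of the bug report or of auto-apt-proxy. It works on the record lines `apt-helper srv-lookup` prints (`#`-prefixed header, then one `target priority weight port` record per line, the same columns the quoted awk reads `$1` and `$4` from), chooses per RFC 2782 (lowest priority, then proportionally to weight within that group), and tries `_apt_proxy._tcp` under `hostname --domain` and every `domain`/`search` entry of resolv.conf rather than only the first search domain. The sample records, the `example.com` hosts and the function names `srv_pick`, `resolv_domains`, `srv_roll` and `detect_srv_proxy` are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not auto-apt-proxy code: RFC 2782 selection over the
# output of `apt-helper srv-lookup`.  Function and host names are invented.

# Constructed sample of what `apt-helper srv-lookup` prints: a '#' header
# line followed by "target priority weight port" records (tab- or
# space-separated; awk splits on either).
SRV_SAMPLE='# Target Priority Weight Port # for _apt_proxy._tcp.example.com
backup.example.com   20  0   3128
cache-a.example.com  10  60  3128
cache-b.example.com  10  40  3142'

# srv_pick ROLL: read records on stdin and print "http://target:port" for the
# chosen one.  The lowest priority value wins; inside that group the record is
# chosen proportionally to its weight, driven by ROLL (any non-negative
# integer) so the function is deterministic and testable.  Records with weight
# 0 are used only when every record in the group has weight 0 (RFC 2782 gives
# them a "very small" chance; this example simplifies that to none).
# Exits 1 when there is no record at all.
srv_pick() {
    awk -v roll="${1:-0}" '
        /^#/ || NF < 4 { next }
        {
            n++
            target[n] = $1; prio[n] = $2 + 0; weight[n] = $3 + 0; port[n] = $4
            if (n == 1 || prio[n] < best) best = prio[n]
        }
        END {
            if (n == 0) exit 1
            total = 0
            for (i = 1; i <= n; i++) if (prio[i] == best) total += weight[i]
            if (total == 0) {
                for (i = 1; i <= n; i++)
                    if (prio[i] == best) { print "http://" target[i] ":" port[i]; exit 0 }
            }
            r = roll % total
            acc = 0
            for (i = 1; i <= n; i++) {
                if (prio[i] != best) continue
                acc += weight[i]
                if (r < acc) { print "http://" target[i] ":" port[i]; exit 0 }
            }
        }'
}

# resolv_domains: print every "domain" and "search" entry of a resolv.conf
# read from stdin, one per line, in file order.
resolv_domains() {
    awk '$1 == "domain" { print $2 }
         $1 == "search" { for (i = 2; i <= NF; i++) print $i }'
}

# srv_roll: a 16-bit random number for the real lookup.
srv_roll() {
    od -An -N2 -tu2 /dev/urandom | tr -d ' '
}

# detect_srv_proxy: the lookup the thread proposes, with the _apt_proxy._tcp
# service name.  Tries `hostname --domain` first, then the resolv.conf
# domains, without repeats.  Needs apt-helper on the client; prints the
# proxy URL and returns 0, or returns 1 when no SRV record is found.
detect_srv_proxy() {
    for d in $( { hostname --domain 2>/dev/null
                  resolv_domains 2>/dev/null </etc/resolv.conf; } | awk '!seen[$0]++'); do
        if url=$(/usr/lib/apt/apt-helper srv-lookup "_apt_proxy._tcp.$d" 2>/dev/null |
                 srv_pick "$(srv_roll)"); then
            echo "$url"
            return 0
        fi
    done
    return 1
}
```

`detect_srv_proxy` only discovers a candidate; the caller should still perform the same "hit it and check the banner" step the quoted function does, since an SRV record in an untrusted resolver answer can point anywhere. Passing the random roll in as an argument keeps the selection logic itself free of `$RANDOM` (not POSIX) and lets the weighting be checked against fixed values.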