
Exclude the private mirrors from the mirrors list in the case of fallback behavior

Open soksanichenko opened this issue 2 years ago • 3 comments

Change https://github.com/AlmaLinux/mirrors/blob/mirrors_service/src/backend/api/handlers.py#L187-L190 to make the call with without_private_mirrors=True

soksanichenko avatar Jun 24 '22 19:06 soksanichenko

To expand on the context here, I noted that when a client doesn't match on the network service cone (subnets and/or ASNs) of any mirrors, it falls back to rely on geo data to find nearby mirrors.

The get_mirrors_list() → _get_nearest_mirrors(without_private_mirrors=False) → _get_nearest_mirrors_by_geo_data() call chain then fails to account for private mirrors only servicing their specified network cones.

The failure modes here are:

  1. A client which fails geo match lookup receives a full list of mirrors, including private mirrors.
  2. A private mirror accidentally includes geo data in their mirror.d configuration file, and starts matching as an option for other nearby clients outside their network service cone.

PhirePhly avatar Jun 24 '22 20:06 PhirePhly
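
A simplified model of the fallback described in the comment above, added here as an example; it is not the AlmaLinux mirrors service code. Only the `without_private_mirrors` flag name comes from the issue; the `Mirror` class, `select_mirrors`, the flat lat/lon distance and the sample data are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from math import hypot
from typing import Optional


@dataclass
class Mirror:  # hypothetical stand-in for one mirror.d entry
    name: str
    private: bool = False
    subnets: list = field(default_factory=list)  # network service cone
    location: Optional[tuple] = None             # (lat, lon) geo data, if any


def in_cone(mirror, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in mirror.subnets)


def select_mirrors(mirrors, client_ip, client_location=None,
                   without_private_mirrors=True, limit=2):
    # Step 1: a client inside a mirror's cone is served by that mirror,
    # whether the mirror is private or public.
    matched = [m for m in mirrors if in_cone(m, client_ip)]
    if matched:
        return [m.name for m in matched]
    # Step 2 (fallback): drop private mirrors before any geo logic runs, so
    # neither a failed geo lookup nor stray geo data can expose them.
    pool = [m for m in mirrors if not (without_private_mirrors and m.private)]
    if client_location is None:
        return [m.name for m in pool]  # failure mode 1: full list is returned
    # Flat lat/lon distance is a simplification that is enough for ordering here.
    located = sorted(
        (m for m in pool if m.location is not None),
        key=lambda m: hypot(m.location[0] - client_location[0],
                            m.location[1] - client_location[1]))
    return [m.name for m in located[:limit]]


# Constructed sample data (documentation address ranges, made-up host names).
MIRRORS = [
    Mirror("public-a.example", location=(50.0, 8.0)),
    Mirror("public-b.example", location=(40.0, -74.0)),
    # Private mirror that also carries geo data (failure mode 2).
    Mirror("private.corp.example", private=True,
           subnets=["192.0.2.0/24"], location=(50.1, 8.1)),
]
```

Calling `select_mirrors` with `without_private_mirrors=False` reproduces both failure modes from the list above on the sample data; the default keeps the private mirror visible only to clients inside its cone.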

Result from dev machine

[ec2-user@ip-172-31-90-25 ~]$ curl -H "X-Forwarded-For: 127.0.0.1" http://localhost/mirrorlist/8/appstream 2>&1 | grep "centos.corp.cloudlinux.com"
[ec2-user@ip-172-31-90-25 ~]$

For 127.0.0.1 the service should return the full list, and centos.corp.cloudlinux.com is a private mirror

soksanichenko avatar Jul 04 '22 10:07 soksanichenko

The patch is deployed to production

soksanichenko avatar Jul 07 '22 11:07 soksanichenko