Recently I improved my workflow for testing Foreman and Satellite 6 instances. I do a lot of provisioning, and while I could maintain my own yum mirrors, I am lazy. So I decided to create a proxy setup for CentOS, Fedora and Red Hat CDN content. This should also work for other distributions, but I haven’t tested it. This post is heavily based on Setting up a local caching proxy for Fedora YUM repositories by Daniel Berrangé.
Pick a server; I am using my own workstation, as I want it to be the proxy for all my test VMs. Step one, install Apache httpd and Squid.
dnf install httpd squid
Step two, create the configuration. The idea is to proxy some URLs to Squid, which will maintain a cache of RPM and metadata files.
There is one snag: the Red Hat CDN is only available via HTTPS. I could not figure out how to configure Apache httpd as a man-in-the-middle for HTTPS with client certificates, so I decided to use one of our internal mirrors. It currently does not contain kickstart trees, so I needed to rsync those and keep them locally (RHEL 7.0 kickstart). The rest is proxied to pulp.dist.xxx.xxx.xxx.redhat.com, which is an RH internal server - find the proper hostname on Mojo.
I keep all my files in the /mnt/data/www volume; this will be different for you, so modify it in the configuration. Also remember to use your closest mirror instead of
# cat > /etc/httpd/conf.d/yumcache.conf <<EOF
ProxyPass /centos/ http://mirror.centos.org/centos/
ProxyPass /fedora/ http://dl.fedoraproject.org/pub/fedora/linux/releases/
ProxyPass /epel/ http://mirror.karneval.cz/pub/linux/fedora/epel/
<Directory "/mnt/data/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
DocumentRoot "/mnt/data/www"
ProxyPass /cdn/content/dist/rhel/server/7/7.0/x86_64/kickstart/ !
Alias /cdn/content/dist/rhel/server/7/7.0/x86_64/kickstart/ /mnt/data/www/rh/rhel-7-server-kickstart/7.0/
ProxyPass /cdn/content/ http://pulp.dist.xxx.xxx.xxx.redhat.com/content/
ProxyRemote * http://localhost:3128/
EOF
Again, the kickstart tree for RHEL 7.0 is for some technical reasons missing from the internal mirror, sync it from somewhere:
rsync -avSHP --delete rsync://download.xxx.xxx.redhat.com/redhat/rhel/released/RHEL-7/7.0/Server/x86_64/os/ /mnt/data/www/rh/rhel-7-server-kickstart/7.0/
If you are using SELinux, then allow Apache to do network relaying and start the service.
setsebool -P httpd_can_network_relay=1
systemctl start httpd.service
systemctl enable httpd.service
Step four, configure Squid. It’s pretty much the default configuration plus a few changes: a different replacement policy and the maximum object size bumped to 8 GB. Make sure you have enough space on /var/spool/squid, or change that path, and set an appropriate cache size (in the example it’s 200 GB).
cat >> /etc/squid/squid.conf <<EOF
cache_replacement_policy heap LFUDA
maximum_object_size 8192 MB
cache_dir aufs /var/spool/squid 200000 16 256 max-size=8589934592
acl repomd url_regex /repomd\.xml$
cache deny repomd
EOF
Last step, start the service and open the port for incoming hosts (this depends on your firewall zone):
systemctl start squid.service
systemctl enable squid.service
firewall-cmd --add-service=http --permanent
Now, configure your Installation Media to:
In order to keep using the proxy for installed systems (e.g. package updates, EPEL etc.), add one line to the yum configuration:
proxy = http://proxy:3128
In case of Katello/Satellite 6 you need to go to Subscriptions and update Base URL from
http://proxy/cdn. You can even update existing subscriptions any time you want, which is great.
One more note: on rare occasions you may experience timeout issues in yum/dnf or Pulp. Just start over and it will fix itself once Squid caches the files. That’s the only drawback of this solution.
I am turning this into a wiki; if you want to enhance it, go ahead! Hit that like button. And enjoy.
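One way to confirm that Squid is doing what the configuration above asks (RPMs served from cache, repomd.xml never cached, so clients do not get stale repository metadata) is to summarise its access log. This is an added example, not part of the original post; the function names are hypothetical and the log lines are constructed samples in Squid's native access.log format.

```shell
#!/bin/sh
# Added example. Native Squid access.log fields:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# Prints "<rpm_hits> <rpm_total> <repomd_cached>" for the given log files
# (or stdin when no file is given).
squid_cache_report() {
    awk '
        {
            split($4, r, "/")          # r[1] = result code, e.g. TCP_MISS
            url = $7
            sub(/\?.*$/, "", url)      # ignore any query string
            hit = (r[1] ~ /HIT/)       # TCP_HIT, TCP_MEM_HIT, ...
            if (url ~ /\.rpm$/) { rpm_total++; if (hit) rpm_hits++ }
            if (url ~ /\/repomd\.xml$/ && hit) repomd_cached++
        }
        END { printf "%d %d %d\n", rpm_hits, rpm_total, repomd_cached }
    ' "$@"
}

# Succeeds only if no repomd.xml request was answered from the cache,
# i.e. the "cache deny repomd" rule is in effect.
repomd_never_cached() {
    set -- $(squid_cache_report "$@")
    [ "$3" -eq 0 ]
}

# Constructed sample log (package name, sizes and addresses are made up).
sample_log() {
    cat <<'EOF'
1433160000.101 412 127.0.0.1 TCP_MISS/200 3735 GET http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml - HIER_DIRECT/192.0.2.10 text/xml
1433160001.220 903 127.0.0.1 TCP_MISS/200 1036800 GET http://mirror.centos.org/centos/7/os/x86_64/Packages/example-1.0-1.el7.x86_64.rpm - HIER_DIRECT/192.0.2.10 application/x-rpm
1433160090.007 3 127.0.0.1 TCP_HIT/200 1036811 GET http://mirror.centos.org/centos/7/os/x86_64/Packages/example-1.0-1.el7.x86_64.rpm - HIER_NONE/- application/x-rpm
1433160091.300 398 127.0.0.1 TCP_MISS/200 3735 GET http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml - HIER_DIRECT/192.0.2.10 text/xml
1433160092.100 2 192.0.2.55 TCP_MEM_HIT/200 1036811 GET http://mirror.centos.org/centos/7/os/x86_64/Packages/example-1.0-1.el7.x86_64.rpm - HIER_NONE/- application/x-rpm
EOF
}

sample_log | squid_cache_report
```

On a real proxy, pass the log path instead, for example `squid_cache_report /var/log/squid/access.log` (the default location on Fedora and CentOS packages).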