폐쇄망에 구성 된 리눅스 서버의 보안 패치 적용을 위해 내부 repository 서버를 구성

  • 내부 repository 서버는 외부 mirror 서버에서 정기적으로 패치를 다운로드
  • 폐쇄망 서버는 sources.list 파일의 다운로드 서버 주소를 내부 repository 서버로 변경하여 패치 진행

 

구성 정보

  • OS: Ubuntu 22.04.3 LTS
  • 데이터 저장용 디스크 별도 구성
    • /dev/sdb1 - /apt-mirror (1TB)

 

모든 설치는 root 계정으로 진행했으며, 일반 계정 사용 시 sudo 를 통해 진행이 가능함

 

APT Mirror  구성

apt-mirror 패키지 설치

# apt install apt-mirror

 

atp-mirror 설치 위치 및 권한 확인

# which apt-mirror
/usr/bin/apt-mirror

# ls -al /usr/bin/apt-mirror
-rwxr-xr-x 1 root root 32351 May 29  2017 /usr/bin/apt-mirror

 

atp-mirror 파일은 github에 등록되어 있는 공식 파일을 다운로드 하여 사용 (2년전 마지막 커밋 진행)

 

apt-mirror 설치 원본 파일은 백업

# mv /usr/bin/apt-mirror /usr/bin/apt-mirror_20240130
# ls -al /usr/bin/apt-mirror_20240130
-rwxr-xr-x 1 root root 32351 May 29  2017 /usr/bin/apt-mirror_20240130

 

github에서 파일 다운로드

# git clone https://github.com/Stifler6996/apt-mirror
Cloning into 'apt-mirror'...
remote: Enumerating objects: 547, done.
remote: Counting objects: 100% (213/213), done.
remote: Compressing objects: 100% (55/55), done.
remote: Total 547 (delta 180), reused 178 (delta 158), pack-reused 334
Receiving objects: 100% (547/547), 177.23 KiB | 478.00 KiB/s, done.
Resolving deltas: 100% (303/303), done.

 

apt-mirror 파일 복사 및 권한 설정

# cp apt-mirror /usr/bin/apt-mirror
# chmod 755 /usr/bin/apt-mirror
# chown root:root /usr/bin/apt-mirror
# ls -al /usr/bin/apt-mirror
-rwxr-xr-x 1 root root 39029 Jan 30 21:46 /usr/bin/apt-mirror

 

mirror list 수정

  • /etc/apt/mirror.list

파일 수정 전 원본 파일 백업

# cp /etc/apt/mirror.list /etc/apt/mirror.list_20240130

 

mirror.list 수정

  • config 영역 
    • set base_path 주석 해제 후 미러 데이터가 저장되는 위치 등록
    • 나머지는 기본 값 유지
      • set nthreads 20 - wget으로 동시에 20개 세션을 열어서 다운로드 진행
      • set _tilde 0 - URL 또는 패키지 이름에 물결표가 있는 미러를 올바르게 다운로드할 수 있도록 지원
############# config ##################
#
set base_path    /apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
#
#
# jammy - 22.04
deb http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu jammy-proposed main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse

clean http://archive.ubuntu.com/ubuntu

 

  • Main : Ubuntu 공식 supported Software
  • Security : 중요 security update
  • Updates: : recommended update
  • Proposed : pre-relased update
  • Backports : unsupported update

 

미러 리스트에 우분투 20.04를 추가하고 싶은경우 아래 내용 추가

deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse

 

미러링 실행 

초기화 및 패키지 다운로드 단계로 시간이 오래 걸림.

# apt-mirror
Downloading 9 release files using 9 threads...
Begin time: Tue Jan 30 22:31:37 2024
[9]... [8]... [7]... [6]... [5]... [4]... [3]... [2]... [1]... [0]...
End time: Tue Jan 30 22:31:39 2024

Processing metadata files from releases [MMMMMM]

Downloading 500 index files using 20 threads...
Begin time: Tue Jan 30 22:31:39 2024
[20]... [19]... [18]... [17]... [16]... [15]... [14]... [13]... [12]... [11]... [10]... [9]... [8]... [7]... [6]... [5]... [4]... [3]... [2]... [1]... [0]...
End time: Tue Jan 30 22:31:54 2024

Processing indexes: [SSSPPP]

404.7 GiB will be downloaded into archive.
Downloading 193784 archive files using 20 threads...
Begin time: Tue Jan 30 22:32:02 2024
[20]... [19]... [18]... [17]... [16]... [15]... [14]... [13]... [12]... [11]... [10]... [9]... [8]... [7]... [6]... [5]... [4]... [3]... [2]... [1]... [0]...
End time: Wed Jan 31 03:30:36 2024

0 bytes in 0 files and 0 directories can be freed.
Run /apt-mirror/var/clean.sh for this purpose.

Running the Post Mirror script ...
(/apt-mirror/var/postmirror.sh)

/bin/sh: 0: cannot open /apt-mirror/var/postmirror.sh: No such file

Post Mirror script has completed. See above output for any possible errors.

 

 

 

웹서버 구성

nginx 설치

# apt install nginx
# systemctl enable nginx
# systemctl start nginx
# systemctl status nginx

 

웹서버 구성 (mirrors.conf 파일 생성)

# cat /etc/nginx/conf.d/mirrors.conf
server {
 listen 80;
 server_name 10.10.10.10;
 root /apt-mirror/mirror/archive.ubuntu.com/;

 location / {
   autoindex on;
 }
}

 

nginx 서비스 재실행

# systemctl restart nginx

 

 

 

클라이언트 설정 및 테스트

/etc/apt/sources.list 파일 수정

  • kr.archive.ubuntu.com -> 10.10.10.10 으로 변경

변경 전

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://kr.archive.ubuntu.com/ubuntu jammy main restricted
# deb-src http://kr.archive.ubuntu.com/ubuntu jammy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://kr.archive.ubuntu.com/ubuntu jammy-updates main restricted
# deb-src http://kr.archive.ubuntu.com/ubuntu jammy-updates main restricted

 

변경 후

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://10.10.10.10/ubuntu jammy main restricted
# deb-src http://10.10.10.10/ubuntu jammy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://10.10.10.10/ubuntu jammy-updates main restricted
# deb-src http://10.10.10.10/ubuntu jammy-updates main restricted

 

업데이트 진행

# apt update
Hit:1 http://10.10.10.10/ubuntu jammy InRelease
Hit:2 http://10.10.10.10/ubuntu jammy-updates InRelease
Get:3 http://10.10.10.10/ubuntu jammy-backports InRelease [109 kB]
Hit:4 http://10.10.10.10/ubuntu jammy-security InRelease
Get:5 http://10.10.10.10/ubuntu jammy-backports/main amd64 Packages [41.7 kB]
Get:6 http://10.10.10.10/ubuntu jammy-backports/main Translation-en [10.5 kB]
Get:7 http://10.10.10.10/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:8 http://10.10.10.10/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:9 http://10.10.10.10/ubuntu jammy-backports/universe amd64 Packages [24.2 kB]
Get:10 http://10.10.10.10/ubuntu jammy-backports/universe Translation-en [16.5 kB]
Get:11 http://10.10.10.10/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:12 http://10.10.10.10/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 203 kB in 1s (315 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
52 packages can be upgraded. Run 'apt list --upgradable' to see them.

 

# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libintl-perl libintl-xs-perl libmodule-find-perl libmodule-scandeps-perl libproc-processtable-perl libsort-naturally-perl
  libterm-readkey-perl
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  ubuntu-pro-client-l10n
The following packages will be upgraded:
  apparmor apt apt-utils base-files bind9-dnsutils bind9-host bind9-libs cloud-init cryptsetup cryptsetup-bin
  cryptsetup-initramfs distro-info distro-info-data git git-man initramfs-tools initramfs-tools-bin initramfs-tools-core
  irqbalance kpartx libapparmor1 libapt-pkg6.0 libcryptsetup12 libmm-glib0 libnetplan0 libnss-systemd libpam-systemd
  libsgutils2-2 libssl3 libsystemd0 libudev1 modemmanager motd-news-config multipath-tools netplan.io openssl
  python3-distro-info python3-software-properties python3-update-manager sg3-utils sg3-utils-udev software-properties-common
  sosreport systemd systemd-hwe-hwdb systemd-sysv systemd-timesyncd tzdata ubuntu-advantage-tools ubuntu-drivers-common udev
  update-manager-core
52 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.0 MB of archives.
After this operation, 5,532 kB disk space will be freed.
Do you want to continue? [Y/n]

 

저작자표시 비영리 변경금지 (새창열림)

티스토리툴바