General Maintenance

The Opmantek Machine is - like all networked computer systems - subject to the usual requirements with regard to patching software for security holes, general care, periodic adjustments and so on. The Machine comes with log rotation and other standard management services enabled, but this is no substitute for a trained system administrator's watchful eye.
For example, it is very much recommended to run yum check-update periodically, e.g. once monthly, to learn of important software updates, and to apply them using yum upgrade.

Updating software on the Machine with limited Internet access

Some customers are reluctant to grant any of their servers (or the Opmantek Machine) direct access to the Internet. In normal operation that doesn't limit the Machine in any way (as long as a source of DNS and NTP is available), but updating (our or other) software on the Machine becomes impossible.

To deal with software maintenance in such highly restrictive environments we do recommend that you provide a web proxy for servers that otherwise cannot download updated software packages; you might want to run said proxy only temporarily, with authentication required or filtering, e.g. only serving files from particular web locations. Setting up a proxy like the well-known and -tested Squid proxy server is a minimal effort (even with authentication) and well worth the improved maintainability of your infrastructure.

The packaging manager (yum) used by the underlying operating system (CentOS) can be configured easily to use a proxy server for Internet access, and the same is true for installing Perl modules via CPAN.

Yum configuration for proxy access

You need to edit /etc/yum.conf (nano is likely your best choice for a simple editor if you have no real preferences), and add a block like the following somewhere in the section labelled "[main]":

[main]
# lots of other directives
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections, IF your proxy enforces authentication
proxy_username=yum-user
proxy_password=qwerty

After you've made those changes you should run yum check-update to verify that it can access the package repositories in question.
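The [main] edit above as a shell function; this is an added example, not part of the Opmantek page. It replaces any proxy, proxy_username or proxy_password line already in [main] instead of appending a second copy, leaves other sections untouched, and takes the file path as a parameter so it can be tried on a copy first. The same function sets proxy=http://localhost:8888 for the SSH-forwarded case described further down.

```shell
#!/bin/sh
# Added example, not from the Opmantek page: set_yum_proxy FILE URL [USER PASSWORD] writes
# the proxy directives into the [main] section of a yum.conf, replacing any proxy,
# proxy_username or proxy_password line already there. Only [main] is modified.
set -eu

set_yum_proxy() {
    file="$1"; url="$2"; user="${3:-}"; pass="${4:-}"
    grep -q '^\[main\]' "$file" || { echo "no [main] section in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v url="$url" -v user="$user" -v pass="$pass" '
        function emit() {
            print "proxy=" url
            # proxy_password ends up in clear text here, so give the proxy account no other rights
            if (user != "") { print "proxy_username=" user; print "proxy_password=" pass }
        }
        # a new section header: flush our directives at the end of [main], then track the section
        /^\[/ { if (inmain && !done) { emit(); done = 1 }; inmain = ($0 == "[main]") }
        # drop stale proxy settings inside [main]; everything else passes through unchanged
        inmain && /^proxy(_username|_password)?=/ { next }
        { print }
        END { if (inmain && !done) emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_yum_proxy FILE: print the proxy URL in effect in [main] (empty when none is set),
# a quick check before running yum check-update against the real repositories.
get_yum_proxy() {
    awk '/^\[/ { inmain = ($0 == "[main]") } inmain && sub(/^proxy=/, "") { print; exit }' "$1"
}

# Usage on the Machine (as root); user and password are optional if the proxy needs none:
#   set_yum_proxy /etc/yum.conf http://mycache.mydomain.com:3128 yum-user qwerty
#   get_yum_proxy /etc/yum.conf && yum check-update
```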

CPAN configuration for proxy access

The following applies primarily to updating NMIS as all other software ships in compiled/stand-alone form.

If you decide to extend your deployed Opmantek Machine with new Opmantek packages (or update existing software packages), then it may be necessary occasionally to install extra Perl packages from CPAN (the Comprehensive Perl Archive Network).

The NMIS installer/updater automates these installation steps using the cpan tool, which is proxy-capable as well.

To configure cpan to use a proxy, you need to start the tool (as root) and tell it to run the proxy configuration dialog and it'll ask you for the relevant settings:

# become root, su or sudo bash
cpan
o conf init /proxy/
# and answer the questions as displayed

Updating software if the Machine has no Internet access, but your desktop has (via proxy)

A variation of the above is also possible, if (and only if) you are accessing the Internet (from your desktop) using a proxy server, and if (and only if) you are accessing the Machine via SSH. In that case you can use SSH port forwarding to temporarily grant the Machine access to your proxy.

You have to select an unused high port number, and you need to know your web proxy address and port number. In this example I'll use 8888 as the high port number, and let's assume my proxy is at proxy.opmantek.com and works on port 3128.

With plain command-line ssh I'd use the following invocation to establish that port forwarding: ssh -v -R 8888:proxy.opmantek.com:3128 root@the_Machine_name_or_address
For PuTTY, I'd go to the configuration menu, SSH, Tunnels, add 8888 as source port, select "Remote" and add proxy.opmantek.com:3128 as destination. Then I'd connect to the Machine.

Configure the Machine's yum and cpan to use localhost:8888, possibly configure proxy authentication, and things will work as if the Machine had direct proxy access.

You'll be able to use localhost:8888 on the Machine as the proxy address precisely while your SSH connection is open. Once you disconnect, port 8888 closes down, and the proxy becomes inaccessible.

Installing or upgrading without any Internet access

If you have another (virtual) system that does have Internet access, then it is possible to collect the prerequisites on that system and then transfer them over onto the final server. This does, however, require some manual work on the command line and a modicum of Linux skills. We've tested this with CentOS 6 systems, but can't guarantee that it'll work precisely the same everywhere.

To do so you'll need another (temporary!) instance of the Opmantek Machine running with Internet access enabled, which could easily be just in VirtualBox on your desktop, for example. You would then have to follow the procedure described below:

  1. Start up a temporary instance of the Opmantek Machine
    It should be the same version of the non-networked Machine that you want to upgrade/install stuff on, and it should be unchanged and pristine.
  2. Enable yum caching on the temporary system
    Use nano or your editor of choice, and change the config file /etc/yum.conf so that there's a line like this: keepcache=1
    This makes yum keep copies of everything it downloads in /var/cache/yum.
  3. Run the installer for the application you want to add or upgrade, but on the temporary system.
    Tell it that Internet access is available, and let it install all missing prerequisites.
  4. Zip up the collected packages on the temporary system
    You need the following files and directories: /etc/yum.repos.d,/var/cache/yum and /root/.cpan (primarily if you're upgrading NMIS).
    A command to capture that would be zip -r /tmp/captured.zip /etc/yum.repos.d /var/cache/yum /root/.cpan
  5. Transfer that ZIP file off the temporary system
    Use the scp client of your choice (or a shared folder if running in VirtualBox) to save the captured zip file somewhere off the temporary system.
  6. Transfer that ZIP file onto the final, non-internetted system
    Likely you will be using scp again.
  7. Unpack the captured files and overwrite the originals
    I'd unpack everything in /tmp, and then replace the originals like this:
    cd /tmp/; unzip captured.zip; rm -f /etc/yum.repos.d/*; mv ./etc/yum.repos.d/* /etc/yum.repos.d; rm -rf /var/cache/yum/*; mv ./var/cache/yum/* /var/cache/yum/; rm -rf /root/.cpan; mv ./root/.cpan /root
  8. At this point you should be able to run the installer again, but now on the non-internetted system
    It should now be able to find the manually transferred packages, and install from these. However, if yum balks, simply install all the packages from that cache before running the installer (again):
    yum -C -y install /var/cache/yum/x86_64/6/*/packages/*.rpm
  9. The installer should now run through without any missing prerequisites.
  10. Cleanup
    You can now remove the temporary system, and delete the captured.zip on your non-internetted system (and wherever you may have stored it temporarily).
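The capture-and-restore steps of the procedure above (steps 2, 4 and 7) as one script; this is an added example, not part of the Opmantek page or its installer. It uses tar in place of the zip command shown in step 4, refuses to capture unless keepcache=1 is set, verifies that the archive lists all three paths before anything on the target is replaced, and moves the originals aside instead of deleting them. ROOT is a hypothetical prefix (default /) so the functions can be rehearsed on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the Opmantek page: capture the yum/CPAN caches on the temporary
# Machine and restore them on the offline one, replacing nothing until the archive has
# been checked. tar stands in for the page's zip command. ROOT is a hypothetical prefix
# (default /) so the functions can be rehearsed on a scratch directory as a non-root user.
set -eu

ROOT="${ROOT:-/}"
CACHE_PATHS="etc/yum.repos.d var/cache/yum root/.cpan"   # the paths from step 4

# Step 2: without keepcache=1 in yum.conf the package cache stays empty, so refuse to capture.
keepcache_enabled() {
    grep -q '^keepcache=1' "$ROOT/etc/yum.conf"
}

# capture_cache ARCHIVE: run on the temporary, Internet-connected system.
capture_cache() {
    keepcache_enabled || { echo "keepcache=1 is not set in $ROOT/etc/yum.conf" >&2; return 1; }
    tar -C "$ROOT" -cf "$1" $CACHE_PATHS
}

# archive_complete ARCHIVE: every expected path must be present before the target is touched.
archive_complete() {
    for p in $CACHE_PATHS; do
        tar -tf "$1" | grep -q "^$p/" || { echo "archive is missing $p" >&2; return 1; }
    done
}

# restore_cache ARCHIVE: run on the offline system (step 7). Originals are moved aside with
# an .orig suffix rather than removed, so a bad archive cannot leave yum without any repos.
restore_cache() {
    archive_complete "$1" || return 1
    for p in $CACHE_PATHS; do
        if [ -e "$ROOT/$p" ]; then mv "$ROOT/$p" "$ROOT/$p.orig.$$"; fi
    done
    tar -C "$ROOT" -xf "$1"
}

# On the real systems (as root):   capture_cache /tmp/captured.tar    then, after scp,
#                                  restore_cache /tmp/captured.tar
```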

1 Comment

  1. I would like to expand on "Updating software if the appliance has no Internet access, but your desktop has (via proxy)" with more precise instructions as that seems to be something I run into a fair amount.

    • Get a proxy going, I have used Squidman for OSX.
    • Set your proxy to run on port 8080 (this can be any valid port number that's not in use, for these instructions I will use 8080)
    • Start your proxy
      • this means that anything can connect to your computer at port 8080 and the proxy will service the request and return back the info to whoever requested
    • Open an ssh session to the appliance that has no Internet access, the instructions below use port 9090 on the host appliance, this is just chosen randomly and can be any valid port number that's not in use (just like above)
      • ssh -v -R 9090:localhost:8080 root@the_appliance_name_or_address
      • This command will take any request made on the appliance to port 9090 and send it to localhost (your computer) at port 8080 (where the proxy is configured). It will also show debug info which is quite handy as you can see forwarding connections being opened.
      • To be very clear
        • 8080 <- port on local computer (squidman)
        • localhost <- where the proxy is
        • 9090 <- port on appliance that will forward to proxy
    • Add the yum proxy config to /etc/yum.conf (in the main section)
      • proxy=http://localhost:9090
      • now yum will try accessing all repos using localhost:9090, which ssh will then forward to your proxy
      • Keep in mind here, localhost in this context refers to the appliance, not your desktop. The appliance will connect to itself on port 9090, ssh will tunnel that request to your desktop at port 8080, squidman will receive the request and service it
    • You can now make any yum requests required, or start up the NMIS installer, which will say it has no internet connection but will still attempt to use yum, which should succeed
    • If CPAN is needed, add the proxy config there, setting the <http_proxy> setting
      • cpan
        o conf init /proxy/
      • skip <ftp_proxy>
      • <http_proxy>
        Your http_proxy? [] localhost:9090
      • now run any cpan installs required. You can also save this setting so it is used next time you run CPAN; that info is above.

    Finally, this does not need to be done with a proxy running on localhost, it can be anywhere the desktop can reach.