The mirrors.jenkins-ci.org is missing some necessary metadata files, which prevents it from being added as an apt/yum repo #3636
Comments
Hi @ak1ra-komj, what is the reason for using the mirrors (which, by the way, should be using the get.jenkins.io domain)? The official documentation states that https://pkg.jenkins.io/redhat-stable/ should be used as a YUM repository. The mirrors are only designed to host the packages. |
Accessing Instead of using If the mirrors are only designed to host the packages, what is the point of hosting mirrors for |
(transferred the issue to the infrastructure issue tracker as it is not related to the jenkins.io website itself) |
As I stated earlier, today (but it has to change in the future), only pkg.jenkins.io is supported as a source for YUM packages. I'm really sorry that Fastly's nodes are poorly accessible in China. We can and should improve the situation but it requires help. It's not as simple as "run a sync upstream mirror" as there are multiple security mechanisms at stake here to protect end users and avoid man-in-the-middle scenarios. There are multiple different challenges in your problem, I'll try to separate them one by one to see what we can do in the short term, and what requires more work to help you.
Interesting result. What error did you have? I'm interested in what is the problem with the tsinghua.edu.cn mirror (which is expected to be available in mainland China)? We've asked for sponsors to host mirrors in China for years and never had any feedback until recently (tsinghua.edu.cn is the only mirror that is generously maintained by a sponsor): if you know any university, company, or organization who would be interested in helping us by running a mirror to improve the life of our China-located users, that would be awesome!
The main idea (at least initially) is to decrease the cost of hosting our own mirror because Jenkins is a community with limited funding. Outbound bandwidth is a source of great cost: adding packages to the mirror grid made sense to avoid the huge bandwidth (packages are binary files which weigh a lot of megabytes). On the other hand, the package index for YUM, APT, etc. needs some kind of control (due to metadata and their signature) in case a package has to be removed due to a security issue (not mentioning signature of content): this is the initial reason why the design makes pkg.jenkins.io the initial source of truth, and then delegates the "heavy" download to get.jenkins.io. This is a strategy built in on most of the package mirrors when facing large-scale download issues. That being explained, we had recent issues about the YUM repositories (#3183 and #3338) that show we should work on or challenge these initial assertions to work on the yum mirroring. => There is definitely something to be done to help you, but it requires some work. A good first step would be to find a sponsor to help us set up an infrastructure inside China. |
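The split described in the comment above (package index from the trusted origin, heavy download from a mirror), as an added example that is not part of the thread or of any Jenkins infrastructure code. It assumes the index has already been fetched from the origin and its signature verified; the stanza, version, file name and payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: one stanza of a Debian-style "Packages" index, standing in
# for what a client gets from the trusted origin after signature verification.
PAYLOAD_GOOD = b"constructed stand-in for a .deb payload"
TRUSTED_INDEX = f"""\
Package: jenkins
Version: 0.0.0-example
Filename: binary/jenkins_0.0.0-example_all.deb
Size: {len(PAYLOAD_GOOD)}
SHA256: {hashlib.sha256(PAYLOAD_GOOD).hexdigest()}
"""


def parse_index(text):
    """Map Filename -> fields for each blank-line-separated stanza."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines are not needed for this check
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_from_mirror(index, filename, data):
    """Return (ok, reason) for bytes downloaded from an untrusted mirror."""
    entry = index.get(filename)
    if entry is None:
        # A package pulled from the origin index is rejected even if a
        # mirror still serves the old file.
        return False, "not listed in trusted index"
    if not entry.get("Size", "").isdigit() or "SHA256" not in entry:
        return False, "index entry incomplete"
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["SHA256"].lower()):
        return False, "sha256 mismatch"
    return True, "ok"


INDEX = parse_index(TRUSTED_INDEX)
```
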
Hi, @dduportal, thank you for such a detailed reply, I'll add some information here,
I know that
The TUNA mirrors sync is fine, it's just missing some necessary metadata files to be used as an apt/yum repo, as I said at the beginning. This can be reproduced in the following way. In Debian 11, for example, when trying to replace The first
|
I also considered the possibility of "man-in-the-middle" attacks on mirrors before submitting this issue. Comparing mirror sites across Linux distributions, the public key used to sign packages pre-installed in the OS solves the initial "trust" problem, whereas Jenkins pkg does not, and still requires a public key from somewhere, which is a real risk of MITM if it is a "third party" such as a mirror site. There's no good solution to this problem unless you require the public key to be retrieved from the As for the frequency of syncing, I think it should be the user's responsibility to choose a mirror site that is updated frequently enough. Currently mirrors status already has a last sync time, so users have a reason not to choose a mirror that doesn't update frequently enough.
Interestingly, I found on MirrorZ.org that more than just TUNA mirrors are currently synchronizing with |
Thanks @ak1ra-komj for the feedback and explanations, it helps a lot! We've discussed this subject during today's Jenkins Infrastructure weekly meeting:
Does it make sense for you? |
Hi @ak1ra-komj, just a quick check to share the status with you: we are working hard on #2649 that should help for both problems (update center index in China and the package indexes which are incomplete in the mirrors). Please note it is a hard prerequisite: we need it before any other actions are started. Once done, we see the following potential improvements:
|
Hi @dduportal, sorry for the delay in replying. Thanks to you and the jenkins-infra team for all your hard work; however, I noticed that Cloudflare China Network Access requires Enterprise plans in order to use it, so I'm not sure if this will cost the jenkins-infra team more than they budgeted for? |
We plan to ask for Open Source sponsorship. Otherwise we'll have to look to another mirror in China (even one we could host ourselves). Good catch, thanks for the feedback! |
For the record, I've just applied to their sponsorship program for the Jenkins project via https://www.cloudflare.com/lp/oss-sponsorship/ |
Problem with this page
https://mirrors.jenkins-ci.org/
Expected behavior
mirrors.jenkins-ci.org can be correctly added as an apt/yum repo.
Actual behavior
The apt/yum repo for mirrors.jenkins-ci.org is missing some necessary metadata files, which prevents it from being added correctly as an apt/yum repo.
For example, following the instructions in debian-stable/ will configure the debian apt repo correctly, but the corresponding mirror mirrors.jenkins-ci.org is missing some of the necessary metadata files compared to pkg.jenkins.io, in the following two files, the latter does not exist.
The mirrors run by third-party are upstream from mirrors.jenkins-ci.org, which prevents all the rest of the mirrors from being added as an apt/yum repo, an issue mentioned in tuna/issues jenkins-infra/jenkins.io#308, but they believe that the problem should be solved upstream.
Possible solution
Do a full sync for mirrors.jenkins-ci.org with pkg.jenkins.io as the upstream.