Access to download proxmox cdn is problematic

czechsys

Hi,

I am again reporting a problem with the CDN used by Proxmox for the apt repository. Our firewalls just don't work reliably with its 1-minute IP cycling.

Code:
;; ANSWER SECTION:
download.proxmox.com.   635     IN      CNAME   download.cdn.proxmox.com. <---- there is 600+  TTL !
download.cdn.proxmox.com. 60    IN      CNAME   cz.eu.cdn.proxmox.com.
cz.eu.cdn.proxmox.com.  60      IN      CNAME   de3.cdn.proxmox.com.
de3.cdn.proxmox.com.    60      IN      A       45.84.67.184

After 5 seconds:

Code:
;; ANSWER SECTION:
download.proxmox.com.   54      IN      CNAME   download.cdn.proxmox.com. <--- there is 60 TTL !
download.cdn.proxmox.com. 54    IN      CNAME   cz.eu.cdn.proxmox.com.
cz.eu.cdn.proxmox.com.  54      IN      CNAME   de3.cdn.proxmox.com.
de3.cdn.proxmox.com.    54      IN      A       45.84.67.184

Code:
root@proxmox-22:~# apt update
Hit:1 http://ftp.cz.debian.org/debian bookworm InRelease
Hit:2 http://ftp.cz.debian.org/debian bookworm-backports InRelease                                                                                                                      
Hit:3 http://repo.netdata.cloud/repos/stable/debian bookworm/ InRelease                                                                                                                 
Hit:4 https://download.bareos.org/current/Debian_12  InRelease                                                                                                                          
Hit:5 http://repo.zabbix.com/zabbix/6.4/debian bookworm InRelease                                                                                                                       
Ign:6 https://downloads.linux.hpe.com/SDR/repo/mcp bookworm/current InRelease                                                                                  
Hit:7 https://downloads.linux.hpe.com/SDR/repo/mcp bookworm/current Release                                                              
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease                                              
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease                                                   
Hit:11 http://security.debian.org/debian-security bookworm-security InRelease
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease
Err:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
  Could not connect to download.proxmox.com:80 (185.219.221.167), connection timed out
Err:10 http://download.proxmox.com/debian/pve bookworm InRelease
  Unable to connect to download.proxmox.com:http:
Reading package lists... Done                            
Building dependency tree... Done
Reading state information... Done
62 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://download.proxmox.com/debian/ceph-reef/dists/bookworm/InRelease  Could not connect to download.proxmox.com:80 (185.219.221.167), connection timed out
W: Failed to fetch http://download.proxmox.com/debian/pve/dists/bookworm/InRelease  Unable to connect to download.proxmox.com:http:
W: Some index files failed to download. They have been ignored, or old ones used instead.

Code:
root@proxmox-22:~# apt update
Hit:1 http://repo.netdata.cloud/repos/stable/debian bookworm/ InRelease
Hit:2 https://download.bareos.org/current/Debian_12  InRelease                                                                                                                          
Hit:3 http://ftp.cz.debian.org/debian bookworm InRelease                                                                                                                                
Hit:4 http://ftp.cz.debian.org/debian bookworm-backports InRelease                                                                                                
Hit:5 http://repo.zabbix.com/zabbix/6.4/debian bookworm InRelease                                                                       
Ign:6 https://downloads.linux.hpe.com/SDR/repo/mcp bookworm/current InRelease                                                                                             
Hit:7 https://downloads.linux.hpe.com/SDR/repo/mcp bookworm/current Release                                                             
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease                                             
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease                                                  
Hit:11 http://security.debian.org/debian-security bookworm-security InRelease
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease
Ign:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
Ign:10 http://download.proxmox.com/debian/pve bookworm InRelease
Err:9 http://download.proxmox.com/debian/ceph-reef bookworm InRelease
  Could not connect to download.proxmox.com:80 (212.224.123.70), connection timed out
Err:10 http://download.proxmox.com/debian/pve bookworm InRelease
  Unable to connect to download.proxmox.com:http:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
62 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://download.proxmox.com/debian/ceph-reef/dists/bookworm/InRelease  Could not connect to download.proxmox.com:80 (212.224.123.70), connection timed out
W: Failed to fetch http://download.proxmox.com/debian/pve/dists/bookworm/InRelease  Unable to connect to download.proxmox.com:http:
W: Some index files failed to download. They have been ignored, or old ones used instead.

Do you really need 60-second IP swapping? Maybe with a new firewall this problem will disappear, but we aren't there yet and I will likely not use a proxy.
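
One way to compare the address set an FQDN firewall object would hold with the addresses apt actually dialled, as an added example that is not part of the original post. The sample data is constructed from the dig and apt output quoted above, and treating that single dig answer as the firewall's cached set is an assumption.

```python
import re

# Sample data constructed from the dig and apt output quoted in the post above.
DIG_ANSWER = """\
download.proxmox.com.   635     IN      CNAME   download.cdn.proxmox.com.
download.cdn.proxmox.com. 60    IN      CNAME   cz.eu.cdn.proxmox.com.
cz.eu.cdn.proxmox.com.  60      IN      CNAME   de3.cdn.proxmox.com.
de3.cdn.proxmox.com.    60      IN      A       45.84.67.184
"""
APT_LOG = """\
  Could not connect to download.proxmox.com:80 (185.219.221.167), connection timed out
  Could not connect to download.proxmox.com:80 (212.224.123.70), connection timed out
"""

RR = re.compile(r"^(\S+)[ \t]+(\d+)[ \t]+IN[ \t]+(CNAME|AAAA|A)[ \t]+(\S+)", re.M)
APT_ERR = re.compile(r"Could not connect to (\S+?):\d+ \(([0-9A-Fa-f.:]+)\)")


def resolve_chain(answer, qname):
    """Follow CNAMEs from qname; return (address set, lowest TTL on the chain)."""
    records = {}
    for owner, ttl, rtype, rdata in RR.findall(answer):
        records.setdefault(owner.lower(), []).append((int(ttl), rtype, rdata.lower()))
    name = qname.lower().rstrip(".") + "."
    ttls, addrs, seen = [], set(), set()
    while name in records and name not in seen:  # 'seen' stops CNAME loops
        seen.add(name)
        rrset, name = records[name], None
        for ttl, rtype, rdata in rrset:
            ttls.append(ttl)
            if rtype == "CNAME":
                name = rdata
            else:
                addrs.add(rdata)
    return addrs, min(ttls, default=None)


def unlisted_targets(apt_log, allowed):
    """Addresses apt dialled that are missing from the allowed (firewall) set."""
    return sorted({ip for _host, ip in APT_ERR.findall(apt_log)} - set(allowed))


if __name__ == "__main__":
    # Assumption: the firewall's FQDN object holds what this one lookup returned.
    allowed, ttl = resolve_chain(DIG_ANSWER, "download.proxmox.com")
    print("firewall set:", sorted(allowed), "valid for at most", ttl, "s")
    print("apt dialled outside that set:", unlisted_targets(APT_LOG, allowed))
```

The lowest TTL on the CNAME chain bounds how long any cached answer for the top-level name stays valid, so a firewall that refreshes its FQDN object less often than that can hold a different address than the client resolves.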
 
You only filter by IP? For such setups, it's better to filter by URL, e.g. with Squid. You will have a hard time e.g. on IP changes on security.debian.org.
 
We filter by FQDN on the firewall. We rarely have a problem with any other repository, but the PVE repo is the standard for failure. Update? Fail. Dist-upgrade? Fail. Repeated failures, until the firewall and apt are in sync. And everything is connected to the same DNS infra.
 
I have had similar issues going through Squid; it only works if I disable the proxy for Proxmox updates.

Code:
# set|grep prox
HOSTNAME=proxmox
ftp_proxy=http://192.168.1.251:3128
http_proxy=http://192.168.1.251:3128
https_proxy=https://192.168.1.251:3128

setproxy ()
    export http_proxy=http://$1:3128;
    export https_proxy=http://$1:3128;
    export ftp_proxy=http://$1:3128;
    set | grep proxy=

[ proxmox (scrn=1) ]
 2750 root # updt
Ign:1 https://enterprise.proxmox.com/debian/pve bookworm InRelease
Get:2 http://security.debian.org bookworm-security InRelease [48.0 kB]                 
Get:3 http://deb.debian.org/debian bookworm-backports InRelease [59.4 kB]                           
Hit:4 http://ftp.us.debian.org/debian bookworm InRelease                                                   
Hit:5 http://ftp.us.debian.org/debian bookworm-updates InRelease
Hit:6 http://packages.azlux.fr/debian bookworm InRelease
Ign:1 https://enterprise.proxmox.com/debian/pve bookworm InRelease
Ign:1 https://enterprise.proxmox.com/debian/pve bookworm InRelease
Err:1 https://enterprise.proxmox.com/debian/pve bookworm InRelease                                                                                                                                                       
  Could not handshake: An unexpected TLS packet was received. [IP: 192.168.1.251 3128]
Fetched 107 kB in 7s (15.0 kB/s)                                                                                                                                                                                         
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
16 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch https://enterprise.proxmox.com/debian/pve/dists/bookworm/InRelease  Could not handshake: An unexpected TLS packet was received. [IP: 192.168.1.251 3128]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libhfsp0 libmodule-scandeps-perl libsctp1 mokutil proxmox-kernel-6.5.11-8-pve-signed proxmox-kernel-6.5.13-5-pve-signed proxmox-kernel-6.8.12-8-pve-signed proxmox-kernel-6.8.4-2-pve-signed sbsigntool
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  gnutls-bin grub-common grub-efi-amd64 grub-efi-amd64-bin grub-pc-bin grub2-common libgnutls-dane0 libgnutls30 libgnutlsxx30 libpve-common-perl pve-container pve-firewall pve-qemu-kvm qemu-server rclone zfs-dkms
16 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.7 MB of archives.
After this operation, 512 kB of additional disk space will be used.
Do you want to continue? [Y/n] ^C
 