Proxmox Offline Mirror released!

the repository line is wrong - it should be repository deb https://packages.linbit.com/public proxmox-7 drbd-9

but the repository is signed using a 1024-bit DSA key, which is considered insecure.
yes, I have moved on
now it does not like the key?

Code:
Fetching Release/Release.gpg files
-> GET 'https://packages.linbit.com/public/dists/proxmox-7/Release.gpg'..
-> GET 'https://packages.linbit.com/public/dists/proxmox-7/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..
Error: Malformed Cert: Unrecognized token `Signature Packet` found at 0:0
Expected one of PUBLIC_KEY or SECRET_KEY
 
that seems like the key file you referenced is wrong? but like I said - the repository is signed by a key that is not accepted by POM because it uses a no-longer-trusted key size. it would require changes on the POM side to allow ignoring that check.
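
The two failures discussed above (a key file that begins with a signature packet, and a 1024-bit DSA key) can both be seen by reading the first OpenPGP packet header of the file. The following is an added example, not code from the thread or from Proxmox Offline Mirror; it assumes a binary (non-armored) key file, sizes only v4 RSA/DSA keys, and the 2048-bit threshold is an assumed policy value:

```python
import struct

# Packet tags and public-key algorithm IDs from RFC 4880.
TAGS = {2: "Signature Packet", 5: "Secret-Key Packet", 6: "Public-Key Packet"}
ALGOS = {1: "RSA", 17: "DSA"}

# Constructed, truncated samples: a v4 DSA key header whose first MPI (p) is
# 1024 bits, and the start of a detached signature such as Release.gpg.
DSA_1024 = bytes([0x99, 0x00, 0x08, 4, 0, 0, 0, 0, 17, 0x04, 0x00])
SIG_ONLY = bytes([0x89, 0x00, 0x01, 4])

def first_packet(data: bytes):
    """Return (tag, body) of the first binary OpenPGP packet in data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored?)")
    if hdr & 0x40:  # new-format header
        tag, l0 = hdr & 0x3F, data[1]
        if l0 < 192:
            off, length = 2, l0
        elif l0 < 224:
            off, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            off, length = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not handled here")
    else:  # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        n = 1 << ltype  # 1, 2 or 4 length octets
        off, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    return tag, data[off:off + length]

def check_keyfile(data: bytes, min_bits: int = 2048):
    """Classify a key file; min_bits is an assumed policy, not POM's."""
    tag, body = first_packet(data)
    if tag not in (5, 6):
        return "not a key: file starts with " + TAGS.get(tag, "packet tag %d" % tag)
    if body[0] != 4 or body[5] not in ALGOS:
        return "key: version/algorithm not sized by this example"
    bits = int.from_bytes(body[6:8], "big")  # bit length of RSA n / DSA p
    verdict = "ok" if bits >= min_bits else "weak"
    return f"{verdict}: {ALGOS[body[5]]} {bits}-bit primary key"

if __name__ == "__main__":
    print(check_keyfile(DSA_1024))
    print(check_keyfile(SIG_ONLY))
```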
 
Folks - trying to get this working and it dies with the following each time:
Code:
Progress: 0 new files (0b), re-used 52 existing files (100.00% re-used)..
        Fetching 'main/i18n/Translation-zh'..
Progress: 0 new files (0b), re-used 53 existing files (100.00% re-used)..
        Fetching 'main/Contents-all'..
Killed
When issuing the following command:
Code:
proxmox-offline-mirror mirror snapshot create --config '/etc/proxmox-offline-mirror.cfg' 'debian_bullseye_main'

I used the documentation example repo for the pbs-client.list and I am not using keys.

Since I am not using keys, is that why it dies with the above message every single time I try ????

BTW - I have also tried the following:
Code:
nohup proxmox-offline-mirror mirror snapshot create --config '/etc/proxmox-offline-mirror.cfg' 'debian_bullseye_main' > sync.out 2>&1  &

And as root it LOGS ME OUT ENTIRELY when it's "killed"... ouch!

What am I doing wrong here?

Since I don't have keys and use the pve-no-subscription repo, should I nix the pbs-client.list repo and set up the others?

Bob
 
Okay... sorry to follow up my own post but I figured it out... I was doing the above in an lxc/pct/container.

The container was set to max RAM of 512MBs and that is apparently not enough.

Set RAM to 2GBs if you run proxmox-offline-mirror in a lxc/pct/container.

FYI.
 
Hi All

I have thoroughly tested Proxmox Offline Mirror with all the Debian-based repositories I use, trying to replace my current tool, Aptly. Unfortunately, I have experienced the following similar issue in almost all cases.

Example error message:
Code:
Verifying 'Release(.gpg)' signature using provided repository key..
  Subkey of F51A91A5EE001AA5D77D53C4C6E319C334410682 not bound: No binding signature at time 2023-03-22T15:20:13Z
Error: encountered 1 error(s)

The issue concerns the following debian-based repositories for:
  • OSSEC
  • Icinga2
  • Microsoft
  • Kubernetes
  • Elasticsearch-8
  • Hashicorp
  • Xwiki LTS
  • Xpra
  • ArangoDB
  • Node 18
  • Node 19
  • NFS Ganesha
  • GlusterFS
  • Ceph Quincy
  • Citus
  • Zabbix 6.4
  • Syncthing
  • MongoDB 6.0
  • Graylog 5.0
  • OpenSearch
  • Opennebula
  • Mariadb
Probably the issue is related to old/revoked/deprecated GPG public subkeys, which are present in the specific Debian repository's public key but not in the Release file. I assume the existence of old GPG keys is normal behavior and old subkeys shouldn't be verified by the Proxmox Offline Mirror tool.
Currently, I couldn't find any workaround, so I reported the issue here. If you have any solution, I would be very grateful if you shared it.

I also have an idea for an improvement. When the repository data is published, the files are copied into the target directory in the mount point, which makes them available twice. Would it be possible to change the behavior from copying data to creating a hard/soft link to the mount point directory? This small change would free up a lot of space.

Best Regards
 
Probably the issue is related to old/revoked/deprecated GPG public subkeys, which are present in the specific Debian repository's public key but not in the Release file. I assume the existence of old GPG keys is normal behavior and old subkeys shouldn't be verified by the Proxmox Offline Mirror tool.
Currently, I couldn't find any workaround, so I reported the issue here. If you have any solution, I would be very grateful if you shared it.

could you file a bug at bugzilla.proxmox.com for this? sounds like we need some extra code handling it, but should hopefully not be too hard.

I also have an idea for an improvement. When the repository data is published, the files are copied into the target directory in the mount point, which makes them available twice. Would it be possible to change the behavior from copying data to creating a hard/soft link to the mount point directory? This small change would free up a lot of space.

I can see the use case (e.g., if your mirroring host and file server/repository host are the same machine). I have to think a bit how to implement it though, possibly just a way to say "the mirror base dir is also a medium" is the easiest, so that nothing except the medium metadata needs to be created/updated at all. please file an enhancement request for that as well!
 
could you file a bug at bugzilla.proxmox.com for this? sounds like we need some extra code handling it, but should hopefully not be too hard.



I can see the use case (e.g., if your mirroring host and file server/repository host are the same machine). I have to think a bit how to implement it though, possibly just a way to say "the mirror base dir is also a medium" is the easiest, so that nothing except the medium metadata needs to be created/updated at all. please file an enhancement request for that as well!
Done. Thank you!


Best Regards
 
Hi All,

this tool is pretty cool stuff. Thanks!
Unfortunately we are receiving the following error upon syncing to the medium.
Error: Too many levels of symbolic links (os error 40)

We are syncing PVE, Debian bullseye and Ubuntu jammy repos.

Any ideas? Probably the syncing could be done with rsync alternatively?

Thanks!
Best Regards
Sokoban
 
could you give your POM config? and maybe open a new thread and tag me there so we don't clutter this one here..
 
Hi

I added a new PBS Bookworm repository, but it complains about the key:
"Keyfile '/etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg' doesn't exist - make sure to install relevant keyring packages or update config to provide correct path!"

how to fix?
 
well does it exist? ;) it's shipped by "proxmox-archive-keyring", maybe your version of that package is not up to date?
 
Great, if you install the proxmox-archive-keyring package you can avoid this problem for the next major release.
it's installed
Code:
proxmox-archive-keyring is already the newest version (2.2).
The following packages were automatically installed and are no longer required:
  linux-image-5.10.0-18-amd64 linux-image-5.10.0-19-amd64
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 
a new problem appeared when trying to update the debian bookworm security repository


proxmox-offline-mirror mirror snapshot create debian_bookworm_security

https://pastebin.com/Y40bDQkX

why does it skip packets?

/etc/proxmox-offline-mirror.cfg

Code:
mirror: debian_bookworm_security
        architectures amd64
        architectures all
        base-dir /var/lib/proxmox-offline-mirror/mirrors/
        ignore-errors false
        key-path /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
        repository deb http://deb.debian.org/debian-security bookworm-security main contrib non-free
        sync true
        verify true
 
