Proxmox Offline Mirror released!

see https://pom.proxmox.com/offline-keys.html#register-refresh-keys and https://pom.proxmox.com/offline-media.html#activating-an-subscription-key

basically, you give POM the server IDs and subscription keys for the offline systems. it will then validate them (since it has network access), and store the validated copy on a medium. if you then give the offline system access to the medium, the helper binary can find the pre-validated subscription info there and add it to the system.
Thanks for the explanation Fabian, now it's clear for me. Have a good day!
 
https://bugzilla.proxmox.com/show_bug.cgi?id=4379

you can just have your own symlink (outside of the POM managed directory for now) that you move whenever you make a new snapshot, until that gets implemented as a built-in feature.

note that the main use case for POM is not as an APT proxy (there are other solutions for that), but for updating air-gapped or heavily restricted installations (that usually don't get very frequent updates either).
Hi Fabian,

I really liked the tool, it is more efficient than the other tools I tested without a doubt.

I will apply some suggested scripts and try to find the best solution, as soon as I find it I will certainly share it here?

I need a mirror because I frequently carry out laboratories and updates require time that I don't have.

Thank you very much again Fabian, I hope this solution is implemented soon.
 
Quick solution (maybe not the best).. create a soft link called latest which reads the latest snapshot file. Used command is:

Code:
ln -s ./`ls -rt | tail -n1` latest

You can create a bash routine/script which runs from time to time to validate if a new snapshot file appeared.
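
A scripted form of the symlink workaround discussed above, as an added example that is not part of the original posts and not Proxmox code. It assumes snapshot directories start with a digit and sort chronologically by name; the function name and paths are hypothetical. The link is replaced atomically and kept outside the POM-managed directory, as suggested earlier in the thread.

```shell
#!/usr/bin/env bash
# update_latest MIRROR_DIR LINK_PATH
# Points LINK_PATH at the newest snapshot directory inside MIRROR_DIR.
update_latest() {
    local mirror_dir link newest target tmp
    mirror_dir=$1
    link=$2
    # Assumption: snapshot directories start with a digit and their names
    # sort chronologically. -type d skips symlinks and plain files.
    newest=$(find "$mirror_dir" -mindepth 1 -maxdepth 1 -type d -name '[0-9]*' \
                 -printf '%f\n' | LC_ALL=C sort | tail -n 1)
    if [ -z "$newest" ]; then
        echo "no snapshot directories found in $mirror_dir" >&2
        return 1
    fi
    target="$mirror_dir/$newest"
    # Nothing to do when the link already points at the newest snapshot.
    if [ "$(readlink "$link" 2>/dev/null)" = "$target" ]; then
        return 0
    fi
    # Create the new link under a temporary name, then rename it over the old
    # one, so APT clients never see a missing or half-updated link.
    tmp="$link.tmp.$$"
    ln -s "$target" "$tmp" && mv -T "$tmp" "$link"
}

# Example call from cron or a systemd timer (paths are placeholders):
#   update_latest /path/to/base-dir/<mirror-id> /path/to/serve/latest
if [ "$#" -eq 2 ]; then
    update_latest "$1" "$2"
fi
```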

Hi Wonder,

I'll follow your tip.

It was really worth it.
 
Hey does Proxmox Offline Mirror have a webGUI? I can't really find screenshots for it, nor a "product page" like the other Proxmox suites. I for one love the Proxmox-y webGUIs in the various suites, and this sounds quite tasty as a possible tool to use :)
 
Hello all,

I am trying to implement POM in my airgapped environment and I'm not sure I'm clear on everything.

1. I'm running a VM on the non-airgapped environment with POM installed. I've added the mirrors I want and created a snapshot. The data is saved on a NAS via NFS.
2. I need to transfer this data to a portable disk connected to my Windows computer, with WSL2. I am creating a file on the portable disk with a loopback fs using ext4.
3. Can I just use rsync to transfer the data from the NFS share to my loopback ext4 filesystem from the snapshot or do I need to create a media? 4379 seems to indicate I can just rsync the whole base-dir and then sym-link to the latest snapshot.
4. Another alternative seems that I can install the pom packages on my Debian WSL2 installation and use it to create a media from the NFS share onto the ext4 filesystem, would that work?


I'm trying to figure out the best approach here. I was using apt-mirror and freefilesync to an ntfs folder on a portable disk, but with the hard links I understand that's not going to work. I'm also trying to avoid the duplication of the mirrors, as described in 4633, but I don't know the designed approach if the base-dir is on a server in a datacenter and the media is not.

Thanks for any insight!

Edit: I'm learning more now about the limitations with WSL2 and external disks, it seems I won't be able to create an ext4 loopback device or even access a separate partition on a portable disk. So I'm at a loss for this approach.

In any case, the questions in the two linked bugs remain, do I need to create a medium (i.e. what does it do more than rsync)?
 
if your target machine has access to the NFS export, you can point it at it directly for the APT mirror part of POM. if you want to also activate your subscription offline, you need a medium. but you can use the medium just for the subscription part (configure it without any mirrors).
 
Thanks Fabian,

No, unfortunately, the target machines are airgapped so I need to transfer the mirrors via sneaker net... on a removable disk.

I think the only way is to grab a new usb disk, format it all with ext4, expose it to the vm (e.g. plug it into the server in the datacenter and use usb pass-through) and then either create a medium on it or just run the mirror snapshot directly to that disk.

Or - the better, more appropriate approach - I set up two Linux machines, install POM on the one not air-gapped and, using udev rules, initiate a sync to the USB disk as soon as it's plugged in, and a sync or rsync when it's plugged into the other machine.

For my other question, if I understand correctly, I would need the medium for the subscription, but not needed for just the mirror, right?
 
I'd use a medium in that case - it ensures the syncing happens correctly now, and also for future changes to POM.
 
Hi there,

I am trying to configure POM to have more repos, and I am having an issue with the Zabbix repo.

This is my configuration:

Code:
mirror: zabbix_7.0_bookworm_main
        architectures amd64
        architectures all
        base-dir /var/lib/proxmox-offline-mirror/mirrors/
        ignore-errors true
        key-path /etc/apt/trusted.gpg.d/zabbix-official-repo.gpg
        repository deb http://repo.zabbix.com/zabbix/7.0/debian bookworm main
        sync true
        verify true

I am getting an error:

Code:
debian@on-pom:~/zab$ sudo proxmox-offline-mirror mirror snapshot create --config '/etc/proxmox-offline-mirror.cfg' 'zabbix_7.0_bookworm_main'
Fetching Release/Release.gpg files
-> GET 'http://repo.zabbix.com/zabbix/7.0/debian/dists/bookworm/Release.gpg'..
-> GET 'http://repo.zabbix.com/zabbix/7.0/debian/dists/bookworm/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..
Error: Malformed Message: Expected signature, got Public-Key Packet

I believe that's because the Zabbix repo's Release.gpg file doesn't contain the signature.
https://repo.zabbix.com/zabbix/7.0/debian/dists/bookworm/Release.gpg

However, there is the signature in the InRelease file.
https://repo.zabbix.com/zabbix/7.0/debian/dists/bookworm/InRelease

In mirror.rs:837, you assume that if the Release.gpg file is present, then it contains the signature, but that doesn't work for this repo.
Code:
    // at least one must be available to proceed
    let release = release
        .or(in_release)
        .ok_or_else(|| format_err!("Neither Release(.gpg) nor InRelease available!"))?;
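
A pre-flight check for the error reported above, as an added example that is not part of the original post and not POM code: it reads the first OpenPGP packet header of an ASCII-armored file and reports whether it is a signature (tag 2) or a public key (tag 6), which is the distinction the "Expected signature, got Public-Key Packet" message makes. The function names and the two truncated sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# first_packet_kind FILE -> prints "signature", "public-key" or "other:<tag>"
first_packet_kind() {
    local b64 byte tag
    # First base64 line of the armor body: skip the BEGIN line, any
    # "Key: value" armor headers and the blank line that follows them.
    b64=$(awk '/^-----BEGIN PGP /{inb=1; next}
               inb && /^[A-Za-z]+: /{next}
               inb && NF {print; exit}' "$1")
    [ -n "$b64" ] || { echo "not-armored"; return 1; }
    byte=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tu1 -N1 | tr -d ' \n')
    [ -n "$byte" ] || { echo "undecodable"; return 1; }
    if [ $((byte & 0x40)) -ne 0 ]; then
        tag=$((byte & 0x3f))          # new-format header: tag in bits 5..0
    else
        tag=$(((byte & 0x3c) >> 2))   # old-format header: tag in bits 5..2
    fi
    case $tag in
        2) echo signature ;;
        6) echo public-key ;;
        *) echo "other:$tag" ;;
    esac
}

# Constructed, truncated samples: only the first bytes, not real key material.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'iQIzBAAB' \
        '-----END PGP SIGNATURE-----' > "$d/sig.asc"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'Version: constructed' '' \
        'mQINBGZ0' '-----END PGP PUBLIC KEY BLOCK-----' > "$d/key.asc"
    echo "$(first_packet_kind "$d/sig.asc") $(first_packet_kind "$d/key.asc")"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then first_packet_kind "$1"; else demo; fi
```

Run against a downloaded Release.gpg before adding the repository to the POM config; anything other than "signature" means the detached-signature path will fail verification.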
 
that repository is totally broken then, please report it to them. POM tries to be flexible and handle all sorts of somewhat garbage input, but that is too far off..
 
Dear Fabian, I very much appreciate your response. I am sure you are right, but the apt handles this situation without issues. Many thanks
 
yeah, apt supports lots of weird setups that POM doesn't.
 
It might be true, but it would be great if it was possible to specify in the parameter whether to fetch InRelease first (e.g. --detached=false). After all, it's a large repo and its Release.gpg files are all like that. Again, many thanks.
 
Hello,

I tried to use POM to download repos on a machine behind a proxy. I get an error in this thread. The thing is, wget and curl connect fine to the internet and download files with the same proxy settings. So my question is, how does POM connect to the internet? And is there a way to instruct it to use wget, for example?
 
we need to update the used HTTP library, the version we are using now is using CONNECT for all connections, the newer ones only use it for HTTPS..
 
my company's proxy connects over http only, as far as I know. it would also be great if you can add an internal thorough logging function. So we can trace the exact steps taken and troubleshoot any problems.
 
For the sake of curiosity, what kind of log insights would be useful for you? Jumping in half-way here so sorry if I'm not up to speed on full context :P
 
