我创建了自己的 apt 镜像,可供所有服务器本地使用。为了不改变/etc/apt/sources.list我还运行了 dnsmasq,它可以解析deb.debian.org(和 security.debian.org)到私有 IP 地址,apt 镜像正在运行。
如此贴切的镜子客户配置:
root@apt-client:~# cat /etc/resolv.conf
nameserver 10.14.122.165
root@apt-client:~# cat /etc/apt/sources.list| grep -v '^#'
deb http://deb.debian.org/debian stretch main contrib non-free
deb-src http://deb.debian.org/debian stretch main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb http://deb.debian.org/debian stretch-updates main contrib non-free
deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
deb http://deb.debian.org/debian stretch-backports main contrib non-free
deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
root@apt-client:~# ping deb.debian.org
PING deb.debian.org (10.14.122.165) 56(84) bytes of data.
64 bytes from deb.debian.org (10.14.122.165): icmp_seq=1 ttl=64 time=0.317 ms
^C
--- deb.debian.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.317/0.317/0.317/0.000 ms
root@apt-client:~# ping security.debian.org
PING security.debian.org (10.14.122.165) 56(84) bytes of data.
64 bytes from deb.debian.org (10.14.122.165): icmp_seq=1 ttl=64 time=0.274 ms
^C
--- security.debian.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
root@apt-client:~# apt update
0% [Connecting to prod.debian.map.fastly.net (151.101.12.204)] [Connecting to prod.debian.map.fastly.net (151.101.12.204)]
我不知道为什么 apt 尝试连接产品.debian.map.fastly.net而不是deb.debian.org。在 /etc/apt.sources.list 中我有deb.debian.org. Ping 显示deb.debian.org已解析本地地址:10.14.122.165并且 apt 应该连接到那里。
apt镜像服务器和dnsmasq服务器是同一个服务器,IP地址为:10.14.122.165
root@apt-client# host deb.debian.org
deb.debian.org has address 10.14.122.165
deb.debian.org is an alias for debian.map.fastly.net.
debian.map.fastly.net has IPv6 address 2a04:4e42:3::645
deb.debian.org is an alias for debian.map.fastly.net.
答案1
原因是 APT 使用 SRV 记录以循环方式查找可用的主机名。这解决了两个问题:
- 如果使用 DNS 循环,则用户可能会连接到一台已更新的主机以下载清单,然后连接到另一台尚未更新的主机,从而导致失败。
- 对于 HTTPS 服务器,很难使用单个通用主机名,因为多个不同的方要么必须共享证书,要么为同一个名称颁发自己的证书。
因此,当您查找 DNS 条目时,您还需要查找 SRV 记录:
$ host -t srv _http._tcp.deb.debian.org
_http._tcp.deb.debian.org has SRV record 10 1 80 prod.debian.map.fastly.net.
$ host -t srv _https._tcp.deb.debian.org
_https._tcp.deb.debian.org has SRV record 10 1 443 debian.map.fastly.net.
您要么需要覆盖它们,要么在收到查询时返回 NXDOMAIN。