Our outsourced IT department has decided to use white listing on the firewalls for outbound ftp. I was given a list of sites our lab had accessed via ftp and eventually tracked them down to Linux machines running yum. They are all CentOS 5 or 6 with a smattering of 7. It is impractical to list all the possibilities since they change on a regular basis. Also any 3rd party repos we need are another ball of wax.

Various Google searches and the manual page have not shown me how to avoid using ftp mirrors. I have considered taking out the ftp-proxy information so that the ftp cannot get out, but I suspect it will just hang waiting for a response.

Does anyone have any suggestions on ways to tell yum not to use ftp as the download mechanism?

Thank you in advance.

Bob
On 10/19/2015 05:12 PM, Styma, Robert E (Robert) wrote:
> Our outsourced IT department has decided to use white listing on the firewalls for outbound ftp. I was given a list of sites our lab had accessed via ftp and eventually tracked them down to Linux machines running yum. They are all CentOS 5 or 6 with a smattering of 7. It is impractical to list all the possibilities since they change on a regular basis. Also any 3rd party repos we need are another ball of wax.
>
> Various Google searches and the manual page have not shown me how to avoid using ftp mirrors. I have considered taking out the ftp-proxy information so that the ftp cannot get out, but I suspect it will just hang waiting for a response.
>
> Does anyone have any suggestions on ways to tell yum not to use ftp as the download mechanism?
>
> Thank you in advance.
>
> Bob

FWIW, my Centos 7 install doesn't have ftp installed and yum has no apparent issues.

I also, mainly, use Fedora (22 currently) and it hasn't had ftp installed for a long time. Of course it uses dnf now, not yum.

HTH

--
Roger Wells, P.E.
leidos
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.wells at leidos.com
> FWIW, my Centos 7 install doesn't have ftp installed and yum has no apparent issues.
>
> I also, mainly, use Fedora (22 currently) and it hasn't had ftp installed for a long time. Of course it uses dnf now, not yum.

If I understand you correctly, if I uninstall the ftp client, yum will not use it as it cannot. Is this the case? I had assumed that the code underlying yum had its own stack for dealing with ftp://... urls. I will try this on a couple of machines.

Thank you,
Bob
On Mon, 19 Oct 2015 23:28, Roger Wells <roger.k.wells at ...> wrote:
> On 10/19/2015 05:12 PM, Styma, Robert E (Robert) wrote:
>> Our outsourced IT department has decided to use white listing on the firewalls for outbound ftp. I was given a list of sites our lab had accessed via ftp and eventually tracked them down to Linux machines running yum. They are all CentOS 5 or 6 with a smattering of 7. It is impractical to list all the possibilities since they change on a regular basis. Also any 3rd party repos we need are another ball of wax.
>>
>> Various Google searches and the manual page have not shown me how to avoid using ftp mirrors. I have considered taking out the ftp-proxy information so that the ftp cannot get out, but I suspect it will just hang waiting for a response.
>>
>> Does anyone have any suggestions on ways to tell yum not to use ftp as the download mechanism?
>>
>> Thank you in advance.
>>
>> Bob
>
> FWIW, my Centos 7 install doesn't have ftp installed and yum has no apparent issues.
>
> I also, mainly, use Fedora (22 currently) and it hasn't had ftp installed for a long time. Of course it uses dnf now, not yum.

AFAIK yum and its successor dnf use "libcurl" for the transfer, which has "curl" as cli. curl and wget both can use the ftp:// protocol, so the (non-)presence of "ftp" is not a deciding factor.

Setting up a proxy that gives a "404"/deny on ftp:// is more helpful here.

- Yamaban.
Hello Robert,

On Mon, 2015-10-19 at 21:12 +0000, Styma, Robert E (Robert) wrote:
> Various Google searches and the manual page have not shown me how to avoid using ftp mirrors.

When configuring your repos using baseurl= instead of mirrorlist= you can pin the server being used. Find a http mirror at https://www.centos.org/download/mirrors/ or configure all hosts to use the same FTP mirror and white list that one.

If you have many clients accessing the same mirror, configuring a proxy (proxy= in yum.conf) to cache the downloaded rpms will reduce download time and load on the mirror you are using.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
Denniston, Todd A CIV NAVSURFWARCENDIV Crane
2015-Oct-20 16:52 UTC
[CentOS] Can I force yum to only use http.
> -----Original Message-----
> From: Styma, Robert E (Robert) [mailto:robert.styma at alcatel-lucent.com]
> Sent: Monday, October 19, 2015 5:12 PM
> To: CentOS at centos.org
> Subject: [CentOS] Can I force yum to only use http.
>
> Our outsourced IT department has decided to use white listing on the firewalls for outbound ftp. I was given a list of sites our lab had accessed via ftp and eventually tracked them down to Linux machines running yum. They are all CentOS 5 or 6 with a smattering of 7. It is impractical to list all the possibilities since they change on a regular basis. Also any 3rd party repos we need are another ball of wax.
>
> Various Google searches and the manual page have not shown me how to avoid using ftp mirrors. I have considered taking out the ftp-proxy information so that the ftp cannot get out, but I suspect it will just hang waiting for a response.
>
> Does anyone have any suggestions on ways to tell yum not to use ftp as the download mechanism?

On the machines that are using ftp, do the contents of /etc/yum.repos.d/Centos-Base.repo look the same as the machines that are not using FTP? Perhaps include the Centos-Base.repo file from ONE of the offending machines in an email.

Baseurl can be used to force where and how to connect, but because you are getting ftp instead of http connections I am suspecting someone has probably already forced it the other way, the files may tell.

Another possibility is that on those machines once-upon-a-time they found that the ftp host had the fastest _ping_ time, and have used it ever since. You may be able to log into those machines, `cat /var/cache/yum/timedhosts.txt` and see ftp hosts listed. If so try [large hammer warning] `yum clean all; yum update` and see if they try going back to the ftp site or pick a new http one.

Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
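
The two checks suggested in the replies above (pin repos with baseurl= rather than mirrorlist=, and compare the .repo files on the machines that reach out over ftp) can be run mechanically across hosts. The script below is an added example, not code from any message in the thread; `audit_repo_urls` is a hypothetical helper name and the sample .repo files are constructed.

```shell
#!/bin/sh
# Added example: audit_repo_urls is a hypothetical helper, not a yum command.
# Prints one line per repo section: VERDICT <tab> enabled|disabled <tab> file <tab> section
#   FTP        a baseurl entry names an ftp:// server
#   MIRRORLIST a mirrorlist=/metalink= line is present, so the server is picked at run time
#   PINNED     only non-ftp baseurl entries
#   NOURL      no baseurl, mirrorlist or metalink found
audit_repo_urls() {
    awk '
    function flush() {
        if (sec != "") {
            v = ftp ? "FTP" : (mirror ? "MIRRORLIST" : (base ? "PINNED" : "NOURL"))
            printf "%s\t%s\t%s\t%s\n", v, (en ? "enabled" : "disabled"), file, sec
        }
        sec = ""; key = ""; ftp = base = mirror = 0; en = 1
    }
    FNR == 1 { flush(); file = FILENAME }          # new file: report the last section
    /^[ \t]*([#;]|$)/ { next }                     # comments and blank lines
    /^\[/ { flush(); sec = substr($0, 2, index($0, "]") - 2); next }
    {
        if ($0 !~ /^[ \t]/) {                      # key=value line
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1)
        } else val = $0                            # indented line continues the previous key
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "baseurl") { base = 1; if (tolower(val) ~ /(^|[ \t])ftp:\/\//) ftp = 1 }
        if (key == "mirrorlist" || key == "metalink") mirror = 1
        if (key == "enabled") en = (val != "0")
    }
    END { flush() }
    ' "${1:-/etc/yum.repos.d}"/*.repo
}

# Constructed sample files so the example runs without a yum host.
demo=$(mktemp -d)
printf '%s\n' '[base]' \
  'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os' \
  '#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/' > "$demo/stock.repo"
printf '%s\n' '[lab]' 'baseurl=http://mirror.example.org/centos/6/os/x86_64/' \
  '        ftp://ftp.example.org/centos/6/os/x86_64/' 'enabled=0' > "$demo/lab.repo"
audit_repo_urls "$demo"
rm -rf "$demo"
```

Run with no argument on a host to audit /etc/yum.repos.d; sections reported as FTP or MIRRORLIST are the ones whose outbound destinations are not fixed to a single http server by the file itself.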