Daniel Gross's picture

I noticed while re-deploying an appliance that some of the updates said they were failing.

My guess is because we have to aggressively block things here at the high school. I can whitelist the URLs that I need to reach, if I know what they are. Installation goes so quickly, I can't quite figure out what all I need to open up.

Is there a list of URLs needed for the machines to be able to speak to once deployed?



Rather than seeking to whitelist the repos, is it possible with your proxy filter to whitelist the machines that seek to access the repos? We use Websense; ultimately whitelisting the machines didn't help. However, authenticating with Websense using curl and a whitelisted user account has solved the problems for our Linux lab and TKL appliances.

Rik Goldman

Daniel Gross's picture

Certainly. I should have thought of that - at least to get these initially set up.

However, given my "Linux Skillz" I'm probably not at the point to feel too good about these guys being totally safe & having relatively unrestricted access - since I don't know what I'm giving them access to.

I still think knowing what servers are providing the updates is the better way to go. That way as I deploy more of these appliances, I don't have to worry about whitelisting them before I create them - or having students smart enough to try to bump & clone a machine on the network in order to get that access.

Your solution would help in the short term - but I think I would still like to narrow the entire scope down to just the addresses needed instead. Thanks though!

Daniel Gross's picture

While I'm using Rik's solution for now - allowing the appliance free rein to get out wherever it wants - I would prefer to close up that hole & have it only allowed to see the servers it needs for updates. Can I get a whitelist of any possible sites the appliances look for, please?

Alon Swartz's picture

On first boot, auto-apt-archive will configure the closest Ubuntu package archives, so you will need to check /etc/apt/sources.d/sources.list and security.sources.list to see what is set. The default is archive.ubuntu.com.

Additionally, you'll also want to add the TurnKey archive: archive.turnkeylinux.org

If you are using TKLBAM, then you'll need to add hub.turnkeylinux.org as well as whichever storage endpoint is used. Also, you'll need to add pool.ntp.org (note that this is a round-robin address, which might complicate things depending on how your whitelisting works).

Depending on the appliances you're using, you might need to add others (e.g. DNS, SMTP) but the above should be mostly generic.
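One way to turn the check described in the post above into an allowlist, as an added example (not part of the original thread and not TurnKey's own tooling): the hypothetical `apt_hosts` function prints the unique hostnames found in APT source files, and `demo_hosts` runs it on a constructed sample.

```shell
#!/bin/sh
# Added example: list the hostnames an appliance's APT sources point at,
# so exactly those hosts can be entered into the proxy allowlist.
# apt_hosts and demo_hosts are hypothetical helper names.

# apt_hosts FILE...: print unique hostnames from "deb"/"deb-src" lines.
apt_hosts() {
    awk '
        { sub(/#.*/, "") }                        # drop comments, incl. disabled entries
        $1 != "deb" && $1 != "deb-src" { next }   # keep repository lines only
        {
            i = 2
            # skip an optional [option=value ...] block, which may span fields
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            if (uri !~ /^(https?|ftp):\/\//) next  # file:, cdrom: need no proxy rule
            sub(/^[a-z]+:\/\//, "", uri)          # strip scheme
            sub(/\/.*/, "", uri)                  # strip path
            sub(/^[^@]*@/, "", uri)               # strip user:password@
            sub(/:[0-9]+$/, "", uri)              # strip port
            print tolower(uri)
        }
    ' "$@" | sort -u
}

# demo_hosts: run apt_hosts over a constructed sample (not from a real appliance).
demo_hosts() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample entries
deb http://us.archive.ubuntu.com/ubuntu stable main universe
deb-src http://us.archive.ubuntu.com/ubuntu stable main
deb [arch=amd64 trusted=no] http://archive.turnkeylinux.org/ubuntu stable main
#deb http://disabled.example.org/ubuntu stable main
deb http://Security.Ubuntu.com:80/ubuntu stable-security main  # trailing comment
deb file:/var/local/repo ./
EOF
    apt_hosts "$tmp"
    rm -f "$tmp"
}

demo_hosts
```

On a deployed appliance, pass `apt_hosts` the source files named in the post above after first boot, since the mirror is chosen then. The TKLBAM, NTP, DNS and SMTP hosts are not in the APT configuration and still have to be added by hand.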

Daniel, all useful things for me to consider as well. Alon, thanks - I'm hoping cards will fall in place so I can use this information too, especially given Daniel's considerations.
