I was implicitly referring to the hash validation that seems to be absent of lxc-download.
Thatâs because it always downloads over https, the hash validation is useful only if youâre going to fetch the data over http.
For firewalling, you can add every one of the servers listed above to your firewall rules.
You can alternatively force the us of https://ca.images.linuxcontainers.org which is a server that will not redirect.
The https brings transport protection, not hosting one. The hash permit to say :
We donât have to strictly trust our mirrors operators
Anyway, the force scenario proposed is a way to get around it for lxc-download.
1 Like
Could offer a mirror (on OVH infra) in EU (France), but wonât be 1 Gpbs symmetrical, 250Mbs up. Would that help?
Thatâs unlikely as we already have a sponsored one not far away in Frankfurt which has 2Gbps symmetric. Itâs one of our busiest mirrors but itâs nowhere close to reaching its bandwidth limit.
Given Europeâs routing, Iâd expect French customers to have excellent routes to Digital Ocean in Frankfurt, so adding another mirror in France itself wouldnât really make a visible difference.
Thatâs unless someone in France has seen performance issues downloading from the current European mirror in Germany, if thatâs the case for customers of one or more ISPs in France, then introducing a country-specific mirror may be useful.
1 Like
Thanks for providing https://ca.images.linuxcontainers.org. Bandwith is even OK here from Germany. One idea:
Since many companies can whitelist url patterns, I suggest to register mirrors in domain linuxcontainers.org instead of do.letsbuildthe.cloud. The later one could not be seen as linuxcontainers.org specific and therefore whitelisting *.do.letsbuildthe.cloud may not be an option.
I think we were looking at doing something like that with @mpontillo a little while back.
Basically delegating something like digitalocean.images.linuxcontainers.org over to the DO team and then they could run things on fra.digitalocean.images.linuxcontainers.org or similar.
Not something weâd necessarily want to do with anyone offering to run a public mirror for us, but something that may make sense in the case of DO as theyâre running a bunch of them.
We could also just deal with static records on our end, but then that removes flexibility on the mirror operator to rotate instances, put in load-balancing or the like.
Thatâs exactly what I meant.
With ca.images.linuxcontainers.org we have a work around. However, if the mirrors were accessible under the linuxcontainers.org domain, they could also reduce the load on your server.