Patching Methods
Patch operations in the STEP system are defined by the specific component(s) being installed or upgraded. These component updates are downloaded either directly from one of the Stibo Systems Global Updates Mirrors (Release Server) or from a private updates mirror at the customer; either can be used to execute these operations. The connection to either of the two is an encrypted network connection over HTTPS. Connections are always initiated from the customer side. The update mirror will at no time initiate a connection to the STEP environment.
Direct Connection to Release Server
Downloading updates directly from a Release Server is the default method for patching. Using this method, the STEP environment is configured to allow an encrypted connection by HTTPS to the release server. This method offers the best security.
Advantages to using the Direct Connection method include: faster support from Stibo Systems by providing complete version information and a simplified infrastructure.
Private Updates Mirror
As an alternative to accessing the release server directly, it is possible to set up a Private Updates Mirror and configure SPOT on the internal STEP servers to use the mirror instead.
Advantages
The advantages of using the Private Updates Mirror method are:
- If the internet connection or the global updates server breaks down, the already downloaded files will still be available.
- The internet connection bandwidth consumed is reduced by avoiding repeated downloads.
- The network configuration is simpler as only the mirror needs to access the updates server, while the individual SPOT instances can be configured to talk only to the private mirror on the internal network.
Requirements
To run a private mirror server, you need:
- A 64-bit Linux host, not shared with STEP.
- Java 8 64-bit (an updated version will be installed by SPOT, so the OS version is okay for bootstrapping).
- Enough storage to hold the entire mirror (400 GB will suffice).
- Outgoing internet access to the Stibo Systems updates servers on port 443.
- Incoming access from the private network on port 443 for the SPOT hosts.
- A DNS entry on the local network that can be expected to never change, so mirror.customer.com would be preferable to pc2016-02-13-room7-linux-test-dl120g9.dhcp.customer.com.
Upstream Root Mirrors
The root mirrors that the private mirror connects to can be listed using spot --mirrors, but these are the current hosts:
- dk1.updates.stibosystems.com: Primary root mirror.
- dk2.updates.stibosystems.com: Secondary root mirror.
- updates.stibosystems.com: Fail-over mirror on a shared IP between the two root mirrors.
Outgoing TCP access on port 443 must be allowed from the private mirror to each of the root mirror IP addresses, so that the mirror has more upstream mirrors to pick from if one fails.
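The following preflight check is an added example, not part of SPOT or of Stibo Systems tooling. Run from the private mirror host, it resolves each root mirror listed above, connects to every resulting IP address on port 443, and requires a TLS handshake with certificate and hostname verification, so a firewall rule that covers only one address shows up as a failure. It assumes the root mirrors present certificates that validate against the host's system trust store; the function names are illustrative.

```python
import socket
import ssl

# Hostnames and port as listed on this page; everything else is illustrative.
ROOT_MIRRORS = ("dk1.updates.stibosystems.com", "dk2.updates.stibosystems.com",
                "updates.stibosystems.com")
PORT = 443

def resolve(host):
    """Return every IP address the hostname currently resolves to."""
    infos = socket.getaddrinfo(host, PORT, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, timeout=5.0):
    """Connect to one IP on 443 and verify the certificate against host."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((ip, PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok " + str(tls.version())
    except ssl.SSLError as exc:
        return f"tls-failed: {exc}"
    except OSError as exc:
        return f"blocked: {exc}"

def check_mirrors(hosts=ROOT_MIRRORS, resolve=resolve, probe=probe):
    """Probe each IP of each root mirror; returns {(host, ip): status}."""
    results = {}
    for host in hosts:
        try:
            ips = resolve(host)
        except OSError as exc:
            results[(host, None)] = f"dns-failed: {exc}"
            continue
        for ip in ips:
            results[(host, ip)] = probe(ip, host)
    return results

def unreachable(results):
    """List the (host, ip) pairs without a verified TLS handshake."""
    return sorted((k for k, v in results.items() if not v.startswith("ok ")), key=str)

if __name__ == "__main__":
    res = check_mirrors()
    for (host, ip), status in sorted(res.items(), key=str):
        print(f"{host:30} {ip or '-':40} {status}")
    raise SystemExit(1 if unreachable(res) else 0)
```

A "tls-failed" status on an otherwise reachable address usually points to an intercepting proxy or a missing CA in the trust store rather than a firewall block.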