New Geo-Location Mirror Service

Hi @all, we’ve developed a new geo-location mirror service which should make things a lot faster, simpler and easier when installing packages, updates and downloading ISOs.

When hitting https://mirrors.almalinux.org, it will allow you to:

You can help test it out. Add the following record in /etc/hosts on your server:

136.243.31.169 mirrors.almalinux.org

Now dnf will get the ten nearest mirrors from https://mirrors.almalinux.org/mirrorlist/8/<repo_name>.

Please discuss any feedback on the AlmaLinux Community, here in the forums, or on the AlmaLinux Sub-Reddit.

I tried from several locations in Belgium. It looks like the first Belgian mirror is in 9th position, followed by Bulgarian and Canadian servers, then a Chinese server before a Danish and a number of German servers.
Doesn’t seem very logical :wink:

Even when trying from our mirror server, we get that result.

you still get the problem when setting update-crypto-policies --set FUTURE

[root@alma8cis ~]# dnf -vvv search geoip
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync
DNF version: 4.4.2
cachedir: /var/cache/dnf
AlmaLinux 8 - BaseOS                                                                                                                                                                                          0.0  B/s |   0  B     00:01    
Errors during downloading metadata for repository 'baseos':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: EE certificate key too weak]

[root@alma8cis ~]# curl -vs https://mirrors.almalinux.org
* Rebuilt URL to: https://mirrors.almalinux.org/
*   Trying 136.243.31.169...
* TCP_NODELAY set
* Connected to mirrors.almalinux.org (136.243.31.169) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: EE certificate key too weak
* Closing connection 0

FIPS mode and DEFAULT work fine.
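
For the `key too weak` failure above, one way to see which certificate in a served chain falls below a policy's RSA minimum is to list the key type and size of each certificate in the chain. This is an added example, not part of the original thread; the function name `chain_key_report` is hypothetical, and the 3072-bit RSA floor for FUTURE is an assumption stated in the code.

```shell
#!/bin/sh
# Added example (not from the thread): report the public-key type and size of
# every certificate in a PEM bundle and flag RSA keys below a minimum.
# Assumption: 3072 bits is the RSA floor enforced by the FUTURE policy.
MIN_RSA_BITS=3072

# chain_key_report BUNDLE [MIN_BITS]
# Prints "<bits> <OK|WEAK|n/a> <algorithm> <subject>" for each certificate.
# Exit status: 0 = no weak RSA key, 1 = at least one, 2 = no certificate parsed.
chain_key_report() (
    bundle=$1
    min=${2:-$MIN_RSA_BITS}
    tmp=$(mktemp -d) || exit 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", d, ++n) }
        f { print > f }' "$bundle"
    rc=2
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        text=$(openssl x509 -in "$f" -noout -text) || continue
        alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
        bits=$(printf '%s\n' "$text" |
               sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        bits=${bits:-0}
        subj=$(openssl x509 -in "$f" -noout -subject)
        if [ "$rc" -eq 2 ]; then rc=0; fi
        verdict=n/a    # non-RSA keys (e.g. ECDSA) are reported but not judged
        if [ "$alg" = rsaEncryption ]; then
            if [ "$bits" -lt "$min" ]; then verdict=WEAK; rc=1; else verdict=OK; fi
        fi
        printf '%s %s %s %s\n' "$bits" "$verdict" "$alg" "$subj"
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Usage against a live host (needs network):
#   openssl s_client -connect mirrors.almalinux.org:443 \
#       -servername mirrors.almalinux.org -showcerts </dev/null >chain.pem
#   sh this_script.sh chain.pem
if [ "$#" -gt 0 ]; then chain_key_report "$@"; fi
```
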

it's not the server cert (that's 4096-bit rsa), it's the letsencrypt intermediate (R3 ISRG Root X1) that is using 2048-bit rsa keys. seems that they're only just starting to test E1, which is using ecdsa keys, but once they make that generally available it should sort itself next time you refresh your cert: Chain of Trust - Let's Encrypt

note that redhat advise against using FUTURE mode anyway and CIS say anything but LEGACY is fine.

Anyway, back on topic, how do we test this?

First time I tried a dnf search I saw this: determining the fastest mirror (8 hosts).. done. but even if I run dnf clean all or --refresh I don't see that anymore.

browsing to AlmaLinux ISOs links works kinda, like @wimrunner says. I get 3 in the uk, then one in the netherlands, then another uk one. so it's not completely prioritizing the local country - what's the algorithm, is it ping/hops/geography…?

also mirror.nl.fusioned.net is listed as UK not NL on the page, contrary to:

$ geoiplookup mirror.nl.fusioned.net
GeoIP Country Edition: NL, Netherlands

Looks fine from the UK. I get:

https://lon.mirror.rackspace.com/almalinux/8/AppStream/$basearch/os/
https://mirror.cov.ukservers.com/almalinux/8/AppStream/$basearch/os/
https://mirror.netweaver.uk/almalinux/8/AppStream/$basearch/os/
https://mirror.nl.fusioned.net/almalinux/8/AppStream/$basearch/os/
http://mirrors.coreix.net/almalinux/8/AppStream/$basearch/os/
https://almalinux.reloumirrors.net/8/AppStream/$basearch/os/
https://mirror.almalinux.ikoula.com/8/AppStream/$basearch/os/
https://mirror.crexio.com/almalinux/8/AppStream/$basearch/os/
http://almalinux.cu.be/8/AppStream/$basearch/os/
https://mirror.nl.altushost.com/almalinux/8/AppStream/$basearch/os/

The first three are all local which is good. Checking the list there are:
Local: 4
European: 5
Japanese: 1

Getting a few European results makes geographic sense (though IME US servers give a better round trip and download times). Not sure about the Japanese one though!

This is awesome! One of them is in a geographic location mere minutes from where I work and live!

From a residential Belgian address, this is the result :slight_smile:
Australia
Australia
Australia
Australia
Australia
Austria
Bangladesh
Bangladesh
Belgium (our mirror)
Brazil

Is it just me or are we just getting an alphabetically sorted listing ???

Actually I should have been more careful… hosts file wasn’t updated properly…
All is well, getting the right servers from Belgium. Our Belgian mirror, followed by a number of Dutch, UK and German…
