Automated update checks fail if mirror not reachable or blocked due to company policy

[manfredw]

I'm operating several openSUSE systems in different environments and do not want to setup local mirrors (or have the necessary IT infrastructure).
To monitor possible (security) updates for the systems, zypper is called cyclic to see the number or details.

Sometimes the download from the via MirrorCache redirected http requests failed, reasons can be errors on the
mirror or also blocked access to the specific mirror due to customers security policy (i.e. websites from countries involved in wars or cyber attacks are not trusted).

It seems that the local systems are not able to tell MirrorCache to use alternative mirrors or limit mirror selection to specific regions or countries.

Is there a way to select specific mirrors or to change the behavior of zypper?
In most cases we have to use proxies for internet access and maybe we have to change the proxy response in such cases.

Example:

<server>:~ # zypper ref
Retrieving repository 'Monitoring Repo for openSUSE 15.4' metadata ..........................................................[error]
Repository 'Monitoring Repo for openSUSE 15.4' is invalid.
[monitoring|https://download.opensuse.org/repositories/server:/monitoring/15.4/] Valid metadata not found at specified URL
History:
 - Download (curl) error for 'https://download.opensuse.org/repositories/server:/monitoring/15.4/repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz':
   Error code: HTTP response: 0
   Error message: The requested URL returned error: 500
 - Can't provide ./repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz

Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'Monitoring Repo for openSUSE 15.4' because of the above error.
Some of the repositories have not been refreshed because of an error.

<server>:~ # wget https://download.opensuse.org/repositories/server:/monitoring/15.4/repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz
--2023-11-16 12:39:15--  https://download.opensuse.org/repositories/server:/monitoring/15.4/repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz
Connecting to <proxy>:8080... connected.
Proxy request sent, awaiting response... 302 Found
Location: https://mirror.tspu.ru/opensuse/repositories/server%3A/monitoring/15.4/repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz [following]
--2023-11-16 12:39:15--  https://mirror.tspu.ru/opensuse/repositories/server%3A/monitoring/15.4/repodata/1927342524d02b5740b352c2ba848fc310e3cc40dc5bfbf1738273d2157cd50e-primary.xml.gz
Connecting to <proxy>:8080... connected.
Proxy tunneling failed: Internal Server ErrorUnable to establish SSL connection.

[andrii-suse]

For this specific problem you can add ?AVOID_COUNTRY=ru to urls in /etc/zypp/repos.d/*.repo files.
So corresponding line in .repo file will look something like:
baseurl=https://download.opensuse.org/repositories/server:/monitoring/15.4/?AVOID_COUNTRY=ru

Unfortunately I don't have easier solution at the moment, but let me know if such workaround is possible for you.

[manfredw]

Thx, I will try it. :-)

Is this a documented parameter?
Are there multiple values allowed? (separator?)

But as you said this is only a workaround.
I would prefer a positive logic like PREFER_COUNTRY or PREFER_REGION to avoid the maintenance of a blacklist...

[andrii-suse]

Unfortunately no much documentation atm besides unit tests, e.g.

MirrorCache/t/environ/03-geo.sh

Line 71 in 863fb70

echo test get parameter AVOID_COUNTRY

Separator is coma (see example below)

COUNTRY and REGION are detected automatically, and they are preffered when possible, you can check that such detection works properly using route /rest/myip , e.g.:

curl download.opensuse.org/rest/myip

If that info in output of that command is incorrect - you can add REGION and COUNTRY the same way to url. So it will try to find the closest mirror. You might try combining these variables like

?REGION=eu&COUNTRY=be&AVOID_COUNTRY=de,ru

[andrii-suse]

Closing this because of inactivity, but feel free to reopen if more assistance is needed