
How to create a local mirror of Endpoint Protection Linux repository


Article ID: 228295


Products

Endpoint Protection

Issue/Introduction

How to create a local mirror of the Symantec Endpoint Protection (SEP) Linux repository

Cause

A local mirror of the SEP Linux repository may be desired when installing and updating SEP Linux Agent on machines that do not have connections to the internet.

Environment

SEP 14.3 RU1 and newer on Linux

Resolution

WARNING: Using these scripts as-is will download gigabytes of data! You must edit the for-loops in the scripts to remove undesired SEP versions and Linux releases, or add new versions that may not be listed here. These scripts are provided only as convenient examples, and the customer is responsible for supporting and implementing any repository mirroring scheme. The supported alternative for a Linux system without an internet connection is to create a repackaged offline LinuxInstaller.

The two scripts below are examples that create a "sep_linux" folder (if not present) in the current working directory and mirror the selected branches of the SEP Linux repository into it. The selection of packages is determined by which script is used, and refined further by editing the OS and SEP product versions in the script. How these mirrors are shared (file/web/ftp/etc.) is left up to the customer. See How to create Local Linux Repo on CentOS/RHEL 7 and 8 for an alternate set of instructions that uses recursive wget and also includes an example of web server hosting.

RPM-based Linux 

This script can be used to mirror all of the SEP *.rpm packages for RHEL, SLES, and Amazon Linux. It is recommended that you run it on RHEL 8+.

#!/bin/bash

# there are yum-utils packages for deb-based Linux but reposync command in this script works best on rpm-based Linux
# required: install reposync command - sudo yum install yum-utils
# it is recommended you run this script on RHEL8+ because the reposync --repofrompath option isn't supported on older versions

# WARNING: edit the for-loops below to remove undesired SEP versions and Linux releases;
#          using this script as-is will download gigabytes of data!

repo=linux-repo.us.securitycloud.symantec.com
arch=x86_64
prod=sep_linux
for vers in 14.3RU1 14.3RU2 14.3RU3; do
  for linux in amazonlinux2 rhel6 rhel7 rhel8 sles12 sles15; do
    reposync --repofrompath "$arch,https://$repo/$prod/$vers/$linux/$arch" --download-metadata --repo="$arch" -p "$prod/$vers/$linux"
  done
done

 

DEB-based Linux (Debian and Ubuntu)  

This script can be used to mirror all of the SEP *.deb packages for Ubuntu and Debian. It has been tested OK on Ubuntu 20.04, Debian 10, and RHEL 8.

#!/bin/bash

# on deb-based Linux, install debmirror command to use this script:
# - sudo apt install debmirror

# or on rpm-based Linux, enable EPEL repository and install debmirror and perl https protocol:
# - sudo yum install debmirror perl-LWP-Protocol-https
# - and edit /etc/debmirror.conf and comment out the @dists, @sections, and @arches configuration lines

# WARNING: edit the for-loops below to remove undesired SEP versions and Linux releases;
#          using this script as-is will download gigabytes of data!

repo=linux-repo.us.securitycloud.symantec.com
arch=amd64
prod=sep_linux
for vers in 14.3RU1 14.3RU2 14.3RU3; do
  for linux in debian9 debian10 ubuntu14 ubuntu16 ubuntu18 ubuntu20; do
    # debmirror behaves oddly with slash in distribution name and must be URL-encoded as %2F
    dist=$prod%2F$vers
    debmirror -v --method=https -h "$repo" -r "$prod/$vers/$linux" -a "$arch" -s main -d "$dist" --rsync-extra=none --nosource --no-check-gpg "$prod/$vers/$linux"
  done
done

 

Using the SEP LinuxInstaller command with a local repository mirror

Use the -h (--local-repo) option. 

To install SEP Linux Agent and configure it to use a local repository mirror in a local folder or file share: 

./LinuxInstaller -- -h /path/to/sep_linux/14.3RU3

For a mirror shared by an HTTPS web server:

./LinuxInstaller -- -h https://path/to/sep_linux/14.3RU3

NOTE: The repository folder version referenced (14.3RU3 in the examples above) must match the version of LinuxInstaller; otherwise it will return "No packages found that need update". If the LinuxInstaller version is 14.3RU2, then use 14.3RU2 in the repository URL, and so on.

 

To perform GPG signature checks when the packages are mirrored

Download SEP-GPG-KEY-SDCSS, attached at the bottom of this article, and then:

  • On RPM-based Linux:

sudo rpm --import SEP-GPG-KEY-SDCSS

In the reposync command, add the option "--gpgcheck".

  • On Ubuntu and other Debian-based Linux:

sudo gpg --import SEP-GPG-KEY-SDCSS

In the debmirror command, replace "--no-check-gpg" with "--keyring ~/.gnupg/pubring.kbx".
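
The GPG options above apply while the mirror is being downloaded; once the tree has been copied to the isolated network, the .deb files can be re-checked against the repository metadata. The script below is an added example, not part of the original article or a Symantec tool: it reads the SHA256 that a Release file records for an index, and checks every package listed in an uncompressed Packages index against its SHA256 field. The function names and the paths passed in are assumptions about your own mirror layout.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# illustrative; the paths passed in depend on your own mirror layout.

# release_sha256 RELEASE RELPATH
# Print the SHA256 that a Debian Release file records for index RELPATH.
release_sha256() {
  awk -v want="$2" '
    /^SHA256:/ { in_sec = 1; next }
    /^[^ ]/    { in_sec = 0 }   # an unindented line ends the section
    in_sec && $3 == want { print $1; exit }' "$1"
}

# verify_deb_mirror ROOT INDEX
# Check every package listed in the uncompressed Packages file INDEX against
# its SHA256 field. Returns 0 only if every listed file exists and matches.
verify_deb_mirror() (
  root=$1
  index=$2
  awk '
    /^Filename:/ { f = $2 }
    /^SHA256:/   { h = $2 }
    /^$/         { if (f != "") print f, h; f = ""; h = "" }
    END          { if (f != "") print f, h }' "$index" |
  {
    bad=0
    while read -r file want; do
      if [ ! -f "$root/$file" ]; then
        echo "MISSING  $file"; bad=1; continue
      fi
      got=$(sha256sum "$root/$file" | awk '{ print $1 }')
      [ "$got" = "$want" ] || { echo "MISMATCH $file"; bad=1; }
    done
    exit "$bad"
  }
)

# Command-line use: sh verify_mirror.sh ROOT INDEX
if [ "$#" -eq 2 ]; then
  verify_deb_mirror "$1" "$2"
fi
```

A package with no SHA256 field in the index is reported as a mismatch, so the check fails closed. The hashes are only as trustworthy as the Release file, which is what the keyring check on the mirroring host covers.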

 

References

https://www.redhat.com/sysadmin/how-mirror-repository

https://help.ubuntu.com/community/Debmirror

Attachments

1640030601042__SEP-GPG-KEY-SDCSS