wiki:Admin Guides/Shared Repository Mirror

In development, see #156

Shared Repository Mirror

To support usage of the UM shared repository system at NCI we provide a local repository mirror. This mirror is read-only, and provided primarily so that the FCM build system can run unattended without needing to store authentication.

Using the Mirror

The mirror is available on Accessdev, using the FCM keywords:

  • fcm:um.xm: Unified Model
  • fcm:jules.xm: JULES
  • fcm:gcom.xm: GCOM

The mirror repositories are synchronised with the main server every 10 minutes

Implementation Details

The mirror is a read-only copy of the repositories at, it is synchronised with the main repository every 10 minutes. No password is required to read the code, but the repository can only be accessed from Accessdev.

The mirror runs on the NCI openstack cloud under the account, as the server at IP address

The mirror was configured using the Puppet repository at

The mirror uses the account 'coecssro' to synchronise with the Met Office server

A self-signed SSL certificate was used for the service according to the instructions at, this is installed on Accessdev by the accessdevnode::devtools Puppet class.

To create a new admin account send a Github pull request changing the file to add your username and public ssh key

Updating certificate

Generate a new certificate with (

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -subj '/CN=metoffice-mirror' -nodes -sha256

Set mirror_cert: in hieradata/project.yaml to the contents of cert.pem, should look like

# Mirror cert
mirror_cert: |
  ... # Bunch of letters & numbers

The certificate key is encrypted, and can only be edited on accessdev or accessdev-test, using sudo eyaml edit hieradata/node/metoffice-mirror.yaml

Set nic::pki::tls::certs_hash: "metoffice-mirror": private_key: to the contents of key.pem, surrounded with DEC(1)::PKCS7[ key goes here ]!, so it should look like

     certificate: "%{hiera('mirror_cert')}"
     private_key: |
        DEC(1)::PKCS7[-----BEGIN PRIVATE KEY-----
        ... # Bunch of letters & numbers
        -----END PRIVATE KEY-----]!

Important** Look at the file after it's been edited with eyaml, the private key should have been replaced with an encrypted version that looks like

     certificate: "%{hiera('mirror_cert')}" 
     private_key: |

Log on to metoffice-mirror. If you're using a test branch, deploy with

sudo puppet-update --environment mirror-cert
sudo service restart httpd

If the branch has been applied on both metoffice-mirror and accessdev-test, you should be able to run

fcm info fcm:um.xm

on accessdev-test and not receive any certificate message

You can then merge into production, apply the update to accessdev and switch metoffice-mirror back to the production branch.

Last modified 5 months ago Last modified on Oct 1, 2018 10:40:42 AM