Is there a way to set up a local update site for both DSM and package updates ?

[kraal]

Hello,

This is my first message on this forum so I hope I'm writing it in the right forum.

I own a Synology DS920+ NAS. It is part of a VLAN which is not allowed to access the WAN. This causes obvious issues related to DSM updates and package updates. I would like to be able to set up some kind of local mirror update site on my network for both DSM and package updates. (something like a local docker registry, the machine hosting the mirror would be able to access the WAN, would be updated on a daily basis and the NAS would be able to reach this local mirror but not the WAN)

Is there a way / tool (opensource) to achieve this ?

Thank you in advance !

Note: Initially, I allowed access to the addresses listed in the KB [1], but I'm not satisfied with it. What the device is doing under the hood is not clear and as such not acceptable from a security perspective for a device hosting sensitive data. As such I currently have to manually configure routers/firewalls to allow the NAS to access the WAN for the duration of the updates, then block it again... which is not viable.

[1] What websites does my Synology NAS connect to when running services or updating software? - Synology Knowledge Center

 

[Robbie]

May I ask what problem you are experiencing when manually updating, as DSM is not picky about what stores the update in the interim?

 

[kraal]

Well no "problem" wth manual updates, however manual updates imply having to check manually for DSM updates + packages updates, having to download everything manually, having to upload manually.

Having a mirror of update sites and being able to stage DSM / package files at the mirror level (i.e. make them only visible to production devices once tested/accepted) would IMHO greatly streamline the process.

 

[SynoMan]

however manual updates imply having to check manually for DSM updates + packages updates,

FYI, @fredbert regularly publishes updates in this resource so it's easier to track: Info - Latest versions of DSM/SRM and packages

 

[Robbie]

Well no "problem" wth manual updates, however manual updates imply having to check manually for DSM updates + packages updates, having to download everything manually, having to upload manually.

Understood and I know I'm not answering your original question - but only because I do not have a direct answer.

If the other device you wish to use as a mirror is a Syno NAS then you could set an alert on that for updates. Effectively it would be a dedicated sheep-dip unit, with no sensitive data on it, just serving the non-DMZ side of your network.

Another option would be to split-off a spare ethernet port (if you have one) on the DS920+ and have it on a different subnet than your protected network and just screw-down that more external-facing interface so that it cannot gain access to the directories with all the sensitive stuff. Effectively you are making one NAS behave as 2 different NASes. This would also make it easy to set external firewalls to only accept packets needed for DSM update checking and only at times of your choosing.

I can appreciate your lack of trust in what Synology does in the shadows when it 'phones home' as it does not honour some of the user settings in the GUI (eg IP check even when 'disabled' or not needed, or pinging my own domain when not set to do so). DNS controls can help there too.

️

 

[fredbert]

I believe that CMS will download updates and then update the NAS it is managing. The help says it works except for updates that require intervention via user dialogues. A two port NAS running CMS could mostly work, with a leg in each LAN.

FYI, @fredbert regularly publishes updates in this resource so it's easier to track: Info - Latest versions of DSM/SRM and packages

That's my intention. My scripts get the top-most version listed of each OS/package. So that's usually the latest package version for the most recent major version of DSM/SRM/etc. But it's better than trawling through every package every time you want to check for updates.

 

[kraal]

I believe that CMS will download updates and then update the NAS it is managing. The help says it works except for updates that require intervention via user dialogues. A two port NAS running CMS could mostly work, with a leg in each LAN.


That's my intention. My scripts get the top-most version listed of each OS/package. So that's usually the latest package version for the most recent major version of DSM/SRM/etc. But it's better than trawling through every package every time you want to check for updates.

That's interesting. What information source is your script using ? would you mind sharing it ?

As there is a way to easily retrieve DSM upgrade files (can be done using the RSS feed and parsing it), if package upgrade files can be retrieved based on your script, I could write an ansible role to connect to the NAS retrieve the model, the dsm version, list of installed package with version, then have the ansible controller check if upgrades are available, download them, upload them to the NAS and upgrade everything using synopkg and synoupgrade CLI commands.

This would be even better than an update mirror. And no need to have access to the internet from the NAS as it would be the controller which would retrieve the files and send them to it.

Just need to make sure that package upgrade from local spk is doable from CLI (install is possible from what I saw, but I'm not sure if package upgrade using local files is) + would have to deal with packages needing user interaction (some kind of admin notification, and storage of spk files on the NAS for manual update)

Maybe someone has already tried this...

 

[fredbert]

That's interesting. What information source is your script using ? would you mind sharing it ?

I was reading the help page.

Package | Central Management System - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

kb.synology.com

Oops! I misread you.

The starting point is Synology Archive Download Site - Index of /download and then using curl to get pages, parse them for various pieces of info, drill down to the next level.

 

[kraal]

I was reading the help page.

Package | Central Management System - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

kb.synology.com

Oops! I misread you.

The starting point is Synology Archive Download Site - Index of /download and then using curl to get pages, parse them for various pieces of info, drill down to the next level.

Ok thank you, I was hoping for an easily parsable RSS feed, guess that I was a bit optimistic
I created a support ticket to check if they can give access to such an RSS feed. Who knows...

 

[kraal]

Ok got an answer from Synology:

Thank you for contacting Synology Support Team. We regret to inform you that the function you inquired about is not currently supported. However, we have submitted a Feature Inquiry Form for you to ensure your feedback is heard and used as a reference for future product feature planning. Our Product Management Team will follow up with your inquiry, thank you.

So no RSS feed for packages for now.

 

[fredbert]

Thank you for contacting Synology Support Team. We regret to inform you that the function you inquired about is not currently supported. However, we have submitted a Feature Inquiry Form for you to ensure your feedback is heard and used as a reference for future product feature planning. Our Product Management Team will follow up with your inquiry, thank you.

<sound="on" audio="crickets chirping"/>