Ubuntu
maas package

MAAS could be more helpful with scripted installation scenarios to cover common network setups

Bug #1304613 reported by Jeff Lane  on 2014-04-08

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Won't Fix	Wishlist	Unassigned
	maas (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

by default, there's no way for a node started by maas to talk to the internet. There is also no way on the maas dashboard that I can see that allows me to control this sort of network behaviour either.

For now, we are using a shell script to start NAT rules in iptables so that a node can actually talk to the internet.

Scenario one:

node commissioned and started, uses d-i to do a basic install. This works fine however, if you have the pressed do something like add a PPA for some different packages during late_command, you can never complete installation because add-apt-repository can't talk to the outside. And if you add the repo manually, I do not believe you can actually pull the packages from ppa.launchpad.net.

Scenario two:
node commissioned and started, using fast-path install. After fast-path is done and note reboots, you ssh into the node and want to add the PPA manually and install packages. This is impossible because again, add-apt-repository fails to get stuff from launchpad.net.

Solution to both, for now, is to set up NAT with the following rules:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
/sbin/iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: maas 1.5+bzr2227-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-23.45-generic 3.13.8
Uname: Linux 3.13.0-23-generic x86_64
ApportVersion: 2.14.1-0ubuntu1
Architecture: amd64
Date: Tue Apr 8 15:11:12 2014
InstallationDate: Installed on 2014-01-13 (85 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140113)
PackageArchitecture: all
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: maas
UpgradeStatus: No upgrade log present (probably fresh install)

Tags:

Revision history for this message

Jeff Lane  (bladernr) wrote on 2014-04-08:

Dependencies.txt Edit (12.6 KiB, text/plain; charset="utf-8")

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-04-09:

Hi Jeff,

My nodes can access the Internet perfectly well, which demonstrates that your problem is entirely dependent on each kind of network set up.

This is partly why there is a proxy setting on the region controller, but this is not used after the node is installed.

So I think MAAS can do better in a couple of ways:
1. Set up the proxy on installed nodes if it's set on the region's settings
2. Allow admins to configure ip forwarding on the region controller

However #2 is problematic because the region controller is not really a single machine on scaled-out installation, there could be many appservers and Postgres slaves.

How do you think MAAS could help in that scenario where the region is not a single machine?

Cheers.

Changed in maas (Ubuntu):
status:	New → Incomplete

Revision history for this message

Jeff Lane  (bladernr) wrote on 2014-04-22:

Download full text (7.5 KiB)

Hi Julian,

I've got several MAAS servers that seem to suffer the same fate, depending on what your definition of "Access the internet" is.

We first saw this at the Orange Box sprint in london where nodes could be deployed via d-i which was pulling packages from MAAS's squid-deb-proxy, IIRC, however they couldn't pull packages afterwards from ppa.launchpad.net or "the internet" in general (e.g. I couldn't ssh to a node and they wget a file from somewhere else).

A good example of this was when we tried usign juju to deploy certain charms that pull from places like github, the charms would fail because those sites were unreachable from the node itself (but not from the MAAS Server). So we configured NAT to allow the nodes to pass through to the internet to reach "anywhere".

In our immediate case with certification, we have several NUCs that are configured as MAAS servers for deploying both the OS and certification tools.

So here is IP Tables after a fresh reboot of my NUC running the latest 14.04 MAAS:
ubuntu@critical-maas:~$ sudo iptables -L
[sudo] password for ubuntu:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ubuntu@critical-maas:~$
ubuntu@critical-maas:~$ COLUMNS=150 dpkg -l |grep maas
ii maas 1.5+bzr2252-0ubuntu1 all MAAS server all-in-one metapackage
ii maas-cli 1.5+bzr2252-0ubuntu1 all MAAS command line API tool
ii maas-cluster-controller 1.5+bzr2252-0ubuntu1 all MAAS server cluster controller
ii maas-common 1.5+bzr2252-0ubuntu1 all MAAS server common files
ii maas-dhcp 1.5+bzr2252-0ubuntu1 all MAAS DHCP server
ii maas-dns 1.5+bzr2252-0ubuntu1 all MAAS DNS server
ii maas-region-controller 1.5+bzr2252-0ubuntu1 all MAAS server complete region controller
ii maas-region-controller-min 1.5+bzr2252-0ubuntu1 all MAAS Server minimum region controller
ii maas-test 0.1+bzr147+150+10~pp all Utility to test hardware compatibility with MAAS
ii python-django-maas 1.5+bzr2252-0ubuntu1 all MAAS server Django web framework
ii python-maas-client 1.5+bzr2252-0ubuntu1 all MAAS python API client
ii python-maas-provisioningserver 1.5+bzr2252-0ubuntu1 all MAAS server provisioning libraries

Now I have the server inst...

Hi Julian,

I've got several MAAS servers that seem to suffer the same fate, depending on what your definition of "Access the internet" is.

A good example of this was when we tried usign juju to deploy certain charms that pull from places like github, the charms would fail because those sites were unreachable from the node itself (but not from the MAAS Server).  So we configured NAT to allow the nodes to pass through to the internet to reach "anywhere".

In our immediate case with certification, we have several NUCs that are configured as MAAS servers for deploying both the OS and certification tools.

So here is IP Tables after a fresh reboot of my NUC running the latest 14.04 MAAS:
ubuntu@critical-maas:~$ sudo iptables -L
[sudo] password for ubuntu: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
ubuntu@critical-maas:~$ 
ubuntu@critical-maas:~$ COLUMNS=150 dpkg -l |grep maas
ii  maas                            1.5+bzr2252-0ubuntu1 all                  MAAS server all-in-one metapackage
ii  maas-cli                        1.5+bzr2252-0ubuntu1 all                  MAAS command line API tool
ii  maas-cluster-controller         1.5+bzr2252-0ubuntu1 all                  MAAS server cluster controller
ii  maas-common                     1.5+bzr2252-0ubuntu1 all                  MAAS server common files
ii  maas-dhcp                       1.5+bzr2252-0ubuntu1 all                  MAAS DHCP server
ii  maas-dns                        1.5+bzr2252-0ubuntu1 all                  MAAS DNS server
ii  maas-region-controller          1.5+bzr2252-0ubuntu1 all                  MAAS server complete region controller
ii  maas-region-controller-min      1.5+bzr2252-0ubuntu1 all                  MAAS Server minimum region controller
ii  maas-test                       0.1+bzr147+150+10~pp all                  Utility to test hardware compatibility with MAAS
ii  python-django-maas              1.5+bzr2252-0ubuntu1 all                  MAAS server Django web framework
ii  python-maas-client              1.5+bzr2252-0ubuntu1 all                  MAAS python API client
ii  python-maas-provisioningserver  1.5+bzr2252-0ubuntu1 all                  MAAS server provisioning libraries

Now I have the server installed and try a couple things to see if my node can talk to the internet:
ubuntu@supermicro:~$ host ubuntu.com
ubuntu.com has address 91.189.94.156
ubuntu.com mail is handled by 10 mx.canonical.com.

ubuntu@supermicro:~$ sudo ping -c 10 www.ubuntu.com
PING www.ubuntu.com (91.189.89.103) 56(84) bytes of data.

--- www.ubuntu.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9071ms

I am able to install something:
ubuntu@supermicro:~$ sudo apt-get install ksh
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ksh
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 1,583 kB of archives.
After this operation, 3,229 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com//ubuntu/ trusty/universe ksh amd64 93u+20120801-1 [1,583 kB]
Fetched 1,583 kB in 7s (223 kB/s)                                                                                                        
Selecting previously unselected package ksh.
(Reading database ... 69996 files and directories currently installed.)
Preparing to unpack .../ksh_93u+20120801-1_amd64.deb ...
Unpacking ksh (93u+20120801-1) ...
Processing triggers for man-db (2.6.7.1-1) ...
Setting up ksh (93u+20120801-1) ...
update-alternatives: using /bin/ksh93 to provide /bin/ksh (ksh) in auto mode

but is that going through the squid deb proxy?

Because I am unable to manually touch archive.ubuntu.com:
--2014-04-22 18:38:29--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.92.200, 91.189.91.13, 91.189.91.14, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.92.200|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.13|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... failed: Connection timed out.

So now I start NAT:
ubuntu@critical-maas:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere

And try again:
ubuntu@supermicro:~$ wget http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
--2014-04-22 18:46:23--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.14, 91.189.92.201, 91.189.92.200, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1583190 (1.5M) [application/x-debian-package]
Saving to: ‘ksh_93u+20120801-1_amd64.deb’

100%[================================================================================================>] 1,583,190    173KB/s   in 5.9s

2014-04-22 18:46:29 (262 KB/s) - ‘ksh_93u+20120801-1_amd64.deb’ saved [1583190/1583190]

et voila!

I don't have anything fancy set up here... my setup is literally:

node <--1Gb--> Cheap 8port Switch <--1Gb--> NUC <--1Gb--> Ext. LAN cheap 8 port swtich <-- 1Gb --> Gateway <--10Mb DSL --> Internet

I am not doing any weird packet filtering or other firewalling on my external connection, nor anywhere else.  Nothing sitting in a DMZ.

So my theory is that by default, I am able to install things via archive.ubuntu and maybe even ppa.launchpad because of the deb proxy running on the MAAS server, however, as soon as I try any other type of request directly from the node, it fails without something like NAT on the MAAS server to pass traffic.

Changed in maas (Ubuntu):
status:	Incomplete → New

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-04-22:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in maas (Ubuntu):
status:	New → Confirmed

Revision history for this message

Jeff Lane  (bladernr) wrote on 2014-04-22:

As for your question about the region... I don't know... that's operating at scale. The question there is probably one of hierarchy... for example, would you have multiple, linked region controllers, or more like a few region controllers and several cluster controllers under each?

And in that case, perhaps you'd want to be able to arbitrarily set this assuming each region and cluster controller is a physical machine:

So perhaps you would want to be able to, via the dashboard, or some other means say, Cluster 1 shoud be segregated and never pass packets out, but cluster 4 are all web-servers and associated servers and DO need to be able to send and recieve from the internet and cluster 3 contains the things teh web servers need on the back end (SQL, etc) so Cluster 3 should only talk to cluster 4 and NEVER talk to the internet.

Or I don't know, that's really a VERY ugly example.

My original point was just that, by default on my very simple use case (and also as seen with the Orange Boxes), the deployed nodes can't talk to the internet without some manual futzing behind the scenes, and there's no simple way to fix that if you don't know iptables scripting and what bits to flip.

Revision history for this message

Jeff Lane  (bladernr) wrote on 2014-04-22:

Then again, perhaps something as simple as a 'maas-enable-nat' command for these simple cases would be sufficient so new users don't have to also understand iptables... and makes it optional on the maas server so you can or can not enable it... maybe it is a per-cluster-controller thing, as my understanding is that the region controller just handles certain things whie the clusters do the bulk of the work for the nodes...

I dont have the hardware really to set up a different cluster controller... for now.

Revision history for this message

Mark Brown (mstevenbrown) wrote on 2014-04-22:

To add to this, as I also am experiencing this problem:

My maas has 2 nics and 2 networks:
Outbound eth1: talks to the world (or in thsi case my partner OEM's lab network
Private eth0: talks only to maas-create nodes. Call it 10.0.0.0/24 .

I've set up maas as DHCP & DNS manager for eth0. I have *not* NATed eth0 as the Partner OEM does not like private NATs on its lab network. My /etc/resolv.conf, /etc/maas/dhcp.conf and /etc/dhcp/dhclient.conf are saying the right things.

When I create node1 (using fastpath install) I can ping other things on the 10.0.0.0/24 network (by name or address) but cannot ping google.com (even though the name resolves correctly). If I turn on NAT this works.

This makes post-node-startup installation and configuration very problematic.

Revision history for this message

Mark Brown (mstevenbrown) wrote on 2014-04-22:

Actually, my last comment encompasses a different problem (that of isolation), so ignore it.

But do count this as a vote to some kind of "NAT on/off" tooling in MAAS.

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2014-04-24:

Jeff,

Everyone's network setup can be different and MAAS tries not to be prescriptive at all but does assume that anyone setting this stuff up will know a bit about networks. If you are hiding your nodes from the internet behind your MAAS server then I don't think I'd say that MAAS is actively doing anything to harm you here, you just need to know to enable ip_forward and NAT.

As I said in my first reply, I think MAAS can do a bit better at helping these simple "seed cloud" setups and encourage a scripted installation that will configure everything for you. This sort of thing would rarely get used on large installs though as most large users will be a bit more paranoid about explicitly configuring every tiny detail themselves. Many of them don't even want MAAS to manage DHCP.

I'll amend the title of this bug now to reflect the fact that we want MAAS to do some scripted installation scenarios to cover common "small" use cases.

Thanks for filing this!

summary:	- nodes can't get out to the internet beyond the maas server by default + MAAS could be more helpful with scripted installation scenarios to cover + common network setups
Changed in maas:
status:	New → Triaged
importance:	Undecided → Wishlist
Changed in maas (Ubuntu):
status:	Confirmed → Invalid

Andres Rodriguez (andreserl) on 2016-10-03

Changed in maas:
status:	Triaged → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Dependencies.txt Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntumaas package

MAAS could be more helpful with scripted installation scenarios to cover common network setups

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
maas package