<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hey all,<br>
<br>
I've been working on fixing the problem(s) with deploying juju
behind a proxy [1]. This involved creating kvm instances (using
virt-manager), firewalling them off to only have access to the
network through a proxy (squid running on the host) and
bootstrapping with the manual provider. As this is a generally
useful technique for testing bootstrap (etc) without using the local
provider (which is a special snowflake in many ways and can't always
be used for testing).<br>
<br>
There's nothing new or complex here, but it's a nice technique. I'll
also describe the firewall rules needed for simulating a machine
behind a proxy. Useful if you ever need to test this scenario.<br>
<br>
First of all create a new kvm instance from 14.04 server, and
pre-select openssh to be installed. You shouldn't need to install
anything else. <br>
<br>
If you're going to be running behind a proxy then clone the kvm
instance (probably a good technique anyway) and use the clone. This
is because you can't reprovision a machine with the manual provider
when it's behind a proxy [2].<br>
<br>
If you want to run behind a proxy then install squid3 on your host
and edit the squid.conf to allow access from the local network (or
from everywhere). The default squid port is 3128. <br>
<br>
iptables rules for the kvm instance are easiest to setup with ufw,
which should be installed by default. Run the following commands as
root:<br>
<br>
<div aria-haspopup="true" class="ajy"><img aria-label="Show details"
data-tooltip="Show details" class="ajz" id=":24m" role="button"
src="cid:part1.06000902.00000102@canonical.com" alt=""></div>
<span class="il">ufw</span> enable<br>
<span class="il">ufw</span> default deny outgoing<br>
<span class="il">ufw</span> allow out 22<br>
<span class="il">ufw</span> allow in 22<br>
<span class="il">ufw</span> allow out 17070<br>
<span class="il">ufw</span> allow in 17070<br>
<span class="il">ufw</span> allow out 67/udp<br>
<span class="il">ufw</span> allow in 67/udp<br>
<span class="il">ufw</span> allow out 3128/tcp<br>
<span class="il">ufw</span> allow in 3128/tcp<br>
<span class="il">ufw</span> allow out 53/udp<br>
<br>
This permits ssh access, the apiserver, dns and dhcp, plus access to
the squid proxy, but blocks everything else.<br>
<br>
You can then edit environments.yaml as normal for the manual
provider (run "ip addr" in the kvm instance to get the IP address of
course):<br>
<br>
manual:
<br>
type:
manual
<br>
bootstrap-host:
192.168.178.190 <br>
bootstrap-user: username
<br>
#http-proxy:
<a class="moz-txt-link-freetext" href="http://192.168.178.103:3128/">http://192.168.178.103:3128/</a> <br>
#https-proxy: <a class="moz-txt-link-freetext" href="http://192.168.178.103:3128/">http://192.168.178.103:3128/</a> <br>
<br>
Followed by:<br>
<br>
juju switch manual<br>
juju bootstrap --upload-tools<br>
<br>
This will "just work"...<br>
<br>
If you also wish to deploy units to a separate machine (you can
deploy to the state server instance with "--to 0" of course) you'll
need another kvm instance and use the form:<br>
<br>
juju deploy wordpress --to ssh:user@<ip addr><br>
<br>
<br>
Warm regards,<br>
<br>
Michael Foord<br>
<br>
[1] <a class="moz-txt-link-freetext"
href="https://bugs.launchpad.net/juju-core/+bug/1403225">https://bugs.launchpad.net/juju-core/+bug/1403225</a><br>
[2] <a class="moz-txt-link-freetext"
href="https://bugs.launchpad.net/juju-core/+bug/1418139">https://bugs.launchpad.net/juju-core/+bug/1418139</a>
</body>
</html>