[Bug 1304613] Re: nodes can't get out to the internet beyond the maas server by default
Jeff Lane
jeffrey.lane at canonical.com
Tue Apr 22 18:50:38 UTC 2014
Hi Julian,
I've got several MAAS servers that seem to suffer the same fate,
depending on what your definition of "Access the internet" is.
We first saw this at the Orange Box sprint in london where nodes could
be deployed via d-i which was pulling packages from MAAS's squid-deb-
proxy, IIRC, however they couldn't pull packages afterwards from
ppa.launchpad.net or "the internet" in general (e.g. I couldn't ssh to a
node and they wget a file from somewhere else).
A good example of this was when we tried usign juju to deploy certain
charms that pull from places like github, the charms would fail because
those sites were unreachable from the node itself (but not from the MAAS
Server). So we configured NAT to allow the nodes to pass through to the
internet to reach "anywhere".
In our immediate case with certification, we have several NUCs that are
configured as MAAS servers for deploying both the OS and certification
tools.
So here is IP Tables after a fresh reboot of my NUC running the latest 14.04 MAAS:
ubuntu at critical-maas:~$ sudo iptables -L
[sudo] password for ubuntu:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ubuntu at critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ubuntu at critical-maas:~$
ubuntu at critical-maas:~$ COLUMNS=150 dpkg -l |grep maas
ii maas 1.5+bzr2252-0ubuntu1 all MAAS server all-in-one metapackage
ii maas-cli 1.5+bzr2252-0ubuntu1 all MAAS command line API tool
ii maas-cluster-controller 1.5+bzr2252-0ubuntu1 all MAAS server cluster controller
ii maas-common 1.5+bzr2252-0ubuntu1 all MAAS server common files
ii maas-dhcp 1.5+bzr2252-0ubuntu1 all MAAS DHCP server
ii maas-dns 1.5+bzr2252-0ubuntu1 all MAAS DNS server
ii maas-region-controller 1.5+bzr2252-0ubuntu1 all MAAS server complete region controller
ii maas-region-controller-min 1.5+bzr2252-0ubuntu1 all MAAS Server minimum region controller
ii maas-test 0.1+bzr147+150+10~pp all Utility to test hardware compatibility with MAAS
ii python-django-maas 1.5+bzr2252-0ubuntu1 all MAAS server Django web framework
ii python-maas-client 1.5+bzr2252-0ubuntu1 all MAAS python API client
ii python-maas-provisioningserver 1.5+bzr2252-0ubuntu1 all MAAS server provisioning libraries
Now I have the server installed and try a couple things to see if my node can talk to the internet:
ubuntu at supermicro:~$ host ubuntu.com
ubuntu.com has address 91.189.94.156
ubuntu.com mail is handled by 10 mx.canonical.com.
ubuntu at supermicro:~$ sudo ping -c 10 www.ubuntu.com
PING www.ubuntu.com (91.189.89.103) 56(84) bytes of data.
--- www.ubuntu.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9071ms
I am able to install something:
ubuntu at supermicro:~$ sudo apt-get install ksh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ksh
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 1,583 kB of archives.
After this operation, 3,229 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com//ubuntu/ trusty/universe ksh amd64 93u+20120801-1 [1,583 kB]
Fetched 1,583 kB in 7s (223 kB/s)
Selecting previously unselected package ksh.
(Reading database ... 69996 files and directories currently installed.)
Preparing to unpack .../ksh_93u+20120801-1_amd64.deb ...
Unpacking ksh (93u+20120801-1) ...
Processing triggers for man-db (2.6.7.1-1) ...
Setting up ksh (93u+20120801-1) ...
update-alternatives: using /bin/ksh93 to provide /bin/ksh (ksh) in auto mode
but is that going through the squid deb proxy?
Because I am unable to manually touch archive.ubuntu.com:
--2014-04-22 18:38:29-- http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.92.200, 91.189.91.13, 91.189.91.14, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.92.200|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.13|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... failed: Connection timed out.
So now I start NAT:
ubuntu at critical-maas:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ubuntu at critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
And try again:
ubuntu at supermicro:~$ wget http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
--2014-04-22 18:46:23-- http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.14, 91.189.92.201, 91.189.92.200, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1583190 (1.5M) [application/x-debian-package]
Saving to: ‘ksh_93u+20120801-1_amd64.deb’
100%[================================================================================================>]
1,583,190 173KB/s in 5.9s
2014-04-22 18:46:29 (262 KB/s) - ‘ksh_93u+20120801-1_amd64.deb’ saved
[1583190/1583190]
et voila!
I don't have anything fancy set up here... my setup is literally:
node <--1Gb--> Cheap 8port Switch <--1Gb--> NUC <--1Gb--> Ext. LAN cheap
8 port swtich <-- 1Gb --> Gateway <--10Mb DSL --> Internet
I am not doing any weird packet filtering or other firewalling on my
external connection, nor anywhere else. Nothing sitting in a DMZ.
So my theory is that by default, I am able to install things via
archive.ubuntu and maybe even ppa.launchpad because of the deb proxy
running on the MAAS server, however, as soon as I try any other type of
request directly from the node, it fails without something like NAT on
the MAAS server to pass traffic.
** Changed in: maas (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to maas in Ubuntu.
https://bugs.launchpad.net/bugs/1304613
Title:
nodes can't get out to the internet beyond the maas server by default
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1304613/+subscriptions
More information about the Ubuntu-server-bugs
mailing list