Hi Vladimir,
I would white-list at least the following:
ubuntu-cloud.archive.canonical.com - TCP/80, TCP/443
cloud-images.ubuntu.com - TCP/80, TCP/443
keyserver.ubuntu.com - TCP/80, TCP/11371
archive.ubuntu.com - TCP/80, TCP/443
launchpad.net - TCP/22, TCP/80, TCP/443
launchpadlibrarian.net - TCP/80, TCP/443
jujucharms.com - TCP/80, TCP/443
entropy.ubuntu.com - TCP/443
streams.canonical.com - TCP/80, TCP/443
Also:
access to internal NTP server or access to ntp.ubuntu.com - UDP/123, TCP/123
access to internal DNS server or access to root DNS servers - UDP/53
If anything snap-related is used, it might be harder as multiple backend
instances are used judging by an strace of snapd.
nslookup search.apps.ubuntu.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: search.apps.ubuntu.com
Address: 162.213.33.196
Name: search.apps.ubuntu.com
Address: 162.213.33.200
nslookup public.apps.ubuntu.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: public.apps.ubuntu.com
Address: 162.213.33.91
Name: public.apps.ubuntu.com
Address: 162.213.33.92
During the installation of a snap a bunch of other addresses are used:
69.88.149.x
RDNS for all of them points to cdce.ams002.internap.com which seems to be a
CDN provider's name (DNS load-balancing).
nslookup cdce.ams002.internap.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: cdce.ams002.internap.com
Address: 69.88.149.137
Name: cdce.ams002.internap.com
Address: 69.88.149.141
Name: cdce.ams002.internap.com
Address: 69.88.149.135
Name: cdce.ams002.internap.com
Address: 69.88.149.138
Name: cdce.ams002.internap.com
Address: 69.88.149.136
Name: cdce.ams002.internap.com
Address: 69.88.149.140
Name: cdce.ams002.internap.com
Address: 69.88.149.142
Name: cdce.ams002.internap.com
Address: 69.88.149.139
You can get those by running something like the following with `snap
install` or `snap find` commands in parallel:
sudo strace -f -s512 -p `pgrep -f snapd` |& grep -i 'connect'
[pid 24765] connect(11, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("69.88.149.138")}, 16) = 0
[pid 24765] connect(11, {sa_family=AF_INET, sin_port=htons(443),
sin_addr=inet_addr("69.88.149.139")}, 16 <unfinished ...>
I'd start with those but there might be others depending on which charms
you use (some non-core charms require external repositories so additional
addresses might need to be white-listed).
Best Regards,
Dmitrii Shcherbakov
Field Software Engineer
IRC (freenode): Dmitrii-Sh
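As an added example (not part of the original thread), a small Python script that turns strace connect() lines of the shape shown above into a de-duplicated destination list and flags anything outside an allow-list; the sample strace text, the /24 ranges and the 203.0.113.7 entry are constructed assumptions, not values from the thread.

```python
import re
import ipaddress

# Constructed sample strace output, one connect() call per line (the shape
# shown in the message above; the extra 203.0.113.7 line is made up).
SAMPLE_STRACE = """\
[pid 24765] connect(11, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("69.88.149.138")}, 16) = 0
[pid 24765] connect(11, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("69.88.149.139")}, 16 <unfinished ...>
[pid 24765] connect(12, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("162.213.33.91")}, 16) = 0
[pid 24770] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid 24770] connect(9, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
"""

CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}'
)


def parse_connects(strace_text):
    """Return the sorted unique (ip, port) pairs seen in AF_INET connect() calls.

    Port 0 entries are dropped: they carry no destination port a firewall rule
    could use. Loopback targets (the local stub resolver on 127.0.0.53) are
    dropped too, since they never leave the host.
    """
    seen = set()
    for m in CONNECT_RE.finditer(strace_text):
        port, ip = int(m.group(1)), m.group(2)
        if port == 0 or ipaddress.ip_address(ip).is_loopback:
            continue
        seen.add((ip, port))
    return sorted(seen, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


# Hypothetical allow-list (assumption): the snap store and CDN addresses seen
# in the message, widened to /24, on TCP/443 only.
ALLOWED = [("162.213.33.0/24", {443}), ("69.88.149.0/24", {443})]


def unexpected(pairs, allowed=ALLOWED):
    """Return the (ip, port) pairs not covered by any allow-list entry."""
    nets = [(ipaddress.ip_network(cidr), ports) for cidr, ports in allowed]
    return [(ip, port) for ip, port in pairs
            if not any(ipaddress.ip_address(ip) in net and port in ports
                       for net, ports in nets)]


if __name__ == "__main__":
    pairs = parse_connects(SAMPLE_STRACE)
    for ip, port in pairs:
        print(f"{ip}:{port}")
    print("not in allow-list:", unexpected(pairs))
```

Feed it real `strace -f` output instead of the sample to produce the list of destinations to review with the security team.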
On Tue, Mar 28, 2017 at 4:40 PM, Vladimir Burlakov <[email protected]> wrote:
> Hello guys,
> I wonder if you can tell me whether there is any way to get a list of domains
> (urls) where maas/juju get OS images, services etc. by default.., I
> mean something like a "whitelist"..
> Right now I'm in the process of getting this from our firewall, but maybe such a
> list is already there..
> It's just that in our environment we have some security restrictions, and we
> should provide a white list to our security team..
>
> Thanks,
> Vladimir
>
> On 21 Feb 2017, at 4:49, Menno Smits <[email protected]>
> wrote:
>
> On 10 February 2017 at 19:07, Mark Shuttleworth <[email protected]> wrote:
>
>> On 09/02/17 12:27, Vladimir Burlakov wrote:
>> > Hi Guys,
>> > Thank you a lot, it worked, you really helped me. :) As my
>> > friend said: "community is the power!"
>>
>> :)
>>
>> Welcome aboard, Vladimir!
>>
>> One question - are we good about passing this proxy information on to
>> the various machines that get spun up? Ubuntu, CentOS, Windows etc all
>> have ways to use proxy info, and I'm interested in whether we rigorously
>> pass this to them via cloud-init.
>>
>
> Proxy information is passed to cloud-init for Ubuntu and CentOS machines
> but doesn't appear to be used for Windows machines. I've filed this ticket
> regarding that: https://bugs.launchpad.net/juju/+bug/1666351
>
> It's also worth noting that we recently identified and fixed a
> long-standing issue with respect to handling of proxy configuration. In
> Juju versions before 2.1-rc2 it was possible for the intended proxy
> configuration to sometimes not be in place due to the way that Go handles
> the various proxy environment variables. See
> https://bugs.launchpad.net/juju/+bug/1654591
>
> - Menno
--
Juju mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/juju