Hi Julian,

I've got several MAAS servers that seem to suffer the same fate,
depending on what your definition of "Access the internet" is.

We first saw this at the Orange Box sprint in London where nodes could
be deployed via d-i which was pulling packages from MAAS's
squid-deb-proxy, IIRC, however they couldn't pull packages afterwards from
ppa.launchpad.net or "the internet" in general (e.g. I couldn't ssh to a
node and then wget a file from somewhere else).

A good example of this was when we tried using juju to deploy certain
charms that pull from places like github, the charms would fail because
those sites were unreachable from the node itself (but not from the MAAS
Server).  So we configured NAT to allow the nodes to pass through to the
internet to reach "anywhere".

In our immediate case with certification, we have several NUCs that are
configured as MAAS servers for deploying both the OS and certification
tools.

So here is IP Tables after a fresh reboot of my NUC running the latest 14.04 
MAAS:
ubuntu@critical-maas:~$ sudo iptables -L
[sudo] password for ubuntu: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
ubuntu@critical-maas:~$ 
ubuntu@critical-maas:~$ COLUMNS=150 dpkg -l |grep maas
ii  maas                            1.5+bzr2252-0ubuntu1 all                  MAAS server all-in-one metapackage
ii  maas-cli                        1.5+bzr2252-0ubuntu1 all                  MAAS command line API tool
ii  maas-cluster-controller         1.5+bzr2252-0ubuntu1 all                  MAAS server cluster controller
ii  maas-common                     1.5+bzr2252-0ubuntu1 all                  MAAS server common files
ii  maas-dhcp                       1.5+bzr2252-0ubuntu1 all                  MAAS DHCP server
ii  maas-dns                        1.5+bzr2252-0ubuntu1 all                  MAAS DNS server
ii  maas-region-controller          1.5+bzr2252-0ubuntu1 all                  MAAS server complete region controller
ii  maas-region-controller-min      1.5+bzr2252-0ubuntu1 all                  MAAS Server minimum region controller
ii  maas-test                       0.1+bzr147+150+10~pp all                  Utility to test hardware compatibility with MAAS
ii  python-django-maas              1.5+bzr2252-0ubuntu1 all                  MAAS server Django web framework
ii  python-maas-client              1.5+bzr2252-0ubuntu1 all                  MAAS python API client
ii  python-maas-provisioningserver  1.5+bzr2252-0ubuntu1 all                  MAAS server provisioning libraries

Now I have the server installed and try a couple things to see if my node can 
talk to the internet:
ubuntu@supermicro:~$ host ubuntu.com
ubuntu.com has address 91.189.94.156
ubuntu.com mail is handled by 10 mx.canonical.com.

ubuntu@supermicro:~$ sudo ping -c 10 www.ubuntu.com
PING www.ubuntu.com (91.189.89.103) 56(84) bytes of data.

--- www.ubuntu.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9071ms

I am able to install something:
ubuntu@supermicro:~$ sudo apt-get install ksh
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ksh
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 1,583 kB of archives.
After this operation, 3,229 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com//ubuntu/ trusty/universe ksh amd64 93u+20120801-1 [1,583 kB]
Fetched 1,583 kB in 7s (223 kB/s)
Selecting previously unselected package ksh.
(Reading database ... 69996 files and directories currently installed.)
Preparing to unpack .../ksh_93u+20120801-1_amd64.deb ...
Unpacking ksh (93u+20120801-1) ...
Processing triggers for man-db (2.6.7.1-1) ...
Setting up ksh (93u+20120801-1) ...
update-alternatives: using /bin/ksh93 to provide /bin/ksh (ksh) in auto mode

but is that going through the squid deb proxy?

Because I am unable to manually touch archive.ubuntu.com:
--2014-04-22 18:38:29--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.92.200, 91.189.91.13, 91.189.91.14, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.92.200|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.13|:80... failed: Connection timed out.
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... failed: Connection timed out.

So now I start NAT:
ubuntu@critical-maas:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ubuntu@critical-maas:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere      

And try again:
ubuntu@supermicro:~$ wget http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
--2014-04-22 18:46:23--  http://archive.ubuntu.com/ubuntu/pool/universe/k/ksh/ksh_93u+20120801-1_amd64.deb
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.14, 91.189.92.201, 91.189.92.200, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1583190 (1.5M) [application/x-debian-package]
Saving to: ‘ksh_93u+20120801-1_amd64.deb’

100%[================================================================================================>] 1,583,190    173KB/s   in 5.9s

2014-04-22 18:46:29 (262 KB/s) - ‘ksh_93u+20120801-1_amd64.deb’ saved [1583190/1583190]

et voila!

I don't have anything fancy set up here... my setup is literally:

node <--1Gb--> Cheap 8port Switch <--1Gb--> NUC <--1Gb--> Ext. LAN cheap
8 port switch <-- 1Gb --> Gateway <--10Mb DSL --> Internet

I am not doing any weird packet filtering or other firewalling on my
external connection, nor anywhere else.  Nothing sitting in a DMZ.

So my theory is that by default, I am able to install things via
archive.ubuntu and maybe even ppa.launchpad because of the deb proxy
running on the MAAS server, however, as soon as I try any other type of
request directly from the node, it fails without something like NAT on
the MAAS server to pass traffic.

** Changed in: maas (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1304613

Title:
  nodes can't get out to the internet beyond the maas server by default
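
Added example, not part of the bug comment or of MAAS: `iptables -L` without `-v` does not print interface matches, so the "anywhere / anywhere" listings above cannot show whether the NAT rules are limited to the node network. The script below audits `iptables-save` output instead; both rulesets, the 10.0.0.0/24 node subnet and the eth0/eth1 interface names are constructed assumptions.

```shell
# audit_nat: read `iptables-save` text on stdin, print one finding per line.
# Exit status: 0 = no warnings, 1 = at least one WARN line.
audit_nat() {
    awk '
    /^\*/ { table = substr($0, 2); next }            # table header: *nat, *filter
    table == "nat" && $2 == "POSTROUTING" && /-j (MASQUERADE|SNAT)/ {
        nat = 1
        if ($0 ~ / -s / || $0 ~ / -o /) print "OK   scoped source NAT: " $0
        else { warn = 1; print "WARN unscoped source NAT: " $0 }
    }
    table == "filter" && $2 == "FORWARD" && /-j ACCEPT/ {
        # A rule with no interface, address or conntrack match forwards everything.
        if ($0 !~ / -[iosd] / && $0 !~ /--(ct)?state /) {
            warn = 1; print "WARN FORWARD accepts any packet: " $0
        }
    }
    END {
        if (!nat) print "INFO no MASQUERADE/SNAT rule in nat POSTROUTING"
        exit warn + 0
    }'
}

# Constructed sample: unscoped rules, which `iptables -L` shows as anywhere/anywhere.
sample_unscoped() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
EOF
}

# Constructed sample: NAT limited to the assumed node subnet (eth1 in, eth0 out).
sample_scoped() {
    cat <<'EOF'
*nat
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}
```

On a real gateway the input would come from `sudo iptables-save | audit_nat`.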
