MAAS

Peer proxy for maas-proxy

Bug #1276945 reported by Ante Karamatić
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Fix Released
Wishlist
Björn Tillenius
MAAS 2.3.0alpha1

Bug Description

Sometimes MAAS controlled nodes need to use proxy to fetch packages. This can be resolved by adding option of 'Peer cache', which would arrange squid-deb-proxy.conf to use it. Something like:

cache_peer PEER_PROXY_IP parent PEER_PROXY_PORT 0 no-query default
never_direct allow all

Related branches

lp:~bjornt/maas/peer_proxy
Mike Pontillo (community): Approve
Diff: 646 lines (+363/-16)
17 files modified
src/maasserver/api/tests/test_maas.py (+11/-0)
src/maasserver/compose_preseed.py (+2/-1)
src/maasserver/forms/settings.py (+12/-0)
src/maasserver/models/config.py (+1/-0)
src/maasserver/proxyconfig.py (+17/-0)
src/maasserver/service_monitor.py (+2/-1)
src/maasserver/tests/test_compose_preseed.py (+23/-11)
src/maasserver/tests/test_preseed.py (+36/-0)
src/maasserver/tests/test_proxyconfig.py (+68/-0)
src/maasserver/tests/test_service_monitor.py (+21/-0)
src/maasserver/triggers/system.py (+42/-0)
src/maasserver/triggers/testing.py (+14/-0)
src/maasserver/triggers/tests/test_init.py (+2/-0)
src/maasserver/triggers/tests/test_system_listener.py (+97/-1)
src/provisioningserver/templates/proxy/maas-proxy.conf.template (+4/-0)
src/provisioningserver/utils/service_monitor.py (+4/-2)
src/provisioningserver/utils/tests/test_service_monitor.py (+7/-0)
Revision history for this message
Julian Edwards (julian-edwards) wrote :

Is this a maas bug? Doesn't look like it.

Changed in maas:
status: New → Incomplete
Revision history for this message
Ante Karamatić (ivoks) wrote :

Oh, no, it's not a bug, rather a feature request. Since maas-region-controller pulls in squid-deb-proxy and uses it as a proxy, it would be nice if it could configure it. Common deployment is behind a firewall/proxy. Having a GUI option of setting proxy for MAAS's squid-deb-proxy would help a lot.

Julian Edwards (julian-edwards)
Changed in maas:
status: Incomplete → Triaged
importance: Undecided → Wishlist
Andres Rodriguez (andreserl)
Changed in maas:
milestone: none → 2.1.0
Andres Rodriguez (andreserl)
Changed in maas:
milestone: 2.1.0 → 2.1.1
Blake Rouse (blake-rouse)
Changed in maas:
milestone: 2.1.1 → 2.1.2
Andres Rodriguez (andreserl)
Changed in maas:
milestone: 2.1.2 → 2.1.3
Andres Rodriguez (andreserl)
Changed in maas:
milestone: 2.1.3 → 2.2.0
Revision history for this message
Ante Karamatić (ivoks) wrote :

Can we please have SQUID snippets? Without these we need to deploy additional squid (and turn off maas squid). All we need to be able to do is configure peer cache:

acl local-urls dstdomain .local-archive.lan
always_direct allow local-urls
cache_peer proxy.company.com parent 3128 0 default
never_direct allow all

This allows us to host local archives that are not accessible from proxy.company.com, which we *need* to use to get any other object.

Revision history for this message
Gavin Panella (allenap) wrote :

Snippets are bad for many reasons and good for few, so can we narrow this down to just the problems that need to be solved and design something around that?

My understanding is: you'd like a way to point MAAS's HTTP proxy at an upstream proxy, but with a list of exceptions, addresses that should be fetched directly by MAAS's proxy.

That should be fairly easy to accomplish, and configurable via MAAS, but it also introduces the idea of MAAS as a general purpose front-end to SQUID, and I don't think that's a road we want to travel.

We could solve this discreetly by adding "include /var/lib/maas/maas-proxy.conf.d/*.conf" to the end of the template we use to generate the proxy configuration. I haven't tried it but, supposing it works, would that be acceptable?

Revision history for this message
Ante Karamatić (ivoks) wrote : Re: [Bug 1276945] Re: Peer proxy for squid-deb-proxy

Including conf files would be excellent, yes.

On Tue, Mar 14, 2017 at 12:20 PM Gavin Panella <email address hidden>
wrote:

> Snippets are bad for many reasons and good for few, so can we narrow
> this down to just the problems that need to be solved and design
> something around that?
>
> My understanding is: you'd like a way to point MAAS's HTTP proxy at an
> upstream proxy, but with a list of exceptions, addresses that should be
> fetched directly by MAAS's proxy.
>
> That should be fairly easy to accomplish, and configurable via MAAS, but
> it also introduces the idea of MAAS as a general purpose front-end to
> SQUID, and I don't think that's a road we want to travel.
>
> We could solve this discreetly by adding "include /var/lib/maas/maas-
> proxy.conf.d/*.conf" to the end of the template we use to generate the
> proxy configuration. I haven't tried it but, supposing it works, would
> that be acceptable?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1276945
>
> Title:
> Peer proxy for squid-deb-proxy
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/maas/+bug/1276945/+subscriptions
>
--
Ante Karamatić
<email address hidden>
Canonical

Revision history for this message
Gavin Panella (allenap) wrote : Re: Peer proxy for squid-deb-proxy

> Including conf files would be excellent, yes.

Thanks.

To anyone wondering how this differs from snippets (hi, future me) there
are a few things to bear in mind:

* This will either remain undocumented or be documented with large
  warnings.

* By not providing UI or API to manipulate extra configuration we are
  signalling that this is not supported by MAAS.

* This is orders of magnitude less work.

Next we need to discuss this as a team. I doubt it'll be controversial,
but you never know. There is a risk that bugs introduced by misuse or
misconfiguration will ultimately reflect badly on MAAS and/or introduce
a support burden.

Revision history for this message
Gavin Panella (allenap) wrote :

(Where "snippets" would mean something similar to the DHCP snippets feature already in MAAS, which has UI and API support.)

Andres Rodriguez (andreserl)
Changed in maas:
milestone: 2.2.0 → 2.3.0
Revision history for this message
Mike Pontillo (mpontillo) wrote :

It seems like we should automatically configure this on the Squid proxy if the user has set up a "Proxy for APT and HTTP/HTTPS" in the global settings.

Or is there a reason that won't work?

Revision history for this message
Andres Rodriguez (andreserl) wrote : Re: [Bug 1276945] Re: Peer proxy for squid-deb-proxy

No. The user had to specifically select this and there are different
considerations. This has already been discussed before.

On Thu, Apr 27, 2017 at 7:04 PM Mike Pontillo <email address hidden>
wrote:

> It seems like we should automatically configure this on the Squid proxy
> if the user has set up a "Proxy for APT and HTTP/HTTPS" in the global
> settings.
>
> Or is there a reason that won't work?
>
> --
> You received this bug notification because you are subscribed to MAAS.
> https://bugs.launchpad.net/bugs/1276945
>
> Title:
> Peer proxy for squid-deb-proxy
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/maas/+bug/1276945/+subscriptions
>
--
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer

Andres Rodriguez (andreserl)
summary: - Peer proxy for squid-deb-proxy
+ Peer proxy for maas-proxy
Björn Tillenius (bjornt)
Changed in maas:
assignee: nobody → Björn Tillenius (bjornt)
status: Triaged → In Progress
Björn Tillenius (bjornt)
Changed in maas:
status: In Progress → Fix Committed
Andres Rodriguez (andreserl)
Changed in maas:
milestone: 2.3.0 → 2.3.0alpha1
Andres Rodriguez (andreserl)
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.