MAAS has no way to set a global, upstream proxy

Bug #1904064 reported by Jeff Lane 
This bug affects 1 person
Affects: MAAS
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

So it seems that while I can set a proxy in MAAS, that proxy only applies to snap and apt; it does not set a proxy for other things like non-apt/snap http/https/ftp/sftp requests.

Use case: In my DC Lab, I need to be able to set an internal IS proxy so I can pull packages from external sites via http/https. Locally, I can manually export http_proxy and https_proxy and that allows my node to reach through that upstream proxy to make those requests.

But this becomes problematic in that I need to have this set on EVERY deployment, and I shouldn't have to do something like this by hand every time; that kinda moots the biggest advantage to MAAS in the first place.

Additionally, this falls apart when MAAS provides its own proxy because that ignores the proxy I had to set on the SUT:

1: SUT has http_proxy and https_proxy set to external proxy
2: MAAS has own internal proxy running
3: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
    sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

These steps fail because while the curl works, the add-apt-repository fails because once a-a-r does an apt update, the maas internal proxy takes over and fails since the maas-internal proxy can't reach docker.com.

So now I must not only export the proxy on my SUT locally, by hand after every deployment, but I must also tell MAAS to use that proxy for apt as well so things I do later don't fail because the MAAS internal proxy is different.

It's a bit of a mess, it seems.

At the very least MAAS itself should have a mechanism for setting an external proxy for nodes repeatably.

In my particular configuration, all nodes have 1 NIC that has an externally accessible address and all remaining NICs are on a non-routed MAAS only data network, fwiw.

Lee Trager (ltrager) wrote :

As you mentioned, MAAS only sets the proxy for apt/snap. My understanding is that this was done because we have users who need to use a proxy for apt/snap but don't want to use a proxy for other traffic. This has come up in LP:1900822 for the ephemeral environment.

I think we should solve this with a new global config option, set_proxy_globally. We should be able to use Curtin to apply this[1].

[1] https://curtin.readthedocs.io/en/latest/topics/config.html?highlight=proxy#proxy

Lee Trager (ltrager)
Changed in maas:
milestone: none → 2.9.x
status: New → Triaged
importance: Undecided → Medium
Changed in maas:
milestone: 2.9.2 → 2.9.x
Changed in maas:
milestone: 2.9.x → none
Jerzy Husakowski (jhusakowski) wrote :

Proxy for deployed nodes can be set via cloud-init. Proxy configurations differ between data centres; there's no good default that will satisfy all use cases.

Changed in maas:
status: Triaged → Invalid
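
One way to do what the comment above describes, as an added example that is not from the bug report or the MAAS project: cloud-init user data that sets the general-purpose proxy variables on a deployed node. The proxy and MAAS host names are constructed placeholders, and the apt/snap proxy is left to the MAAS setting discussed in this thread.

```yaml
#cloud-config
# Added example, not from the bug report. proxy.example.internal:3128 and
# maas.example.internal are constructed placeholders; substitute your own.
write_files:
  # /etc/environment is read by pam_env at login, so the variables reach
  # shells and tools such as curl without a manual export on each node.
  # Do not embed proxy credentials here: the file is world-readable.
  - path: /etc/environment
    append: true   # keep the PATH line the image already ships
    content: |
      http_proxy=http://proxy.example.internal:3128
      https_proxy=http://proxy.example.internal:3128
      HTTP_PROXY=http://proxy.example.internal:3128
      HTTPS_PROXY=http://proxy.example.internal:3128
      no_proxy=localhost,127.0.0.1,maas.example.internal
      NO_PROXY=localhost,127.0.0.1,maas.example.internal
runcmd:
  # Record what the node ended up with, so the egress path can be
  # checked after deployment instead of assumed.
  - [sh, -c, "grep -i _proxy /etc/environment > /var/log/proxy-env.log"]
```

Supplied as user data at deploy time, this replaces the per-deployment manual export described in the report; the no_proxy entry for the MAAS host is an assumption meant to keep node-to-MAAS traffic off the external proxy.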
Jeff Lane  (bladernr) wrote :

Sorry maybe I misunderstand...

I can go into MAAS and tell everything to use a built in MAAS proxy for APT usage, or an "external" proxy for APT usage...

e.g.: http://IPADDR:5240/MAAS/r/settings/network/proxy

So does "External" on that page set a global (e.g. whole DC) upstream proxy server for egress, or only for APT?

The docs now seem to be saying that "External" does, indeed, set an upstream proxy for an entire DC:

https://maas.io/docs/how-to-connect-maas-networks#heading--how-to-manage-proxies

So perhaps it already does this and I misunderstood the Proxy setting, thinking it was for specifically an APT Cache.
