squid-deb-proxy returns 403 when admin configures a custom APT archive

Bug #1300266 reported by Rod Smith
This bug affects 5 people
Affects: MAAS
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

When MAAS is configured (via the http://{maasserver}/MAAS/settings/ page) to use anything but an APT repository that squid-deb-proxy recognizes as a valid destination, starting a node will fail with 403 errors. (Starting becomes possible using the fastpath installer, but thereafter 403 errors occur when doing an "apt-get update".) The specific use case in which I encountered this bug was when using a local APT mirror on the MAAS server computer, but I expect the same would be true with any other mirror that's not listed as an acceptable destination in /etc/squid-deb-proxy/mirror-dstdomain.acl or the files in /etc/squid-deb-proxy/mirror-dstdomain.acl.d/.

Adding the IP address or hostname of the non-standard repository to /usr/share/maas/conf/99-maas, which is symlinked to /etc/squid-deb-proxy/mirror-dstdomain.acl.d/99-maas, or to any other file in that directory, works around this problem.

Note that this bug has similar symptoms to bug 1297008, but the two bugs are independent of one another; it's necessary to fix both problems to get things working adequately in some scenarios.

Julian Edwards (julian-edwards) wrote :

> anything but an APT repository
and
> squid-*deb*-proxy

This proxy is not meant for general use like that, you should set up a different one. The setting in MAAS is meant to be pointed at corporate proxies and the like.

Changed in maas:
status: New → Won't Fix
Rod Smith (rodsmith) wrote :

MAAS sets up and configures squid-deb-proxy automatically, so switching to another proxy server is not a practical solution.

Rod Smith (rodsmith) wrote :

Note that the use *IS* pointing at an APT repository -- it's just not one on the squid-deb-proxy list of approved mirrors.

Julian Edwards (julian-edwards) wrote :

Apologies, I think I was a bit hasty in marking this bug; I misunderstood what you were trying to say because the title of the bug states the desired solution rather than the actual problem (I'll change it after I post this comment).

So I think the bug here is that the proxy continues to be used when a specialised archive is configured. The way to fix that is to bypass the proxy in this case.

summary: - MAAS should configure itself as acceptable destination domain for squid-
- deb-proxy
+ squid-deb-proxy returns 403 when admin configures a custom APT archive
Changed in maas:
status: Won't Fix → Triaged
importance: Undecided → High
Julian Edwards (julian-edwards) wrote :

(I should say, bypass the *default* proxy, unless someone configures a custom proxy)

Stefan Alfredsson (alfs) wrote :

I'm bitten by this too.

I configured http://ftp.se.debian.org/ubuntu/ as the local archive (which, btw, is the same host as se.archive.ubuntu.com), and then spent many hours trying to figure out why I got "Bad archive mirror" errors in failed nodes.
Virtual console 4 just reported that it was running wget ..., and there was a 403 Forbidden error. Running manually it worked fine. This was before I found out there was an automatic cache involved in the path.

Anyway.

> The way to fix that is to bypass the proxy in this case.

Would not a better fix be to add the custom archive domain to the acl?
When an archive is configured in the MAAS settings, put the archive domain in a file in
/etc/squid-deb-proxy/mirror-dstdomain.acl.d, or have it symlinked to /usr/share/maas/conf/ like the 99-maas config
(and restart the proxy service to regenerate config files).

It could also be nice to include a checkbox to let the admin choose if caching for the archive should be enabled or not, instead of implicitly set depending on custom/default archives.
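
The allowlist check behind the 403, as an added example that is not part of the original thread or of MAAS or squid-deb-proxy code: it applies squid's dstdomain matching rule (assumed from the mirror-dstdomain.acl file names) to an archive URL and reports the exact host that would have to be added. The ACL contents are a constructed sample, and `parse_acl`, `host_allowed`, `check_archive` and `missing_entry` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Constructed sample in the mirror-dstdomain.acl format (one destination
# per line, '#' starts a comment); not copied from a real system.
SAMPLE_ACL = """\
# default ubuntu and ubuntu country archive mirrors
.archive.ubuntu.com
ports.ubuntu.com
security.ubuntu.com
"""

def parse_acl(text):
    """Return the destination entries of one ACL file, lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries

def host_allowed(host, entries):
    """dstdomain rule: '.example.com' covers the domain and its subdomains;
    an entry without a leading dot must match the host exactly."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def check_archive(url, acl_texts):
    """Return (host, allowed) for an archive URL against all ACL files."""
    host = urlsplit(url).hostname or ""
    entries = [e for text in acl_texts for e in parse_acl(text)]
    return host, host_allowed(host, entries)

def missing_entry(url, acl_texts):
    """Exact-host line to add under mirror-dstdomain.acl.d, or None."""
    host, allowed = check_archive(url, acl_texts)
    return None if allowed or not host else host

if __name__ == "__main__":
    for url in ("http://se.archive.ubuntu.com/ubuntu/",
                "http://ftp.se.debian.org/ubuntu/"):
        print(url, check_archive(url, [SAMPLE_ACL]),
              missing_entry(url, [SAMPLE_ACL]))
```

The check is on the name in the request, so two names for the same server are treated independently; adding the exact host rather than a leading-dot entry keeps the allowlist as narrow as it was.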

James Troup (elmo)
tags: added: canonical-is
Changed in maas:
milestone: none → 14.10
Changed in maas:
milestone: 1.6.0 → none
Jeff Lane (bladernr) wrote :

This is still present in 1.5.4. I am pretty sure this was fixed in 1.7, but not positive. Any chance this can/will be fixed for 1.5.4??

Rod Smith (rodsmith) wrote :

MAAS 1.7 no longer uses squid-deb-proxy, so it's no longer an issue there. A fix for 1.5.x would still be desirable.

Blake Rouse (blake-rouse) wrote :

Marking this fixed released since this is fixed in 1.7 and 1.7 is in proposed for trusty.

Changed in maas:
status: Triaged → Fix Released
James Hebden (ec0)
tags: added: canonical-bootstack