MAAS enlistment fails when region is behind a NAT

Hi Scott,

IIRC, enlistment would always use the IP address of rackd.conf maas_url field. If this one was set to localhost, MAAS would use the IP of maas_url on regiond.conf. This typically means both region and rack are in the same machine.

The bugfix you referenced, should fix situations which rackd.conf is set as localhost but we know that the machine pxe booted from an IP, and instead of blindly giving the IP of maas_url on reiond.conf, we give the right IP address of the region controller. That said, if rackd.conf has a proper maas_url, it will use that instead.

Now, if you hit the metadata directly with curl it may not give you the information you are looking for. So, to better debut this, can you also attach:

1. Rackd.conf
2. A console log when the machine is pxe booting of MAAS (which would give the kernel parameters) or the kernel log of the ephemeral environment which should also contain the Params.

Can you be more specific about what you mean by "no longer allows explicit configuration of the metadata_url used for cloud-init"? Where were you configuring this before?

The branch you referenced fixed a bug that caused incorrect source address selection, but it does not prevent a MAAS admin for defining the `maas_url` in the rackd.conf file; rather, it intentionally preserves that behavior.

That is, you should be able to edit `/etc/maas/rackd.conf` and define `maas_url: <your-desired-url>`, and the region will use that URL when hosts boot from that rack controller. (If you have done that and it still doesn't work, then this bug is valid and should be fixed, but it's not clear to me from the bug description.)

In `src/maasserver/server_address.py` you can see that `get_maas_facing_server_host(...)` checks if `rack_controller.url` is defined and uses that as a first-priority rather than the new `default_region_ip` determined by source address selection.

By the way, a couple other points:

 - You can also configure the URL by running `sudo dpkg-reconfigure -plow maas-rack-controller`.
 - You must restart the maas-rackd service after configuring the URL for the region to recognize the URL. (If you use `dpkg-reconfigure`, this should happen automatically.)

This issue separate from anything in rackd as far as I can tell. The initial URL given to cloud-init is correct and used for the 'get_enlist_preseed' operation. In the response to this call the metadata server provides another url as 'metadata_url' and this is where the issue lies. We previously (MaaS 2.2) were specifying this by shoving in an explicit IP-based URL in /etc/maas/regiond.conf:maas_url. That value is now ignored in favor of the results of inspecting the route table. I can look into the dpkg-reconfigure option at some point.

@Scott,

For us to be able to better debug this issue, can you please share your rackd.conf or confirm the value /etc/maas/rackd.conf:maas_url of the rack controller the machine is pxe booting from? Again, if it is set to localhost it a single region/rack controller, and this is the only time MAAS should fallback to the value of /etc/maas/regiond.conf:maas_url.

There should not be any situation in which a split rack controller that points to the IP of the region, would fallback to the IP /etc/maas/regiond.conf:maas_url, provided that MAAS would give the IP of the region specified in /etc/maas/rackd.conf:maas_url.

Known how the rack controller is configured will let us determine where the issue could be, because what I'm thinking is happening, is that when the node access the metadata, it doesn't really know which rack it pxe booted from and tries to obtain the best address instead of falling back to /etc/maas/regiond.conf:maas_url. However, depending on how the rack is configure is that we see such behavior.

It is the same as regiond.conf

root@node1:/# cat /etc/maas/rackd.conf
cluster_uuid: 422cc156-d4e5-43a6-b200-2507c3e7ec37
maas_url: http://172.24.1.100:31900/MAAS

This patch is our current workaround and solves the problem in our environment:

https://review.gerrithub.io/#/c/394591/3/images/maas-region-controller/2.3_nat_fix.patch

Thanks for posting your workaround for this. I'll think about if we can do a more general fix for this. Right now I'm leaning toward a configuration option, but we'll try to avoid that if possible. The original fix is a great help for most customers setting up MAAS, since the default URL chosen for the configuration file is arbitrary and often incorrect or unreachable.

After looking closer at this, it seems the best way to fix this may be to make use of the 'Host' header. That is, if the HTTP request included a 'Host' header, then rather than trying to guess what the best IP address is, we already know how the client reached the metadata server. This way, the URL stays consistent no matter what.

@mpontillo I believe the Host header solution would work in our environment, good idea.

I've got a branch in-progress that should fix this in the correct way; if you'd like to test it early, I've posted it here:

https://code.launchpad.net/~mpontillo/maas/+git/maas/+merge/336152

Unit test updates are necessary (and code review/approvals) are required before it can land and be backported.

I'll try to get a test with this. I'm tracing some code around building the APT proxy URL and not sure if it might suffer some of the same issues. Unrelated, but would be nice to make the maas-proxy port configurable.

Were you able to get a test run with this fix? We've landed it now, so I hope this will work for you.