Air-gapped MAAS

Docs
1

Many MAAS users maintain their data centres in an air-gapped environment that does not have an external Internet connection. MAAS runs well in this configuration, though keeping MAAS supplied with updates and images requires a bit of extra effort.

There are essentially four things that must be available to an air-gapped MAAS for smooth operation:

  1. Snap updates (via the snap proxy)
  2. Packages (via a local repo, possibly with a transparent proxy)
  3. MAAS-maintained images (via local mirror, possibly with a transparent proxy)
  4. Other OS images (various methods)

There is at least one way to make each of these things available in an air-gapped environment. Some of these can be set up to use a transparent proxy, which minimises changes to other components of the MAAS environment.

This article will help you learn:

About the snap proxy

Using snaps in an air-gapped environment is possible with the Snap Store Proxy, which can be deployed in networks that are disconnected from the Internet. Currently, the features required to use this proxy in an air-gapped mode are part of a password-protected internal Beta.

Client devices connect to the air-gapped proxy and never contact the general Snap Store nor the Internet. Proxy operators will need to side-load all needed snaps and updates into the proxy. To use this proxy, you must:

  1. Register an offline Snap Store Proxy on an Internet-connected machine.
  2. Set up HTTPS access to ensure adequate security.
  3. Fetch the necessary snaps as needed by your MAAS environment (on the Internet-connected machine).

This proxy requires a properly configured PostgreSQL database – see the setup instructions for the Snap Store Proxy for more details.

About air-gapped package updates

The simplest way to use local package repos is via the reprepro command. There is an older command, apt-mirror, which is no longer maintained; it’s not recommended.

The reprepro command manages a local repository of Debian packages. You can add files manually or download them from some other repository. It does not require an external database. This command also handles signatures of mirrored repos, and can create signatures for the generated package indices, if desired.

You may wish to create a transparent proxy to make using your local repo easier.

About local image mirroring

MAAS has an established process for mirroring images locally. In general, you must:

  1. Install the simplestreams package.
  2. Define some variables to simplify CLI usage.
  3. Create the desired mirrors, specifying where you want your images stored.
  4. Set up a new boot source on your local server, referring to the local mirror.

See the local image mirror for details. Note that you can use the menu at the top of that page to switch to specific instructions for the version, build-type, and interface you prefer.

About non-MAAS images

MAAS allows you to deploy many types of OSes, and, once deployed, install specific software. MAAS can configure a user specified repository for Ubuntu, so a user can mirror the Ubuntu apt repositories and point MAAS at those repos. When Ubuntu deploys apt will automatically be configured to use the user defined apt mirrors.

MAAS only does this for Ubuntu, not CentOS or RHEL. If you deploy CentOS or RHEL with MAAS, the repos that built the image will be deployed. But this won’t work in an air -gapped environment. To access non-MAAS-maintained images in an air-gapped environment, you will need to use one of two methods:

  • Use user_data. A user can create custom user_data which will configure CentOS or RHEL to use a specific mirror. Check out the machine customisation page for details on how to make this work.

  • Create custom images and store them in your local mirror. You can also create custom images and store them in your local mirror. Once you have the image built, consult the page on local image mirrors to see how to incorporate your newly-built image into the local stash.

About transparent proxies

If you don’t wish to disturb the default configurations for Ubuntu and MAAS, you can create a transparent proxy for Debian packages and images, via the following general steps:

  1. Configure Ubuntu to get packages via HTTP.
  2. Configure MAAS to get packages via HTTP.
  3. Create a local mirror repo for archive.ubuntu.com.
  4. Create a local image mirror for images.maas.io.
  5. Configure DNS to point to the local mirrors for both of those URLs.

This avoids any need to change the default settings for MAAS or Ubuntu.

2

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.