MaaS behind firewall with no egress - suggestions to make work

We’re setting up maas behind a FW with no egress to the Internet. This is an interesting thing which is a requirement for this project I’m currently on.

The immediate issues I’ve observed from maas here are:

  1. ntp is blocked (low risk – fix by setting up internal ntp or open fw to allow ntp)
     • this doesn’t block a machine deployment
  2. apt update during deployment of custom image (high risk)
     • this blocks by way of deployed machines timing out while waiting to ignore apt updates.
     • attempted to turn off apt updates by editing curtin_userdata on maas controller. No dice.
     • so far, I have not found a way around this yet.
  3. TBD

The question I have right now is how to get past bullet #2. We could set up an internal apt repo, but I’d really like to not have to do that. How do we turn off apt for OS deployment (Ubuntu)?

Access to the Ubuntu repositories is required for MAAS. The tools used to gather commissioning data, run tests, and finalize Ubuntu installations all require access to apt. You can configure MAAS to use a local apt mirror so MAAS does not require an Internet connection. MAAS does not require that mirror to ever be updated, but be aware you will not receive security updates without updating the mirror and MAAS images.

I figured as much but attempts at getting boot stages to properly point to the internal repo have been futile. Does documentation exist for maas for this topic?

Yes, see package repositories.

This is great. It just barely misses the mark, unfortunately. It seems there’s no way to disable the default repos. Given our maas is behind a FW which blocks egress requests, machines that boot and attempt to apt up* time out very slowly, causing the deployment to fail as maas doesn’t get a response from the newly deployed machine fast enough to continue the deployment process.

It would be amazing if we could disable default repos and use our internal repo exclusively.

As long as you have a mirror of the default repos you can edit and replace the ones pointing to archive.ubuntu.com with your own. Once you do that MAAS should be able to run completely isolated from the Internet.

1 Like
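An added example, not part of the thread or of MAAS itself: a small check that audits a deployed machine's `sources.list` content and reports any entry that still points outside the internal mirror, which is the condition that causes the slow apt timeouts described above. The mirror hostname `mirror.internal.example`, the sample file content and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: sources.list content from a hypothetical deployed machine.
SAMPLE_SOURCES = """\
# main archive replaced with the internal mirror
deb http://mirror.internal.example/ubuntu jammy main restricted universe
deb [arch=amd64 signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] http://mirror.internal.example/ubuntu jammy-updates main
deb http://security.ubuntu.com/ubuntu jammy-security main
deb-src http://archive.ubuntu.com/ubuntu jammy main
"""

# One-line-style entry: type, optional [options], URI, suite (components ignored).
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def external_sources(text, allowed_hosts):
    """Return (line_no, host, suite) for each entry whose host is not allowed."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        match = ENTRY.match(line)
        if not match:
            continue
        uri, suite = match.group(2), match.group(3)
        host = urlparse(uri).hostname
        # Local file: URIs have no hostname and need no network access.
        if host is not None and host.lower() not in allowed:
            findings.append((line_no, host, suite))
    return findings


if __name__ == "__main__":
    # Hypothetical internal mirror hostname; replace with your own.
    for line_no, host, suite in external_sources(
        SAMPLE_SOURCES, {"mirror.internal.example"}
    ):
        print(f"line {line_no}: {suite} still points at {host}")
```

Running it against the files under `/etc/apt/` on a test deployment shows which default entries survived the repository change before a full rollout hits the firewall.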