Copyright @ Lenovo US

    Canonical MAAS is a deployment tool that can give a bare metal life by putting an OS on it. Working together with Juju, they can setup a cluster of applications quite quickly. Think of them as a package manage like Ubuntu's apt-get, but in the context of a cloud. Interesting.

    This article shows how to setup a virtual lab so one can play with these two tools and get a sense of what they do. The whole setup is based on Virtualbox. One thing I found out the hard way is that despite their nice looking website and rather recent project history, there is no single document that can bring this environment live from A to Z. All official documents have out-of-date commands here and there which made following them useless. I consulted countless blogs, posts, chasing down bugs (or I thought they were bugs), and finally when everything works, it became so obvious and simple. Hopefully this article will shorten this journey for readers and they can have this environment easily.

    Baseline environment

    Virtualbox 5.1.10 and its extension pack. I could not verify why this particular version worked. I had 5.1.8 and the first successful trial occurred after I upgraded to 5.1.10. Was that a coincidence? Without being able to reproduce this, I am merely documenting what I have.

    Network topology

    Getting network configurations right is the key for success. The biggest gotcha is that MAAS server must be the DHCP server on its managing subnet! The official document talks about "if there is an existing DHCP, points it to the MAAS server", huh? I never figured that out, so don't listen to that.

    There will be two VMs and one internal network, intnet1.

    1. VM #1: is the MAAS server. Use Xenial 16.04 desktop image.
    2. VM #2: is an emulated BM.
    3. intnet1: is a subnet (192.168.8.0/24) that MAAS server will live together with its managed nodes (I call them targets).
    MAAS Virtualbox lab networking topology

    Setup instructions

    Personally I dislike those step-by-step instructions because first of all, it is intimidating; secondly, each environment is a bit different, so how confident user will feel to duplicate other's success? Not much. I'll explain thoughts and lessons learned along the way. I think that is more useful even from the point that Google may pick up a few words here and will help others if they search.

    Install MAAS server, admin account, subnet

    MAAS server uses Ubuntu 16.04 Xenial image. Setup the networking to have two interfaces — one uses default NAT so you have internet access, while the other uses Internal Network with name intnet1.

    Defining the subnet managed by MAAS server is the most imporant step in MAAS configuration.

    1. Config subnet intnet1. Define it as 192.168.8.x (This is completly arbitrary. Use whatever network range you want to use). Use ifconfig to find out interface name that corresponds to intnet1 (a clue: the one that has no IP assigned):

      ```shell
      $ nano /etc/network/interfaces
      
      auto enp0s9
      iface enp0s9 inet static
      address 192.168.8.1
      netmask 255.255.255.0
      gateway 192.168.8.1 # this will be setup in MAAS as default gateway!
      ```
      

      At Virtualbox level we have added an interface to this VM using Internal Network, we need then define this network in VM. Also, defining this before installing MAAS will have MAAS installer pick up this subnet automatically so to save some manual work down the road.

    2. Install MAAS is simple. Don't bother with other methods.

      ```shell
      sudo add-apt-repository ppa:maas/stable
      sudo apt update
      sudo apt install maas
      ```
      
    3. Create MAAS admin:

      ```shell
      sudo maas createadmin
      ```
      
    4. Create SSH key and copy content from ~/.ssh/id_rsa.pub:

      ```shell
      mkdir .ssh
      ssh-keygen -t rsa
      less ~/.ssh/id_rsa.pub
      ```
      
    5. Login in http://localhost:5240/MAAS using admin created in step 3, goto user preference (click user name). select upload and paste step 4's content into the text box. This is the public key that will be copied to each MAAS target at deployment so later you can SSH into these targets without knowing the password.

      MAAS upload SSH key

    6. Setup MAAS gateway. This was actually asked when installing MAAS server. But I missed this and ended up spending 5 days debugging a strange issue where provisioned node can not ping outside world. In short, set MAAS default gateway to be the IP of the MAAS server, in our case, 192.168.8.1!

      MAAS default gateway

    At this point, the MAAS server is installed and user can login the web admin console. Next, setup firewall rules on MAAS server so it can be the router for managed subnet.

    MAAS server firewall rules

    Install UFW. UFW is infinitely easier to use than iptables. Making the MAAS server as a router is necessary because targets, once acquired an OS, will need internet access in order to APT other things. (If using real metal server, the server can be connected to multiple VLANs among which one is providing internet access.)

    Masquerading

    Following the instructions to enable default port forwarding:

    1. Packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to ACCEPT:

      ```shell
      DEFAULT_FORWARD_POLICY="ACCEPT"
      ```
      
    2. Then edit /etc/ufw/sysctl.conf and uncomment:

      ```shell
      net/ipv4/ip_forward=1
      net/ipv6/conf/default/forwarding=1
      ```
      

    Firewall policies

    Enabling UFW will deny all access (except the current ssh session). So before anything, allow port 22!

    To config MAAS server to route 192.168.8.x subnet traffic to internet using UFW is simple. Using ifconfig to find the interface name that is connected to the internet(NAT), in this example, enp0s3:

        ```shell
        nano /etc/ufw/before.rules
        ```
    

    Paste this at the bottom of the file, after the COMMIT that has already been in that document:

        ```shell
        # nat Table rules
        *nat
        :POSTROUTING ACCEPT [0:0]
        -A POSTROUTING -s 192.168.8.0/24 -o enp0s3 -j MASQUERADE
        COMMIT
        ```
    

    What this does is to make enp0s3 as the router for subnet 192.168.8.x ← welcome the internet!

    Ports

    UFW will erect a firewall that blocks everything by default! We have poked holes for port 22 to allow SSH. More need to be done:

    1. Allow http 80: ufw allow http
    2. Allow ping: ufw allow 53
    3. Allow region controller API port: 5240
    4. Allow Bootp server and client: 67, 68
    5. Allow Img service: 5248
    6. Allow tftp: 69, 5244
    7. Allow domain service: 5246
    8. Allow rndc service: 5247
    9. Allow iscsi: 3260
    10. Allow ntp: 123
    11. Allow MAAS bootstrap sever: 8000

    Finally, sudo ufw enable. Our GFW is up.

    MAAS as DHCP server

    As I have mentioned, the MAAS server node must be the DHCP server on subnet 192.168.8.x. No exception!

    MAAS admin web is the tool to use for this configuration.

    1. Login into http://192.168.8.1/MAAS/, goto Subnets and select the VLAN ← this is how you can turn on DHCP on a subnet:


      MAAS DHCP config

    2. Click Vlan column on 192.168.8.0/24 subnet row to get to the Vlan configuration page. Take action to enable DHCP. Change the gateway to 192.168.8.1, which is this server's static IP on this subnet.

      MAAS admin DHCP config

    We have done the hard part — setting up the MAAS server. In our next article, I'll show you what MAAS can do for fun → brining up a bare metal machine to life. Stay tuned.

    — by Feng Xia

    Related:

      2017-10-22
    Juju GUI nginx proxy

    In LXD on localhost we introduced using LXD container to bootstrap a Juju controller. But how to access the Juju GUI? Launching it is easy enough with $ juju gui from juju host;...

      2017-09-06
    Juju local LXD

    Using Juju's LXD provider is the least-hassle way to start an experience of Juju and its charms. However, if you have done charm development for a while, you know making a one line of code...

      2017-07-06
    Charm Ansible integration

    Let's face it. Ansible has the mouth (and market) share these days. For our modeling purpose, we are to utilize its procedural strength to carry out actions, which provides an abstraction instead of coding in charm's Python files.

    Design...