Private discovery subnet with NAT fails to make wget requests to http://archive.ubuntu.com

Problem:
During deployment of Ubuntu 18.04 using installation media with the public mirror the install fails to execute.

Expected outcome:

Provisioning is able to reach the public mirror with HTTP requests

Foreman and Proxy versions:

Foreman 2.4 and Katello 4

wget http://archive.ubuntu.com/ubuntu/dists/bionic/Release -O - | grep -E '^(Suite|Codename|Architecture):'

But by opening the shell provided by the install I am able to ping archive.ubuntu.com:

On Foreman I have masquerade enable for the subnet:

[root@foreman pub]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.45.222.0/24

and I am able to execute this wget command:

[root@foreman pub]# wget http://archive.ubuntu.com/ubuntu/dists/bionic/Release -O - | grep -E '^(Suite|Codename|Architecture):'
--2021-06-15 15:21:49--  http://archive.ubuntu.com/ubuntu/dists/bionic/Release
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.88.142, 91.189.88.152, 2001:67c:1360:8001::23, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.88.142|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 241180 (236K)
Saving to: ‘STDOUT’

 0% [                                                                                                                                                                     ] 0           --.-K/s              Suite: bionic
Codename: bionic
100%[====================================================================================================================================================================>] 241,180      582KB/s   in 0.4s

2021-06-15 15:21:49 (582 KB/s) - written to stdout [241180/241180]

Could it be HTTP-Proxy that is causing a problem with HTTP requests destined for WAN?

First off, this is not related to Foreman and you should probably be asking in some generic Linux administrator list or forum to get faster feedback. Anyway, I don’t know what is wrong with your host, but configuring NAT with masquerade on a modern OS with firewalld is as easy as:

# nmcli c mod eth0 connection.zone internal
# nmcli c mod eth1 connection.zone external

On CentOS or Red Hat compatible systems, there is nothing else to do, the external zone is already pre-configured with masquerade. If it does not work, then you probably need to enable it:

# firewall-cmd --zone=external --add-masquerade

More details: Linux as NAT server in two easy steps - Lukáš Zapletal

If you have more hosts to provision, consider doing a proper Ubuntu repository mirror and update the Installation Media URL to point your hosts to the mirror. Or if you want to do advanced content management, consider installing the Katello plugin.
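As an added diagnostic (not code from the thread or from Foreman), a POSIX shell script for the NAT host that checks what both approaches above depend on: IPv4 forwarding, the interface-to-zone mapping, masquerade on the outward-facing zone, and whether a `--permanent` change is still waiting for a `firewall-cmd --reload`. The zone name `external` and the interface `eth0` (the `-o` interface in the passthrough rule quoted above) are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not from the thread: check the NAT prerequisites behind both
# approaches discussed above (direct POSTROUTING rule and zone masquerade).
# Zone name "external" and interface "eth0" are assumptions; the parsing
# functions take text as arguments so they can be exercised without firewalld.

# Succeeds when the sysctl value means IPv4 forwarding is on.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]   # $1: ip_forward value
}

# Succeeds when a `firewall-cmd --zone=Z --list-all` listing reports masquerade.
zone_masquerades() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*masquerade:[[:space:]]*yes[[:space:]]*$'
}

# Succeeds when the interface appears on the zone listing's "interfaces:" line.
zone_has_interface() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*interfaces:' | grep -qw "$2"
}

# Live check: compare runtime and permanent config, because --permanent changes
# only take effect after firewall-cmd --reload. Returns 1 on any warning.
check_live_nat() {
    zone=${1:-external}; ext_if=${2:-eth0}; rc=0
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found"; return 0; }
    runtime=$(firewall-cmd --zone="$zone" --list-all)
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-all)
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "WARN: net.ipv4.ip_forward is 0; packets are not forwarded"; rc=1; }
    zone_has_interface "$runtime" "$ext_if" \
        || { echo "WARN: $ext_if is not in zone $zone"; rc=1; }
    zone_masquerades "$runtime" \
        || { echo "WARN: zone $zone is not masquerading at runtime"; rc=1; }
    if zone_masquerades "$permanent" && ! zone_masquerades "$runtime"; then
        echo "HINT: masquerade is only in the permanent config; run firewall-cmd --reload"
    fi
    return $rc
}

# Constructed sample in the shape of `firewall-cmd --zone=external --list-all`.
SAMPLE_EXTERNAL='external (active)
  target: default
  interfaces: eth0
  masquerade: yes'

# Run the live check only when invoked as `sh nat-check.sh --live`.
if [ "${1:-}" = "--live" ]; then check_live_nat external eth0; fi
```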

I already have Katello installed, but from what I have found, creating deb content seems like you need to do many manual steps directly with Pulp and then mix and match with some Foreman steps.

I had started creating a local mirror, but it got big fast.

Can Katello manage the installation media as content also or just the packages once deployed?

Thank you.

I am not really sure about Debian capabilities in Katello, but in general once you install Katello you do not use Installation Media page anymore, Katello provides its own source (it is called Products, Repositories and Content Sources). See documentation:

https://docs.theforeman.org/nightly/Content_Management_Guide/index-katello.html

Did not know that; for my RHEL 8.3 deployment I created an Installation Media for base provisioning and then I created a Content View for the packages, did not think that a Content View could also be used for the PXE deployment of the OS.

Will look into that.

For RH systems this is how it works, you select Synced media on the Host page to select the Kickstart repository. Not sure about Debian though.

Thank you for the help!

Debian/Ubuntu installations are not currently possible from synced content alone. (Though we do have this on our roadmap). What you can do is install a Debian/Ubuntu host using the normal installation media way, and then have it use content that was synchronized to Katello from there. I am not sure how out of the box the configuration is, since you will need to add a client repository so your host can register with Katello. Some relevant docs can be found here: apt.atix.de


Ah thanks for pointing that out.

So mirroring the selected repositories or doing NAT are your choices, I guess.