
RMU Build: MaaS Setup

Provision the MaaS (Metal as a Service) container on the Gen-1.5 RMU, install MaaS, share it via Teleport, perform the initial configuration, and reserve a DHCP range for BMCs.

This page covers section IV of the Gen-1 to Gen-1.5 RMU build runbook. MaaS (Metal as a Service) provides DHCP/DNS and device discovery on the management network.

Complete the Teleport setup before starting.

A. Create Proxmox CT

  1. From the main Proxmox page, click Create CT to open the Create: LXC Container dialog.

  2. Tick Advanced and configure:

    • CT ID: 120
    • Hostname: <dc>-maas
    • Set a non-trivial password for root and store it in your password manager as MaaS {ICR}. Optionally add your SSH public key.

    Click Next.

  3. Select the ubuntu-22.04-standard template. Click Next.

  4. Set the disk size to 30 GB. Click Next.

  5. Set Cores to 8. Click Next.

  6. Set Memory and Swap to 4096. Click Next.

  7. Configure the network:

    • Bridge: vmbr1 (LAN)
    • Uncheck Firewall.
    • IPv4: Static, IP 10.10.100.20/24 (CIDR is required)
    • Gateway: 10.10.100.1
    • IPv6: SLAAC

    Click Next.

  8. No changes are required on the DNS tab. Click Next.

  9. Tick Start after created and click Finish.

  10. When complete, close the dialog window.

  11. Ensure Proxmox is configured to start the container at boot. Select the container in the left navigation, click Options, double-click Start at Boot, tick the box, and click OK.

B. Install MaaS software via APT

  1. Open the console: RMU > 120 (maas) > Console. Update the server software:

    apt update && apt upgrade -y
    reboot
    
  2. Add a generic admin account. Replace <admin> with your admin username — this account will be used to log in to the MaaS web GUI:

    useradd -u1000 -U -m -c "Admin" -s /bin/bash <admin>
    
  3. Install software tools (so that apt-add-repository works):

    apt install software-properties-common curl -y
    
  4. Install MaaS 3.3, running these commands one at a time:

    apt-add-repository ppa:maas/3.3
    apt update
    apt remove systemd-timesyncd -y
    apt install maas-region-controller -y
    apt install maas-rack-controller -y
    maas createadmin --username=<admin> --email=<email address>
    

    Replace <admin> and <email address>. Set a non-trivial password and store it in your password manager. Optionally import an SSH public key.

C. Share services via Teleport

Reference video: Sharing services via Teleport.

On the Teleport server

  1. Create a short-lived token to "invite" the MaaS application:

    tctl tokens add \
        --type=app,node \
        --app-name=<dc>-maas \
        --app-uri=http://localhost:5240
    

    Take note of the token and ca_pin values.

On the MaaS server

  1. Install the Teleport agent (use the same Teleport version installed earlier):

    curl https://goteleport.com/static/install.sh | sudo bash -s <teleport version>
    
  2. Create the Teleport application config:

    sudo teleport configure --output=file \
        --proxy=<domain name>:443 \
        --token=/var/lib/teleport/token \
        --roles=app,node \
        --app-name=<dc>-maas \
        --app-uri=http://localhost:5240
    
  3. Save the token generated on the Teleport server:

    sudo vi /var/lib/teleport/token
    
  4. Save the ca_pin:

    sudo vi /var/lib/teleport/ca_pin
    
  5. Edit /etc/teleport.yaml to update the ca_pin resource:

    sudo vi /etc/teleport.yaml
    
    • Set the ca_pin resource path to /var/lib/teleport/ca_pin.

    • Add a labels: section under ssh_service::

      labels:
          dc: "<dc>"
          login: "<admin user login>"
      
    • Remove the commands: section under ssh_service::

      commands:
        - name: hostname
          command: [hostname]
          period: 1m0s
      
    • Add labels: under app_service: -> apps: -> <dc>-maas service:

      - name: <dc>-maas
        uri: http://localhost:5240
        public_addr: ""
        insecure_skip_verify: false
        labels:
          dc: "<dc>"
          type: "maas"
      

    Sample /etc/teleport.yaml:

    version: v3
    teleport:
      nodename: maas
      data_dir: /var/lib/teleport
      join_params:
        token_name: /var/lib/teleport/token
        method: token
      proxy_server: teleport.<domain>:443
      log:
        output: stderr
        severity: INFO
        format:
          output: text
      ca_pin: /var/lib/teleport/ca_pin
      diag_addr: ""
    auth_service:
      enabled: "no"
    ssh_service:
      enabled: "yes"
      labels:
        dc: "<dc>"
        login: "maas"
    proxy_service:
      enabled: "no"
      https_keypairs: []
      https_keypairs_reload_interval: 0s
      acme: {}
    app_service:
      enabled: "yes"
      debug_app: false
      apps:
      - name: <dc>-maas
        uri: http://localhost:5240
        public_addr: ""
        insecure_skip_verify: false
        labels:
          dc: "<dc>"
          type: "maas"
    
  6. Add Teleport to /etc/hosts:

    sudo vi /etc/hosts
    

    Add an entry:

    10.10.100.22 <Domain name of your teleport server>
    

    Save and quit the file.

  7. Start the Teleport agent:

    sudo systemctl enable teleport
    sudo systemctl start teleport
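
A pre-start check for the join material and config written in steps 2 to 5, to run before step 7; this is an added example, not part of the runbook or of Teleport's tooling. The function names are hypothetical, and the mode-600 requirement on the token and ca_pin files is this example's assumption rather than something the runbook states: files saved with plain `sudo vi` are typically world-readable, so `chmod 600` them first.

```shell
#!/bin/sh
# Added example (not from the runbook): checks to run before starting the agent.

# yaml_value FILE KEY: first scalar value of KEY in FILE, double quotes stripped.
yaml_value() {
    awk -v k="$2:" '$1 == k { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_secret FILE: must be non-empty and readable by its owner only.
# The 600/400 requirement is this example's hardening choice (an assumption).
check_secret() {
    [ -s "$1" ] || { echo "FAIL: $1 missing or empty"; return 1; }
    case "$(stat -c '%a' "$1")" in
        600|400) ;;
        *) echo "FAIL: $1 is not mode 600 (run: chmod 600 $1)"; return 1 ;;
    esac
}

# check_ca_pin FILE: every line must be "sha256:" plus 64 lowercase hex digits.
check_ca_pin() {
    if grep -Evqx 'sha256:[0-9a-f]{64}' "$1"; then
        echo "FAIL: $1 contains a line that is not a CA pin"; return 1
    fi
}

# check_config CFG TOKEN PIN: the config must point at both files and must no
# longer carry the commands: section that step 5 removes.
check_config() {
    [ "$(yaml_value "$1" token_name)" = "$2" ] \
        || { echo "FAIL: token_name is not $2"; return 1; }
    [ "$(yaml_value "$1" ca_pin)" = "$3" ] \
        || { echo "FAIL: ca_pin is not $3"; return 1; }
    if grep -Eq '^[[:space:]]*commands:' "$1"; then
        echo "FAIL: commands: section still present"; return 1
    fi
}

# preflight CFG TOKEN PIN: run all checks, stop at the first failure.
preflight() {
    check_secret "$2" && check_secret "$3" && check_ca_pin "$3" \
        && check_config "$1" "$2" "$3" && echo "OK: join material looks sane"
}

# On the MaaS server (paths from the runbook):
#   preflight /etc/teleport.yaml /var/lib/teleport/token /var/lib/teleport/ca_pin
```

A pin file that fails `check_ca_pin` usually means the value was truncated when pasted; copy it again from the `tctl tokens add` output rather than editing it by hand.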
    

D. Initial configuration of MaaS server

  1. Log in to the Teleport server and click Launch next to the new MaaS resource to perform the initial MaaS configuration.
  2. Sign in to the MaaS web GUI using the credentials you created in the previous section.
  3. Set the DNS forwarder list to 1.1.1.1 8.8.8.8 and click Save and continue.
  4. Select the Ubuntu release 22.04 LTS and architecture AMD64, click Update selection, then Continue.
  5. Click Finish setup.
  6. Import any additional SSH keys for the dfnadmin user, then click Finish setup again.

E. Configure DHCP subnet on MaaS

  1. Click Subnets in the top navigation bar.

  2. Click 10.10.100.0/24.

  3. Click Reserve Range > Reserve dynamic range.

  4. Configure the dynamic range:

    • Start IP address: 10.10.100.53
    • End IP address: 10.10.100.99

    Click Reserve.

  5. Click Subnets in the top navigation bar.

  6. Click untagged.

  7. Click Configure DHCP.

  8. Ensure MAAS provides DHCP is ticked.

  9. Select Provide DHCP from rack controller(s).

  10. In the Rack controller drop-down, select <dc>-maas and click Configure DHCP.

Continue

Proceed to Best Practices: Proxmox Security.