MAAS

Merge lp:~lamont/maas/create-maas-proxy.conf into lp:~maas-committers/maas/trunk

create-maas-proxy.conf
Merge into trunk

Proposed by LaMont Jones on 2016-03-25

Status:	Merged
Approved by:	LaMont Jones on 2016-04-01
Approved revision:	no longer in the source branch.
Merged at revision:	4862
Proposed branch:	lp:~lamont/maas/create-maas-proxy.conf
Merge into:	lp:~maas-committers/maas/trunk
Prerequisite:	lp:~lamont/maas/bug-1379567
Diff against target:	793 lines (+521/-14) 13 files modified etc/maas/templates/dns/zone.template (+0/-3) src/maas/demo.py (+3/-0) src/maas/development.py (+4/-0) src/maas/settings.py (+5/-0) src/maasserver/migrations/builtin/maasserver/0048_add_subnet_allow_proxy.py (+5/-2) src/maasserver/proxyconfig.py (+86/-0) src/maasserver/region_controller.py (+34/-4) src/maasserver/tests/test_proxyconfig.py (+111/-0) src/maasserver/tests/test_region_controller.py (+96/-5) src/maasserver/triggers/system.py (+50/-0) src/maasserver/triggers/tests/test_system.py (+6/-0) src/maasserver/triggers/tests/test_system_listener.py (+76/-0) src/provisioningserver/templates/proxy/maas-proxy.conf.template (+45/-0)
To merge this branch:	bzr merge lp:~lamont/maas/create-maas-proxy.conf
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
LaMont Jones (community)		Approve on 2016-04-01
Blake Rouse (community)	2016-03-25	Needs Fixing on 2016-03-28
Review via email: mp+290154@code.launchpad.net

Commit message

Create /var/cache/maas/maas-proxy.conf for maas-proxy to use.

Description of the change

Create /var/cache/maas/maas-proxy.conf for maas-proxy to use.

Revision history for this message

Blake Rouse (blake-rouse) wrote on 2016-03-28:

Overall this looks really good. The service reloading needs an improvement to use the serviceMonitor so the service status is kept in sync with what as known about the service.

review: Needs Fixing

Revision history for this message

LaMont Jones (lamont) wrote on 2016-04-01:

Marking this approved since merging Blake's changes that were the cause of his "needs fixing".

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andres Rodriguez

Blake Rouse

Brendan Donegan

Dave Walker

Deepa

Enrique Chirivella Pérez

Fumihito YOSHIDA

LaMont Jones

MAAS Committers

Mike Pontillo

james beedy

 === modified file 'etc/maas/templates/dns/zone.template'
 --- etc/maas/templates/dns/zone.template	2016-02-03 09:11:25 +0000
 +++ etc/maas/templates/dns/zone.template	2016-03-31 23:44:54 +0000
@@ -1,7 +1,4 @@
  ; Zone file modified: {{modified}}.
--; Note that the modification time of this file doesn't reflect
--; the actual modification time.  MAAS controls the modification time
--; of this file to be able to force the zone to be reloaded by BIND.
  $TTL {{ttl}}
  @   IN    SOA {{domain}}. nobody.example.com. (
                {{serial}} ; serial
 === modified file 'src/maas/demo.py'
 --- src/maas/demo.py	2016-03-25 14:52:23 +0000
 +++ src/maas/demo.py	2016-03-31 23:44:54 +0000
@@ -27,6 +27,9 @@
  # Connect to the DHCP server. TODO: Use the signals manager instead.
  DHCP_CONNECT = True
++# Connect to the PROXY server. TODO: Use the signals manager instead.
++PROXY_CONNECT = True
++
  MAAS_CLI = abspath("bin/maas-region")
  # For demo purposes, give nodes unauthenticated access to their metadata
 === modified file 'src/maas/development.py'
 --- src/maas/development.py	2016-03-28 20:03:45 +0000
 +++ src/maas/development.py	2016-03-31 23:44:54 +0000
@@ -33,6 +33,10 @@
  # basis. TODO: Use the signals manager instead.
  DHCP_CONNECT = False
++# Don't setup PROXY servers in tests, this will be enabled on a case per case
++# basis. TODO: Use the signals manager instead.
++PROXY_CONNECT = False
++
  # Invalid strings should be visible.
  TEMPLATE_STRING_IF_INVALID = '#### INVALID STRING ####'
 === modified file 'src/maas/settings.py'
 --- src/maas/settings.py	2016-03-25 14:52:23 +0000
 +++ src/maas/settings.py	2016-03-31 23:44:54 +0000
@@ -78,6 +78,11 @@
  # machinery. TODO: Use the signals manager instead.
  DHCP_CONNECT = True
++# Should the PROXY features be enabled?  Having this config option is a
++# debugging/testing feature to be able to quickly disconnect the PROXY
++# machinery. TODO: Use the signals manager instead.
++PROXY_CONNECT = True
++
  # The MAAS CLI.
  MAAS_CLI = 'sudo maas-region'
 === renamed file 'src/maasserver/migrations/builtin/maasserver/0046_add_subnet_allow_proxy.py' => 'src/maasserver/migrations/builtin/maasserver/0048_add_subnet_allow_proxy.py'
 --- src/maasserver/migrations/builtin/maasserver/0046_add_subnet_allow_proxy.py	2016-03-31 23:44:54 +0000
 +++ src/maasserver/migrations/builtin/maasserver/0048_add_subnet_allow_proxy.py	2016-03-31 23:44:54 +0000
@@ -1,13 +1,16 @@
  # -*- coding: utf-8 -*-
  from __future__ import unicode_literals
--from django.db import migrations, models
++from django.db import (
++    migrations,
++    models,
++)
  class Migration(migrations.Migration):
      dependencies = [
--        ('maasserver', '0045_add_node_to_filesystem'),
++        ('maasserver', '0047_fix_spelling_of_degraded'),
+     ]
      operations = [
 === added file 'src/maasserver/proxyconfig.py'
 --- src/maasserver/proxyconfig.py	1970-01-01 00:00:00 +0000
 +++ src/maasserver/proxyconfig.py	2016-03-31 23:44:54 +0000
@@ -0,0 +1,86 @@
++# Copyright 2016 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++"""Proxy config management module."""
++
++__all__ = [
++    'proxy_update_config',
++    ]
++
++import datetime
++import os
++import socket
++import sys
++
++from django.conf import settings
++from maasserver.models.subnet import Subnet
++from maasserver.service_monitor import service_monitor
++from maasserver.utils.orm import transactional
++from maasserver.utils.threads import deferToDatabase
++from provisioningserver.logger import get_maas_logger
++from provisioningserver.utils import locate_template
++from provisioningserver.utils.fs import atomic_write
++from provisioningserver.utils.twisted import asynchronous
++import tempita
++from twisted.internet.defer import succeed
++
++
++maaslog = get_maas_logger("dns")
++MAAS_PROXY_CONF_NAME = 'maas-proxy.conf'
++MAAS_PROXY_CONF_TEMPLATE = 'maas-proxy.conf.template'
++
++
++def is_proxy_enabled():
++    """Is MAAS configured to manage the PROXY?"""
++    return settings.PROXY_CONNECT
++
++
++class ProxyConfigFail(Exception):
++    """Raised if there is a problem with the proxy configuration."""
++
++
++def get_proxy_config_dir():
++    """Location of bind configuration files."""
++    setting = os.getenv("MAAS_PROXY_CONFIG_DIR", "/var/lib/maas")
++    if isinstance(setting, bytes):
++        fsenc = sys.getfilesystemencoding()
++        return setting.decode(fsenc)
++    else:
++        return setting
++
++
++@asynchronous
++def proxy_update_config(reload_proxy=True):
++    """Regenerate the proxy configuration file."""
++
++    @transactional
++    def write_config():
++        allowed_subnets = Subnet.objects.filter(allow_proxy=True)
++        cidrs = [subnet.cidr for subnet in allowed_subnets]
++        context = {
++            'allowed': allowed_subnets,
++            'modified': str(datetime.date.today()),
++            'fqdn': socket.getfqdn(),
++            'cidrs': cidrs,
++        }
++        template_path = locate_template('proxy', MAAS_PROXY_CONF_TEMPLATE)
++        template = tempita.Template.from_filename(
++            template_path, encoding="UTF-8")
++        try:
++            content = template.substitute(context)
++        except NameError as error:
++            raise ProxyConfigFail(*error.args)
++        # Squid prefers ascii.
++        content = content.encode("ascii")
++        target_path = os.sep.join(
++            [get_proxy_config_dir(), MAAS_PROXY_CONF_NAME])
++        atomic_write(content, target_path, overwrite=True, mode=0o644)
++
++    if is_proxy_enabled():
++        d = deferToDatabase(write_config)
++        if reload_proxy:
++            d.addCallback(
++                lambda _: service_monitor.reloadService("proxy", if_on=True))
++        return d
++    else:
++        return succeed(None)
 === modified file 'src/maasserver/region_controller.py'
 --- src/maasserver/region_controller.py	2016-03-28 20:03:45 +0000
 +++ src/maasserver/region_controller.py	2016-03-31 23:44:54 +0000
@@ -11,6 +11,12 @@
      'sys_dns'. Any time a message is recieved on that channel the DNS is marked
      as requiring an update. Once marked for update the DNS configuration is
      updated and bind9 is told to reload.
++
++Proxy:
++    The regiond process listens for messages from Postgres on channel
++    'sys_proxy'. Any time a message is recieved on that channel the maas-proxy
++    is marked as requiring an update. Once marked for update the proxy
++    configuration is updated and maas-proxy is told to reload.
  """
  __all__ = [
@@ -18,6 +24,7 @@
+ ]
  from maasserver.dns.config import dns_update_all_zones
++from maasserver.proxyconfig import proxy_update_config
  from maasserver.utils.orm import transactional
  from maasserver.utils.threads import deferToDatabase
  from provisioningserver.utils.twisted import (
@@ -26,6 +33,7 @@
+ )
  from twisted.application.service import Service
  from twisted.internet import reactor
++from twisted.internet.defer import DeferredList
  from twisted.internet.task import LoopingCall
  from twisted.python import log
@@ -51,6 +59,7 @@
          self.processing.clock = self.clock
          self.processingDefer = None
          self.needsDNSUpdate = False
++        self.needsProxyUpdate = False
          self.postgresListener = postgresListener
      @asynchronous(timeout=FOREVER)
@@ -58,15 +67,18 @@
          """Start listening for messages."""
          super(RegionControllerService, self).startService()
          self.postgresListener.register("sys_dns", self.markDNSForUpdate)
++        self.postgresListener.register("sys_proxy", self.markProxyForUpdate)
--        # Update DNS on first start.
++        # Update DNS and proxy on first start.
          self.markDNSForUpdate(None, None)
++        self.markProxyForUpdate(None, None)
      @asynchronous(timeout=FOREVER)
      def stopService(self):
          """Close the controller."""
          super(RegionControllerService, self).stopService()
          self.postgresListener.unregister("sys_dns", self.markDNSForUpdate)
++        self.postgresListener.unregister("sys_proxy", self.markProxyForUpdate)
          if self.processingDefer is not None:
              self.processingDefer, d = None, self.processingDefer
              self.processing.stop()
@@ -77,13 +89,19 @@
          self.needsDNSUpdate = True
          self.startProcessing()
++    def markProxyForUpdate(self, channel, message):
++        """Called when the `sys_proxy` message is received."""
++        self.needsProxyUpdate = True
++        self.startProcessing()
++
      def startProcessing(self):
          """Start the process looping call."""
          if not self.processing.running:
              self.processingDefer = self.processing.start(0.1, now=False)
      def process(self):
--        """Process the DNS update."""
++        """Process the DNS and/or proxy update."""
++        defers = []
          if self.needsDNSUpdate:
              self.needsDNSUpdate = False
              d = deferToDatabase(transactional(dns_update_all_zones))
@@ -93,8 +111,20 @@
              d.addErrback(
                  log.err,
                  "Failed configuring DNS.")
--            return d
--        else:
++            defers.append(d)
++        if self.needsProxyUpdate:
++            self.needsProxyUpdate = False
++            d = proxy_update_config(reload_proxy=True)
++            d.addCallback(
++                lambda _: log.msg(
++                    "Successfully configured proxy."))
++            d.addErrback(
++                log.err,
++                "Failed configuring proxy.")
++            defers.append(d)
++        if len(defers) == 0:
              # Nothing more to do.
              self.processing.stop()
              self.processingDefer = None
++        else:
++            return DeferredList(defers)
 === added file 'src/maasserver/tests/test_proxyconfig.py'
 --- src/maasserver/tests/test_proxyconfig.py	1970-01-01 00:00:00 +0000
 +++ src/maasserver/tests/test_proxyconfig.py	2016-03-31 23:44:54 +0000
@@ -0,0 +1,111 @@
++# Copyright 2016 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++"""Tests for the proxyconfig."""
++
++__all__ = []
++
++import os
++
++from crochet import wait_for
++from django.conf import settings
++from fixtures import EnvironmentVariableFixture
++from maasserver import proxyconfig
++from maasserver.testing.factory import factory
++from maasserver.testing.testcase import (
++    MAASServerTestCase,
++    MAASTransactionServerTestCase,
++)
++from maasserver.utils.orm import transactional
++from maasserver.utils.threads import deferToDatabase
++from maastesting.matchers import (
++    MockCalledOnceWith,
++    MockNotCalled,
++)
++from testtools.matchers import (
++    Contains,
++    FileContains,
++    Not,
++)
++from twisted.internet.defer import inlineCallbacks
++
++
++wait_for_reactor = wait_for(30)  # 30 seconds.
++
++
++class TestGetConfigDir(MAASServerTestCase):
++    """Tests for `maasserver.proxyconfig.get_proxy_config_dir`."""
++
++    def test_returns_default(self):
++        self.assertEquals(
++            "/var/lib/maas", proxyconfig.get_proxy_config_dir())
++
++    def test_env_overrides_default(self):
++        os.environ['MAAS_PROXY_CONFIG_DIR'] = factory.make_name('env')
++        self.assertEquals(
++            os.environ['MAAS_PROXY_CONFIG_DIR'],
++            proxyconfig.get_proxy_config_dir())
++        del(os.environ['MAAS_PROXY_CONFIG_DIR'])
++
++
++class TestProxyUpdateConfig(MAASTransactionServerTestCase):
++    """Tests for `maasserver.proxyconfig`."""
++
++    def setUp(self):
++        super(TestProxyUpdateConfig, self).setUp()
++        self.tmpdir = self.make_dir()
++        self.service_monitor = self.patch(proxyconfig, "service_monitor")
++        self.useFixture(
++            EnvironmentVariableFixture('MAAS_PROXY_CONFIG_DIR', self.tmpdir))
++
++    @transactional
++    def make_subnet(self, allow_proxy=True):
++        return factory.make_Subnet(allow_proxy=allow_proxy)
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test__only_enabled_subnets_are_present(self):
++        self.patch(settings, "PROXY_CONNECT", True)
++        disabled = yield deferToDatabase(self.make_subnet, allow_proxy=False)
++        enabled = yield deferToDatabase(self.make_subnet)
++        yield proxyconfig.proxy_update_config(reload_proxy=False)
++        # enabled's cidr must be present
++        matcher = Contains("acl localnet src %s" % enabled.cidr)
++        self.assertThat(
++            "%s/%s" % (self.tmpdir, proxyconfig.MAAS_PROXY_CONF_NAME),
++            FileContains(matcher=matcher))
++        # disabled's cidr must not be present
++        matcher = Not(Contains("acl localnet src %s" % disabled.cidr))
++        self.assertThat(
++            "%s/%s" % (self.tmpdir, proxyconfig.MAAS_PROXY_CONF_NAME),
++            FileContains(matcher=matcher))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test__calls_reloadService(self):
++        self.patch(settings, "PROXY_CONNECT", True)
++        yield deferToDatabase(self.make_subnet)
++        yield proxyconfig.proxy_update_config()
++        self.assertThat(
++            self.service_monitor.reloadService,
++            MockCalledOnceWith("proxy", if_on=True))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test__doesnt_call_reloadService_when_PROXY_CONNECT_False(self):
++        self.patch(settings, "PROXY_CONNECT", False)
++        yield deferToDatabase(self.make_subnet)
++        yield proxyconfig.proxy_update_config()
++        self.assertThat(
++            self.service_monitor.reloadService,
++            MockNotCalled())
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test__doesnt_call_reloadService_when_reload_proxy_False(self):
++        self.patch(settings, "PROXY_CONNECT", True)
++        yield deferToDatabase(self.make_subnet)
++        yield proxyconfig.proxy_update_config(reload_proxy=False)
++        self.assertThat(
++            self.service_monitor.reloadService,
++            MockNotCalled())
 === modified file 'src/maasserver/tests/test_region_controller.py'
 --- src/maasserver/tests/test_region_controller.py	2016-03-28 20:03:45 +0000
 +++ src/maasserver/tests/test_region_controller.py	2016-03-31 23:44:54 +0000
@@ -12,16 +12,22 @@
  from maasserver.testing.testcase import MAASServerTestCase
  from maastesting.matchers import (
      MockCalledOnceWith,
++    MockCallsMatch,
      MockNotCalled,
+ )
  from mock import (
      ANY,
++    call,
      MagicMock,
      sentinel,
+ )
  from testtools.matchers import MatchesStructure
  from twisted.internet import reactor
--from twisted.internet.defer import inlineCallbacks
++from twisted.internet.defer import (
++    fail,
++    inlineCallbacks,
++    succeed,
++)
  wait_for_reactor = wait_for(30)  # 30 seconds.
@@ -45,22 +51,34 @@
          service.startService()
          self.assertThat(
              listener.register,
--            MockCalledOnceWith("sys_dns", service.markDNSForUpdate))
++            MockCallsMatch(
++                call("sys_dns", service.markDNSForUpdate),
++                call("sys_proxy", service.markProxyForUpdate)))
--    def test_startService_sets_needsDNSUpdate_calls_startProcessing(self):
++    def test_startService_calls_markDNSForUpdate(self):
          listener = MagicMock()
          service = RegionControllerService(listener)
          mock_markDNSForUpdate = self.patch(service, "markDNSForUpdate")
          service.startService()
          self.assertThat(mock_markDNSForUpdate, MockCalledOnceWith(None, None))
++    def test_startService_calls_markProxyForUpdate(self):
++        listener = MagicMock()
++        service = RegionControllerService(listener)
++        mock_markProxyForUpdate = self.patch(service, "markProxyForUpdate")
++        service.startService()
++        self.assertThat(
++            mock_markProxyForUpdate, MockCalledOnceWith(None, None))
++
      def test_stopService_calls_unregister_on_the_listener(self):
          listener = MagicMock()
          service = RegionControllerService(listener)
          service.stopService()
          self.assertThat(
              listener.unregister,
--            MockCalledOnceWith("sys_dns", service.markDNSForUpdate))
++            MockCallsMatch(
++                call("sys_dns", service.markDNSForUpdate),
++                call("sys_proxy", service.markProxyForUpdate)))
      @wait_for_reactor
      @inlineCallbacks
@@ -71,7 +89,7 @@
          yield service.stopService()
          self.assertIsNone(service.processingDefer)
--    def test_markDNSForUpdate_sets_needsDNSUpdate_and_starts_processing(self):
++    def test_markDNSForUpdate_sets_needsDNSUpdate_and_starts_process(self):
          listener = MagicMock()
          service = RegionControllerService(listener)
          mock_startProcessing = self.patch(service, "startProcessing")
@@ -79,6 +97,14 @@
          self.assertTrue(service.needsDNSUpdate)
          self.assertThat(mock_startProcessing, MockCalledOnceWith())
++    def test_markProxyForUpdate_sets_needsProxyUpdate_and_starts_process(self):
++        listener = MagicMock()
++        service = RegionControllerService(listener)
++        mock_startProcessing = self.patch(service, "startProcessing")
++        service.markProxyForUpdate(None, None)
++        self.assertTrue(service.needsProxyUpdate)
++        self.assertThat(mock_startProcessing, MockCalledOnceWith())
++
      def test_startProcessing_doesnt_call_start_when_looping_call_running(self):
          service = RegionControllerService(sentinel.listener)
          mock_start = self.patch(service.processing, "start")
@@ -107,6 +133,17 @@
      @wait_for_reactor
      @inlineCallbacks
++    def test_process_doesnt_proxy_update_config_when_nothing_to_process(self):
++        service = RegionControllerService(sentinel.listener)
++        service.needsProxyUpdate = False
++        mock_proxy_update_config = self.patch(
++            region_controller, "proxy_update_config")
++        service.startProcessing()
++        yield service.processingDefer
++        self.assertThat(mock_proxy_update_config, MockNotCalled())
++
++    @wait_for_reactor
++    @inlineCallbacks
      def test_process_stops_processing(self):
          service = RegionControllerService(sentinel.listener)
          service.needsDNSUpdate = False
@@ -132,6 +169,24 @@
      @wait_for_reactor
      @inlineCallbacks
++    def test_process_updates_proxy(self):
++        service = RegionControllerService(sentinel.listener)
++        service.needsProxyUpdate = True
++        mock_proxy_update_config = self.patch(
++            region_controller, "proxy_update_config")
++        mock_proxy_update_config.return_value = succeed(None)
++        mock_msg = self.patch(
++            region_controller.log, "msg")
++        service.startProcessing()
++        yield service.processingDefer
++        self.assertThat(
++            mock_proxy_update_config, MockCalledOnceWith(reload_proxy=True))
++        self.assertThat(
++            mock_msg,
++            MockCalledOnceWith("Successfully configured proxy."))
++
++    @wait_for_reactor
++    @inlineCallbacks
      def test_process_updates_zones_logs_failure(self):
          service = RegionControllerService(sentinel.listener)
          service.needsDNSUpdate = True
@@ -146,3 +201,39 @@
          self.assertThat(
              mock_err,
              MockCalledOnceWith(ANY, "Failed configuring DNS."))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_process_updates_proxy_logs_failure(self):
++        service = RegionControllerService(sentinel.listener)
++        service.needsProxyUpdate = True
++        mock_proxy_update_config = self.patch(
++            region_controller, "proxy_update_config")
++        mock_proxy_update_config.return_value = fail(factory.make_exception())
++        mock_err = self.patch(
++            region_controller.log, "err")
++        service.startProcessing()
++        yield service.processingDefer
++        self.assertThat(
++            mock_proxy_update_config, MockCalledOnceWith(reload_proxy=True))
++        self.assertThat(
++            mock_err,
++            MockCalledOnceWith(ANY, "Failed configuring proxy."))
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_process_updates_bind_and_proxy(self):
++        service = RegionControllerService(sentinel.listener)
++        service.needsDNSUpdate = True
++        service.needsProxyUpdate = True
++        mock_dns_update_all_zones = self.patch(
++            region_controller, "dns_update_all_zones")
++        mock_proxy_update_config = self.patch(
++            region_controller, "proxy_update_config")
++        mock_proxy_update_config.return_value = succeed(None)
++        service.startProcessing()
++        yield service.processingDefer
++        self.assertThat(
++            mock_dns_update_all_zones, MockCalledOnceWith())
++        self.assertThat(
++            mock_proxy_update_config, MockCalledOnceWith(reload_proxy=True))
 === modified file 'src/maasserver/triggers/system.py'
 --- src/maasserver/triggers/system.py	2016-03-30 13:57:14 +0000
 +++ src/maasserver/triggers/system.py	2016-03-31 23:44:54 +0000
@@ -880,6 +880,21 @@
      """)
++# Triggered when a subnet is updated. Increments notifies that proxy needs to
++# be updated. Only watches changes on the cidr and allow_proxy.
++PROXY_SUBNET_UPDATE = dedent("""\
++    CREATE OR REPLACE FUNCTION sys_proxy_subnet_update()
++    RETURNS trigger as $$
++    BEGIN
++      IF OLD.cidr != NEW.cidr OR OLD.allow_proxy != NEW.allow_proxy THEN
++        PERFORM pg_notify('sys_proxy', '');
++      END IF;
++      RETURN NEW;
++    END;
++    $$ LANGUAGE plpgsql;
++    """)
++
++
  def render_sys_dns_procedure(proc_name, on_delete=False):
      """Render a database procedure with name `proc_name` that increments
      the zone serial and notifies that a DNS update is needed.
@@ -899,6 +914,23 @@
          """ % (proc_name, 'NEW' if not on_delete else 'OLD'))
++def render_sys_proxy_procedure(proc_name, on_delete=False):
++    """Render a database procedure with name `proc_name` that notifies that a
++    proxy update is needed.
++
++    :param proc_name: Name of the procedure.
++    :param on_delete: True when procedure will be used as a delete trigger.
++    """
++    return dedent("""\
++        CREATE OR REPLACE FUNCTION %s() RETURNS trigger AS $$
++        BEGIN
++          PERFORM pg_notify('sys_proxy', '');
++          RETURN %s;
++        END;
++        $$ LANGUAGE plpgsql;
++        """ % (proc_name, 'NEW' if not on_delete else 'OLD'))
++
++
  @transactional
  def register_system_triggers():
      """Register all system triggers into the database."""
@@ -1115,3 +1147,21 @@
          "maasserver_config", "sys_dns_config_insert", "insert")
      register_trigger(
          "maasserver_config", "sys_dns_config_update", "update")
++
++    # Proxy
++
++    ## Subnet
++    register_procedure(
++        render_sys_proxy_procedure("sys_proxy_subnet_insert"))
++    register_trigger(
++        "maasserver_subnet",
++        "sys_proxy_subnet_insert", "insert")
++    register_procedure(PROXY_SUBNET_UPDATE)
++    register_trigger(
++        "maasserver_subnet",
++        "sys_proxy_subnet_update", "update")
++    register_procedure(
++        render_sys_proxy_procedure("sys_proxy_subnet_delete", on_delete=True))
++    register_trigger(
++        "maasserver_subnet",
++        "sys_proxy_subnet_delete", "delete")
 === modified file 'src/maasserver/triggers/tests/test_system.py'
 --- src/maasserver/triggers/tests/test_system.py	2016-03-29 20:35:17 +0000
 +++ src/maasserver/triggers/tests/test_system.py	2016-03-31 23:44:54 +0000
@@ -50,11 +50,17 @@
              "dnsdata_sys_dns_dnsdata_insert",
              "dnsdata_sys_dns_dnsdata_update",
              "dnsdata_sys_dns_dnsdata_delete",
++            "subnet_sys_dns_subnet_insert",
++            "subnet_sys_dns_subnet_update",
++            "subnet_sys_dns_subnet_delete",
              "node_sys_dns_node_update",
              "node_sys_dns_node_delete",
              "interface_sys_dns_interface_update",
              "config_sys_dns_config_insert",
              "config_sys_dns_config_update",
++            "subnet_sys_proxy_subnet_insert",
++            "subnet_sys_proxy_subnet_update",
++            "subnet_sys_proxy_subnet_delete",
+             ]
          sql, args = psql_array(triggers, sql_type="text")
          with closing(connection.cursor()) as cursor:
 === modified file 'src/maasserver/triggers/tests/test_system_listener.py'
 --- src/maasserver/triggers/tests/test_system_listener.py	2016-03-30 13:57:14 +0000
 +++ src/maasserver/triggers/tests/test_system_listener.py	2016-03-31 23:44:54 +0000
@@ -2966,3 +2966,79 @@
              yield self.assertZoneSerialIncrement(zone_serial)
          finally:
              yield listener.stopService()
++
++
++class TestProxySubnetListener(
++        MAASTransactionServerTestCase, TransactionalHelpersMixin):
++    """End-to-end test for the proxy triggers code."""
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_subnet_insert(self):
++        yield deferToDatabase(register_system_triggers)
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_proxy", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(self.create_subnet)
++            yield dv.get(timeout=2)
++        finally:
++            yield listener.stopService()
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_subnet_cidr_update(self):
++        yield deferToDatabase(register_system_triggers)
++        subnet = yield deferToDatabase(self.create_subnet)
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_proxy", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            network = factory.make_ip4_or_6_network()
++            yield deferToDatabase(self.update_subnet, subnet.id, {
++                "cidr": str(network.cidr),
++                "gateway_ip": factory.pick_ip_in_network(network),
++                "dns_servers": [],
++            })
++            yield dv.get(timeout=2)
++        finally:
++            yield listener.stopService()
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_subnet_allow_proxy_update(self):
++        yield deferToDatabase(register_system_triggers)
++        subnet = yield deferToDatabase(
++            self.create_subnet, {"allow_proxy": False})
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_proxy", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(self.update_subnet, subnet.id, {
++                "allow_proxy": True,
++            })
++            yield dv.get(timeout=2)
++        finally:
++            yield listener.stopService()
++
++    @wait_for_reactor
++    @inlineCallbacks
++    def test_sends_message_for_subnet_delete(self):
++        yield deferToDatabase(register_system_triggers)
++        subnet = yield deferToDatabase(self.create_subnet)
++        dv = DeferredValue()
++        listener = self.make_listener_without_delay()
++        listener.register(
++            "sys_proxy", lambda *args: dv.set(args))
++        yield listener.startService()
++        try:
++            yield deferToDatabase(self.delete_subnet, subnet.id)
++            yield dv.get(timeout=2)
++        finally:
++            yield listener.stopService()
 === added directory 'src/provisioningserver/templates/proxy'
 === added file 'src/provisioningserver/templates/proxy/maas-proxy.conf.template'
 --- src/provisioningserver/templates/proxy/maas-proxy.conf.template	1970-01-01 00:00:00 +0000
 +++ src/provisioningserver/templates/proxy/maas-proxy.conf.template	2016-03-31 23:44:54 +0000
@@ -0,0 +1,45 @@
++# DO NOT EDIT.  This file is automatically created by MAAS.
++# Last updated at {{modified}}.
++
++# Inspired by UDS's conference proxy
++
++acl maas_proxy_manager proto cache_object
++acl localhost src 127.0.0.1/32 ::1
++acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
++{{for cidr in cidrs}}
++acl localnet src {{cidr}}
++{{endfor}}
++acl SSL_ports port 443
++acl Safe_ports port 80          # http
++acl Safe_ports port 21          # ftp
++acl Safe_ports port 443         # https
++acl Safe_ports port 1025-65535  # unregistered ports
++acl CONNECT method CONNECT
++http_access allow maas_proxy_manager localhost
++http_access deny maas_proxy_manager
++http_access deny !Safe_ports
++http_access deny CONNECT !SSL_ports
++http_access allow localnet
++http_access allow localhost
++http_access deny all
++http_port 3128 transparent
++http_port 8000
++coredump_dir /var/spool/maas-proxy
++refresh_pattern ^ftp:           1440    20%     10080
++refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
++refresh_pattern \/Release(|\.gpg)$                        0    0%    0 refresh-ims
++refresh_pattern \/InRelease$                              0    0%    0 refresh-ims
++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$   0    0%    0 refresh-ims
++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$     0    0%    0 refresh-ims
++refresh_pattern .               0       20%     4320
++forwarded_for delete
++visible_hostname {{fqdn}}
++cache_mem 512 MB
++minimum_object_size 0 MB
++maximum_object_size 1024 MB
++maximum_object_size_in_memory 100 MB
++cache_dir aufs /var/spool/maas-proxy 40000 16 256
++# use different logs
++cache_access_log /var/log/maas/proxy/access.log
++cache_log /var/log/maas/proxy/cache.log
++cache_store_log /var/log/maas/proxy/store.log