From 214d5110878f23130f58f0b75760f0af9bf25606 Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Mon, 14 Aug 2023 11:02:48 -0400 Subject: [PATCH] Upgrade MAAS to v3.3 Change-Id: If9e6ff377ec4d52c05194d353383090adaf40f61 
Signed-off-by: Anselme, Schubert (sa246v) --- .gitignore | 2 + .../3.3_allow_query.patch | 15 +++ .../3.3_ipmi_error.patch | 27 ++++++ .../3.3_nic_filter.patch | 13 +++ .../3.3_redfish_retries.patch | 12 +++ .../3.3_secure_headers.patch | 12 +++ images/maas-rack-controller-jammy/Dockerfile | 88 +++++++++++++++++ images/maas-rack-controller-jammy/README.md | 1 + .../scripts/journalctl-to-tty.service | 13 +++ .../scripts/register-rack-controller.service | 12 +++ .../3.3_allow_query.patch | 15 +++ .../3.3_bios_grub_partition.patch | 12 +++ .../3.3_configure_ipmi_user.patch | 52 ++++++++++ .../3.3_kernel_package.patch | 31 ++++++ .../3.3_partitiontable_does_not_exist.patch | 13 +++ .../3.3_proxy_acl.patch | 10 ++ .../3.3_regex_tags.patch | 24 +++++ .../3.3_route.patch | 17 ++++ .../3.3_secure_headers.patch | 12 +++ .../maas-region-controller-jammy/Dockerfile | 94 +++++++++++++++++++ images/maas-region-controller-jammy/README.md | 1 + .../journalctl-to-tty.service | 13 +++ 22 files changed, 489 insertions(+) create mode 100644 images/maas-rack-controller-jammy/3.3_allow_query.patch create mode 100644 images/maas-rack-controller-jammy/3.3_ipmi_error.patch create mode 100644 images/maas-rack-controller-jammy/3.3_nic_filter.patch create mode 100644 images/maas-rack-controller-jammy/3.3_redfish_retries.patch create mode 100644 images/maas-rack-controller-jammy/3.3_secure_headers.patch create mode 100644 images/maas-rack-controller-jammy/Dockerfile create mode 100644 images/maas-rack-controller-jammy/README.md create mode 100644 images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service create mode 100644 images/maas-rack-controller-jammy/scripts/register-rack-controller.service create mode 100644 images/maas-region-controller-jammy/3.3_allow_query.patch create mode 100644 images/maas-region-controller-jammy/3.3_bios_grub_partition.patch create mode 100644 images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch create mode 100644 
images/maas-region-controller-jammy/3.3_kernel_package.patch create mode 100644 images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch create mode 100644 images/maas-region-controller-jammy/3.3_proxy_acl.patch create mode 100644 images/maas-region-controller-jammy/3.3_regex_tags.patch create mode 100644 images/maas-region-controller-jammy/3.3_route.patch create mode 100644 images/maas-region-controller-jammy/3.3_secure_headers.patch create mode 100644 images/maas-region-controller-jammy/Dockerfile create mode 100644 images/maas-region-controller-jammy/README.md create mode 100644 images/maas-region-controller-jammy/journalctl-to-tty.service
diff --git a/.gitignore b/.gitignore
index 6ae6960..63d412f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 # Distribution / packaging
 build/
 *.tgz
+charts/deps/
+!charts/deps/.gitkeep
diff --git a/images/maas-rack-controller-jammy/3.3_allow_query.patch b/images/maas-rack-controller-jammy/3.3_allow_query.patch
new file mode 100644
index 0000000..60d0bef
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.3_allow_query.patch
@@ -0,0 +1,15 @@
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa..d198e90 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -13,8 +13,8 @@ empty-zones-enable no;
+ allow-query { any; };
+ {{endif}}
+ {{if not upstream_allow_recursion}}
+-allow-recursion { trusted; };
++allow-recursion { any; };
+ {{endif}}
+ {{if not upstream_allow_query_cache}}
+-allow-query-cache { trusted; };
++allow-query-cache { any; };
+ {{endif}}
diff --git a/images/maas-rack-controller-jammy/3.3_ipmi_error.patch b/images/maas-rack-controller-jammy/3.3_ipmi_error.patch
new file mode 100644
index 0000000..1f9eb74
--- /dev/null
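Review bot: Switching `allow-recursion` and `allow-query-cache` from `trusted` to `any` in images/maas-rack-controller-jammy/3.3_allow_query.patch makes the MAAS-managed BIND answer recursive and cached queries from every source address whenever the operator has not supplied their own options. If port 53 of the rack or region pod is reachable from outside the cluster networks, that is an open resolver and can be abused for DNS amplification. Prefer keeping `trusted` and adding the pod and node CIDRs to that ACL, or at least state next to the `COPY 3.3_allow_query.patch` line in the Dockerfile which network control limits who can reach the resolver. The identical patch added under images/maas-region-controller-jammy carries the same concern.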
+++ b/images/maas-rack-controller-jammy/3.3_ipmi_error.patch
@@ -0,0 +1,27 @@
+diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
+index 09f3295..c17213b 100644
+--- a/src/provisioningserver/drivers/power/ipmi.py
++++ b/src/provisioningserver/drivers/power/ipmi.py
+@@ -155,6 +155,13 @@ IPMI_ERRORS = {
+ ),
+ "exception": PowerConnError,
+ },
++ "BMC error": {
++ "message": (
++ "Device not responding correctly while performing power action."
++ " MAAS performed several retries. Please wait and try again."
++ ),
++ "exception": PowerConnError,
++ },
+ "could not find inband device": {
+ "message": (
+ "An inband device could not be found."
+@@ -310,7 +317,7 @@ class IPMIPowerDriver(PowerDriver):
+ ),
+ ]
+ ip_extractor = make_ip_extractor("power_address")
+- wait_time = (4, 8, 16, 32)
++ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
+
+ def detect_missing_packages(self):
+ if not shell.has_command_available("ipmipower"):
diff --git a/images/maas-rack-controller-jammy/3.3_nic_filter.patch b/images/maas-rack-controller-jammy/3.3_nic_filter.patch
new file mode 100644
index 0000000..bf61151
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.3_nic_filter.patch
@@ -0,0 +1,13 @@
+diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
+index 4ac6962..5381bc4 100644
+--- a/src/provisioningserver/utils/network.py
++++ b/src/provisioningserver/utils/network.py
+@@ -1134,6 +1134,8 @@ def get_all_interfaces_definition(
+ # interfaces for guests. By themselves, they're not useful for MAAS to
+ # manage.
+ "tunnel",
++ # Always exclude non-specific ethernet interfaces.
++ "ethernet",
+ ]
+ if not running_in_container():
+ # When not running in a container, we should be able to identify
diff --git a/images/maas-rack-controller-jammy/3.3_redfish_retries.patch b/images/maas-rack-controller-jammy/3.3_redfish_retries.patch
new file mode 100644
index 0000000..21cdf8c
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.3_redfish_retries.patch
@@ -0,0 +1,12 @@
+diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
+index f554a22..4ff0724 100644
+--- a/src/provisioningserver/drivers/power/redfish.py
++++ b/src/provisioningserver/drivers/power/redfish.py
+@@ -171,6 +171,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
+ make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
+ ]
+ ip_extractor = make_ip_extractor("power_address")
++ wait_time = (4, 8, 16, 32)
+
+ def detect_missing_packages(self):
+ # no required packages
diff --git a/images/maas-rack-controller-jammy/3.3_secure_headers.patch b/images/maas-rack-controller-jammy/3.3_secure_headers.patch
new file mode 100644
index 0000000..ca66adf
--- /dev/null
+++ b/images/maas-rack-controller-jammy/3.3_secure_headers.patch
@@ -0,0 +1,12 @@
+diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
+index d30156b..3a04ecb 100644
+--- a/src/twisted/web/server.py
++++ b/src/twisted/web/server.py
+@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
+ self.site = self.channel.site
+
+ # set various default headers
+- self.setHeader(b"server", version)
+ self.setHeader(b"date", http.datetimeToString())
+
+ # Resource Identification
diff --git a/images/maas-rack-controller-jammy/Dockerfile b/images/maas-rack-controller-jammy/Dockerfile
new file mode 100644
index 0000000..b7e584a
--- /dev/null
+++ b/images/maas-rack-controller-jammy/Dockerfile
@@ -0,0 +1,88 @@
+ARG FROM=ubuntu:22.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
+LABEL org.opencontainers.image.url='https://airshipit.org'
+LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
+LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
+LABEL org.opencontainers.image.vendor='The Airship Authors'
+LABEL org.opencontainers.image.licenses='Apache-2.0'
+
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV container docker
+
+ENV MAAS_VERSION 1:3.3.4-13189-g.f88272d1e-0ubuntu1~22.04.1
+
+# Remove systemd-timesyncd, which conflicts with chrony
+RUN apt-get remove -y --purge systemd-timesyncd
+
+RUN apt-get -qq update \
+ && apt-get install -y \
+ avahi-daemon \
+ isc-dhcp-server \
+ jq \
+ libvirt-clients \
+ libvirt-daemon-system\
+ patch \
+ software-properties-common \
+ sudo \
+ systemd \
+ ca-certificates \
+# Don't start any optional services except for the few we need.
+# (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
+ && find /etc/systemd/system \
+ /lib/systemd/system \
+ -path '*.wants/*' \
+ -not -name '*journald*' \
+ -not -name '*systemd-tmpfiles*' \
+ -not -name '*systemd-user-sessions*' \
+ -exec rm \{} \; \
+ && systemctl set-default multi-user.target \
+# Install maas from the ppa
+ && add-apt-repository -yu ppa:maas/3.3 \
+ && apt-get install -y \
+ maas-rack-controller=$MAAS_VERSION \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preserve the directory structure, permissions, and contents of /var/lib/maas
+RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
+
+# register ourselves with the region controller
+COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-controller.service
+RUN systemctl enable register-rack-controller.service
+
+# Patch so that Calico interfaces are ignored
+COPY 3.3_nic_filter.patch /tmp/3.3_nic_filter.patch
+COPY 3.3_secure_headers.patch /tmp/3.3_secure_headers.patch
+# Patch so maas knows that "BMC error" is retriable
+COPY 3.3_ipmi_error.patch /tmp/3.3_ipmi_error.patch
+# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
+COPY 3.3_redfish_retries.patch /tmp/3.3_redfish_retries.patch
+# Patch to allow any recursion and cache queries
+COPY 3.3_allow_query.patch /tmp/3.3_allow_query.patch
+
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.3_nic_filter.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.3_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.3_ipmi_error.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.3_redfish_retries.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.3_allow_query.patch
+
+# echo journalctl logs to the container's stdout
+COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN systemctl enable journalctl-to-tty.service
+
+# quiet sudo for the maas user
+RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
+
+# avoid triggering bind9 high cpu utilization bug
+RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf
+
+# initalize systemd
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-rack-controller-jammy/README.md b/images/maas-rack-controller-jammy/README.md
new file mode 100644
index 0000000..0a11659
--- /dev/null
+++ b/images/maas-rack-controller-jammy/README.md
@@ -0,0 +1 @@
+[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-rack) Ubuntu MaaS Rack Controller
diff --git a/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-rack-controller-jammy/scripts/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target
diff --git a/images/maas-rack-controller-jammy/scripts/register-rack-controller.service b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service
new file mode 100644
index 0000000..fb439d3
--- /dev/null
+++ b/images/maas-rack-controller-jammy/scripts/register-rack-controller.service
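Review bot: The `Defaults:maas !pam_session, !syslog` line written to /etc/sudoers.d/99-maas-no-log near the end of images/maas-rack-controller-jammy/Dockerfile turns off syslog recording of every sudo command the maas user runs, which removes the audit trail for the privileged operations MAAS performs. If the goal is only to cut PAM session noise, `Defaults:maas !pam_session` alone does that; if log volume is the problem, the sudoers `logfile=` setting keeps a record somewhere other than syslog. A comment on that RUN line stating why logging is disabled would help the next reviewer. The region controller Dockerfile added in this commit has the same line.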
@@ -0,0 +1,12 @@
+[Unit]
+Description=Register with MaaS Region Controller
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+PassEnvironment=MAAS_ENDPOINT MAAS_REGION_SECRET MAAS_API_KEY HOST_MOUNT_PATH
+ExecStart=/usr/local/bin/register-rack-controller.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/images/maas-region-controller-jammy/3.3_allow_query.patch b/images/maas-region-controller-jammy/3.3_allow_query.patch
new file mode 100644
index 0000000..60d0bef
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_allow_query.patch
@@ -0,0 +1,15 @@
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa..d198e90 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -13,8 +13,8 @@ empty-zones-enable no;
+ allow-query { any; };
+ {{endif}}
+ {{if not upstream_allow_recursion}}
+-allow-recursion { trusted; };
++allow-recursion { any; };
+ {{endif}}
+ {{if not upstream_allow_query_cache}}
+-allow-query-cache { trusted; };
++allow-query-cache { any; };
+ {{endif}}
diff --git a/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch b/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch
new file mode 100644
index 0000000..2e79cd0
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_bios_grub_partition.patch
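Review bot: `ExecStart=/usr/local/bin/register-rack-controller.sh` in scripts/register-rack-controller.service points at a script that this commit neither adds (the diffstat lists only the two .service files under scripts/) nor copies in the rack Dockerfile, so unless something mounts it at runtime the oneshot unit will fail at boot. Add a comment in the unit saying where the script comes from, for example `# register-rack-controller.sh is mounted by <chart or configmap name>`. Because `PassEnvironment=` forwards MAAS_REGION_SECRET and MAAS_API_KEY into that script, it is also worth confirming the script never echoes its environment, since journalctl-to-tty.service streams the journal to the container's stdout.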
@@ -0,0 +1,12 @@
+diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
+index 84a8fba..c62f25f 100644
+--- a/src/maasserver/models/partition.py
++++ b/src/maasserver/models/partition.py
+@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
+ arch == "amd64"
+ and bios_boot_method != "uefi"
+ and block_device.type == "physical"
++ and block_device.id == boot_disk.id
+ )
+ if need_prep_partition or need_bios_grub:
+ index = 2
diff --git a/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch b/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch
new file mode 100644
index 0000000..68b8e9f
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_configure_ipmi_user.patch
@@ -0,0 +1,52 @@
+diff --git a/usr/lib/python3/dist-packages//metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/bmc_config.py
+index 02e900d..ffee0f6 100755
+--- a/usr/lib/python3/dist-packages//metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
++++ b/bmc_config.py
+@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig):
+ return first_unused
+
+ def add_bmc_user(self):
++ """Create/configure an IPMI user, but with several tries"""
++ attempt = 1
++ max_attempts = 5
++ backoff_amount = 30
++ exceptions_caught = []
++ while attempt <= max_attempts:
++ print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
++ try:
++ self._add_bmc_user()
++ except Exception as e:
++ exceptions_caught.append(e)
++ if (attempt + 1) > max_attempts:
++ # This is our last attempt, exiting
++ print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
++ sys.exit(1)
++
++ if self.password is None:
++ time.sleep(attempt * backoff_amount)
++ else:
++ return
++ attempt += 1
++
++ def _add_bmc_user(self):
+ if not self.username:
+ self.username = "maas"
+ user_number = self._pick_user_number(self.username)
+@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig):
+ if self._bmc_config[user_number].get(key) != value:
+ self._bmc_set(user_number, key, value)
+ except Exception:
+- pass
++ raise
+ else:
+ self.password = password
+ # Not all user settings are available on all BMC keys, its
+@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig):
+ "Yes",
+ )
+ return
+- print("ERROR: Unable to add BMC user!", file=sys.stderr)
+- sys.exit(1)
+
+ def _bmc_get_config(self, section=None):
+ """Fetch and cache all BMC settings."""
diff --git a/images/maas-region-controller-jammy/3.3_kernel_package.patch b/images/maas-region-controller-jammy/3.3_kernel_package.patch
new file mode 100644
index 0000000..c89549a
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_kernel_package.patch
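Review bot: In the new `add_bmc_user` wrapper of 3.3_configure_ipmi_user.patch, success is judged by `self.password` being set rather than by `_add_bmc_user()` returning cleanly, so (as far as the flattened indentation can be read) a caught exception on a non-final attempt still reaches `else: return` if a password was already present before the call, and the failure is reported as success. The `except Exception: raise` in the second inner hunk is a no-op handler, and if the enclosing code outside the hunk iterates over password candidates, raising there means a later candidate is never tried within one attempt. The final error print formats the raw exception objects; if those carry the command line used to set the password, the generated BMC credential lands in the commissioning output, so confirm what `_bmc_set` raises. A wrapper that returns only on a clean call is sketched below; `_add_bmc_user` continues outside the hunk.

```python
def add_bmc_user(self):
    """Create/configure an IPMI user, but with several tries"""
    max_attempts = 5
    backoff_amount = 30
    exceptions_caught = []
    for attempt in range(1, max_attempts + 1):
        print("INFO: Attempt to add IPMI BMC user - %s" % attempt)
        try:
            self._add_bmc_user()
        except Exception as e:
            exceptions_caught.append(e)
        else:
            # Only a call that raised nothing counts as success.
            return
        if attempt < max_attempts:
            time.sleep(attempt * backoff_amount)
    print("ERROR: Unable to add BMC user!\n{}".format(exceptions_caught), file=sys.stderr)
    sys.exit(1)

# … unchanged: _add_bmc_user body …
```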
@@ -0,0 +1,31 @@
+diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
+index c692969..b92b6d5 100644
+--- a/src/maasserver/preseed.py
++++ b/src/maasserver/preseed.py
+@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node):
+ if node.get_osystem() == "custom":
+ return []
+
++ # previous logic to retrieve kpackage parameter
+ kpackage = BootResource.objects.get_kpackage_for_node(node)
++
++ # determine if this node has kernel parameters applied by drydock
++ # and override kpackage if we discover the right properties
++ kernel_opt_tag = "%s_kp" % (node.hostname)
++ if kernel_opt_tag in node.tag_names():
++
++ # the tag exists, retrieve it
++ kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts
++
++ # parse the string and find our package param value
++ # e.g. kernel_package=linux-image-4.15.0-34-generic
++ kparams = kernel_opts.split()
++ kdict = dict(
++ kparam.split("=", 1) for kparam in kparams if "=" in kparam
++ )
++ if "kernel_package" in kdict:
++ kpackage = kdict["kernel_package"]
++
+ if kpackage:
+ kernel_config = {"kernel": {"package": kpackage, "mapping": {}}}
+ return [yaml.safe_dump(kernel_config)]
diff --git a/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch b/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch
new file mode 100644
index 0000000..8346799
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_partitiontable_does_not_exist.patch
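Review bot: In 3.3_kernel_package.patch, `node.tags.get(name=kernel_opt_tag).kernel_opts` is split without checking for an empty value, so a `<hostname>_kp` tag that has no kernel options would raise AttributeError on `.split()` if the field can be None (the model is outside this hunk), and preseed generation for that node would fail. `kernel_opts = node.tags.get(name=kernel_opt_tag).kernel_opts or ""` avoids that. The `kernel_package` value then goes into the curtin kernel config without any validation, so whoever can create or edit that tag chooses the kernel package installed on the node; a comment stating that tag edit rights are the trust boundary here would make that explicit.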
@@ -0,0 +1,13 @@
+diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
+index 4302d8d..f0e51c8 100644
+--- a/src/maasserver/api/partitions.py
++++ b/src/maasserver/api/partitions.py
+@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):
+ device = BlockDevice.objects.get_block_device_or_404(
+ system_id, device_id, request.user, NodePermission.view
+ )
+- partition_table = device.partitiontable_set.get()
++ partition_table = device.get_partitiontable()
+ if partition_table is None:
+ return []
+ else:
diff --git a/images/maas-region-controller-jammy/3.3_proxy_acl.patch b/images/maas-region-controller-jammy/3.3_proxy_acl.patch
new file mode 100644
index 0000000..0de535e
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_proxy_acl.patch
@@ -0,0 +1,10 @@
+18,24c18
+< http_access allow maas_proxy_manager localhost
+< http_access deny maas_proxy_manager
+< http_access deny !Safe_ports
+< http_access deny CONNECT !SSL_ports
+< http_access allow localnet
+< http_access allow localhost
+< http_access deny all
+---
+> http_access allow all
diff --git a/images/maas-region-controller-jammy/3.3_regex_tags.patch b/images/maas-region-controller-jammy/3.3_regex_tags.patch
new file mode 100644
index 0000000..14bf164
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_regex_tags.patch
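Review bot: Replacing the whole `http_access` block with `http_access allow all` in 3.3_proxy_acl.patch removes the `deny !Safe_ports` and `deny CONNECT !SSL_ports` rules along with the source restrictions, so the MAAS proxy will relay any method to any port for every client that can reach it. The Dockerfile comment says the goal is to work behind ingress, which only needs the source check relaxed: keep `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` ahead of the allow rule, and preferably allow a named ACL covering the ingress and pod CIDRs instead of `all`. The patch is also a normal-format diff keyed to lines 18-24 of the template, so it depends on the exact layout shipped by this MAAS version.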
@@ -0,0 +1,24 @@
+diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
+index 2cbaa9d..bb83b4b 100644
+--- a/src/maasserver/models/ownerdata.py
++++ b/src/maasserver/models/ownerdata.py
+@@ -17,7 +17,7 @@ from django.db.models import (
+
+ from maasserver.models.cleansave import CleanSave
+
+-DATA_KEY_RE = re.compile(r"[\w.-]+$")
++#DATA_KEY_RE = re.compile(r"[\w.-]+$")
+
+
+ class OwnerDataManager(Manager):
+@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
+ if value is None:
+ to_remove.add(key)
+ else:
+- if not DATA_KEY_RE.match(key):
+- raise ValueError("Invalid character in key name")
++ # if not DATA_KEY_RE.match(key):
++ # raise ValueError("Invalid character in key name")
+
+ self.update_or_create(
+ node=node, key=key, defaults={"value": value}
diff --git a/images/maas-region-controller-jammy/3.3_route.patch b/images/maas-region-controller-jammy/3.3_route.patch
new file mode 100644
index 0000000..bd8a633
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_route.patch
@@ -0,0 +1,17 @@
+diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
+index 03073f7..c17444a 100644
+--- a/src/maasserver/preseed_network.py
++++ b/src/maasserver/preseed_network.py
+@@ -309,7 +309,11 @@ class InterfaceConfiguration:
+
+ def _get_matching_routes(self, source):
+ """Return all route objects matching `source`."""
+- return {route for route in self.routes if route.source == source}
++ return {
++ route
++ for route in self.routes
++ if str(route.source.cidr) == str(source.cidr)
++ }
+
+ def _generate_addresses(self, version=1):
+ """Generate the various addresses needed for this interface."""
diff --git a/images/maas-region-controller-jammy/3.3_secure_headers.patch b/images/maas-region-controller-jammy/3.3_secure_headers.patch
new file mode 100644
index 0000000..ca66adf
--- /dev/null
+++ b/images/maas-region-controller-jammy/3.3_secure_headers.patch
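Review bot: Commenting out `DATA_KEY_RE` and its check in 3.3_regex_tags.patch removes all validation of owner-data keys, while the Dockerfile comment for this patch says the aim is only to allow '/' in names. Widening the pattern keeps the guard: `DATA_KEY_RE = re.compile(r"[\w./-]+$")`, with the original `if not DATA_KEY_RE.match(key):` and its `raise ValueError(...)` left in place. As written, keys containing any character, including whitespace and control characters, are accepted and stored, and the patch leaves commented-out code behind in the installed module.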
@@ -0,0 +1,12 @@
+diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
+index d30156b..3a04ecb 100644
+--- a/src/twisted/web/server.py
++++ b/src/twisted/web/server.py
+@@ -206,7 +206,6 @@ class Request(Copyable, http.Request, components.Componentized):
+ self.site = self.channel.site
+
+ # set various default headers
+- self.setHeader(b"server", version)
+ self.setHeader(b"date", http.datetimeToString())
+
+ # Resource Identification
diff --git a/images/maas-region-controller-jammy/Dockerfile b/images/maas-region-controller-jammy/Dockerfile
new file mode 100644
index 0000000..0b47d9a
--- /dev/null
+++ b/images/maas-region-controller-jammy/Dockerfile
@@ -0,0 +1,94 @@
+ARG FROM=ubuntu:22.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode'
+LABEL org.opencontainers.image.url='https://airshipit.org'
+LABEL org.opencontainers.image.documentation='https://github.com/openstack/airship-maas'
+LABEL org.opencontainers.image.source='https://git.openstack.org/openstack/airship-maas'
+LABEL org.opencontainers.image.vendor='The Airship Authors'
+LABEL org.opencontainers.image.licenses='Apache-2.0'
+
+ARG HTTP_PROXY
+ARG HTTPS_PROXY
+ARG NO_PROXY
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV container docker
+
+ENV MAAS_VERSION 1:3.3.4-13189-g.f88272d1e-0ubuntu1~22.04.1
+
+# Remove systemd-timesyncd, which conflicts with chrony
+RUN apt-get remove -y --purge systemd-timesyncd
+
+RUN apt-get -qq update \
+ && apt-get install -y \
+ avahi-daemon \
+ jq \
+ patch \
+ software-properties-common \
+ sudo \
+ systemd \
+ cron \
+ ca-certificates \
+# Don't start any optional services except for the few we need.
+# (specifically, don't start avahi-daemon)
+ && find /etc/systemd/system \
+ /lib/systemd/system \
+ -path '*.wants/*' \
+ -not -name '*journald*' \
+ -not -name '*systemd-tmpfiles*' \
+ -not -name '*systemd-user-sessions*' \
+ -exec rm \{} \; \
+ && systemctl set-default multi-user.target \
+# Install maas from the ppa
+ && add-apt-repository -yu ppa:maas/3.3 \
+ && apt-get install -y \
+ maas-region-api=$MAAS_VERSION \
+ # tcpdump is required by /usr/lib/maas/beacon-monitor
+ tcpdump \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preserve the directory structure, permissions, and contents of /var/lib/maas
+RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
+
+# MAAS workarounds
+COPY 3.3_route.patch /tmp/3.3_route.patch
+COPY 3.3_kernel_package.patch /tmp/3.3_kernel_package.patch
+COPY 3.3_bios_grub_partition.patch /tmp/3.3_bios_grub_partition.patch
+# sh8121att: allow all requests via the proxy to allow it to work
+# behind ingress
+COPY 3.3_proxy_acl.patch /tmp/3.3_proxy_acl.patch
+# Patch to add retrying to MaaS BMC user setup, and improve exception handling
+COPY 3.3_configure_ipmi_user.patch /tmp/3.3_configure_ipmi_user.patch
+COPY 3.3_secure_headers.patch /tmp/3.3_secure_headers.patch
+COPY 3.3_partitiontable_does_not_exist.patch /tmp/3.3_partitiontable_does_not_exist.patch
+# Allow tags with '/' symbols
+COPY 3.3_regex_tags.patch /tmp/3.3_regex_tags.patch
+# Patch to allow any recursion and cache queries
+COPY 3.3_allow_query.patch /tmp/3.3_allow_query.patch
+
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.3_route.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.3_kernel_package.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.3_bios_grub_partition.patch
+RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.3_configure_ipmi_user.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.3_proxy_acl.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.3_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.3_partitiontable_does_not_exist.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.3_regex_tags.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.3_allow_query.patch
+
+# echo journalctl logs to the container's stdout
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN systemctl enable journalctl-to-tty.service
+
+# quiet sudo for the maas user
+RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
+
+# avoid triggering bind9 high cpu utilization bug
+RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf
+
+# initalize systemd
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-region-controller-jammy/README.md b/images/maas-region-controller-jammy/README.md
new file mode 100644
index 0000000..cd33b83
--- /dev/null
+++ b/images/maas-region-controller-jammy/README.md
@@ -0,0 +1 @@
+[![Docker Repository on Quay](https://quay.io/repository/airshipit/maas-rack/status "Docker Repository on Quay")](https://quay.io/repository/airshipit/maas-region) Ubuntu MaaS Region Controller
diff --git a/images/maas-region-controller-jammy/journalctl-to-tty.service b/images/maas-region-controller-jammy/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-region-controller-jammy/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target