Comment 9 for bug 2025978

Hmm, it was fairly straightforward to reproduce on a clean environment.

- MAAS provider (192.168.151.0/24 is the network managed by MAAS and 192.168.151.1 is MAAS)
- Juju 2.9.43-ubuntu-amd64
- landscape-dense-maas bundle from the charmstore

cat <<EOF | tee cloudinit-userdata.yaml
apt-http-proxy: http://192.168.151.1:8000/
apt-https-proxy: http://192.168.151.1:8000/
juju-http-proxy: http://192.168.151.1:8000/
juju-https-proxy: http://192.168.151.1:8000/
juju-no-proxy: 127.0.0.1,localhost,::1,192.168.151.0/24
snap-http-proxy: http://192.168.151.1:8000/
snap-https-proxy: http://192.168.151.1:8000/

cloudinit-userdata: |
  preruncmd:
  - ufw default allow # don't block anything by default
  - ufw reject out http # block outgoing 80/tcp connection without proxy
  - ufw reject out https # block outgoing 443/tcp connection without proxy
  - ufw enable
EOF

juju add-model landscape-test --config cloudinit-userdata.yaml

juju deploy landscape-dense-maas && time juju-wait -w

-> ERROR:root:landscape-server/0 failed: workload status is error

[juju debug-log -i landscape-server/0 --replay]
unit-landscape-server-0: 11:03:00 DEBUG unit.landscape-server/0.install Cannot add PPA: 'ppa:~landscape/ubuntu/self-hosted-beta'.
unit-landscape-server-0: 11:03:00 DEBUG unit.landscape-server/0.install ERROR: '~landscape' user or team does not exist.

$ juju ssh landscape-server/0 -- sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip

To Action From
-- ------ ----
80/tcp REJECT OUT Anywhere
443/tcp REJECT OUT Anywhere
80/tcp (v6) REJECT OUT Anywhere (v6)
443/tcp (v6) REJECT OUT Anywhere (v6)