Merge release branch 4.18 to main

* 4.18: SSVM: 'allow from' private IP in other SSVMs if the public IP is in allowed internal sites cidrs (#7288) eof added to StorPoolStatsCollector (#7754)
2025-10-26 08:42:29 +01:00 · 2023-07-20 13:41:20 +02:00 · 2023-07-20 13:41:20 +02:00 · afec876951
commit afec876951
parent 729e6d1446 56d98ea2e7
4 changed files with 32 additions and 12 deletions
--- a/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
+++ b/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
@ -27,12 +27,10 @@ public final class TemplateConstants {
    public static final String DEFAULT_SYSTEM_VM_TEMPLATE_PATH = "template/tmpl/1/";
    public static final String DEFAULT_SYSTEM_VM_TMPLT_NAME = "routing";
    public static final int DEFAULT_TMPLT_COPY_PORT = 80;
    public static final String DEFAULT_TMPLT_COPY_INTF = "eth2";
    public static final String TMPLT_COPY_INTF_PRIVATE = "eth1";
    public static final String DEFAULT_SSL_CERT_DOMAIN = "realhostip.com";
    public static final String DEFAULT_HTTP_AUTH_USER = "cloud";
 }
--- a/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java
+++ b/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java
@ -185,4 +185,4 @@ public class StorPoolStatsCollector extends ManagerBase {
            }
        }
    }
-}
+}
--- a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
+++ b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
@ -361,13 +361,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
        SecStorageVMSetupCommand setupCmd = new SecStorageVMSetupCommand();
        if (_allowedInternalSites != null) {
-            List<String> allowedCidrs = new ArrayList<>();
+            List<String> allowedCidrs = getAllowedInternalSiteCidrs();
            String[] cidrs = _allowedInternalSites.split(",");
            for (String cidr : cidrs) {
                if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
                    allowedCidrs.add(cidr);
                }
            }
            setupCmd.setAllowedInternalSites(allowedCidrs.toArray(new String[allowedCidrs.size()]));
        }
        String copyPasswd = _configDao.getValue("secstorage.copy.password");
@ -388,6 +382,20 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
        }
    }
    private List<String> getAllowedInternalSiteCidrs() {
        List<String> allowedCidrs = new ArrayList<>();
        if (_allowedInternalSites == null) {
            return allowedCidrs;
        }
        String[] cidrs = _allowedInternalSites.split(",");
        for (String cidr : cidrs) {
            if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
                allowedCidrs.add(cidr);
            }
        }
        return allowedCidrs;
    }
    @Override
    public Pair<HostVO, SecondaryStorageVmVO> assignSecStorageVm(long zoneId, Command cmd) {
        return null;
@ -412,6 +420,9 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
        SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
        thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
        List<String> allowedCidrs = getAllowedInternalSiteCidrs();
        addPortConfigForPrivateIpToCommand(thiscpc, allowedCidrs, thisSecStorageVm.getPrivateIpAddress(), thisSecStorageVm.getPublicIpAddress(), copyPort);
        QueryBuilder<HostVO> sc = QueryBuilder.create(HostVO.class);
        sc.and(sc.entity().getType(), Op.EQ, Host.Type.SecondaryStorageVM);
        sc.and(sc.entity().getStatus(), Op.IN, Status.Up, Status.Connecting);
@ -441,6 +452,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
                continue;
            }
            allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
            addPortConfigForPrivateIpToCommand(allSSVMIpList, allowedCidrs, ssvm.getPrivateIpAddress(), ssvm.getPublicIpAddress(), copyPort);
        }
        hostName = thisSecStorageVm.getHostName();
@ -461,6 +473,16 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
    }
    private void addPortConfigForPrivateIpToCommand(SecStorageFirewallCfgCommand command, List<String> allowedCidrs,
                                                    String privateIpAddress, String publicIpAddress, String copyPort) {
        for (String allowCidr : allowedCidrs) {
            if (NetUtils.isIpWithInCidrRange(publicIpAddress, allowCidr)) {
                command.addPortConfig(privateIpAddress, copyPort, true, TemplateConstants.TMPLT_COPY_INTF_PRIVATE);
                break;
            }
        }
    }
    protected boolean isSecondaryStorageVmRequired(long dcId) {
        DataCenterVO dc = _dcDao.findById(dcId);
        _dcDao.loadDetails(dc);
--- a/systemvm/agent/scripts/ipfirewall.sh
+++ b/systemvm/agent/scripts/ipfirewall.sh
@ -32,7 +32,7 @@ config_htaccess() {
 }
 ips(){
-  echo "allow from $1" >> $HTACCESS
+  grep -e "^allow from $1$" $HTACCESS || echo "allow from $1" >> $HTACCESS
  result=$?
  return $result
 }