From 07fda3b39548d0199e762586bb1bd0174dc538f0 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 5 Jul 2017 00:18:51 +0530
Subject: [PATCH 1/3] CLOUDSTACK-9983: Hide credentials in listClusters response

This removes username and passwords details from the listClusters response. The details are usually seen in VMware environments only. With dynamic roles features, the listClusters API may be provided to a read-only root-admin user role/type which should not be able to get the credentials.

Signed-off-by: Rohit Yadav
---
 .../apache/cloudstack/api/response/ClusterResponse.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/src/org/apache/cloudstack/api/response/ClusterResponse.java b/api/src/org/apache/cloudstack/api/response/ClusterResponse.java
index 754baa26776..d6ae70fd7a7 100644
--- a/api/src/org/apache/cloudstack/api/response/ClusterResponse.java
+++ b/api/src/org/apache/cloudstack/api/response/ClusterResponse.java
@@ -208,6 +208,12 @@ public class ClusterResponse extends BaseResponse {
         if (details == null) {
             return;
         }
-        this.resourceDetails = new HashMap<>(details);
+        resourceDetails = new HashMap<>(details);
+        if (resourceDetails.containsKey("username")) {
+            resourceDetails.remove("username");
+        }
+        if (resourceDetails.containsKey("password")) {
+            resourceDetails.remove("password");
+        }
     }
 }

From aa8a721c393347b2624184d6ed04e1ede7ed38a6 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Fri, 7 Apr 2017 17:14:18 +0530
Subject: [PATCH 2/3] CLOUDSTACK-9838: Allow ingress traffic between guest VMs via snat IPs

This enables the firewall/mangle tables rules to ACCEPT instead of RETURN, which is the same behaviour as observed in ACS 4.5. By accepting the traffic, guest VMs will be able to communicate tcp traffic between each other over snat public IPs.
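Review bot: The two `containsKey` guards on the added lines are redundant, since `Map.remove` is a no-op for an absent key, so the filtering reduces to `resourceDetails.remove("username");` and `resourceDetails.remove("password");`. The intent deserves a comment on the new block, e.g. `// Strip hypervisor credentials from the copy so listClusters never returns them, including to read-only admin roles`. The match is exact-case on two fixed keys; whether credentials are ever stored under other key names or casing cannot be told from this hunk, so the filter should be checked against the code that populates the details. The enclosing setter starts outside the hunk.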
Signed-off-by: Rohit Yadav
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py | 2 +-
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index bdcfec9ade8..82244e43c6b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -140,7 +140,7 @@ class CsAcl(CsDataBag):
                                 " -s %s " % cidr +
                                 " -p %s " % rule['protocol'] +
                                 " -m %s " % rule['protocol'] +
-                                " %s -j RETURN" % rnge])
+                                " %s -j %s" % (rnge, self.rule['action'])])
 
             logging.debug("Current ACL IP direction is ==> %s", self.direction)
             if self.direction == 'egress':
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index a16fd071613..4eac3483a97 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -380,7 +380,7 @@ class CsIP:
             self.fw.append(["mangle", "",
                             "-A FIREWALL_%s DROP" % self.address['public_ip']])
             self.fw.append(["mangle", "",
-                            "-A VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
+                            "-I VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
             self.fw.append(["mangle", "",
                             "-A VPN_%s -j RETURN" % self.address['public_ip']])
             self.fw.append(["nat", "",
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
index 927c2ae0d74..56096c86466 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
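Review bot: `self.rule['action']` is interpolated unchecked into the iptables argument string on the added line, while the context lines of the same rule read `rule['protocol']`; whether `rule` and `self.rule` are the same object cannot be told from the hunk, since the enclosing method starts outside it. Because the value becomes the `-j` target, it should be restricted to the targets this code means to emit before the string is built, e.g. `if self.rule['action'] not in ('ACCEPT', 'DROP', 'RETURN'):` / `raise ValueError("unexpected ACL action %s" % self.rule['action'])`. A short comment on why the fixed RETURN became configurable (the 4.5 behaviour the commit message mentions) would also help the next reader.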
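Review bot: Switching `-A` to `-I` puts the RELATED,ESTABLISHED accept at the head of the VPN_<ip> chain, but nothing in the hunk records that ordering requirement; a comment such as `# -I, not -A: established VPN flows must be accepted before the trailing RETURN in this chain` would keep a later edit from reverting it. If this list is re-applied onto a chain that already holds the rule (the apply logic is outside the hunk), `-I` prepends a duplicate on each run unless the caller deduplicates, which is worth confirming. Separately, the context line `"-A FIREWALL_%s DROP"` has no `-j` before DROP; if it reaches iptables verbatim it is rejected, though that predates this change.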
@@ -63,7 +63,7 @@ class CsRoute:
         table = self.get_tablename(dev)
         logging.info("Adding route: dev " + dev + " table: " + table + " network: " + address + " if not present")
-        cmd = "dev %s table %s %s" % (dev, table, address)
+        cmd = "dev %s table %s throw %s proto static" % (dev, table, address)
         self.set_route(cmd)
 
     def set_route(self, cmd, method="add"):

From 449ff979bd06a0aedabbcbe4daea086b69650d3c Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 24 May 2017 13:58:29 +0530
Subject: [PATCH 3/3] packaging: Improve post-upgrade processing

$1 is "2" during package upgrade in %post section, this fixes the handling of $1 as per https://fedoraproject.org/wiki/Packaging:Scriptlets

This improves handling of $1 during %post upgrade step. Some of the command/code are idempotent such as enabling and starting a service and can be run without any $1 checks.

Signed-off-by: Rohit Yadav
---
 packaging/centos63/cloud.spec | 23 +++++++++++------------
 packaging/centos7/cloud.spec | 18 ++++++++----------
 2 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/packaging/centos63/cloud.spec b/packaging/centos63/cloud.spec
index 87a60c39134..729747ca186 100644
--- a/packaging/centos63/cloud.spec
+++ b/packaging/centos63/cloud.spec
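Review bot: The changed line turns the entry into a `throw` route tagged `proto static` without saying why, and the log line above it still describes a plain route; add a comment such as `# throw: end the lookup in this per-device table and fall through to the next policy-routing rule; proto static marks the route as installed by us rather than by the kernel`. The log text "if not present" is not backed by any check in this hunk; presumably `set_route` handles that, which is worth confirming since its body is outside the hunk. If `set_route` hands `cmd` to a shell, `dev` and `address` should be validated before being interpolated into the command string.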
@@ -434,10 +434,8 @@ if [ "$1" == "2" ] ; then
 fi
 
 %post management
-if [ "$1" == "1" ] ; then
-    /sbin/chkconfig --add cloudstack-management > /dev/null 2>&1 || true
-    /sbin/chkconfig --level 345 cloudstack-management on > /dev/null 2>&1 || true
-fi
+/sbin/chkconfig --add cloudstack-management > /dev/null 2>&1 || true
+/sbin/chkconfig --level 345 cloudstack-management on > /dev/null 2>&1 || true
 
 grep -s -q "db.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
 grep -s -q "db.usage.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.usage.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
@@ -522,18 +520,19 @@ if [ -d "%{_sysconfdir}/cloud" ] ; then
 fi
 
 %post agent
-if [ "$1" == "1" ] ; then
+if [ "$1" == "2" ] ; then
     echo "Running %{_bindir}/%{name}-agent-upgrade to update bridge name for upgrade from CloudStack 4.0.x (and before) to CloudStack 4.1 (and later)"
     %{_bindir}/%{name}-agent-upgrade
-    if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
-        mkdir %{_sysconfdir}/libvirt/hooks
-    fi
-    cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
-    /sbin/service libvirtd restart
-    /sbin/chkconfig --add cloudstack-agent > /dev/null 2>&1 || true
-    /sbin/chkconfig --level 345 cloudstack-agent on > /dev/null 2>&1 || true
 fi
+if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
+    mkdir %{_sysconfdir}/libvirt/hooks
+fi
+cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
+/sbin/service libvirtd restart
+/sbin/chkconfig --add cloudstack-agent > /dev/null 2>&1 || true
+/sbin/chkconfig --level 345 cloudstack-agent on > /dev/null 2>&1 || true
+
 
 # if saved configs from upgrade exist, copy them over
 if [ -f "%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
     mv %{_sysconfdir}/%{name}/agent/agent.properties %{_sysconfdir}/%{name}/agent/agent.properties.rpmnew
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
index 74f60e7fa45..14f5742cbc6 100644
--- a/packaging/centos7/cloud.spec
+++ b/packaging/centos7/cloud.spec
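Review bot: The added `cp -a ${RPM_BUILD_ROOT}%{_datadir}/...` line now runs on every install and upgrade, yet `RPM_BUILD_ROOT` is a build-time variable that is unset inside `%post`, so the source path only works because it expands to empty; it should read `cp -a %{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu`. `/sbin/service libvirtd restart` likewise moves out of the first-install branch and now fires on upgrades too, which the commit message does not discuss; whether restarting libvirtd with guests running is acceptable here cannot be told from the hunk. For the upgrade test, the scriptlet conventions the commit cites make `$1` a package count rather than a fixed value, so `if [ "$1" -ge 2 ] ; then` is the robust form of the changed line. The centos7 `%post agent` hunk has the same three points.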
@@ -392,9 +392,7 @@ if [ "$1" == "2" ] ; then
 fi
 
 %post management
-if [ "$1" == "1" ] ; then
-    /usr/bin/systemctl on cloudstack-management > /dev/null 2>&1 || true
-fi
+/usr/bin/systemctl on cloudstack-management > /dev/null 2>&1 || true
 
 grep -s -q "db.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
 grep -s -q "db.usage.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.usage.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
@@ -424,16 +422,16 @@ if [ -d "%{_sysconfdir}/cloud" ] ; then
 fi
 
 %post agent
-if [ "$1" == "1" ] ; then
+if [ "$1" == "2" ] ; then
     echo "Running %{_bindir}/%{name}-agent-upgrade to update bridge name for upgrade from CloudStack 4.0.x (and before) to CloudStack 4.1 (and later)"
     %{_bindir}/%{name}-agent-upgrade
-    if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
-        mkdir %{_sysconfdir}/libvirt/hooks
-    fi
-    cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
-    /sbin/service libvirtd restart
-    /sbin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true
 fi
+if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
+    mkdir %{_sysconfdir}/libvirt/hooks
+fi
+cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
+/sbin/service libvirtd restart
+/sbin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true
 
 # if saved configs from upgrade exist, copy them over
 if [ -f "%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
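Review bot: The added line `/usr/bin/systemctl on cloudstack-management` uses `on`, which is not a systemctl verb, and the trailing `|| true` hides the error, so this scriptlet never enables the management service; it should read `/usr/bin/systemctl enable cloudstack-management > /dev/null 2>&1 || true`. The `%post agent` hunk further down in the same file uses `/sbin/systemctl enable`; one invocation path should be used in both places, and since systemctl lives in /usr/bin on CentOS 7 the `/sbin/systemctl` form is likely not present, so `/usr/bin/systemctl` is the safer choice for both.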