929 Commits

Author SHA1 Message Date
Rohit Yadav
212e5ccfa7 CLOUDSTACK-9782: Host HA and KVM HA provider
Host-HA offers investigation, fencing and recovery mechanisms for host that for
any reason are malfunctioning. It uses Activity and Health checks to determine
current host state based on which it may degrade a host or try to recover it. On
failing to recover it, it may try to fence the host.

The core feature is implemented in a hypervisor agnostic way, with two separate
implementations of the driver/provider for Simulator and KVM hypervisors. The
framework also allows for implementation of other hypervisor specific provider
implementation in future.

The Host-HA provider implementation for KVM hypervisor uses the out-of-band
management sub-system to issue IPMI calls to reset (recover) or poweroff (fence)
a host.

The Host-HA provider implementation for Simulator provides a means of testing
and validating the core framework implementation.

Signed-off-by: Abhinandan Prateek <abhinandan.prateek@shapeblue.com>
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2017-08-30 18:06:48 +02:00
Rohit Yadav
7ce54bf7a8 CLOUDSTACK-9993: Securing Agents Communications (#2239)
This introduces a new certificate authority framework that allows
pluggable CA provider implementations to handle certificate operations
around issuance, revocation and propagation. The framework injects
itself to `NioServer` to handle agent connections securely. The
framework adds assumptions in `NioClient` that a keystore if available
with known name `cloud.jks` will be used for SSL negotiations and
handshake.

This includes a default 'root' CA provider plugin which creates its own
self-signed root certificate authority on first run and uses it for
issuance and provisioning of certificate to CloudStack agents such as
the KVM, CPVM and SSVM agents and also for the management server for
peer clustering.

Additional changes and notes:
- Comma separate list of management server IPs can be set to the 'host'
  global setting. Newly provisioned agents (KVM/CPVM/SSVM etc) will get
  radomized comma separated list to which they will attempt connection
  or reconnection in provided order. This removes need of a TCP LB on
  port 8250 (default) of the management server(s).
- All fresh deployment will enforce two-way SSL authentication where
  connecting agents will be required to present certificates issued
  by the 'root' CA plugin.
- Existing environment on upgrade will continue to use one-way SSL
  authentication and connecting agents will not be required to present
  certificates.
- A script `keystore-setup` is responsible for initial keystore setup
  and CSR generation on the agent/hosts.
- A script `keystore-cert-import` is responsible for import provided
  certificate payload to the java keystore file.
- Agent security (keystore, certificates etc) are setup initially using
  SSH, and later provisioning is handled via an existing agent connection
  using command-answers. The supported clients and agents are limited to
  CPVM, SSVM, and KVM agents, and clustered management server (peering).
- Certificate revocation does not revoke an existing agent-mgmt server
  connection, however rejects a revoked certificate used during SSL
  handshake.
- Older `cloudstackmanagement.keystore` is deprecated and will no longer
  be used by mgmt server(s) for SSL negotiations and handshake. New
  keystores will be named `cloud.jks`, any additional SSL certificates
  should not be imported in it for use with tomcat etc. The `cloud.jks`
  keystore is stricly used for agent-server communications.
- Management server keystore are validated and renewed on start up only,
  the validity of them are same as the CA certificates.

New APIs:
- listCaProviders: lists all available CA provider plugins
- listCaCertificate: lists the CA certificate(s)
- issueCertificate: issues X509 client certificate with/without a CSR
- provisionCertificate: provisions certificate to a host
- revokeCertificate: revokes a client certificate using its serial

Global settings for the CA framework:
- ca.framework.provider.plugin: The configured CA provider plugin
- ca.framework.cert.keysize: The key size for certificate generation
- ca.framework.cert.signature.algorithm: The certificate signature algorithm
- ca.framework.cert.validity.period: Certificate validity in days
- ca.framework.cert.automatic.renewal: Certificate auto-renewal setting
- ca.framework.background.task.delay: CA background task delay/interval
- ca.framework.cert.expiry.alert.period: Days to check and alert expiring certificates

Global settings for the default 'root' CA provider:
- ca.plugin.root.private.key: (hidden/encrypted) CA private key
- ca.plugin.root.public.key: (hidden/encrypted) CA public key
- ca.plugin.root.ca.certificate: (hidden/encrypted) CA certificate
- ca.plugin.root.issuer.dn: The CA issue distinguished name
- ca.plugin.root.auth.strictness: Are clients required to present certificates
- ca.plugin.root.allow.expired.cert: Are clients with expired certificates allowed

UI changes:
- Button to download/save the CA certificates.

Misc changes:
- Upgrades bountycastle version and uses newer classes
- Refactors SAMLUtil to use new CertUtils

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2017-08-28 12:15:11 +02:00
SudharmaJain
5397106a76 CLOUDSTACK-8906: /var/log/cloud/ doesn't get logrotated on xenserver (#883)
After integrating XS with CCP the following folder gets created: /var/log/cloud/ however the logs in that are not rotated resulting in root file system fill up. It was a known issue and link http://support.citrix.com/article/CTX138064 describes the issue and solution. Used the article and added corresponding changes to Cloudstack.
2017-08-03 00:51:16 +02:00
Wido den Hollander
990e4a6e40 ipv6: Allow all ICMPv6 traffic if -1 is provided as a ICMP type
ip6tables no longer takes '--icmpv6-type any' as a argument.

To allow all ICMPv6 traffic with ip6tables it has to be invoked this way:

  $ ip6tables -I i-2-14-VM -p icmpv6 -s ::/0 -j ACCEPT

All ICMPv6 traffic is now allow into the Instance.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
2017-07-25 16:31:35 +02:00
Rajani Karuturi
c95b47b740 Merge pull request #1824 from jayapalu/SGipset
CLOUDSTACK-9657: Fixed security group ipset issues with long vm name
2017-05-19 14:05:51 +05:30
Daan Hoogland
70ef0788c9 CLOUDSTACK-9408: Fix download urls in sql and scripts
This fixes the agreed upon url on download.cloudstack.org in various
sql files and misc scripts.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2017-04-20 12:33:33 +05:30
Jayapal
43a991d2eb CLOUDSTACK-9821: Fixed issue in deploying vm in basic zone 2017-03-06 19:01:15 +05:30
Jayapal
1cff18fcfa CLOUDSTACK-9657: Fixed security group ipset issues with long vm name 2017-02-24 15:20:04 +05:30
Jayapal
175c8d83b8 CLOUDSTACK-8871: fixed issue with the xenserver 6.2 ipset nethash 2017-02-20 18:34:13 +05:30
Wido den Hollander
115d6d5dc7
CLOUDSTACK-676: IPv6 In -and Egress filtering for Basic Networking
This commit implements Ingress and Egress filtering for IPv6 in
Basic Networking.

It allows for opening and closing ports just as can be done with IPv4.

Rules have to be specified twice, once for IPv4 and once for IPv6, for
example:

- 22 until 22: 0.0.0.0/0
- 22 until 22: ::/0

Egress filtering works the same as with IPv4. When no rule is applied all
traffic is allowed. Otherwise only the specified traffic (with DNS being
the exception) is allowed.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
2017-01-26 15:36:20 +01:00
Wido den Hollander
84e496b4f9
CLOUDSTACK-676: IPv6 Basic Security Grouping for KVM
This commit implements basic Security Grouping for KVM in
Basic Networking.

It does not implement full Security Grouping yet, but it does:
- Prevent IP-Address source spoofing
- Allow DHCPv6 clients, but disallow DHCPv6 servers
- Disallow Instances to send out Router Advertisements

The Security Grouping allows ICMPv6 packets as described by RFC4890
as they are essential for IPv6 connectivity.

Following RFC4890 it allows:
- Router Solicitations
- Router Advertisements (incoming only)
- Neighbor Advertisements
- Neighbor Solicitations
- Packet Too Big
- Time Exceeded
- Destination Unreachable
- Parameter Problem
- Echo Request

ICMPv6 is a essential part of IPv6, without it connectivity will break or be very
unreliable.

For now it allows any UDP and TCP packet to be send in to the Instance which
effectively opens up the firewall completely.

Future commits will implement Security Grouping further which allows controlling UDP and TCP
ports for IPv6 like can be done with IPv4.

Regardless of the egress filtering (which can't be done yet) it will always allow outbound DNS
to port 53 over UDP or TCP.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
2017-01-26 15:36:08 +01:00
Rohit Yadav
0db4471be0
Merge branch '4.9' 2016-12-26 21:01:20 +05:30
Rohit Yadav
2ce02dc937 CLOUDSTACK-9662: Fix failing iscsi test
Use separate lvcreate command on XenServer7 hosts, that checks and passes
different parameters based on the xenserver release version.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-12-25 23:53:50 +05:30
Rohit Yadav
342162bad7 Merge branch '4.9'
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-12-22 11:59:02 +05:30
Syed
eabf862ba9 [CLOUDSTACK-9662] Add support for XenServer 7 2016-12-21 16:58:10 -05:00
Rohit Yadav
4845b0a5e7
Merge branch '4.9' 2016-11-08 15:04:20 +05:30
Wido den Hollander
8ea75f1a85
CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking
Allow DNS queries over TCP when egress filtering is configured.

When using DNSSEC more and more queries are done over TCP and this
requires 53/TCP to be allowed.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
2016-10-31 09:57:25 +01:00
Rajani Karuturi
f3b132f638 Merge pull request #1548 from moul/patch-2
Compabitility fix for Docker >= 1.11 (docker/docker#19490)

* pr/1548:
  Compabitility fix for Docker >= 1.11 (docker/docker#19490)

Signed-off-by: Rajani Karuturi <rajani.karuturi@accelerite.com>
2016-10-13 14:28:48 +05:30
Rohit Yadav
16913a9822 CLOUDSTACK-9842: Make UI JSP Free
We use some JSP file just for translation of strings in the UI. This is
achievable purely in JavaScript. This removes those JSPs, simplifies
translation usage and workflow (purely JS based). The l10n js (dictionary)
files are generated from existing messages.properties files during client-ui
code generation phase.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-09-28 12:26:43 +05:30
Rohit Yadav
f699fd4a15 CLOUDSTACK-9463: Fix dynamic-roles migrate script for old format
The old commands.properties format included the full class name such as:

createAccount=com.cloud.api.commands.CreateAccountCmd;1

The migration script did not consider this format and fails. With this fix
the migration script will process both the formats, including processing a
commands.properties file with mixed format, for example:

    $ cat commands.properties
    ### Account commands
    createAccount=1
    deleteAccount=2
    markDefaultZoneForAccount=com.cloud.api.commands.MarkDefaultZoneForAccountCmd;3

    $ python scripts/util/migrate-dynamicroles.py -d -f commands.properties
    Apache CloudStack Role Permission Migration Tool
    (c) Apache CloudStack Authors and the ASF, under the Apache License, Version 2.0

    Running this migration tool will remove any default-role permissions from cloud.role_permissions. Do you want to continue? [y/N]y
    The commands.properties file has been deprecated and moved at: commands.properties.deprecated
    Running SQL query: DELETE FROM `cloud`.`role_permissions` WHERE `role_id` in (1,2,3,4);
    Running SQL query: INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), 1, '*', 'ALLOW', 0);
    Running SQL query: INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), 2, 'deleteAccount', 'ALLOW', 0);
    Running SQL query: INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), 2, 'markDefaultZoneForAccount', 'ALLOW', 1);
    Static role permissions from commands.properties have been migrated into the db
    Running SQL query: UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'
    Dynamic role based API checker has been enabled!

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-08-19 17:33:07 +05:30
Manfred Touron
c92dcd2b32
Compabitility fix for Docker >= 1.11 (docker/docker#19490) 2016-06-30 17:21:53 +02:00
Sverrir Berg
751d3552dc patchviasocket improve error handling
more detailed error if host file not found or cannot be opened
using mkstemp and mkdtemp for improved security
improve resource cleanup in error conditions in unit test
2016-05-20 15:42:34 +00:00
Sverrir A. Berg
0acd3c12a2 Convert patchviasocket to python (removes perl dependency for KVM agent)
As requested here: https://github.com/apache/cloudstack/pull/1495

No scripts are using perl so that install requirement can be removed.
The new scripts are using standard python packages only.
Includes extensive unit test.
2016-05-20 15:42:34 +00:00
Rohit Yadav
05e1db7373 migrate-dynamicroles: use mysql.connector due to #1054
Due to PR #1054 this patch fixes the dynamic-roles migration script
to use the mysql-connector-python dependency.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-05-19 11:36:30 +05:30
Will Stevens
3f97908417 Merge release branch 4.8 to master
* 4.8:
  writeIfNotHere requires an array of strings, not a string
2016-05-12 16:47:09 -04:00
Will Stevens
a1e181cd7e Merge release branch 4.7 to 4.8
* 4.7:
  writeIfNotHere requires an array of strings, not a string
2016-05-12 16:46:28 -04:00
Will Stevens
170765e90d Merge pull request #1456 from greenqloud/pr-4.7-baremetal_metadata_parameter_bugfix
writeIfNotHere requires an array of strings, not a string

* pr/1456:
  writeIfNotHere requires an array of strings, not a string

Signed-off-by: Will Stevens <williamstevens@gmail.com>
2016-05-12 16:45:34 -04:00
Rohit Yadav
afcbd270b2 CLOUDSTACK-8562: Deprecate commands.properties
- Removes commands.properties file
- Fixes apidocs and marvin to be independent of commands.properties usage
- Removes bundling of commands.properties in deb/rpm packaging
- Removes file references across codebase

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-05-11 09:45:19 +05:30
Rohit Yadav
4347776ac6 CLOUDSTACK-8562: DB-Backed Dynamic Role Based API Access Checker
This feature allows root administrators to define new roles and associate API
permissions to them.

A limited form of role-based access control for the CloudStack management server
API is provided through a properties file, commands.properties, embedded in the
WAR distribution. Therefore, customizing API permissions requires unpacking the
distribution and modifying this file consistently on all servers. The old system
also does not permit the specification of additional roles.

FS:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack

DB-Backed Dynamic Role Based API Access Checker for CloudStack brings following
changes, features and use-cases:
- Moves the API access definitions from commands.properties to the mgmt server DB
- Allows defining custom roles (such as a read-only ROOT admin) beyond the
  current set of four (4) roles
- All roles will resolve to one of the four known roles types (Admin, Resource
  Admin, Domain Admin and User) which maintains this association by requiring
  all new defined roles to specify a role type.
- Allows changes to roles and API permissions per role at runtime including additions or
  removal of roles and/or modifications of permissions, without the need
  of restarting management server(s)

Upgrade/installation notes:
- The feature will be enabled by default for new installations, existing
  deployments will continue to use the older static role based api access checker
  with an option to enable this feature
- During fresh installation or upgrade, the upgrade paths will add four default
  roles based on the four default role types
- For ease of migration, at the time of upgrade commands.properties will be used
  to add existing set of permissions to the default roles. cloud.account
  will have a new role_id column which will be populated based on default roles
  as well

Dynamic-roles migration tool: scripts/util/migrate-dynamicroles.py
- Allows admins to migrate to the dynamic role based checker at a future date
- Performs a harder one-way migrate and update
- Migrates rules from existing commands.properties file into db and deprecates it
- Enables an internal hidden switch to enable dynamic role based checker feature

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-05-11 09:45:19 +05:30
Will Stevens
62d2954f51 Merge pull request #1408 from wido/security-group-lock
kvm: Aqcuire lock when running security group Python scriptIt could happen that when multiple instances are starting at the same
time on a KVM host the Agent spawns multiple instances of security_group.py
which both try to modify iptables/ebtables rules.

This fails with on of the two processes failing.

The instance is still started, but it doesn't have any IP connectivity due
to the failed programming of the security groups.

This modification lets the script aqcuire a exclusive lock on a file so that
only one instance of the scripts talks to iptables/ebtables at once.

Other instances of the script which start will poll every 500ms if they can
obtain the lock and otherwise execute anyway after 15 seconds.

* pr/1408:
  kvm: Aqcuire lock when running security group Python script

Signed-off-by: Will Stevens <williamstevens@gmail.com>
2016-05-04 10:32:48 -04:00
Wido den Hollander
26becef722
kvm: Aqcuire lock when running security group Python script
It could happen that when multiple instances are starting at the same
time on a KVM host the Agent spawns multiple instances of security_group.py
which both try to modify iptables/ebtables rules.

This fails with on of the two processes failing.

The instance is still started, but it doesn't have any IP connectivity due
to the failed programming of the security groups.

This modification lets the script aqcuire a exclusive lock on a file so that
only one instance of the scripts talks to iptables/ebtables at once.

Other instances of the script which start will poll every 500ms if they can
obtain the lock and otherwise execute anyway after 15 seconds.

The lock will be released as soon as the script exists, which is usually within
a few hundred ms.
2016-04-28 10:16:11 +02:00
Will Stevens
c2fc0c4cd3 Merge release branch 4.7 to 4.8
* 4.7:
  CLOUDSTACK-9172 Added cross zones check to delete template and iso
  Check the existence of 'forceencap' parameter before use
  systemvm: set default umask 022 in injectkeys.sh
2016-04-21 16:31:49 -04:00
Högni Ingimarsson
fde0b6aa57 writeIfNotHere requires an array of strings, not a string 2016-03-30 11:17:13 +00:00
Rohit Yadav
a11f711062 systemvm: set default umask 022 in injectkeys.sh
The default umask of 0022 is set in Ubuntu and other packages. Set the same
in case of CentOS startup scripts. Use umask 022 in the injectkeys.sh script

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-03-14 12:21:57 +01:00
Remi Bergsma
262be758bc Merge release branch 4.7 to master
* 4.7:
  CLOUDSTACK-9240 remove 40GB filesize limit from SSVM scripts
2016-01-17 13:45:48 +01:00
Remi Bergsma
69022f97c5 CLOUDSTACK-9240 remove 40GB filesize limit from SSVM scripts
Thanks Syed <syed1.mushtaq@gmail.com>
2016-01-17 13:26:43 +01:00
Remi Bergsma
fb658f575d Merge pull request #1226 from borisroman/CLOUDSTACK-9148
Removed .pydevproject from plugin kvm hypervisor.Ping @wido @wilderrodrigues @remibergsma @miguelaferreira

It's there for no apparent reason...

Running integration tests now.

```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 6:12.189s
[INFO] Finished at: Sat Dec 12 02:13:01 CET 2015
[INFO] Final Memory: 102M/808M
[INFO] ------------------------------------------------------------------------
```

* pr/1226:
  Removed .pydevproject from plugin kvm hypervisor.

Signed-off-by: Remi Bergsma <github@remi.nl>
2016-01-17 13:04:58 +01:00
Wido den Hollander
239148c31b CLOUDSTACK-9210: Pass secondary IPs to default_network_rules() function
This is a mandatory argument but it was NOT passed which caused the
re-programming of security groups to fail.

Simple fix to just add the argument since the variable is available
there.
2016-01-05 18:06:34 +01:00
Boris Schrijver
223e3d5466 Removed .pydevproject from plugin kvm hypervisor. 2015-12-13 14:53:08 +01:00
Rohit Yadav
f30fbe9a5c Merge branch '4.6' 2015-12-07 12:44:07 +05:30
Wei Zhou
9221cb3e0d CLOUDSTACK-9101: resize root volume of stopped vm on KVM 2015-12-03 14:54:49 +01:00
Remi Bergsma
d7859ad21c Merge release branch 4.6 to master
* 4.6:
  Revert "Change references of people.apache.org to home.apache.org in the test code"
  Change references of people.apache.org to home.apache.org in the test code This closes #1123 Signed-off-by: SrikanteswaraRao Talluri <talluri@apache.org>
  CLOUDSTACK-9077 Fix injectkeys.sh to work on CentOS7
  CLOUDSTACK-9065: fix bug when creating packaging with noredist flag
2015-11-27 20:10:02 +01:00
Remi Bergsma
9b0b69d9c8 CLOUDSTACK-9077 Fix injectkeys.sh to work on CentOS7 2015-11-25 11:26:10 +01:00
Boris Schrijver
5c0366c99e CLOUDSTACK-9062: Improve S3 implementation.
The S3 implementation is far from finished, this commit focusses on the bases.

 - Upgrade AWS SDK to latest version.
 - Rewrite S3 Template downloader.
 - Rewrite S3Utils utility class.
 - Improve addImageStoreS3 API command.
 - Split various classes for convenience.
 - Various minor improvements and code optimalisations.

A side effect of the new AWS SDK is that it, by default, uses the V4 signature. Therefore I added an option to specify the Signer, so it stays compatible with previous versions.
2015-11-19 15:29:10 +01:00
Remi Bergsma
ca860348dc Merge pull request #1033 from Carles-Figuerola/centos-7-redhat-release
CLOUDSTACK-9029: Proper support to identify CentOS 7 version numberhttps://issues.apache.org/jira/browse/CLOUDSTACK-9029

* pr/1033:
  CLOUDSTACK-9029: Proper support to identify CentOS 7 version number

Signed-off-by: Remi Bergsma <github@remi.nl>
2015-11-09 16:54:38 +01:00
Carles Figuerola
3ce420c367 CLOUDSTACK-9029: Proper support to identify CentOS 7 version number 2015-11-04 11:21:47 -06:00
Remi Bergsma
5fed4f41d7 Rename xapi plugins for s3 and swift to make them work after renaming the calls
Renaming introduced in a8212d9ef458dd7ac64b021e6fa33fcf64b3cce0

This PR is to address comments in PR #970
2015-10-27 14:07:29 +01:00
Wilder Rodrigues
e72a79c1ce Formatting the router_proxy.sh script 2015-09-25 16:09:27 +02:00
Vincent Bernat
f2b8f2eade sysctl: don't modify /etc/sysctl.conf
To configure firewall rules, CloudStack modifies `/etc/sysctl.conf` and
execute those modifications. This may be harmful for several reasons:

 1. `/etc/sysctl.conf` may be managed by some configuration management
    system. Such a system will constantly restore the previous version.

 2. `/etc/sysctl.conf` may contain additional properties that have been
    changed later by some system administrator (for example, once a
    firewall has been configured, forwarding may have been activated
    while it is disabled in `/etc/sysctl.conf`). Executing the file
    again at a later time may disrupt the system.

 3. Entries are added again and again. `/etc/sysctl.conf` will contain
    the same directives repeated several times.

Using a configuration file is not needed as `sysctl` is able to directly
modify sysctl values with `-w` flag.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
2015-09-04 14:31:09 +02:00
Wei Zhou
c0a0aec0f9 Merge pull request #732 from ustcweizhou/revert-volume-snapshot-master
Guys, can you review it? things need to be discussed:
(1) this supports KVM/QCOW2 only. Anyone want to implement for other Hypervisor/format ?
(2) The original data volume (on primary storage) will be removed.
(3) The script uses the default timeout in libvirtComputingResource. Do we need to add one in global configuration (like copy.volume.wait or backup.snapshot.wait, create.volume.from.snapshot.wait)
(4) In scripts/storage/qcow2/managesnapshot.sh, I use "qemu-img convert -f qcow2 -O qcow2" to copy the snapshot from secondary to primary (hence there is no base image file), instead of "cp -f", this is because convert is faster than cp in my testing.

* pr/732:
  CLOUDSTACK-5863: revert volume snapshot for KVM/QCOW2

Signed-off-by: Wei Zhou <w.zhou@tech.leaseweb.com>
2015-09-01 16:18:40 +02:00