* cks: Fix when deployed on a nw without internet access
* Revert "cks: Fix when deployed on a nw without internet access"
This reverts commit 40e3338001b2f1c239533bedac5b60d8b9d2f631.
* cks: Fix issue when creating cluster in nw without internet access
* Fix extract snapshot from VM snapshot on KVM
* Fix validation expression - does not need to escape the slash
Co-authored-by: GutoVeronezi <daniel@scclouds.com.br>
* login/-out constants
* no request listener
* store session as value, using id as key
* Apply suggestions from sonarcloud.io code review
three instances of unsafe parameters to logging
* new sonar issues
* sonar issues
* UI: display 'egress/ipv6/publicip' tabs only for domain/root admin and the owner
please note
(1) isolated networks only .
(2) networks in project are not impacted. the tabs are always visible.
(3) 'network permission' tab is also only visible for domain/root admin and the owner. but not visible in project view.
* UI: fix create vpc private gateway for regular user
* kvm: truncate vnc password to 8 chars (#6244)
This PR truncates the vnc password of kvm vms to 8 chars to support latest versions of libvirt.
* Use lang3 string utils
Co-authored-by: Wei Zhou <weizhou@apache.org>
* Prevent NPE on reboot stopped VM
* Use VM UUID instead of VM ID
* Apply suggestion
* Refactor and fix start VM output
* Use format instead of concatenation
* Fix, change network.disable.rpfilter type from integer to boolean.
`network.disable.rpfilter` global setting doesn't accept boolean values.
* Changed consoleproxy.disable.rpfilter global setting type from integer to boolean.
* UI: Add missing tooltips on service offering creation
* Refactor - use translation
* Corrected message for compute only offering tool tip
Co-authored-by: Harikrishna Patnala <harikrishna.patnala@gmail.com>
* agent: enable ssl only for kvm agent (not in system vms)
* Revert "agent: enable ssl only for kvm agent (not in system vms)"
This reverts commit b2d76bad2e9455384c4ac34cee6763014e255eb6.
* Revert "KVM: Enable SSL if keystore exists (#6200)"
This reverts commit 4525f8c8e7ffecf50eff586ccfbc3d498f1b8021.
* KVM: Enable SSL if keystore exists in LibvirtComputingResource.java
this fixes the error below when create K8S ISO using scripts/util/create-kubernetes-binaries-iso.sh
```
+ echo 'Downloading image weaveworks/weave-kube:latest ---'
Downloading image weaveworks/weave-kube:latest ---
+ [[ weaveworks/weave-kube:latest == kubernetesui* ]]
+ [[ weaveworks/weave-kube:latest == apache* ]]
+ sudo ctr image pull weaveworks/weave-kube:latest
INFO[0000] trying next host error="failed to do request: Head https://weaveworks/v2/weave-kube/manifests/latest: dial tcp: lookup weaveworks: no such host" host=weaveworks
ctr: failed to resolve reference "weaveworks/weave-kube:latest": failed to do request: Head https://weaveworks/v2/weave-kube/manifests/latest: dial tcp: lookup weaveworks: no such host
```
The issue is found in the smoke test `test/integration/smoke/test_network_ipv6.py`.
sometimes the test failed with error below
```
FAIL: Test to verify IPv6 network
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/marvin/lib/decoratorGenerators.py", line 30, in test_wrapper
return test(self, *args, **kwargs)
File "/marvin/test_network_ipv6.py", line 1215, in test_01_verify_ipv6_network
self.checkNetworkRouting()
File "/marvin/test_network_ipv6.py", line 1060, in checkNetworkRouting
"Ping from VM %s of network %s to VM %s of network %s is unsuccessful" % (self.routing_test_vm.id, self.routing_test_network.id, self.virtual_machine.id, self.network.id))
AssertionError: False is not true : Ping from VM 0aa36a76-09c6-476f-97c5-b9cea27a5b7c of network 27a2b244-e319-46c5-a779-d6ae73eb9ac2 to VM ae13ea17-1f35-4ca7-83c1-e13126f8df79 of network 1f38a686-69f3-41ed-a75e-cd3f822497d8 is unsuccessful
```
After investigation, we found the egress traffic is dropped by `nft`.
a correct nft chain looks like
```
root@r-282-VM:~# nft list chain ip6 ip6_firewall fw_chain_egress
table ip6 ip6_firewall {
chain fw_chain_egress {
counter packets 0 bytes 0 accept
}
}
```
However, some VRs has the following nft chain
```
root@r-280-VM:~# nft list chain ip6 ip6_firewall fw_chain_egress
table ip6 ip6_firewall {
chain fw_chain_egress {
counter packets 0 bytes 0 drop
}
}
```
It is because the ingress rule does not have correct `default_egress_policy`
```
root@r-280-VM:~# cat /etc/cloudstack/ipv6firewallrules.json
{
"0": {
"already_added": false,
"default_egress_policy": true,
"dest_cidr_list": [],
"guest_ip6_cidr": "fd17:ac56:1234:1a96::/64",
"id": 0,
"protocol": "all",
"purpose": "Ipv6Firewall",
"revoked": false,
"source_cidr_list": [],
"src_ip": "",
"traffic_type": "Egress"
},
"1263": {
"already_added": false,
"default_egress_policy": false,
"dest_cidr_list": [
"::/0"
],
"guest_ip6_cidr": "fd17:ac56:1234:1a96::/64",
"icmp_code": -1,
"icmp_type": -1,
"id": 1263,
"protocol": "icmp",
"purpose": "Ipv6Firewall",
"revoked": false,
"source_cidr_list": [
"::/0"
],
"traffic_type": "Ingress"
},
"id": "ipv6firewallrules"
}
```
in mose time, the Egress rule is processed before Ingress rule.
But when the Ingress rule is processed at first, the nft chain will be wrong.
