This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration. To simplify implementation
securing of host implies that both host and libvirtd processes are
secured with management server's CA plugin issued certificates.
Based on whether keystore and certificates files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based uris for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured host, and an
unsecured hosts will allow live VM migration to/from other unsecured
host only.
Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the managements server that
gets saved in host_details for the host. This host detail can be accesed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.
The `cloudstack-setup-agent` was modified to accept a new flag `-s`
which will reconfigure libvirtd with following settings:
listen_tcp=0
listen_tls=1
tcp_port="16509"
tls_port="16514"
auth_tcp="none"
auth_tls="none"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
For a connected KVM host agent, when the certificate are
renewed/provisioned a background task is scheduled that waits until all
of the agent tasks finish after which libvirt process is restarted and
finally the agent is restarted via AgentShell.
There are no API or DB changes.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This includes test related fixes and code review fixes based on
reviews from @rafaelweingartner, @marcaurele, @wido and @DaanHoogland.
This also includes VMware disk-resize limitation bug fix based on comments
from @sateesh-chodapuneedi and @priyankparihar.
This also includes the final changes to systemvmtemplate and fixes to
code based on issues found via test failures.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This fixes test failures around VMware with the new systemvmtemplate.
In addition:
- Does not skip rVR related test cases for VMware
- Removes rc.local
- Processes unprocessed cmd_line.json
- Fixed NPEs around VMware tests/code
- On VMware, use udevadm to reconfigure nic/mac address than rebooting
- Fix proper acpi shutdown script for faster systemvm shutdowns
- Give at least 256MB of swap for VRs to avoid OOM on VMware
- Fixes smoke tests for environment related failures
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- Migrate to embedded Jetty server.
- Improve ServerDaemon implementation.
- Introduce a new server.properties file for easier configuration.
- Have a single /etc/default/cloudstack-management to configure env.
- Reduce shaded jar file, removing unnecessary dependencies.
- Upgrade to Spring 5.x, upgrade several jar dependencies.
- Does not shade and include mysql-connector, used from classpath instead.
- Upgrade and use bountcastle as a separate un-shaded jar dependency.
- Remove tomcat related configuration and files.
- Have both embedded UI assets in uber jar and separate webapp directory.
- Refactor systemd and init scripts, cleanup packaging.
- Made cloudstack-setup-databases faster, using `urandom`.
- Remove unmaintained distro packagings.
- Moves creation and usage of server keystore in CA manager, this
deprecates the need to create/store cloud.jks in conf folder and
the db.cloud.keyStorePassphrase in db.properties file. This also
remove the need of the --keystore-passphrase in the
cloudstack-setup-encryption script.
- GZip contents dynamically in embedded Jetty
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
MySQLdb has been deprecated and is also not supported in Python 3.
mysql.connector is a connector written in Python which talks the
native MySQL protocol without any external code.
https://dev.mysql.com/doc/connector-python/en/
Add support for not (re)starting server after cloud-setup-management.This adds an option to the cloud-setup-management script to not start the management server after a successful configuration of it.
The primary motivation for this is to avoid circular dependency issues on systems that use systemd. When calling cloud-setup-management from a unit with a Before= directive on a service depending on
cloudstack-management, the process will deadlock because /usr/bin/service will delegate to systemd, which is waiting for the Before service to start.
Executing the cloud-setup-management script with this new `--no-start` option will simply leave the management server stopped after a successful configuration. systemd can then be bypassed with `export _SYSTEMCTL_SKIP_REDIRECT=1` and using the init.d script.
* pr/1162:
Add support for not (re)starting server after cloud-setup-management.
Signed-off-by: Remi Bergsma <github@remi.nl>
This adds an option to the cloud-setup-management script to not start
the management server after a successful configuration of it. The
primary motivation for this is to avoid circular dependency issues on
systems that use systemd. When calling cloud-setup-management from a
unit with a Before= directive on a service depending on
cloudstack-management, the process will deadlock because
/usr/bin/service will delegate to systemd, which is waiting for the
Before service to start.
CLOUDSTACK-9049: fix Centos7 with Tomcat7 packaging and python libsCLOUDSTACK-9049: Fix Centos7 with Tomcat7 packaging and python libs
* pr/1052:
CLOUDSTACK-9049: fix Centos7 with Tomcat7 packaging and python libs * adjust library to support tomcat7 config files * adjust centos7 spec to use tomcat7 config files from deployment * add option to use tomcat7 files in management server setup
reorder content to match original
Signed-off-by: Remi Bergsma <github@remi.nl>
* adjust library to support tomcat7 config files
* adjust centos7 spec to use tomcat7 config files from deployment
* add option to use tomcat7 files in management server setup
CLOUDSTACK-9039: Fix paths for logging Ubuntu ManagementFix paths for logging Ubuntu Management.
How to test:
Install via DEB packages...
* pr/1039:
CLOUDSTACK-9039: Fix paths for logging Ubuntu Management.
Signed-off-by: Remi Bergsma <github@remi.nl>
CLOUDSTACK-9029: Proper support to identify CentOS 7 version numberhttps://issues.apache.org/jira/browse/CLOUDSTACK-9029
* pr/1033:
CLOUDSTACK-9029: Proper support to identify CentOS 7 version number
Signed-off-by: Remi Bergsma <github@remi.nl>
If a custom resource (kvm/libvirt implementation) is defined in agent.properties
don't override with the default, but check and fallback to the default if
resource property not defined
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 536a8b22c8865dc94281bce6267930a63e03ab77)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This setting works on CentOS 6 / RHEL 6 but does nothing, as
"cpu" cgroup is not mounted. On CentOS 7 / RHEL 7 systemd does
mount cgroups and "cpu" is co-mounted with "cpuacc". Hence, if
we specify "cpu" then this results in an error because it can
only use them both, or none.
By removing the setting, we rely on the default of qemu, which
is:
cgroup_controllers = ["cpu", "devices", "memory", "blkio", "cpuacct", "net_cls"]
Only if they are really mounted, they will be used. So, this will
work on both version 6 and 7.
The 'fix script' didn't work well, as after a reboot you'd still have qemu
throwing errors. Now we can handle the co-mountedcgroups.
In init.d scripts, the LSB header may specify what kind of service is
provided by an init script. If spaces are used, this means the init
script is providing several boot facilities. We fix that by using an
hyphen.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Replacing whatami with $0 which is how UNIX shell scripts should get the
script's name.
BUG-ID: CLOUDSTACK-6129
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <jlk@stratosec.co> 1392660036 -0800
Detail: Previously the cloud user has full password-less sudo access.
This commit changes that to only allow access to a specific list of
commands. Been tested in production on ACS 4.0 and 4.2 mangement servers.
BUG-ID: CLOUDSTACK-967
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <jlk@stratosec.co> 1382560936 -0700
Ovs brcompat will be obsolete, so if network.bridge.type was
set to openvswitch, we'll use ovs command explicitly.
Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
Summary: EC2 REST API: AWS APIs are not getting translated on the CloudStack Management Server and AWS API Installation Problems.
This fixes the above two defects and other packaging related issues.
Signed-off-by: Pradeep <pradeep.soundararajan@citrix.com>
The change in package script allowed us to create proper tar under rpmbuild/SOURCES directory
The change in the path enabled us to launch the management server properly.
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Committed-by: Hugo Trippaers <htrippaers@schubergphilis.com>
