Prior to this PR
```
root@r-663-VM:/var/cache/cloud# gzip -dk vpn_user_list.json.aae73e2c-32ba-44f3-bf47-426933a67bcb.gz
root@r-663-VM:/var/cache/cloud# /opt/cloud/bin/update_config.py vpn_user_list.json.aae73e2c-32ba-44f3-bf47-426933a67bcb
{'id': 'vpnuserlist', 'test': {'add': True, 'password': 'test', 'user': 'test'}}
{'vpn_users': [{'user': 'test', 'password': 'test', 'add': True}], 'type': 'vpnuserlist', 'delete_from_processed_cache': False}
line = # Secrets for authentication using CHAP
line = # client server secret IP addresses
line =
line =
line = test * test *
```
with this PR
```
root@r-663-VM:/var/cache/cloud# gzip -dk vpn_user_list.json.aae73e2c-32ba-44f3-bf47-426933a67bcb.gz
root@r-663-VM:/var/cache/cloud# /opt/cloud/bin/update_config.py vpn_user_list.json.aae73e2c-32ba-44f3-bf47-426933a67bcb
root@r-663-VM:/var/cache/cloud#
```
* 4.18:
protect against null-path (#8915)
UI: Fix missing locale strings for Status widget (#8792)
Add a shutdownhook to remove jobs owned by the process (#8896)
* VR: fix issue between VPC VMs and other Public IPs in the same subnet as additional Public IPs
* Update PR8599: move to VpcVirtualNetworkApplianceManagerImpl
the service `user@0.service` fails in system vms and virtual routers
This PR removes a change to fix memory leak of SSH connections in the systemvm templates with old linux kernel.
This PR fixes#6702
The service conntrackd will be started by the script /opt/cloud/bin/cs/CsRedundant.py, therefore add it to disabled_svcs so it is not started automatically when VR is started.
Fixes#6873
When the management server is in a different subnet than the pod in which a VPC VR is deployed, an ip route must be added just after creation of eth0 to allow the connectivity between the VR and the management server.
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Co-authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This PR fixes that the /etc/network/interfaces is misconfigured in VPC VR startup, which causes VPC VR to be stuck for 1 minute and continue working.
The issue is because ifup eth0 and ifdown eth0 do not work when /etc/network/interfaces is not correct in VPC VR.
PR #5375, introduced in version 4.15.2.0, removed parameter %any of VPNs client-to-site (C2S) IPSec secrets:
structure before PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
<IP> %any : PSK "<PSK>"
structure after PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
<IP> : PSK "<PSK>"
Because of that, when a VPN site-so-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.
As ACS is only able to implement a single C2S per network (ACS allows setting more than one IP of the network as VPN, however, only the first will be implemented) and every S2S has its own secret file, the secrets structure of C2S was changed to contain only the PSK:
: PSK "<PSK>"
By doing that, StrongSwan will handle correctly C2S connections from any IP and still will use the correct PSK for S2S.
Co-authored-by: GutoVeronezi <daniel@scclouds.com.br>
This PR allows the cloud admin to set either a global or domain-specific value "metadata.allow.expose.domain", and when set this allows the VM to see the name and ID of the immediate domain that contains the VM in instance metadata. This can be useful or a variety of things such as bootstrapping VM configuration and access according to domain.
This PR also deletes the CloudZonesNetworkElement because it isn't referred to anywhere, and there was initially some confusion as to whether this code needed to be updated when extending metadata. If it needs to be kept we can remove that delete from the PR.
Signed-off-by: Marcus Sorensen <mls@apple.com>
Co-authored-by: Marcus Sorensen <mls@apple.com>
Co-authored-by: dahn <daan.hoogland@gmail.com>
Co-authored-by: Daniel Augusto Veronezi Salvador <38945620+GutoVeronezi@users.noreply.github.com>
This PR creates a new API createConsoleAccess to create VM console URL allowing it to connect using other UI implementations. To avoid reply attacks, the console access is enhanced to use a one time token per session
New configuration added:
consoleproxy.extra.security.validation.enabled: Enable/disable extra security validation for console proxy using a token
Documentation PR: apache/cloudstack-documentation#284
Adds option to provide custom DNS servers for isolated network, shared network and VPC tier.
New API parameters added in createNetwork API along with the corresponding response parameters.
Doc PR: apache/cloudstack-documentation#276
