+1 to John's comment,

Regards
ilya

> -----Original Message-----
> From: John Burwell [mailto:jburw...@basho.com]
> Sent: Monday, March 04, 2013 11:16 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: issue with 4.1
>
> Chip,
>
> I neglected to mention in my reply that the extracted utility script would also
> need to be refactored to accept the various important bits (e.g. password,
> type, and length) into command line parameters or prompt the user. The
> core of the security issue I see is the defaulting of the password to
> "vmops.com", and assumptions about certificate strength.
>
> Thanks,
> -John
>
> On Mar 4, 2013, at 11:13 AM, John Burwell <jburw...@basho.com> wrote:
>
> > Chip,
> >
> > My recommendation in the ticket is to extract the script from the
> > management server to an external script provided as a convenience to end
> > users. If we encounter a situation where a certificate is not present, provide
> > a meaningful error message in the logs and exit. If a user needs help
> > generating an SSL certificate, they can execute the script with the
> > appropriate parameters. Otherwise, they will generate/procure one through
> > external means.
> >
> > Thanks,
> > -John
> >
> > On Mar 4, 2013, at 10:59 AM, Chip Childers <chip.child...@sungard.com> wrote:
> >
> >> On Mon, Mar 04, 2013 at 08:51:03AM -0700, Marcus Sorensen wrote:
> >>> There's a bug for this, I think it's related to passwordless sudo
> >>> for cloud user on management server.
> >>
> >> Is this the one?
> >>
> >> https://issues.apache.org/jira/browse/CLOUDSTACK-1389
> >>
> >>>
> >>> On Mon, Mar 4, 2013 at 6:52 AM, Sebastien Goasguen <run...@gmail.com> wrote:
> >>>> Hi, I am trying to test the latest 4.1 (and 4.1l10n branch).
> >>>>
> >>>> I am on OSX 10.8.2, I had to update to JDK 1.7 to get things going.
> >>>>
> >>>> and after a 'clean install' I get stuck with:
> >>>>
> >>>> Password:WARN [utils.script.Script] (Script-1:) Interrupting script.
> >>>> WARN [utils.script.Script] (Timer-2:) Timed out: sudo keytool -genkey -keystore /Users/sebastiengoasguen/Documents/incubator-cloudstack/client/target/cloud-client-ui-4.1.0-SNAPSHOT/WEB-INF/classes/cloud.keystore -storepass vmops.com -keypass vmops.com -keyalg RSA -validity 3650 -dname cn="Cloudstack User",ou="168.1.20",o="168.1.20",c="Unknown" . Output is:
> >>>> WARN [cloud.server.ConfigurationServerImpl] (Timer-2:) Would use fail-safe keystore to continue.
> >>>> java.io.IOException: Fail to generate certificate!: timeout
> >>>> at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:491)
> >>>> at com.cloud.server.ConfigurationServerImpl.updateSSLKeystore(ConfigurationServerImpl.java:512)
> >>>> at com.cloud.server.ConfigurationServerImpl.persistDefaultValues(ConfigurationServerImpl.java:269)
> >>>> at com.cloud.server.ConfigurationServerImpl.configure(ConfigurationServerImpl.java:143)
> >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>> at java.lang.reflect.Method.invoke(Method.java:601)
> >>>> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:319)
> >>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
> >>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
> >>>> at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
> >>>> at com.cloud.utils.db.TransactionContextBuilder.AroundAnyMethod(TransactionContextBuilder.java:37)
> >>>> at sun.reflect.GeneratedMethodAccessor36.invoke(Unknown Source)
> >>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>> at java.lang.reflect.Method.invoke(Method.java:601)
> >>>> at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
> >>>> at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
> >>>> at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
> >>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>> at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
> >>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
> >>>> at $Proxy388.configure(Unknown Source)
> >>>> at com.cloud.utils.component.ComponentContext.initComponentsLifeCycle(ComponentContext.java:110)
> >>>> at com.cloud.servlet.CloudStartupServlet$1.run(CloudStartupServlet.java:50)
> >>>> at java.util.TimerThread.mainLoop(Timer.java:555)
> >>>> at java.util.TimerThread.run(Timer.java:505)
> >>>> INFO [cloud.server.ConfigurationServerImpl] (Timer-2:) Processing updateKeyPairs
> >>>> INFO [cloud.server.ConfigurationServerImpl] (Timer-2:) Keypairs already in database
> >>>> INFO [cloud.server.ConfigurationServerImpl] (Timer-2:) Keypairs already in database, skip updating local copy (not running as cloud user)
> >>>> INFO [cloud.server.ConfigurationServerImpl] (Timer-2:) Going to update systemvm iso with generated keypairs if needed
> >>>> Password:
> >>>>
> >>>> ?
> >>>>
> >>>> -sebastien
> >>>
> >
>
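
One possible shape for the stand-alone helper proposed in the thread, added here as an example and not CloudStack code: key type, length and password are explicit inputs, the old "vmops.com" default is refused, and a missing keystore is reported instead of silently generated. The function names, the KEYSTORE_PASS variable and the accepted key sizes are assumptions.

```shell
#!/bin/sh
# Added example, not CloudStack code. Function names, KEYSTORE_PASS and the
# accepted key sizes are assumptions made for illustration.

# Refuse the old built-in default and anything under keytool's 6-char minimum.
validate_password() {
    [ "$1" != "vmops.com" ] && [ "${#1}" -ge 6 ]
}

# Key type and length are explicit inputs, checked against an assumed policy.
validate_key() {
    case "$1:$2" in
        RSA:2048|RSA:3072|RSA:4096|EC:256|EC:384) return 0 ;;
        *) return 1 ;;
    esac
}

# Server-side behaviour: never generate, only report a missing keystore.
require_keystore() {
    if [ ! -s "$1" ]; then
        echo "ERROR: SSL keystore '$1' is missing or empty; install or generate one" >&2
        return 1
    fi
}

# generate_keystore <keystore> <keyalg> <keysize> <dname> <validity-days>
generate_keystore() {
    validate_key "$2" "$3" || { echo "ERROR: unsupported key $2/$3" >&2; return 2; }
    if [ -z "${KEYSTORE_PASS:-}" ]; then
        # Prompt rather than take the secret from argv, where `ps` would show it.
        printf 'Keystore password: ' >&2
        stty -echo; read -r KEYSTORE_PASS; stty echo; echo >&2
    fi
    validate_password "$KEYSTORE_PASS" || { echo "ERROR: weak or default password" >&2; return 3; }
    export KEYSTORE_PASS
    # No sudo: the helper runs as whichever user owns the keystore path.
    keytool -genkeypair -keyalg "$2" -keysize "$3" -validity "$5" -dname "$4" \
        -keystore "$1" -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS
}

# Run as: ./keystore-helper.sh --generate cloud.keystore RSA 2048 'CN=mgmt.example.test' 365
if [ "${1:-}" = "--generate" ]; then
    shift
    generate_keystore "$@"
fi
```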