Re: [GitHub] cloudstack pull request: Feature cenik123 vpcvrr 1.1.1
On Dec 2, 2014, at 8:32 AM, bhaisaab g...@git.apache.org wrote: Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/33#issuecomment-65192819 Wrong question, I should asked about veewee vs packer. The current systemvm building scripts uses veewee to build systemvms and to export appliances in various image/file formats (such as vhd, qcow2, raw, ova) we depend on vbox-manage, qemu etc. We further use veewee to build vagrant boxes. I just want to understand how easy it is to build/export appliances using packer as I have never played with it and veewee/vagrant requires ruby and other dependencies that are hard to setup? veewee is being abandoned in favor of packer. so ultimately we should start using packer. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in previous bash scripting for CS, so I am willing to fall in line with the preferred method. What I proposed was based on how similar problems were solved in other code in the same file. If I check for version, do you agree that I should check for 1.7 as the version since that is the version where the compact default changed? I will try to get this resolved tomorrow. Cheers, Will On Dec 1, 2014 9:16 PM, Edison Su edison...@citrix.com wrote: qemu-img |head -n 1|awk '{print $3}' should show the version of qemu-img *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On Behalf Of *Will Stevens *Sent:* Monday, December 01, 2014 2:17 PM *To:* dev@cloudstack.apache.org *Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su *Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Alright, so far I have found the following: https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c Basically, if the qemu-img version is less than 1.7, we should run the non 'compat' option version and if the version is 1.7 or greater, we should run the new command with the 'compat' version. Unfortunately I am not able to find a way to get the qemu-img version from the command line. I am looking to basically add a conditional to try running with the compat option and if that fails, then run it without the compat option. Basically, I would be replacing this: qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 With this: set +e qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 local qemuresult=$? set -e if [ ${qemuresult} != 0 ]; then log INFO qemu-img convert failed, trying without compat option qemu-img convert -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 fi What do you guys think? Is this a good enough solution? If you guys agree I will implement it in master and make sure it works, then we can merge the change back to 4.5 to fix that branch as well. Let me know if you have issues with this approach... Cheers, Will *Will STEVENS* Lead Developer *CloudOps | *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Mon, Dec 1, 2014 at 4:06 PM, Will Stevens wstev...@cloudops.com wrote: Edison, According to this page the default compat option is 0.10: http://manpages.ubuntu.com/manpages/trusty/man1/qemu-img.1.html Did you find that to not be the case and is that why you had to add the compat option? BTW, in an attempt to get the master system vms building again, I committed a change to master to remove the compat option. We now have master system vms building correctly, but Rohit rightly pointed out that I had basically reverted your change. I created a Jira ticket for this issue: https://issues.apache.org/jira/browse/CLOUDSTACK-7959 I have not reverted my change in master at this point, so it is building right now, but I also did not make the change to 4.5, so that branch is currently failing to build system vms. I will see if I can track down in which version of qemu the compat option was added so we can add some intelligent logic around this command. Will *Will STEVENS* Lead Developer *CloudOps | *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Thu, Nov 20, 2014 at 1:07 PM, edison su sudi...@gmail.com wrote: Hi Leo, Our new internal build system are using ubuntu 14.04 or something like that, which has qemu 1.x installed by default, that's why I added the compat option in the build script, otherwise, the image build by qemu 1.x, won't
Re: NFS overprovisioning of 0.5 ???
I think your approaching this from the wrong side. Why not just nfs export half of the space instead? (you could use lvm, thin-lvm etc)? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Andrija Panic andrija.pa...@gmail.com To: us...@cloudstack.apache.org, dev@cloudstack.apache.org Sent: Tuesday, 2 December, 2014 07:53:37 Subject: NFS overprovisioning of 0.5 ??? Hi. wondering if it is possible to set overprovisioning factor to less than 1 ? I have 1 NFS box, 2 x 10GB cards inside, don't want to do bonding, but efectively present this single box as 2 boxes via 2 IP adresses - so in this scenario I need to set overprovisioning factor to less than 1, to i.e. 0.5 - because of disk space etc... This is for test purposes, but again... -- Andrija Panić
Re: NFS overprovisioning of 0.5 ???
true... ZFS pool under NFS...will consider...but I;'m just wondering, since it is math of available space = overprovisioningFactor x realspace - I guess this is technicaly possible... On 2 December 2014 at 09:34, Nux! n...@li.nux.ro wrote: I think your approaching this from the wrong side. Why not just nfs export half of the space instead? (you could use lvm, thin-lvm etc)? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Andrija Panic andrija.pa...@gmail.com To: us...@cloudstack.apache.org, dev@cloudstack.apache.org Sent: Tuesday, 2 December, 2014 07:53:37 Subject: NFS overprovisioning of 0.5 ??? Hi. wondering if it is possible to set overprovisioning factor to less than 1 ? I have 1 NFS box, 2 x 10GB cards inside, don't want to do bonding, but efectively present this single box as 2 boxes via 2 IP adresses - so in this scenario I need to set overprovisioning factor to less than 1, to i.e. 0.5 - because of disk space etc... This is for test purposes, but again... -- Andrija Panić -- Andrija Panić
[GitHub] cloudstack pull request: Feature cenik123 vpcvrr 1.1.1
Github user lsimons commented on the pull request: https://github.com/apache/cloudstack/pull/33#issuecomment-65199170 Hey folks, Karl thanks for contributing. Looks like quite a bit of work! Rohit thanks for CC-ing me in :) It's a bit hard to read the pull request right now and provide review comments: * Github says there's nearly 7000 changed files so at a guess something went wrong there? I had a look, and it looks like KarlHarrisSungardAS/cloudstack is quite a ways behind master, which may explain that...? It's probably a good idea to make a copy of the feature branch, rebase it against current master, squash some of the commits together, and then re-send the pull request. Or, start another branch, and cherry-pick over just the changes that _should_ be in the change set. * git hasn't picked up on the relation between veewee and packer, it's probably good idea to give it some more hints. For example it would be good to see https://github.com/KarlHarrisSungardAS/cloudstack/commit/892b11ec0230ce87d14370fd1055ac223096cc77#diff-67bdab8b08f1e110ceabe1a23c3d4011R1 compared to the veewee equivalent. * there's a lot of 'shuffling' and/or adding comments intermixed with functional changes. For example https://github.com/KarlHarrisSungardAS/cloudstack/commit/7f55a1ef032c29cb955e02c90da43c91739108d7#diff-95748c84d8b6be2da502091e69b748d9L30 you might think the 'set -x' is getting removed here, but it just moved down a bit amidst a few new comments. * there's a lot of commits that are seemingly unrelated to the actual change (probably cherry-picked from master onto the feature branch?), those will need to be filtered out I think. * there's a lot of 'archive' commits which have unfinished 'checkpoint' code. I imagine all that work gets finished 'later on' (like renaming _gitignore to .gitignore is one that I tracked) but it's not so easy to see. It'd be great if those things could be squashed together. As far as content goes... 1) Like sebastien says, veewee is in maintenance mode and moving to packer (replacing veewee) is definitely a good idea. This looks like a straightforward port, which if it works ok seems like the way to go. We _should_ make sure to do it in a way that's somewhat compatible with the jenkins.buildacloud.org setup. I don't think we could sustain maintenance of both packer and veewee builds for long, it'll be a pain to keep changes in sync. I'd want to drop veewee use completely. 2) Testing the systemvm using vagrant is also obviously a good idea (we're doing much the same, over at https://github.com/schubergphilis/cloudstack/tree/feature/systemvm-persistent-config/tools/vagrant/systemvm see https://github.com/schubergphilis/cloudstack/commits/feature/systemvm-test for an abandoned branch having just test-related commits), though I don't understand why we'd need to use vagrant templates? The .box file that we get out of the veewee-based systemvm build imports (https://github.com/apache/cloudstack/blob/master/tools/appliance/build.sh#L466) just fine... 3) For the stuff that seems to be planned _beyond_ these changes, it might be a good idea to pop by on the development mailing list and discuss plans. A few people at Schuberg Philis (my employer, where there's a few people working on cloudstack) have been working on redundancy for the virtual router for a few months now. We've found that making it work also involves a lot of changes outside of the systemvm, too, i.e. changing the orchestration logic in the java code to match changed behavior of the vpc router (see https://cwiki.apache.org/confluence/display/CLOUDSTACK/Refactor+for+Redundant+Virtual+Router+Implementation / https://www.slideshare.net/LeoSimons1/toolkit-posterccceu14-v2 ). @spark404 please do have a look at Karl's approach :) cheers, Leo --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
Review Request 28597: CLOUDSTACK-8001: test_add_remove_network.py - Tag invalid test case as invalid
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28597/ --- Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-8001 https://issues.apache.org/jira/browse/CLOUDSTACK-8001 Repository: cloudstack-git Description --- test_18_add_nic_basic_zone tries to add isolated network to basic zone. This is invalid test and should be marked as invalid. Diffs - test/integration/component/test_add_remove_network.py bc9be6f Diff: https://reviews.apache.org/r/28597/diff/ Testing --- N/A Thanks, Gaurav Aradhye
Re: Review Request 28597: CLOUDSTACK-8001: test_add_remove_network.py - Tag invalid test case as invalid
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28597/#review63508 --- Ship it! 2fa1b02e3c6cf31e77ac08fde789006859eb095e master e6236297a12c07b63309867fcc166d25483aed25 4.5 - SrikanteswaraRao Talluri On Dec. 2, 2014, 9:13 a.m., Gaurav Aradhye wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28597/ --- (Updated Dec. 2, 2014, 9:13 a.m.) Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-8001 https://issues.apache.org/jira/browse/CLOUDSTACK-8001 Repository: cloudstack-git Description --- test_18_add_nic_basic_zone tries to add isolated network to basic zone. This is invalid test and should be marked as invalid. Diffs - test/integration/component/test_add_remove_network.py bc9be6f Diff: https://reviews.apache.org/r/28597/diff/ Testing --- N/A Thanks, Gaurav Aradhye
[DOCS]4.4 dos at readthedocs
H, I saw the 4.4 branch at read the docs does not exist. Is this intentional? I am looking for the update procedure for the 4.4.1 templates in there. -- Daan
Re: [ACS450] remove some upgrade path from Release Notes
Wilder (sitting next to me) is testing 4.3.0 to 4.4.2 and is having some template issues. So I wanted to look up howto in the release notes but can only find the goto 4.4.0 art of it. you have a link? On Mon, Dec 1, 2014 at 10:54 PM, Pierre-Luc Dion pd...@cloudops.com wrote: Actually, here is the best thread to ask the question... Does anyone validate upgrade instruction from 2.x, 3.x. 4.0.x, 4.1.x since 4.3.0 ? Thanks, On Mon, Dec 1, 2014 at 4:52 PM, Pierre-Luc Dion pd...@cloudops.com wrote: Well, I've never heard some someone tested upgrading a 2.2.x, 3.x.x, 4.0.x or 4.1.x since 4.4 as been released. I know for sure those upgrade path have not been tested. I'll ask for 4.5... Thanks, On Mon, Dec 1, 2014 at 3:07 AM, Leo Simons lsim...@schubergphilis.com wrote: Hey hey, Thinking as an administrator, I definitely don't want release notes (or upgrade paths themselves, or other documentation that contains procedures that have huge impact) that have not been tested. If I'm running cloudstack 2.2.14, and I want to upgrade to 4.4.2, and I ask on the users list what to do, what is the answer? If it is just follow the upgrade instructions for all consecutive releases and it'll be fine, keep it. Otherwise, remove it. My two cents :) cheers, Leo On Dec 1, 2014, at 12:39 AM, Pierre-Luc Dion pd...@cloudops.com wrote: I'm wondering if I should remove the upgrade instructions of 4.1.x, 4.0.x, 3.0.x and 2.2.14 from the 4.5.0 release notes. These upgrade instructions are fairly outdated and has not been tested(at least in 4.4). They also contain errors and some inconsistency. Unless someone is willing to validate them and fix instructions? any thoughts? thanks, PL -- Daan
Re: Is issue status can only change by owner on jira system ?
On Tue, Dec 2, 2014 at 1:11 AM, ChunFeng chunf...@domolo.com wrote: chunfeng is in -- Daan
Re: Review Request 28523: CLOUDSTACK-7991: test_security_groups.py - Move config data to test_data.py and fix pep8 issues
On Nov. 30, 2014, 10:16 p.m., Pierre-Luc Dion wrote: Cannot be merge into 4.5 branch their is conflict in ``test/integration/component/test_security_groups.py`` Gaurav Aradhye wrote: Thanks Pierre-Luc, I will check, and put rebased patch. Can you please try now? It wasn't applying cleanly because one of the commits was missing in branch 4.5. It applies cleanly now. - Gaurav --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28523/#review63320 --- On Nov. 28, 2014, 2:25 p.m., Gaurav Aradhye wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28523/ --- (Updated Nov. 28, 2014, 2:25 p.m.) Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-7991 https://issues.apache.org/jira/browse/CLOUDSTACK-7991 Repository: cloudstack-git Description --- Moving the config data in the test case to test_data.py Keeping host credentails in configurableData section. Fixing pep8 issues. Diffs - test/integration/component/test_security_groups.py eb242c7 tools/marvin/marvin/config/test_data.py f0802a5 Diff: https://reviews.apache.org/r/28523/diff/ Testing --- Yes. Two test cases failing for different reason. Log: Test authorize ingress rule ... === TestName: test_01_authorizeIngressRule | Status : SUCCESS === ok Test deploy VM in default security group ... === TestName: test_01_deployVM_InDefaultSecurityGroup | Status : SUCCESS === ok Test list security groups for admin account ... === TestName: test_02_listSecurityGroups | Status : SUCCESS === ok Test access in default security group ... === TestName: test_03_accessInDefaultSecurityGroup | Status : SUCCESS === ok Test delete security group with running VM ... === TestName: test_01_delete_security_grp_running_vm | Status : SUCCESS === ok Test delete security group without running VM ... === TestName: test_02_delete_security_grp_withoout_running_vm | Status : SUCCESS === ok Test router services for user account ... === TestName: test_01_dhcpOnlyRouter | Status : SUCCESS === ok Test delete security group with running VM ... === TestName: test_01_authorizeIngressRule_AfterDeployVM | Status : SUCCESS === ok Test Revoke ingress rule after deploy VM ... === TestName: test_02_revokeIngressRule_AfterDeployVM | Status : FAILED === FAIL Test Start/Stop VM and Verify ingress rule ... === TestName: test_03_stopStartVM_verifyIngressAccess | Status : SUCCESS === ok Test revoke ingress rule ... === TestName: test_01_revokeIngressRule | Status : FAILED === FAIL Test Deploy VM with User data ... === TestName: test_01_deployVMWithUserData | Status : SUCCESS === ok Thanks, Gaurav Aradhye
Re: WTF: Difference between schemas across branches?
Nitin, On Tue, Dec 2, 2014 at 6:38 AM, Nitin Mehta nitin.me...@citrix.com wrote: The changes from the commit 0e2e6995 are right, but this is not exactly schema change but view definition changes. This has been fixed in 4.5 through acc9c79 so that any one upgrading to 4.5 do not miss these changes. Do note that this change is idempotent so even if you do or do not make this change, anyone upgrading to 4.5 shouldn¹t have an issue, but yes 4.3 do not have these changes. This is not just a matter of working functionality. It concerns maintainability of the code base as well. It is assumed in the project that schema and upgrade files do not change and only forward changes are added to newer schema- and Upgrade-files. different fies in different branches mean we are painting ourselves in a corner, especially if we want to do any sustainable LTS. Thanks, -Nitin On 01/12/14 1:47 PM, Rohit Yadav rohit.ya...@shapeblue.com wrote: Hi, While I¹m working to backport changes on 4.3 branch, I discovered some changes between 4.3 branch¹s schema-421to431.sql and master branch¹s 421to431.sql files. While most changes are inserts/update related which may not severely harm a user upgrading from a previous version of CloudStack, but I found there were changes in the schema itself; in this case the `cloud`.`template_view`: 0e2e6995 setup/db/db/schema-421to430.sql (Nitin Mehta 2014-01-30 17:59:55 -0800 306) `cloud`.`template_store_ref` ON template_store_ref.template_id = vm_template.id and template_store_ref.store_role = 'Image' and template_store_ref.destroyed=0 While on 4.3 branch: abbae2aa setup/db/db/schema-420to430.sql (Alex Huang 2013-08-26 17:30:58 -0700 306) `cloud`.`template_store_ref` ON template_store_ref.template_id = vm_template.id and template_store_ref.store_role = ŒImage¹ Which version should we keep? Here¹s the complete diff: http://pastebin.com/PB6N7aCt You may do it locally against 4.3 (4.4/4.5 etc.) and master as well: git diff master 4.3 -- setup/db/db/schema-421to430.sql I think such issues are seen time and time again due to the way paid contributors work on private forks and upstream ACS. We simply don¹t want to use code thrown over corporate fences to ACS branches. While who am I to tell you how to do your job - I simply request that all of the committers are expected to have some level of commitment to the project and ethics of their contributions. The best way to work together is to work in the upstream first and then work on your forks that is based on the upstream. Hope this will improve with time. Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262 30892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark. -- Daan
Re: Review Request 28549: CLOUDSTACK-7993: Code enhancement - test_egress_fw_rules.py - Removing unncessary waits
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28549/#review63517 --- Ship it! 6a2c18a989a081cdf79dc8453b488b14a72cdd01 master 3d279bbb190f9907a80cc5d3f8142b3f9eb90f01 4.5 - SrikanteswaraRao Talluri On Dec. 1, 2014, 11:14 a.m., Gaurav Aradhye wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28549/ --- (Updated Dec. 1, 2014, 11:14 a.m.) Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-7993 https://issues.apache.org/jira/browse/CLOUDSTACK-7993 Repository: cloudstack-git Description --- All test cases in this test suite wait for vm expungement time period after destroying VMs. It is not necessary as now th VM is destroyed by default from Marvin with expunge parameter as True, hence it will be immediately destroyed and expunged. Diffs - test/integration/component/test_egress_fw_rules.py 0122e4f Diff: https://reviews.apache.org/r/28549/diff/ Testing --- Yes. Thanks, Gaurav Aradhye
Review Request 28598: CLOUDSTACK-8002: test_high_availability.py - Skip test cases if enough hosts are not available
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28598/ --- Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-8002 https://issues.apache.org/jira/browse/CLOUDSTACK-8002 Repository: cloudstack-git Description --- The test cases in this test suite raise an exception if enough hosts are not present n the cluster. Instead the test cases should be skipped in such situation. Also fixed imports and pep8 issues. Diffs - test/integration/component/maint/test_high_availability.py 3e69fd5 Diff: https://reviews.apache.org/r/28598/diff/ Testing --- yes. Thanks, Gaurav Aradhye
SSH Keypairs listing is missing under the account tab
Hi, Didn't get any reaction on this. In 4.4.2 RC the account tab doesn't have the dropdown box to find SSH Keypairs. Is that expected? Earlier versions of ACS had that option, was it moved somewhere or that's a bug? Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 M: E: i.shaki...@tech.leaseweb.com W: http://www.leaseweb.com Luttenbergweg 8, 1101 EC Amsterdam, Netherlands -Original Message- From: Ilia Shakitko [mailto:i.shaki...@tech.leaseweb.com] Sent: maandag, 01 december, 2014 11:01 To: dev@cloudstack.apache.org Subject: RE: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under the account tab Sorry for long reply. I am looking at release. And latest branch 4.4 - same bug. No SSH Keypairs selector. Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 M: E: i.shaki...@tech.leaseweb.com W: http://www.leaseweb.com Luttenbergweg 8, 1101 EC Amsterdam, Netherlands -Original Message- From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] Sent: maandag, 24 november, 2014 15:29 To: dev Subject: Re: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under the account tab Ilia, were you testing the release candidate or a release? On Mon, Nov 24, 2014 at 3:16 PM, Ilia Shakitko i.shaki...@tech.leaseweb.com wrote: Hi everybody, Today I found (or actually not found) an option to list/manage SSH Keypairs under the Account tab which was here: http://clip2net.com/s/jlj2EP Is that a bug or it has been moved somewhere explicitly? Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 E: i.shaki...@tech.leaseweb.com W: www.leaseweb.comhttp://www.leaseweb.com Luttenbergweg 8,1101 EC Amsterdam, Netherlands -- Daan
Re: SSH Keypairs listing is missing under the account tab
It's probably a bug, the UI has been a bit messed up, the additional IP info was also removed and added back in when I reported it. You should open a issue in jira. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Ilia Shakitko i.shaki...@tech.leaseweb.com To: dev@cloudstack.apache.org Sent: Tuesday, 2 December, 2014 11:24:15 Subject: SSH Keypairs listing is missing under the account tab Hi, Didn't get any reaction on this. In 4.4.2 RC the account tab doesn't have the dropdown box to find SSH Keypairs. Is that expected? Earlier versions of ACS had that option, was it moved somewhere or that's a bug? Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 M: E: i.shaki...@tech.leaseweb.com W: http://www.leaseweb.com Luttenbergweg 8, 1101 EC Amsterdam, Netherlands -Original Message- From: Ilia Shakitko [mailto:i.shaki...@tech.leaseweb.com] Sent: maandag, 01 december, 2014 11:01 To: dev@cloudstack.apache.org Subject: RE: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under the account tab Sorry for long reply. I am looking at release. And latest branch 4.4 - same bug. No SSH Keypairs selector. Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 M: E: i.shaki...@tech.leaseweb.com W: http://www.leaseweb.com Luttenbergweg 8, 1101 EC Amsterdam, Netherlands -Original Message- From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] Sent: maandag, 24 november, 2014 15:29 To: dev Subject: Re: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under the account tab Ilia, were you testing the release candidate or a release? On Mon, Nov 24, 2014 at 3:16 PM, Ilia Shakitko i.shaki...@tech.leaseweb.com wrote: Hi everybody, Today I found (or actually not found) an option to list/manage SSH Keypairs under the Account tab which was here: http://clip2net.com/s/jlj2EP Is that a bug or it has been moved somewhere explicitly? Kind regards, Ilia Shakitko Innovation Engineer LeaseWeb Technologies B.V. T: +31 20 316 0235 E: i.shaki...@tech.leaseweb.com W: www.leaseweb.comhttp://www.leaseweb.com Luttenbergweg 8,1101 EC Amsterdam, Netherlands -- Daan
Re: WTF: Difference between schemas across branches?
Thanks for replying Nitin. I've picked the latest fix, both schema files are semantically same now. If we're fixing/back-porting bug-fixes to all branches where a bug exists and making sure we're not introducing differences in schema, by doing that in a way we're helping the overall community (and not just coding) and living the Apache way of community over code. I think if our day-job allow us to fix then it should *ideally* allow us to fix a bug on all the affected branches. I noticed recently within the community that a lot of companies who may provide such ideal environments are looking for good developers. Some folks expressed concerns over the email subject. They were all right, the subject contains a typo that I forgot to remove. On Tuesday 02 December 2014 11:08 AM, Nitin Mehta wrote: The changes from the commit 0e2e6995 are right, but this is not exactly schema change but view definition changes. This has been fixed in 4.5 through acc9c79 so that any one upgrading to 4.5 do not miss these changes. Do note that this change is idempotent so even if you do or do not make this change, anyone upgrading to 4.5 shouldn¹t have an issue, but yes 4.3 do not have these changes. Thanks, -Nitin On 01/12/14 1:47 PM, Rohit Yadav rohit.ya...@shapeblue.com wrote: Hi, While I¹m working to backport changes on 4.3 branch, I discovered some changes between 4.3 branch¹s schema-421to431.sql and master branch¹s 421to431.sql files. While most changes are inserts/update related which may not severely harm a user upgrading from a previous version of CloudStack, but I found there were changes in the schema itself; in this case the `cloud`.`template_view`: 0e2e6995 setup/db/db/schema-421to430.sql (Nitin Mehta 2014-01-30 17:59:55 -0800 306) `cloud`.`template_store_ref` ON template_store_ref.template_id = vm_template.id and template_store_ref.store_role = 'Image' and template_store_ref.destroyed=0 While on 4.3 branch: abbae2aa setup/db/db/schema-420to430.sql (Alex Huang 2013-08-26 17:30:58 -0700 306) `cloud`.`template_store_ref` ON template_store_ref.template_id = vm_template.id and template_store_ref.store_role = ŒImage¹ Which version should we keep? Here¹s the complete diff: http://pastebin.com/PB6N7aCt You may do it locally against 4.3 (4.4/4.5 etc.) and master as well: git diff master 4.3 -- setup/db/db/schema-421to430.sql I think such issues are seen time and time again due to the way paid contributors work on private forks and upstream ACS. We simply don¹t want to use code thrown over corporate fences to ACS branches. While who am I to tell you how to do your job - I simply request that all of the committers are expected to have some level of commitment to the project and ethics of their contributions. The best way to work together is to work in the upstream first and then work on your forks that is based on the upstream. Hope this will improve with time. Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262 30892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab -- Regards, Rohit Yadav Software Architect, ShapeBlue M. +41 779015219 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
time zones
Hi,Does CloudStack accepted time zones limited to list below?http://docs.cloudstack.apache.org/en/latest/dev.html?highlight=time%20zones#time-zones Is it possible to use different time zone outside of the above list?Thanks
Re: time zones
Hmm... AFAIK this list covers all timezones available. Pick the one that match your timezone? Even if its not Your city thata written. I dont think any is missing. (?) FG On Dec 2, 2014 7:41 AM, Alireza Eskandari astro.alir...@yahoo.com.invalid wrote: Hi,Does CloudStack accepted time zones limited to list below? http://docs.cloudstack.apache.org/en/latest/dev.html?highlight=time%20zones#time-zones Is it possible to use different time zone outside of the above list?Thanks
Re: time zones
Francois, you are right but unfortunately our time zone isn't standard. We use +3.5 (+4.5 with DST)Thanks
Re: time zones
Interesting. I guess you should do a JIRA ticket to track it. Most of these timezone probably comes from Java tho. FG On Dec 2, 2014 7:56 AM, Alireza Eskandari astro.alir...@yahoo.com.invalid wrote: Francois, you are right but unfortunately our time zone isn't standard. We use +3.5 (+4.5 with DST)Thanks
Jenkins 4.4.2 release?
In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I can test it? Matthew Midgett
Re: Jenkins 4.4.2 release?
the source tarball is in https://dist.apache.org/repos/dist/release/cloudstack/releases/4.4.2/ On Tue, Dec 2, 2014 at 3:33 PM, Matthew Midgett clouds...@trick-solutions.com.invalid wrote: In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I can test it? Matthew Midgett -- Daan
Re: Review Request 28523: CLOUDSTACK-7991: test_security_groups.py - Move config data to test_data.py and fix pep8 issues
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28523/#review63535 --- Pushed into master and 4.5 branches. - Pierre-Luc Dion On Nov. 28, 2014, 8:55 a.m., Gaurav Aradhye wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28523/ --- (Updated Nov. 28, 2014, 8:55 a.m.) Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-7991 https://issues.apache.org/jira/browse/CLOUDSTACK-7991 Repository: cloudstack-git Description --- Moving the config data in the test case to test_data.py Keeping host credentails in configurableData section. Fixing pep8 issues. Diffs - test/integration/component/test_security_groups.py eb242c7 tools/marvin/marvin/config/test_data.py f0802a5 Diff: https://reviews.apache.org/r/28523/diff/ Testing --- Yes. Two test cases failing for different reason. Log: Test authorize ingress rule ... === TestName: test_01_authorizeIngressRule | Status : SUCCESS === ok Test deploy VM in default security group ... === TestName: test_01_deployVM_InDefaultSecurityGroup | Status : SUCCESS === ok Test list security groups for admin account ... === TestName: test_02_listSecurityGroups | Status : SUCCESS === ok Test access in default security group ... === TestName: test_03_accessInDefaultSecurityGroup | Status : SUCCESS === ok Test delete security group with running VM ... === TestName: test_01_delete_security_grp_running_vm | Status : SUCCESS === ok Test delete security group without running VM ... === TestName: test_02_delete_security_grp_withoout_running_vm | Status : SUCCESS === ok Test router services for user account ... === TestName: test_01_dhcpOnlyRouter | Status : SUCCESS === ok Test delete security group with running VM ... === TestName: test_01_authorizeIngressRule_AfterDeployVM | Status : SUCCESS === ok Test Revoke ingress rule after deploy VM ... === TestName: test_02_revokeIngressRule_AfterDeployVM | Status : FAILED === FAIL Test Start/Stop VM and Verify ingress rule ... === TestName: test_03_stopStartVM_verifyIngressAccess | Status : SUCCESS === ok Test revoke ingress rule ... === TestName: test_01_revokeIngressRule | Status : FAILED === FAIL Test Deploy VM with User data ... === TestName: test_01_deployVMWithUserData | Status : SUCCESS === ok Thanks, Gaurav Aradhye
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
@Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in previous bash scripting for CS, so I am willing to fall in line with the preferred method. What I proposed was based on how similar problems were solved in other code in the same file. If I check for version, do you agree that I should check for 1.7 as the version since that is the version where the compact default changed? I will try to get this resolved tomorrow. Cheers, Will On Dec 1, 2014 9:16 PM, Edison Su edison...@citrix.com wrote: qemu-img |head -n 1|awk '{print $3}' should show the version of qemu-img *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On Behalf Of *Will Stevens *Sent:* Monday, December 01, 2014 2:17 PM *To:* dev@cloudstack.apache.org *Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su *Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Alright, so far I have found the following: https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c Basically, if the qemu-img version is less than 1.7, we should run the non 'compat' option version and if the version is 1.7 or greater, we should run the new command with the 'compat' version. Unfortunately I am not able to find a way to get the qemu-img version from the command line. I am looking to basically add a conditional to try running with the compat option and if that fails, then run it without the compat option. Basically, I would be replacing this: qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 With this: set +e qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 local qemuresult=$? set -e if [ ${qemuresult} != 0 ]; then log INFO qemu-img convert failed, trying without compat option qemu-img convert -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 fi
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
Will, I might have gotten lost in the details, apologies if it's the case. What I wanted to point out is that the qemu-img in EL7 (v1.5.3 which is _lower_ than 1.7) will by default produce an image with compat = 1.1 which older qemu-kvm will not be able to use, such as the one in CentOS 6. So if you are running a systemvm build job on EL7 you should be aware of this. That's why I preferred your script, because it doesn't just rely on version numbers. I myself am not running any systemvm build jobs. qemu-img create -f raw test.raw 1G qemu-img convert -f raw test.raw -O qcow2 test.qcow2 qemu-img info test.qcow2 image: test.qcow2 file format: qcow2 virtual size: 1.0G (1073741824 bytes) disk size: 196K cluster_size: 65536 Format specific information: compat: 1.1 lazy refcounts: false -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Will Stevens wstev...@cloudops.com To: Nux! n...@li.nux.ro Cc: dev@cloudstack.apache.org, Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 15:11:40 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in previous bash scripting for CS, so I am willing to fall in line with the preferred method. What I proposed was based on how similar problems were solved in other code in the same file. If I check for version, do you agree that I should check for 1.7 as the version since that is the version where the compact default changed? I will try to get this resolved tomorrow. Cheers, Will On Dec 1, 2014 9:16 PM, Edison Su edison...@citrix.com wrote: qemu-img |head -n 1|awk '{print $3}' should show the version of qemu-img *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On Behalf Of *Will Stevens *Sent:* Monday, December 01, 2014
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
Interesting. Thanks for that... So it seems that if you run the build system on a EL7 the version check approach won't even help us because they have changed the default behavior of the installed qemu-img version to make it default to '1.1'. In light of this and considering what a PITA it is to compare version numbers in bash, I will solve the problem with my original code. I will do some testing on a local system to work out the kinks and try to validate that Rohit's concerns are addressed. I will report back later today. Thanks for the help on this Nux... :) Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 10:27 AM, Nux! n...@li.nux.ro wrote: Will, I might have gotten lost in the details, apologies if it's the case. What I wanted to point out is that the qemu-img in EL7 (v1.5.3 which is _lower_ than 1.7) will by default produce an image with compat = 1.1 which older qemu-kvm will not be able to use, such as the one in CentOS 6. So if you are running a systemvm build job on EL7 you should be aware of this. That's why I preferred your script, because it doesn't just rely on version numbers. I myself am not running any systemvm build jobs. qemu-img create -f raw test.raw 1G qemu-img convert -f raw test.raw -O qcow2 test.qcow2 qemu-img info test.qcow2 image: test.qcow2 file format: qcow2 virtual size: 1.0G (1073741824 bytes) disk size: 196K cluster_size: 65536 Format specific information: compat: 1.1 lazy refcounts: false -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Will Stevens wstev...@cloudops.com To: Nux! n...@li.nux.ro Cc: dev@cloudstack.apache.org, Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 15:11:40 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01
RE: Jenkins 4.4.2 release?
Thanks Daan, Going to get coffee as this build might take a while on the small VM that its running on. Awesome! I'm super stoked that now I have created my own repo. :) BTW thanks for good documnetion http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/latest/building_from_source.html I did upgrade to the latest version of maven. -Original Message- From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] Sent: Tuesday, December 02, 2014 9:36 AM To: dev Subject: Re: Jenkins 4.4.2 release? the source tarball is in https://dist.apache.org/repos/dist/release/cloudstack/releases/4.4.2/ On Tue, Dec 2, 2014 at 3:33 PM, Matthew Midgett clouds...@trick-solutions.com.invalid wrote: In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I can test it? Matthew Midgett -- Daan
Re: git commit: updated refs/heads/master to 6dd30ea
Hi Daan/Wilder, Quick question about fixing the following coverity issue (in-line); On Tue, Dec 2, 2014 at 8:45 PM, d...@apache.org wrote: Repository: cloudstack Updated Branches: refs/heads/master 818957de0 - 6dd30eaf1 CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch statement warning reviewed by Wilder Rodrigues Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf Branch: refs/heads/master Commit: 6dd30eaf14f323cd84252647c490e84982b0a853 Parents: 818957d Author: Daan Hoogland dhoogl...@schubergphilis.com Authored: Tue Dec 2 16:14:34 2014 +0100 Committer: Daan Hoogland d...@onecht.net Committed: Tue Dec 2 16:14:34 2014 +0100 -- .../com/cloud/upgrade/dao/Upgrade442to450.java | 28 ++-- 1 file changed, 8 insertions(+), 20 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java -- diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java index aeb44a1..9fe1319 100644 --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade { } private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection conn) { -PreparedStatement updatePstmt = null; -PreparedStatement selectPstmt = null; -ResultSet selectResultSet = null; int newRamSize = 256; //256MB long serviceOfferingId = 0; @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade { * We should not update/modify any user-defined offering. */ -try { -selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); -updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); -selectResultSet = selectPstmt.executeQuery(); +try (PreparedStatement selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); + PreparedStatement updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); + ResultSet selectResultSet = selectPstmt.executeQuery()){ if(selectResultSet.next()) { serviceOfferingId = selectResultSet.getLong(id); } @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade { updatePstmt.executeUpdate(); } catch (SQLException e) { throw new CloudRuntimeException(Unable to upgrade ram_size of service offering for internal loadbalancer vm. , e); -} finally { -try { -if (selectPstmt != null) { -selectPstmt.close(); -} -if (selectResultSet != null) { -selectResultSet.close(); -} -if (updatePstmt != null) { -updatePstmt.close(); -} -} catch (SQLException e) { -} Why are we removing closing statements and resultsets here? } s_logger.debug(Done upgrading RAM for service offering of internal loadbalancer vm to + newRamSize); } @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade { break; case LXC: hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC); break; +default: // no action on cases Any, BareMetal, None, Ovm, Parralels, Simulator and VirtualBox: +break; } } } catch (SQLException e) { @@ -258,6 +243,8 @@ public class Upgrade442to450 implements DbUpgrade { pstmt.executeUpdate(); pstmt.close(); } else { +rs.close(); +pstmt.close(); if (hypervisorsListInUse.contains(hypervisorAndTemplateName.getKey())){ throw new CloudRuntimeException(4.5.0 + hypervisorAndTemplateName.getKey() + SystemVm template not found. Cannot upgrade system Vms); }
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
Hi Will, Reply in-line; On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote: @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? Yes, I think that will work as well. If we are not sure about qemu version, it should be alright to try once without compat and check $? and retry again with compat option. The only corner case I can think of is when qemu-img genuinely exits with a non-zero exit code during image conversion. @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in previous bash scripting for CS, so I am willing to fall in line with the preferred method. What I proposed was based on how similar problems were solved in other code in the same file. If I check for version, do you agree that I should check for 1.7 as the version since that is the version where the compact default changed? I will try to get this resolved tomorrow. Cheers, Will On Dec 1, 2014 9:16 PM, Edison Su edison...@citrix.com wrote: qemu-img |head -n 1|awk '{print $3}' should show the version of qemu-img *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On Behalf Of *Will Stevens *Sent:* Monday, December 01, 2014 2:17 PM *To:* dev@cloudstack.apache.org *Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su *Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Alright, so far I have found the following: https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c Basically, if the qemu-img version is less than 1.7, we should run the non 'compat' option version and if the version is 1.7 or greater, we should run the new command with the 'compat' version. Unfortunately I am not able to find a way to get the qemu-img version from the command line. I am looking to basically add a conditional to try running with the compat option and if that fails, then run it without the compat option. Basically, I would be replacing this: qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img ${appliance_build_name}-kvm.qcow2 With this: set +e qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
I will do some testing and see what I can come up with. BTW, I would be doing it the reverse of what you said. I would try to specify the 'compat=0.10' option initially and if that is OK, then we are good. If it fails (it is currently failing on the 4.5 branch) this is most likely because the version of qemu-img does not support the 'compat' option being passed to the convert call (which is what is happening right now on our build systems). In that case, we will want to run the command without the compat option because if it is too old to support the 'compat' option then it will have the compat=0.10 default. Basically, I will try it the new way that Edison introduced. If that fails, I will fall back to the way it was being done before Edison's change... Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav rohit.ya...@shapeblue.com wrote: Hi Will, Reply in-line; On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote: @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? Yes, I think that will work as well. If we are not sure about qemu version, it should be alright to try once without compat and check $? and retry again with compat option. The only corner case I can think of is when qemu-img genuinely exits with a non-zero exit code during image conversion. @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in previous bash scripting for CS, so I am willing to fall in line with the preferred method. What I proposed was based on how similar problems were solved in other code in the same file. If I check for version, do you agree that I should check for 1.7 as the version since that is the version where the compact default changed? I will try to get this resolved tomorrow. Cheers, Will On Dec 1, 2014 9:16 PM, Edison Su edison...@citrix.com wrote: qemu-img |head -n 1|awk '{print $3}' should show the version of qemu-img
Re: Review Request 24991: CLOUDSTACK-6697: BigSwitchVns plugin update
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/24991/#review63543 --- Hey KC, I had some trouble applying the latest patch too, it appears a couple of other commits got into your patch as well. I've applied the patch as i think it should be, but could you check the cloudstack branch reviews/24991 to see if everything is in order? Cheers, Hugo - Hugo Trippaers On Nov. 30, 2014, 2:49 a.m., Kuang-Ching Wang wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/24991/ --- (Updated Nov. 30, 2014, 2:49 a.m.) Review request for cloudstack, Chiradeep Vittal, David Nalley, Sebastien Goasguen, and Hugo Trippaers. Repository: cloudstack-git Description --- CLOUDSTACK-6697: Big Switch network plugin update 1. provide compatibility with the Big Cloud Fabric (BCF) controller L2 Connectivity Service in both VPC and non-VPC modes 2. virtual network terminology updates: VNS -- BCF_SEGMENT 3. uses HTTPS with trust-always certificate handling 4. topology sync support with BCF controller 5. support multiple (two) BCF controllers with HA 6. support VM migration Diffs - .travis.yml cb07a68cb3e7decf7cdb593172d8c9011c418e36 api/src/com/cloud/network/Network.java c5a9bf286df8d502a6ca33661fb52ee717643566 api/src/com/cloud/network/PhysicalNetwork.java 7c9349d932771fdbecc4a0b1ae4cad28b3d67857 api/src/org/apache/cloudstack/api/response/UserVmResponse.java 9fe3475f57afebbd976294e4fd5231cdf77612c2 client/WEB-INF/classes/resources/messages.properties 3228578ce81a826f49166a72a6c67143fb12c95d client/WEB-INF/classes/resources/messages_fr_FR.properties 54dc6215a8339b9f8c2bad9fe4c3ed18b4a702e7 client/WEB-INF/classes/resources/messages_ja_JP.properties 1962e92a4cf47978dae35a3d2b090b4c1765fecb client/WEB-INF/classes/resources/messages_ko_KR.properties ced576cb23598e7d3e5005bc24c2adf20b66a826 client/WEB-INF/classes/resources/messages_nl_NL.properties 86653a5f5144c75e67b5a6f02c47d37bd5a71ef0 client/WEB-INF/classes/resources/messages_pt_BR.properties fa77633a650f1b37d8398a8936bbf84f5b4a40e3 client/WEB-INF/classes/resources/messages_ru_RU.properties 7f57daa58bef379ddb47acb88965d0defe32ad73 client/WEB-INF/classes/resources/messages_zh_CN.properties 217849582b41cb2c63a0e305e5613af6f659d11d client/pom.xml 6803f9a11fd2c80523ea16bdd35f2a4d163f953c client/tomcatconf/commands.properties.in a87d1677f24657299ec24d4ce9df9a180a62bd0c engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java dc1057f9033fd783900e6c3b623d3b28fb7d6836 engine/schema/src/com/cloud/user/dao/VmDiskStatisticsDaoImpl.java e1136d3cf567b73fd1198181aea4d6995df6b78a engine/storage/datamotion/src/org/apache/cloudstack/storage/motion/AncientDataMotionStrategy.java 5b01f95eef164e725001f34528e46dde0eb15f99 packaging/centos63/cloud.spec 072a0b94884c5f32176df3ac0083249a52a1f9ed packaging/centos63/default/macros.spec f3c937cac37afb39c1d95d223a0debd42c19a505 packaging/centos63/default/tomcat.sh 0908da4696e300d0b26a1aef18ce08b1816e9af9 packaging/centos63/package.sh 00c19478ea0125fbf1ec5902cc7da11d7bbdc5de packaging/centos63/rhel7/cloud-management.service 5d69885640416bbf1760eb644a062a1f79b5022a packaging/centos63/rhel7/macros.spec 4b7109280abcb22b3f846edd81147391477289e9 packaging/centos63/rhel7/tomcat.sh 03c6e7b97848a923bf69b57abd2970aeb883c4c7 packaging/centos63/tomcat.sh PRE-CREATION packaging/centos7/cloud-agent.rc PRE-CREATION packaging/centos7/cloud-ipallocator.rc PRE-CREATION packaging/centos7/cloud-management.service PRE-CREATION packaging/centos7/cloud-management.sudoers PRE-CREATION packaging/centos7/cloud-management.sysconfig PRE-CREATION packaging/centos7/cloud-usage-sysd PRE-CREATION packaging/centos7/cloud-usage.service PRE-CREATION packaging/centos7/cloud-usage.sysconfig PRE-CREATION packaging/centos7/cloud.limits PRE-CREATION packaging/centos7/cloud.spec PRE-CREATION packaging/centos7/cloudstack-agent.te PRE-CREATION packaging/centos7/cloudstack-sccs PRE-CREATION packaging/centos7/replace.properties PRE-CREATION packaging/centos7/tomcat7/catalina.properties PRE-CREATION packaging/centos7/tomcat7/cloud-bridge.properties PRE-CREATION packaging/centos7/tomcat7/commons-logging.properties PRE-CREATION packaging/centos7/tomcat7/db.properties PRE-CREATION packaging/centos7/tomcat7/ec2-service.properties PRE-CREATION packaging/centos7/tomcat7/environment.properties PRE-CREATION packaging/centos7/tomcat7/log4j-cloud.xml PRE-CREATION packaging/centos7/tomcat7/server.xml PRE-CREATION
Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though
Hi , I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 4 vlans public(CIDR:-192.168.1.0/24) guest vlan (CIDR:-10.0.0.0/24) management vlan (CIDR:-10.0.1.0/24) storage vlan (CIDR:-10.0.2.0/24) I have a kvm host with four physical NICS that a connected in switch and each NIC is connected in each different vlan. I have created bridge over each physical nics:- Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to guest vlan) Cloudbr1:-ip address:-10.0.1.24 (connected on the port of the switch belongs to management vlan) Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to storage vlan) Cloudbr3:-ip address:-192.168.1.24 (connected on the port of the switch belongs to public vlan) I have a physical machine with four NICS and CloudStack management is installed on it and four NICS are connected in four vlans with ip. =I have created a zone with advanced networking and everything been success so far. when I created two instances(guests) on kvm host, I can ping this instances with each other.( guest1/ guest2) i.e Instance1:-ip address:-10.0.0.90 Instance2:-ip address:-10.0.0.91 Virtual router:-ip address:-10.0.0.4 Now when I tried to ping /ssh the guest from a laptop attached in same vlan (guest vlan) , I can’t ping guests. From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) , but cant ping/ssh any guest. There is no firewall issues - i checked. I have attached a network diagram also for better understanding of issues. Could you please help me so that I can ping /ssh to any guest from any machine in guest vlan. Thanks in advance Best Regards Papu Bhattacharya CEO- PTR Technologies http://www.ptrsoft.com 91-9963111687
Re: git commit: updated refs/heads/master to 6dd30ea
On Tue, Dec 2, 2014 at 4:50 PM, Rohit Yadav rohityada...@gmail.com wrote: Hi Daan/Wilder, Quick question about fixing the following coverity issue (in-line); On Tue, Dec 2, 2014 at 8:45 PM, d...@apache.org wrote: Repository: cloudstack Updated Branches: refs/heads/master 818957de0 - 6dd30eaf1 CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch statement warning reviewed by Wilder Rodrigues Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf Branch: refs/heads/master Commit: 6dd30eaf14f323cd84252647c490e84982b0a853 Parents: 818957d Author: Daan Hoogland dhoogl...@schubergphilis.com Authored: Tue Dec 2 16:14:34 2014 +0100 Committer: Daan Hoogland d...@onecht.net Committed: Tue Dec 2 16:14:34 2014 +0100 -- .../com/cloud/upgrade/dao/Upgrade442to450.java | 28 ++-- 1 file changed, 8 insertions(+), 20 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java -- diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java index aeb44a1..9fe1319 100644 --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade { } private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection conn) { -PreparedStatement updatePstmt = null; -PreparedStatement selectPstmt = null; -ResultSet selectResultSet = null; int newRamSize = 256; //256MB long serviceOfferingId = 0; @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade { * We should not update/modify any user-defined offering. */ -try { -selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); -updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); -selectResultSet = selectPstmt.executeQuery(); +try (PreparedStatement selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); + PreparedStatement updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); + ResultSet selectResultSet = selectPstmt.executeQuery()){ if(selectResultSet.next()) { serviceOfferingId = selectResultSet.getLong(id); } @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade { updatePstmt.executeUpdate(); } catch (SQLException e) { throw new CloudRuntimeException(Unable to upgrade ram_size of service offering for internal loadbalancer vm. , e); -} finally { -try { -if (selectPstmt != null) { -selectPstmt.close(); -} -if (selectResultSet != null) { -selectResultSet.close(); -} -if (updatePstmt != null) { -updatePstmt.close(); -} -} catch (SQLException e) { -} Why are we removing closing statements and resultsets here? because of the try-with-resource (automatic closing of resources) } s_logger.debug(Done upgrading RAM for service offering of internal loadbalancer vm to + newRamSize); } @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade { break; case LXC: hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC); break; +default: // no action on cases Any, BareMetal, None, Ovm, Parralels, Simulator and VirtualBox: +break; } } } catch (SQLException e) { @@ -258,6 +243,8 @@ public class Upgrade442to450 implements DbUpgrade { pstmt.executeUpdate(); pstmt.close(); } else { +rs.close(); +pstmt.close(); if (hypervisorsListInUse.contains(hypervisorAndTemplateName.getKey())){ throw new
Re: Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though
Hi, ( sending same mail with attachments image- seems early mail image was not attached), I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 4 vlans public(CIDR:-192.168.1.0/24) guest vlan (CIDR:-10.0.0.0/24) management vlan (CIDR:-10.0.1.0/24) storage vlan (CIDR:-10.0.2.0/24) I have a kvm host with four physical NICS that a connected in switch and each NIC is connected in each different vlan. I have created bridge over each physical nics:- Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to guest vlan) Cloudbr1:-ip address:-10.0.1.24 (connected on the port of the switch belongs to management vlan) Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to storage vlan) Cloudbr3:-ip address:-192.168.1.24 (connected on the port of the switch belongs to public vlan) I have a physical machine with four NICS and CloudStack management is installed on it and four NICS are connected in four vlans with ip. =I have created a zone with advanced networking and everything been success so far. when I created two instances(guests) on kvm host, I can ping this instances with each other.( guest1/ guest2) i.e Instance1:-ip address:-10.0.0.90 Instance2:-ip address:-10.0.0.91 Virtual router:-ip address:-10.0.0.4 Now when I tried to ping /ssh the guest from a laptop attached in same vlan (guest vlan) , I can’t ping guests. From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) , but cant ping/ssh any guest. There is no firewall issues - i checked. I have attached a network diagram also for better understanding of issues. Could you please help me so that I can ping /ssh to any guest from any machine in guest vlan. Thanks in advance Best Regards Papu Bhattacharya CEO- PTR Technologies http://www.ptrsoft.com 91-9963111687 - Original Message - From: papu bhattcharaya p...@ptrsoft.com To: papub...@gmail.com Sent: Tuesday, December 2, 2014 10:15:30 PM Subject: Fwd: Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though Best Regards Papu Bhattacharya CEO- PTR Technologies http://www.ptrsoft.com 91-9963111687 - Forwarded Message - From: papu bhattcharaya p...@ptrsoft.com To: dev@cloudstack.apache.org Sent: Tuesday, December 2, 2014 10:05:11 PM Subject: Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though Hi , I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 4 vlans public(CIDR:-192.168.1.0/24) guest vlan (CIDR:-10.0.0.0/24) management vlan (CIDR:-10.0.1.0/24) storage vlan (CIDR:-10.0.2.0/24) I have a kvm host with four physical NICS that a connected in switch and each NIC is connected in each different vlan. I have created bridge over each physical nics:- Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to guest vlan) Cloudbr1:-ip address:-10.0.1.24 (connected on the port of the switch belongs to management vlan) Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to storage vlan) Cloudbr3:-ip address:-192.168.1.24 (connected on the port of the switch belongs to public vlan) I have a physical machine with four NICS and CloudStack management is installed on it and four NICS are connected in four vlans with ip. =I have created a zone with advanced networking and everything been success so far. when I created two instances(guests) on kvm host, I can ping this instances with each other.( guest1/ guest2) i.e Instance1:-ip address:-10.0.0.90 Instance2:-ip address:-10.0.0.91 Virtual router:-ip address:-10.0.0.4 Now when I tried to ping /ssh the guest from a laptop attached in same vlan (guest vlan) , I can’t ping guests. From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) , but cant ping/ssh any guest. There is no firewall issues - i checked. I have attached a network diagram also for better understanding of issues. Could you please help me so that I can ping /ssh to any guest from any machine in guest vlan. Thanks in advance Best Regards Papu Bhattacharya CEO- PTR Technologies http://www.ptrsoft.com 91-9963111687
RE: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
-Original Message- From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On Behalf Of Will Stevens Sent: Tuesday, December 02, 2014 8:06 AM To: dev@cloudstack.apache.org Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat I will do some testing and see what I can come up with. BTW, I would be doing it the reverse of what you said. I would try to specify the 'compat=0.10' option initially and if that is OK, then we are good. If it fails (it is currently failing on the 4.5 branch) this is most likely because the version of qemu-img does not support the 'compat' option being passed to the convert call (which is what is happening right now on our build systems). In that case, we will want to run the command without the compat option because if it is too old to support the 'compat' option then it will have the compat=0.10 default. Seems the qemu version is a little bit of mess, I think above method is good enough. BTW, thanks to look into the issue... Basically, I will try it the new way that Edison introduced. If that fails, I will fall back to the way it was being done before Edison's change... Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav rohit.ya...@shapeblue.com wrote: Hi Will, Reply in-line; On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote: @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? Yes, I think that will work as well. If we are not sure about qemu version, it should be alright to try once without compat and check $? and retry again with compat option. The only corner case I can think of is when qemu-img genuinely exits with a non-zero exit code during image conversion. @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons lsim...@schubergphilis.com Sent: Tuesday, 2 December, 2014 07:36:21 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat Hi Will, While we can use your first solution that checks exit status ($?) but in case some is running the script with a set -e, the script will simply break when $? is not zero. I think if we know above which qemu-img version we should we the compat option (1.7?) than that's great we should we that. Thanks for looking into this. Regards. On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens wstev...@cloudops.com wrote: Thanks for that. Does that mean that we prefer to do an if else based on version rather than basically doing a try catch? I have not been involved in
Re: git commit: updated refs/heads/master to 6dd30ea
Hi Daan, Thanks for confirming, I’ll use this pattern in future. On 02-Dec-2014, at 10:05 pm, Daan Hoogland daan.hoogl...@gmail.com wrote: On Tue, Dec 2, 2014 at 4:50 PM, Rohit Yadav rohityada...@gmail.com wrote: Hi Daan/Wilder, Quick question about fixing the following coverity issue (in-line); On Tue, Dec 2, 2014 at 8:45 PM, d...@apache.org wrote: Repository: cloudstack Updated Branches: refs/heads/master 818957de0 - 6dd30eaf1 CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch statement warning reviewed by Wilder Rodrigues Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf Branch: refs/heads/master Commit: 6dd30eaf14f323cd84252647c490e84982b0a853 Parents: 818957d Author: Daan Hoogland dhoogl...@schubergphilis.com Authored: Tue Dec 2 16:14:34 2014 +0100 Committer: Daan Hoogland d...@onecht.net Committed: Tue Dec 2 16:14:34 2014 +0100 -- .../com/cloud/upgrade/dao/Upgrade442to450.java | 28 ++-- 1 file changed, 8 insertions(+), 20 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java -- diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java index aeb44a1..9fe1319 100644 --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade { } private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection conn) { -PreparedStatement updatePstmt = null; -PreparedStatement selectPstmt = null; -ResultSet selectResultSet = null; int newRamSize = 256; //256MB long serviceOfferingId = 0; @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade { * We should not update/modify any user-defined offering. */ -try { -selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); -updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); -selectResultSet = selectPstmt.executeQuery(); +try (PreparedStatement selectPstmt = conn.prepareStatement(SELECT id FROM `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'); + PreparedStatement updatePstmt = conn.prepareStatement(UPDATE `cloud`.`service_offering` SET ram_size=? WHERE id=?); + ResultSet selectResultSet = selectPstmt.executeQuery()){ if(selectResultSet.next()) { serviceOfferingId = selectResultSet.getLong(id); } @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade { updatePstmt.executeUpdate(); } catch (SQLException e) { throw new CloudRuntimeException(Unable to upgrade ram_size of service offering for internal loadbalancer vm. , e); -} finally { -try { -if (selectPstmt != null) { -selectPstmt.close(); -} -if (selectResultSet != null) { -selectResultSet.close(); -} -if (updatePstmt != null) { -updatePstmt.close(); -} -} catch (SQLException e) { -} Why are we removing closing statements and resultsets here? because of the try-with-resource (automatic closing of resources) } s_logger.debug(Done upgrading RAM for service offering of internal loadbalancer vm to + newRamSize); } @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade { break; case LXC: hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC); break; +default: // no action on cases Any, BareMetal, None, Ovm, Parralels, Simulator and VirtualBox: +break; } } } catch (SQLException e) { @@ -258,6 +243,8 @@ public class Upgrade442to450 implements DbUpgrade { pstmt.executeUpdate(); pstmt.close(); } else { +rs.close(); +pstmt.close(); if
RE: Re:CloudStack Quality Process
I'll throw my hat in the ring and do whatever my skillset allows. Regards, Paul Angus Cloud Architect S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus paul.an...@shapeblue.com -Original Message- From: ChunFeng [mailto:chunf...@domolo.com] Sent: 02 December 2014 00:31 To: dev Subject: Re:CloudStack Quality Process Hi Steve, I am now focus on test automation , and I willing to be one of this team. -- Regards, ChunFeng @accesine -- Original -- From: Steve Wilsonsteve.wil...@citrix.com; Date: Tue, Dec 2, 2014 03:12 AM To: dev@cloudstack.apache.orgdev@cloudstack.apache.org; Subject: CloudStack Quality Process Hi Everyone, It was great to get to see a number of you at the recent CCC in Budapest. While I was there, I got to meet face to face with individuals working for several companies that have a real stake in the commercial success of the CloudStack project. After joining Citrix (and becoming involved in CloudStack) about a year ago, I’ve come to believe that we need to do more to mature our quality practices around this codebase. We all like to say #cloudstackworks (and it’s true), but this is a massive codebase that’s used in the most demanding situations. We have large telecommunications companies and enterprises who are betting their businesses on this software. It has to be great! There has been quite a bit of discussion on the mailing list in recent months about how we improve in this area. There is plenty of passion, but we haven’t made enough concrete progress as a community. In my discussions with key contributors as CCC, there was general agreement that the DEV list isn’t a good forum for hashing out these kinds of things. Email is too low-bandwidth and too impersonal. At CCC, I discussed with several people the idea that we commission a small sub team to go hash out a proposal for how we handle the following topics within the ACS community (which can then be brought back to the larger community for ratification): * Continuous integration and test automation * Gating of commits * Overall commit workflow We are looking for volunteers to commit to being part of this team. This would imply a serious commitment. We don’t want hangers on or observers. This will entail real work and late night meetings. We’re looking for people who are serious contributors to the codebase. From Citrix, David Nalley and Animesh Chaturvedi have booth told me they’re willing to commit to this project. They’ve both managed ACS releases and have a really good view into the current process — and I know both are passionate about improving our process. From my CCC discussions, I believe there are individuals from Schuberg Philis, Shape Blue and Cloud Ops who are willing to commit to this process. If you are willing to be part of this team to drive forward our community, please reply here. Thanks, -Steve Steve Wilson VP Product Unit Manager Cloud Software Citrix @virtualsteve Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: CloudStack Quality Process
I'll be happy to participate and contribute to this effort. On Wednesday 03 December 2014 02:04 AM, Paul Angus wrote: I'll throw my hat in the ring and do whatever my skillset allows. Regards, Paul Angus Cloud Architect S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus paul.an...@shapeblue.com -Original Message- From: ChunFeng [mailto:chunf...@domolo.com] Sent: 02 December 2014 00:31 To: dev Subject: Re:CloudStack Quality Process Hi Steve, I am now focus on test automation , and I willing to be one of this team. -- Regards, ChunFeng @accesine -- Original -- From: Steve Wilsonsteve.wil...@citrix.com; Date: Tue, Dec 2, 2014 03:12 AM To: dev@cloudstack.apache.orgdev@cloudstack.apache.org; Subject: CloudStack Quality Process Hi Everyone, It was great to get to see a number of you at the recent CCC in Budapest. While I was there, I got to meet face to face with individuals working for several companies that have a real stake in the commercial success of the CloudStack project. After joining Citrix (and becoming involved in CloudStack) about a year ago, I’ve come to believe that we need to do more to mature our quality practices around this codebase. We all like to say #cloudstackworks (and it’s true), but this is a massive codebase that’s used in the most demanding situations. We have large telecommunications companies and enterprises who are betting their businesses on this software. It has to be great! There has been quite a bit of discussion on the mailing list in recent months about how we improve in this area. There is plenty of passion, but we haven’t made enough concrete progress as a community. In my discussions with key contributors as CCC, there was general agreement that the DEV list isn’t a good forum for hashing out these kinds of things. Email is too low-bandwidth and too impersonal. At CCC, I discussed with several people the idea that we commission a small sub team to go hash out a proposal for how we handle the following topics within the ACS community (which can then be brought back to the larger community for ratification): * Continuous integration and test automation * Gating of commits * Overall commit workflow We are looking for volunteers to commit to being part of this team. This would imply a serious commitment. We don’t want hangers on or observers. This will entail real work and late night meetings. We’re looking for people who are serious contributors to the codebase. From Citrix, David Nalley and Animesh Chaturvedi have booth told me they’re willing to commit to this project. They’ve both managed ACS releases and have a really good view into the current process — and I know both are passionate about improving our process. From my CCC discussions, I believe there are individuals from Schuberg Philis, Shape Blue and Cloud Ops who are willing to commit to this process. If you are willing to be part of this team to drive forward our community, please reply here. Thanks, -Steve Steve Wilson VP Product Unit Manager Cloud Software Citrix @virtualsteve Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark. -- Regards, Rohit Yadav Software Architect, ShapeBlue M. +41 779015219 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge –
Re: A secure way to reset VMs password
That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.org dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: Review Request 28579: CLOUDSTACK-7996: Fixed the script test_tags.py - Tags and Template should belong to the User Account to test the case
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28579/#review63580 --- Ship it! Ship It! - sangeetha hariharan On Dec. 1, 2014, 10:35 p.m., Chandan Purushothama wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28579/ --- (Updated Dec. 1, 2014, 10:35 p.m.) Review request for cloudstack and sangeetha hariharan. Bugs: CLOUDSTACK-7996 https://issues.apache.org/jira/browse/CLOUDSTACK-7996 Repository: cloudstack-git Description --- Currently the tags and template belong to the Admin Account and not the User Account. Listing tags is being done as the regular User Account. This results in test case failure as no tags are returned to the regular User. Hence the inconsistency in creation of template, tags and listing them needs to be corrected for the test case to work. Diffs - test/integration/component/test_tags.py c5a8ced Diff: https://reviews.apache.org/r/28579/diff/ Testing --- Test creation, listing and deletion tag on templates ... === TestName: test_06_template_tag | Status : SUCCESS === ok -- Ran 1 test in 441.116s OK Thanks, Chandan Purushothama
Re: A secure way to reset VMs password
You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
RE: review board cleanup
-Original Message- From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com] Sent: Friday, November 28, 2014 1:44 AM To: dev@cloudstack.apache.org Subject: Re: review board cleanup On 28-Nov-2014, at 2:43 pm, Rajani Karuturi raj...@apache.org wrote: Is there a way to 'force' close a review if its already submitted? Some of us can do it. I went through some of them yesterday and closed a few. There are many review requests on it which are too old and lack information. I’m not sure what to do with them. [Animesh] Call the list out here for things older than 6 months and provide a week to respond failing which we can close them out. I’ll try to close a few more today. Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262 30892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software- engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack- infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack- training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Review Request 28611: CLOUDSTACK-8007: Fixed the script 'test_vm_passwdenabled.py' - Template created by Admin should have public access to be used for regular User VM Deployment
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28611/ --- Review request for cloudstack and sangeetha hariharan. Bugs: CLOUDSTACK-8007 https://issues.apache.org/jira/browse/CLOUDSTACK-8007 Repository: cloudstack-git Description --- Based on Fix for CLOUDSTACK-7394, Caller should be owner after creating template from snapshot/volume. Since the Admin created the template from the Volume, the Admin is the owner of the private template. In order to deploy a VM for the Regular Account the template created by Admin should have public Access. Diffs - test/integration/component/test_vm_passwdenabled.py 1b556da Diff: https://reviews.apache.org/r/28611/diff/ Testing --- Test get VM password for password enabled template ... === TestName: test_11_get_vm_password | Status : SUCCESS === ok -- Ran 1 test in 706.715s OK Thanks, Chandan Purushothama
Re: [ACS44] release 4.4.2 imminent
CloudStack 4.4.2 deb/rpm repository is available now, for more information and release notes, checkout: http://shapeblue.com/packages On 18-Nov-2014, at 1:20 am, Andrija Panic andrija.pa...@gmail.com wrote: Upgrade fine for me - no issues at all... - from the RPMs snapshots On 17 November 2014 14:36, Daan Hoogland daan.hoogl...@gmail.com wrote: On Mon, Nov 17, 2014 at 2:12 PM, Pierre-Luc Dion pdion...@apache.org wrote: Trying devcloud4 with 4.4 branch and I'm having this issue: I don't see the schema-441to442.sql files in the db folder too. does 442 is on a different branch? no, I added the file locallly and forgot to commit. it is pushed now, sorry -- Daan -- Andrija Panić -- http://admintweets.com -- Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262 30892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
I have gotten a bit side tracked with other work today. I have pushed this change to master and I have verified that everything is working correctly. I will be pushing a MERGE REQUEST for the same (ish) change to the 4.5 branch. Once it is committed I will validate that everything works as expected since I have to kick off a build of the system vms to be positive that everything works as expected. Cheers, *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 11:34 AM, Edison Su edison...@citrix.com wrote: -Original Message- From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On Behalf Of Will Stevens Sent: Tuesday, December 02, 2014 8:06 AM To: dev@cloudstack.apache.org Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat I will do some testing and see what I can come up with. BTW, I would be doing it the reverse of what you said. I would try to specify the 'compat=0.10' option initially and if that is OK, then we are good. If it fails (it is currently failing on the 4.5 branch) this is most likely because the version of qemu-img does not support the 'compat' option being passed to the convert call (which is what is happening right now on our build systems). In that case, we will want to run the command without the compat option because if it is too old to support the 'compat' option then it will have the compat=0.10 default. Seems the qemu version is a little bit of mess, I think above method is good enough. BTW, thanks to look into the issue... Basically, I will try it the new way that Edison introduced. If that fails, I will fall back to the way it was being done before Edison's change... Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav rohit.ya...@shapeblue.com wrote: Hi Will, Reply in-line; On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote: @Rohit: If the script is run with 'set -e' it should not be a problem because I was planning to do an explicit 'set +e' before the call and then a 'set -e' after the call. This should handle this case, no? Yes, I think that will work as well. If we are not sure about qemu version, it should be alright to try once without compat and check $? and retry again with compat option. The only corner case I can think of is when qemu-img genuinely exits with a non-zero exit code during image conversion. @Nux: When you say EL7 comes with qemu-img 1.5.3 and it requires the compat option, what do you mean by that? Are you saying that if you run the build system vms job on EL7, that you have to specify the compat option even though it comes with qemu-img 1.5.3? That should not be the case because the default compat flag should not have been changed till 1.7. If you are talking about having a KVM host which runs EL7 and has a qemu-img version of 1.5.3, then that is not really relevant for this bash script. The version of qemu-img which this script checking is the version on the build system, not on the KVM host. It is validating if the compat option needs to be passed to the 'qemu-img convert' command in order for the image to have the 'compat=0.10' option set. We are not debating that the 'compat=0.10' option needs to be set, that is for sure. We are determining when it needs to be explicitly set on the build systems. In short... Jenkins kicks off a job to build the system vms. This build system could have one of many different qemu-img versions. When this script runs on the build system, we need to determine which command needs to be run in order to output a 'compat=0.10' compatible image. I will do some testing with Edison's suggestion and see if I can come up with a solution that way as well and then we can pick which we want to implement. Cheers, Will *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Tue, Dec 2, 2014 at 3:32 AM, Nux! n...@li.nux.ro wrote: As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat option, so it's not only 1.7+. Personally I'm in favour of Will's approach. Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Rohit Yadav bhais...@apache.org To: Will Stevens wstev...@cloudops.com Cc: Edison Su edison...@citrix.com, Wilder Rodrigues wrodrig...@schubergphilis.com, dev@cloudstack.apache.org, Leo Simons
[MERGE REQUEST] hotfix/4.5-7959
I have tested the equivalent fix in master and it is working perfectly. The code in 4.5 is a bit different, but this should fix it in 4.5. I have tested the basic logic on my system, but once this gets merged I will kick off a 4.5 build of the system vms to verify that it fixes the build systems (they are currently broken). This fix is related to this issue: https://issues.apache.org/jira/browse/CLOUDSTACK-7959 --- I have created a separate topic in the dev list to discuss the workflow I am using here... *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_
[DISCUSS] MERGE REQUEST
I just posted a topic called: [MERGE REQUEST] hotfix/4.5-7959 This is a workflow that I am going to adopt and test out for a little while to see if it has real benefits. I have added some notes below as to why I decided to start doing this. This came out of a lot of conversations at CCCEU. I am going to adopt this approach for getting fixes merged into release branches. The 'hotfix' branch method that we adopted for 4.4 seems to work very well, so I want to continue to use a similar technique. In addition to the benefits that we got from the hotfix branches, requesting a MERGE REQUEST also gives us the following benefits: - If the branch's release manager wants to manage all of the commits they can, but not every release manager wants to have to do every merge. This way a release manager can delegate some helpers who they trust to help them merge in hotfixes. - This seems to me like the cheapest (least overhead) way to implement some basic peer review of commits. Yes, I have access to commit directly to the 4.5 branch, but that does not mean that I should. This way we at least get another committers approval before changes get merged. - As a committer, it is my responsibility for creating a hotfix branch for each of the releases my change fixes and test them. This way me as the developer who made the initial changes can make sure there will not be merge conflicts in the other branches when I create my hotfix branches. This will simplify the job for the release managers and will reduce the need for cherry picking. If I am asking for multiple hotfixes for the same issue I could do the following; [MERGE REQUEST] hotfix/4.4-1234, hotfix/4.5-1234 then the respective release managers or delegates can merge the hotfixes and post back MERGED so there is a bit of a feedback loop. Anyway, this is a workflow I am going to adopt for changes to the release branches and we will see if there are any issues with it. If you have ideas to improve this, please join the conversation... Cheers, *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_
Re: A secure way to reset VMs password
A stupid question! I can't find the source of windows version of password manager! Where is it? Sent from Samsung Mobile. div Original message /divdivFrom: Chiradeep Vittal chiradeep.vit...@citrix.com /divdivDate:03/12/2014 02:05 (GMT+03:30) /divdivTo: dev@cloudstack.apache.org /divdivSubject: Re: A secure way to reset VMs password /divdiv /divYou would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: A secure way to reset VMs password
Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: A secure way to reset VMs password
Correct...I've chatted with Folks in the past, it wasnt open-sourced. Excuse any typos - sent from mobile device On Dec 2, 2014, at 20:50, Alireza Eskandari astro.alir...@yahoo.com.INVALID wrote: A stupid question! I can't find the source of windows version of password manager! Where is it? Sent from Samsung Mobile. div Original message /divdivFrom: Chiradeep Vittal chiradeep.vit...@citrix.com /divdivDate:03/12/2014 02:05 (GMT+03:30) /divdivTo: dev@cloudstack.apache.org /divdivSubject: Re: A secure way to reset VMs password /divdiv /divYou would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: A secure way to reset VMs password
It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: CI improvment part 1
Hi Edison, Just curious, any update on the pytest effort? Thanks. On Friday 26 September 2014 10:13 AM, Edison Su wrote: Highlights the improvements on marvin I made in these days on pytest branch: 1. Switch test framework from nose to pytest, while also maintain the back-compatibility for existing test cases. pytest is more flexible than nose, more enjoyable to work with. 2. Speed up test speed a LOT: It only takes 250-300 seconds for a single run for all the test cases under test/integration/smoke folder, while it usually takes 40 minutes to run before. The speed up is coming from running test cases in parallel. pytest-xdist is modified to fix the issue: https://bitbucket.org/hpk42/pytest/issue/175/way-to-control-how-pytest-xdist-runs-tests. we have a lot of existing test cases have to run in sequence per test class. 3. Add a new Jenkins job at http://jenkins.buildacloud.org/job/fastsimulatorbuild/, which only takes 22 minutes for a full cycle buildtest. A new VM is created on digitalocean: 4G memory, 40G SSD, and added into Jenkins.buildacloud.org. SSD is life saver, it really makes big difference during build/test. A new docker image is created, which has all the tools installed in order to build and test: e.g. java/mysql/python/git/ installed. A new Jenkins job is created to build and test periodically in every 20 minutes. So far, the Jenkins job works very well, if everybody ok with what I am doing, I want to merge pytest branch into master later. With a quick CI in hand, we then can start to think about how to add gerrit into our system. -- Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 8826230892 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design Buildhttp://shapeblue.com/iaas-cloud-design-and-build// CSForge – rapid IaaS deployment frameworkhttp://shapeblue.com/csforge/ CloudStack Consultinghttp://shapeblue.com/cloudstack-consultancy/ CloudStack Software Engineeringhttp://shapeblue.com/cloudstack-software-engineering/ CloudStack Infrastructure Supporthttp://shapeblue.com/cloudstack-infrastructure-support/ CloudStack Bootcamp Training Courseshttp://shapeblue.com/cloudstack-training/ This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: A secure way to reset VMs password
John, +1If we provide password reset capability it should be secure, if not it is better to make it disable at all.About source of windows version, so what did we do? Should we write it from scratch? Why it isn't open?I open a jira ticket, if you have any comment or suggestion please write there.https://issues.apache.org/jira/browse/CLOUDSTACK-8009 Thanks From: John Kinsella j...@stratosec.co To: dev@cloudstack.apache.org dev@cloudstack.apache.org Sent: Wednesday, December 3, 2014 9:18 AM Subject: Re: A secure way to reset VMs password It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I
Re: A secure way to reset VMs password
I’m all for providing choice, but not when one of them is not a good/secure one. On Dec 2, 2014, at 9:48 PM, John Kinsella j...@stratosec.co wrote: It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Review Request 28635: CLOUDSTACK-8003: test_egress_fw_rules.py - Remove test case dependency on each other and improve cleanup code
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/28635/ --- Review request for cloudstack and SrikanteswaraRao Talluri. Bugs: CLOUDSTACK-8003 https://issues.apache.org/jira/browse/CLOUDSTACK-8003 Repository: cloudstack-git Description --- Test cases in this test suite use a common account and hence in cleanup operations, we explicitly delete all the resources created in a test case. This adds to the running time of the test cases. Also in case, there is any issue in cleanup operation, all other test cases will get affected. Hence, it is wise to create a new account for each test cases and delete the account in cleanup. Diffs - test/integration/component/test_egress_fw_rules.py 4f95925 Diff: https://reviews.apache.org/r/28635/diff/ Testing --- Yes. 2 test cases failed because db info in my config was wrong. Test By-default the communication from guest n/w to public n/w is NOT allowed. ... === TestName: test_01_1_egress_fr1 | Status : SUCCESS === ok Test By-default the communication from guest n/w to public n/w is allowed. ... === TestName: test_01_egress_fr1 | Status : SUCCESS === ok Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. ... === TestName: test_02_1_egress_fr2 | Status : SUCCESS === ok Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. ... === TestName: test_02_egress_fr2 | Status : SUCCESS === ok Test Communication blocked with network that is other than specified ... === TestName: test_03_1_egress_fr3 | Status : EXCEPTION === ERROR Test Communication blocked with network that is other than specified ... === TestName: test_03_egress_fr3 | Status : SUCCESS === ok Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: test_04_1_egress_fr4 | Status : FAILED === FAIL Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: test_04_egress_fr4 | Status : FAILED === FAIL Test Create Egress rule and check the IP tables ... SKIP: Skip Test Create Egress rule and check the IP tables ... SKIP: Skip Test Create Egress rule without CIDR ... === TestName: test_06_1_egress_fr6 | Status : SUCCESS === ok Test Create Egress rule without CIDR ... === TestName: test_06_egress_fr6 | Status : SUCCESS === ok Test Create Egress rule without End Port ... === TestName: test_07_1_egress_fr7 | Status : SUCCESS === ok Test Create Egress rule without End Port ... === TestName: test_07_egress_fr7 | Status : SUCCESS === ok Test Port Forwarding and Egress Conflict ... SKIP: Skip Test Port Forwarding and Egress Conflict ... SKIP: Skip Test Delete Egress rule ... === TestName: test_09_1_egress_fr9 | Status : SUCCESS === ok Test Delete Egress rule ... === TestName: test_09_egress_fr9 | Status : SUCCESS === ok Test Invalid CIDR and Invalid Port ranges ... === TestName: test_10_1_egress_fr10 | Status : SUCCESS === ok Test Invalid CIDR and Invalid Port ranges ... === TestName: test_10_egress_fr10 | Status : SUCCESS === ok Test Regression on Firewall + PF + LB + SNAT ... === TestName: test_11_1_egress_fr11 | Status : EXCEPTION === ERROR Test Regression on Firewall + PF + LB + SNAT ... === TestName: test_11_egress_fr11 | Status : SUCCESS === ok Test Reboot Router ... === TestName: test_12_1_egress_fr12 | Status : SUCCESS === ok Test Reboot Router ... === TestName: test_12_egress_fr12 | Status : SUCCESS === ok Test Redundant Router : Master failover ... === TestName: test_13_1_egress_fr13 | Status : SUCCESS === ok Test Redundant Router : Master failover ... === TestName: test_13_egress_fr13 | Status : SUCCESS === ok Thanks, Gaurav Aradhye
Re: A secure way to reset VMs password
While they might be better than weak passwords, ssh keys are not a silver bullet - they're harder to use and a case can be made that they're no more secure (think: attacker compromises desktop, accesses ssh key file) And no, from my previous research, you can't enforce that an ssh key has a passphrase... Excuse any typos - sent from mobile device On Dec 2, 2014, at 22:01, Carlos Reátegui create...@gmail.com wrote: I’m all for providing choice, but not when one of them is not a good/secure one. On Dec 2, 2014, at 9:48 PM, John Kinsella j...@stratosec.co wrote: It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with
Re: A secure way to reset VMs password
BTW If anyone wants to upvote the the key management GUI Jira here it is: https://issues.apache.org/jira/browse/CLOUDSTACK-1230 On Dec 2, 2014, at 9:59 PM, Carlos Reátegui create...@gmail.com wrote: I’m all for providing choice, but not when one of them is not a good/secure one. On Dec 2, 2014, at 9:48 PM, John Kinsella j...@stratosec.co wrote: It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is quite complicated (CA must be on VR etc), and makes it considerably harder to get a working setup - using self signed causes issues with validation Don't get me wrong, I love the idea, but it's not just to flip a switch and have (proper) SSL in place. -- Erik
Re: A secure way to reset VMs password
Probably should be re-written. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:58, Alireza Eskandari astro.alir...@yahoo.com.INVALID wrote: John, +1If we provide password reset capability it should be secure, if not it is better to make it disable at all.About source of windows version, so what did we do? Should we write it from scratch? Why it isn't open?I open a jira ticket, if you have any comment or suggestion please write there.https://issues.apache.org/jira/browse/CLOUDSTACK-8009 Thanks From: John Kinsella j...@stratosec.co To: dev@cloudstack.apache.org dev@cloudstack.apache.org Sent: Wednesday, December 3, 2014 9:18 AM Subject: Re: A secure way to reset VMs password It's not our place to enforce how users authenticate to their VMs. We provide flexible options, suggest best practices, and let them use the tool as best suits their needs. Excuse any typos - sent from mobile device On Dec 2, 2014, at 21:22, Carlos Reategui create...@gmail.com wrote: Why do passwords at all? Why not just use ssh keys like AWS does. The functionality is already there just not in the ACS UI. Cloud-init already supports it which is available in most distros and therefore would not require CS specific scripts. At least not for linux. On windows I'm not exactly sure how AWS does it but I think it is also some kind of terminal services certificates so I think it could be made to work too. -Carlos On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote: You would need client-side certs as well since the password server needs to be able to validate WHO is asking for the password. Currently it is based on the client's IP address. Also the current scheme is a single-use password — as soon as the password is retrieved, it is not available to anybody else (of course a MITM could sniff the first exchange). You could eliminate a lot of MITM-style attacks by running the password server locally on each hypervisor (hard for VMW), or by attaching an ISO (containing the password) to the VM. From: John Kinsella j...@stratosec.comailto:j...@stratosec.co Reply-To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Date: Tuesday, December 2, 2014 at 1:32 PM To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Subject: Re: A secure way to reset VMs password That password reset infrastructure has bigger issues than just SSL. The server side works, but that’s about all I can say for it. This topic comes up every 6-12 months. :) I thought there was a Jira entry but I can’t find it…personally I’d love to see the client and server sides both rewritten from scratch. John On Nov 28, 2014, at 11:33 AM, Nux! n...@li.nux.romailto:n...@li.nux.ro wrote: Jayapal, Not necesarily, one could run stunnel or nginx as SSL proxy on some other port (8443?), this way SSL and non-SSL connections will still work and give you plenty of time to update your templates, if you so wish. Am I missing any important bits here? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: Jayapal Reddy Uradi jayapalreddy.ur...@citrix.commailto:jayapalreddy.ur...@citrix.com To: dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org dev@cloudstack.apache.orgmailto:dev@cloudstack.apache.org Cc: Alireza Eskandari astro.alir...@yahoo.commailto:astro.alir...@yahoo.com Sent: Friday, 28 November, 2014 09:34:02 Subject: Re: A secure way to reset VMs password Another point to note is all the vms in production has to update with the new cloud-set-guest-password scripts because of the new password reset method. Thanks, Jayapal On 28-Nov-2014, at 2:28 PM, Erik Weber terbol...@gmail.commailto:terbol...@gmail.com wrote: On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari astro.alir...@yahoo.com.invalidmailto:astro.alir...@yahoo.com.invalid wrote: HiI viewed the bash script that resets Linux password ( http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It seems that it doesn't use a secure way for transferring password string to instance.Instances on a shared network can sniff password requests and export requested password of other instances.I suggest to use SSL (https) instead of plan text.Regards I like the idea, but there's a couple of obstacles to overcome, namely which SSL certificates to use. - certificates need a subject name, ie. IP or hostname for web pages, you could solve this by making the mgmt server a CA and have each VR get a signed certificate by it, but it's complicated - if the community bundle a pre generated certificate it is commonly known and not to be trusted, also not sure how to handle subject name - assuming everyone to supply a valid certificate is
broken schema450to460.sql in cloudstack master?
Hi, Pardon me if this is already a known issue - wonder if anyone noticed the schema450to460.sql file in master now is actually broken? It has a truncated line, and a line ending with ‘,’. KC