RE: Static ip for virtual router

2016-10-14 Thread Marty Godsey
ACS manages the IP space you give it in the Zone settings. It keeps track of 
what's been assigned based upon the id of the virtual router. It seems you have 
some overlap somewhere in the settings of IPs. But to answer your question, no, 
there is no "good" way to give the virtual router a static IP other than 
editing the database entry and changing it yourself.

If you assign, outside of ACS, an IP to another machine that is also in the 
subnet you gave ACS to use, it will not know this IP as used and could cause a 
conflict.

Regards,
Marty Godsey

-Original Message-
From: Mohd Zainal Abidin Rabani [mailto:zai...@nocser.net] 
Sent: Friday, October 14, 2016 9:57 PM
To: users@cloudstack.apache.org
Subject: Static ip for virtual router

Hi,

Is it possible to set the VR to a static IP? Yesterday we had a problem because 
it took an IP that is already in use on another VM (solusvm). We need to change 
the solusvm IP. Please advise.





Static ip for virtual router

2016-10-14 Thread Mohd Zainal Abidin Rabani

Hi,

Is it possible to set the VR to a static IP? Yesterday we had a problem because 
it took an IP that is already in use on another VM (solusvm). We need to change 
the solusvm IP. Please advise.






Re: replace secondary storage

2016-10-14 Thread Sergey Levitskiy
The easiest way is to rsync the whole folder structure to the new secondary 
storage, then change the URL of the SS in the image_store table, and then 
restart all SSVMs, proxies and vrouters in this zone.




Re: Public Templates

2016-10-14 Thread Sergey Levitskiy
The public and featured attributes don't affect the template lifecycle. In 
short, a template will reside on a secondary storage until explicitly deleted.




replace secondary storage

2016-10-14 Thread Ghaith Bannoura
Hello All,

I need to replace the secondary storage that I have. Is there any procedure to 
do it? Keep in mind that I need the templates that already exist unchanged.

Can anyone advise how I can do it?

Best Regards,
EtQ, Inc.
Ghaith Bannoura
System Administrator
MCT, MCSE (Messaging, Server Infrastructure)
MCSA (Windows Server 2008, 2012), MCP

*  Phone: +9626-537-0923 Ext. 376
*  gbanno...@etq.com 
*   http://www.etq.com



Public Templates

2016-10-14 Thread Ghaith Bannoura
Hello All,

I read that a public template will be copied to all secondary storage. I have 
three secondary storages, so will it be copied to all of them?

If it's copied and, after creating the template, I uncheck public, will it 
be deleted from two secondary storages, or will it be kept as it is (on 
three secondary storages)?

Best Regards,
EtQ, Inc.
Ghaith Bannoura
System Administrator
MCT, MCSE (Messaging, Server Infrastructure)
MCSA (Windows Server 2008, 2012), MCP

*  Phone: +9626-537-0923 Ext. 376
*  gbanno...@etq.com 
*   http://www.etq.com



RE: Link Domain to LDAP

2016-10-14 Thread Marty Godsey
Ok. So that is not it.. Basically this is where I set..

All the settings are as below. The database looks fine, the settings look good. 
I can authenticate as any AD users IF I add them manually. However, when I 
attempt to login with a user that is not in ACS but IS in AD, in a domain that 
has a link, I don’t even see the attempt to query LDAP hit the domain 
controller from a network level (using wireshark). If I log in as an LDAP user 
that is already in ACS, I see the request hit the domain controller in 
wireshark.

Is there a library or something I may be missing? This was originally a 4.8.0.1 
install that was upgraded to 4.9.

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com] 
Sent: Friday, October 14, 2016 10:21 AM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

I think I found my issue.. Standby..

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com]
Sent: Friday, October 14, 2016 10:17 AM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

This is how this is set up.. One thing I see different however are my ldap 
settings. I am going over 389 (for now); does this functionality require 636?

Regards,
Marty Godsey

-Original Message-
From: Rajani Karuturi [mailto:raj...@apache.org]
Sent: Friday, October 14, 2016 7:02 AM
To: Users 
Subject: Re: Link Domain to LDAP

You need not import the users manually. It should automatically sync.

In my installation with microsoftAD, this is how any entry in the 
ldap_trust_map looks:
mysql> select * from ldap_trust_map where domain_id=7\G
*** 1. row ***
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)

Any user who is a member of the AD group
"CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to log in to 
domain with id 7. If a user doesn't exist, it will automatically create one.


Check the below configuration values
ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL

My sample configuration values:
mysql> select component,name,value,description from configuration where name like '%ldap%';
+---+--+---+---+
| component | name | value | description |
+---+--+---+---+
| management-server | ldap.basedn | dc=acp,dc=accelerite,dc=com | Sets the basedn for LDAP |
| management-server | ldap.bind.password | password | Specifies the password to use for binding to LDAP |
| management-server | ldap.bind.principal | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP |
| management-server | ldap.email.attribute | mail | Sets the email attribute used within LDAP |
| management-server | ldap.firstname.attribute | givenname | Sets the firstname attribute used within LDAP |
| management-server | ldap.group.object | group | Sets the object type of groups within LDAP |
| management-server | ldap.group.user.uniquemember | member | Sets the attribute for uniquemembers within a group |
| management-server | ldap.lastname.attribute | sn | Sets the lastname attribute used within LDAP |
| LdapConfiguration | ldap.nested.groups.enable | true | if true, nested groups will also be queried |
| LdapConfiguration | ldap.provider | microsoftad | ldap provider ex:openldap, microsoftad |
| LdapConfiguration | ldap.read.timeout | 1000 | LDAP connection Timeout in milli sec |
| LdapConfiguration | ldap.request.page.size | 1000

RE: reassign a vm from account to project

2016-10-14 Thread Mauricio Schaepers
Hi Gerd,

never done that yet but if the UI doesn't show you any option I assume that the 
API is going to help you to get there.
https://cloudstack.apache.org/api/apidocs-4.9/apis/assignVirtualMachine.html
https://cloudstack.apache.org/api/apidocs-4.9/apis/addAccountToProject.html

If you don't know how to use the API here is a nice intro 
http://de.slideshare.net/sebastiengoasguen/intro-to-cloudstack-api

I personally prefer psCloudStack for PowerShell for the "quick & dirty jobs"

Kind regards,

Mauricio Schäpers
CIO / Trainer & Consultant

VS Qloud Solution GmbH 
Wilhelm-Binder-Str. 19 
78048 VS-Villingen

Tel. +49 7721 69701 20
Mob. +49 171 6970120
Email: m.schaep...@vsqloud.de 
Internet: www.vsqloud.de

Managing Director: Michael Marx 
Commercial register: HRB 713324
Registered office: Villingen-Schwenningen
Tax no. 22108/21737
VAT ID no. DE300890182

-Original Message-
From: Gerd Müller [mailto:gerd.muel...@teamix.de] 
Sent: Friday, 14 October 2016 14:35
To: users@cloudstack.apache.org
Subject: reassign a vm from account to project

Hi list,

I am new to cloudstack so sorry if there is a common solution to this problem.

But can anyone tell me how I can reassign a vm from an account to a project?

Thanks,

Gerd

--
Gerd Müller  | Service Manager Cloud

teamix GmbH
Südwestpark 43
90449 Nürnberg

Tel.:  +49 911 30999 293 | Fax: +49 911 30999 99
mail: gerd.muel...@teamix.de | web:  http://www.teamix.de | blog: 
http://blog.teamix.de

Amtsgericht Nürnberg, HRB 18320 | Managing Directors: Oliver Kügow, Richard Müller

teamix Support Hotline: +49 911 30999-112

 *** Cloud computing, virus protection, data backup and more: teamix @itsa, 
18-20 October 2016, Messe Nürnberg ***





reassign a vm from account to project

2016-10-14 Thread Gerd Müller
Hi list,

I am new to cloudstack so sorry if there is a common solution to this
problem.

But can anyone tell me how I can reassign a vm from an account to a
project?

Thanks,

Gerd

--
Gerd Müller  | Service Manager Cloud

teamix GmbH
Südwestpark 43
90449 Nürnberg

Tel.:  +49 911 30999 293 | Fax: +49 911 30999 99
mail: gerd.muel...@teamix.de | web:  http://www.teamix.de | blog: 
http://blog.teamix.de

Amtsgericht Nürnberg, HRB 18320 | Managing Directors: Oliver Kügow, Richard Müller

teamix Support Hotline: +49 911 30999-112

 *** Cloud computing, virus protection, data backup and more: teamix @itsa, 
18-20 October 2016, Messe Nürnberg ***





Re: Link Domain to LDAP

2016-10-14 Thread Rajani Karuturi
You need not import the users manually. It should automatically sync.

In my installation with microsoftAD, this is how any entry in the
ldap_trust_map looks:
mysql> select * from ldap_trust_map where domain_id=7\G
*** 1. row ***
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)

Any user who is a member of the AD group
"CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to log in
to domain with id 7. If a user doesn't exist, it will automatically create
one.


Check the below configuration values
ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL

My sample configuration values:
mysql> select component,name,value,description from configuration where name like '%ldap%';
+---+--+---+---+
| component | name | value | description |
+---+--+---+---+
| management-server | ldap.basedn | dc=acp,dc=accelerite,dc=com | Sets the basedn for LDAP |
| management-server | ldap.bind.password | password | Specifies the password to use for binding to LDAP |
| management-server | ldap.bind.principal | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP |
| management-server | ldap.email.attribute | mail | Sets the email attribute used within LDAP |
| management-server | ldap.firstname.attribute | givenname | Sets the firstname attribute used within LDAP |
| management-server | ldap.group.object | group | Sets the object type of groups within LDAP |
| management-server | ldap.group.user.uniquemember | member | Sets the attribute for uniquemembers within a group |
| management-server | ldap.lastname.attribute | sn | Sets the lastname attribute used within LDAP |
| LdapConfiguration | ldap.nested.groups.enable | true | if true, nested groups will also be queried |
| LdapConfiguration | ldap.provider | microsoftad | ldap provider ex:openldap, microsoftad |
| LdapConfiguration | ldap.read.timeout | 1000 | LDAP connection Timeout in milli sec |
| LdapConfiguration | ldap.request.page.size | 1000 | page size sent to ldap server on each request to get user |
| management-server | ldap.search.group.principle | NULL | Sets the principle of the group that users must be a member of (optional) |
| management-server | ldap.truststore | NULL | Sets the path to the truststore to use for LDAP SSL |
| management-server | ldap.truststore.password | NULL | Sets the password for the truststore |
| management-server | ldap.user.object | user | Sets the object type of users within LDAP |
| management-server | ldap.username.attribute | sAMAccountName | Sets the username attribute used within LDAP |
+---+--+---+---+
17 rows in set (0.00 sec)


~ Rajani
http://cloudplatform.accelerite.com/


On Fri, Oct 14, 2016 at 2:23 PM, Stephan Seitz <
s.se...@secretresearchfacility.com> wrote:

> Hi,
>
> I'ld verify 
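
The group-membership lookup that the settings listed in the message above describe, built by hand for troubleshooting a single login name. This is an added example, not part of the original thread and not CloudStack's own code; the function names, the host name, the user `jdoe` and the use of Active Directory's in-chain matching rule for nested groups are assumptions.

```python
import shlex

# Values copied from the configuration table and ldap_trust_map row above.
SETTINGS = {
    "ldap.provider": "microsoftad",
    "ldap.nested.groups.enable": "true",
    "ldap.user.object": "user",
    "ldap.username.attribute": "sAMAccountName",
    "ldap.basedn": "dc=acp,dc=accelerite,dc=com",
}
LINKED_GROUP = "CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com"

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: also matches nested groups.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_member_filter(username, group_dn, settings):
    """Filter that matches `username` only if it is in the linked group."""
    nested = (
        settings["ldap.provider"] == "microsoftad"
        and settings["ldap.nested.groups.enable"].lower() == "true"
    )
    member_attr = "memberOf:%s:" % AD_IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=%s)(%s=%s)(%s=%s))" % (
        settings["ldap.user.object"],
        settings["ldap.username.attribute"],
        escape_filter_value(username),
        member_attr,
        escape_filter_value(group_dn),
    )


def ldapsearch_command(uri, bind_dn, username, group_dn, settings):
    """argv for a manual check; -W prompts for the bind password so it
    stays out of shell history and the process list."""
    return [
        "ldapsearch", "-x", "-H", uri, "-b", settings["ldap.basedn"],
        "-s", "sub", "-D", bind_dn, "-W",
        group_member_filter(username, group_dn, settings), "dn",
    ]


if __name__ == "__main__":
    # Hypothetical host and user name, constructed for the example.
    cmd = ldapsearch_command(
        "ldap://dc.example.test:389",
        "CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com",
        "jdoe", LINKED_GROUP, SETTINGS,
    )
    print(shlex.join(cmd))
```

An empty result for a user who can bind successfully points at the group DN or the membership attribute rather than at the credentials.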

Re[2]: Erased snapshot/templates still remains in storage

2016-10-14 Thread David Amorín

Hi Simon,
Yes, it was enabled, but I changed the default values of the timer to:
storage.cleanup.delay 60
storage.cleanup.interval 300
storage.cleanup.enabled=true
in order to run a couple of tests, and when I delete an instance with 
snapshots and templates, I see the following behavior:
The templates are deleted correctly
The snapshots still remain on primary storage


I was reading the following thread about the same issue:

https://www.mail-archive.com/users@cloudstack.apache.org/msg19669.html


Thanks for your help

Best

David


-- Original message --
From: "Simon Weller" 
To: "users@cloudstack.apache.org" ; 
"David Amorín" 

Sent: 11/10/2016 13:42:24
Subject: Re: Erased snapshot/templates still remains in storage


David,


What have you got your storage cleanup thread timer set to? ACS will 
normally run a periodic process to expunge deleted storage objects.



- si



From: David Amorín 
Sent: Tuesday, October 11, 2016 4:04 AM
To: users@cloudstack.apache.org
Subject: Erased snapshot/templates still remains in storage

Hi all,
I just wanted to share with you the following behavior we saw on CS
4.5.2 and now we also see on version 4.9.

Our environment: Xenserver 6.5, Cloudstack 4.9, primary storage: iSCSI
Description: When I take a volume snapshot, I see a snapshot in
XenServer primary storage:

xe vdi-list name-label=snapshot-20161010
uuid ( RO): 81d37e1c-d9a7-431e-9996-7a550b72528b
name-label ( RW): snapshot-20161010
name-description ( RW):
sr-uuid ( RO): 36eb8055-90f1-8cbf-e35c-3b13c0dd701a
virtual-size ( RO): 26843545600
sharable ( RO): false
read-only ( RO): false

Once it is transferred to the secondary storage, I see the following
message:

2016-10-10 13:44:38,897 DEBUG [c.c.h.x.r.XenServerStorageProcessor] (DirectAgent-419:ctx-7b451fd0) (logid:b8c932db) Successfully destroyed snapshot on volume: 82d3194e-a4f0-4813-b0c9-c0c3c4a81deb execept this current snapshot 81d37e1c-d9a7-431e-9996-7a550b72528b

Then when I delete from Cloudstack this volume snapshots:

2016-10-10 13:47:41,402 DEBUG [o.a.c.s.s.XenserverSnapshotStrategy] (API-Job-Executor-69:ctx-77734d15 job-3789 ctx-1f2ebdf0) (logid:1cac9567) Snapshot: 754 doesn't have children, so it's ok to delete it and its parents

Checking CS database, in "snapshot_store_ref" table, the element with
install_path=81d37e1c-d9a7-431e-9996-7a550b72528b changed its status
from "Ready" to "Destroyed" but in Xenserver this vdi wasn't deleted.

Something similar happens deleting templates, but in this case,
in table "template_spool_ref", the referenced vdi never changes to
"Destroyed".

Questions:
If I don't have any wrong configuration on CS, I confirm that when I
delete a snapshot or template from CloudStack, the VHD file is deleted
correctly on the secondary storage but the volume (VDI) on primary
storage remains. Can you confirm if somebody else has the same 
behavior?

When we take a manual snapshot or template, CS always keeps the
snapshot/template on the secondary storage and ALSO on primary storage.
Is that correct?

Thanks for your help

Best,

David
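
The mismatch reported above (a row marked "Destroyed" while the VDI is still on the storage repository) can be listed by cross-checking `xe vdi-list` output against the rows. This is an added example, not part of the original thread or of CloudStack; the function names and the second sample VDI are constructed, and it assumes, as in the post, that the row's install_path is the VDI uuid.

```python
import re

# One `key ( RO|RW): value` line of xe output; padding varies per field.
FIELD = re.compile(r"^\s*([\w-]+)\s*\(\s*\w+\s*\)\s*:\s*(.*?)\s*$")

# Constructed sample: first record is the VDI from the post, second is made up.
XE_SAMPLE = """\
uuid ( RO)                : 81d37e1c-d9a7-431e-9996-7a550b72528b
          name-label ( RW): snapshot-20161010
    name-description ( RW):
             sr-uuid ( RO): 36eb8055-90f1-8cbf-e35c-3b13c0dd701a
        virtual-size ( RO): 26843545600

uuid ( RO)                : 00000000-0000-0000-0000-000000000001
          name-label ( RW): snapshot-constructed
        virtual-size ( RO): 1073741824
"""

# (install_path, status) pairs as they would be read from snapshot_store_ref.
STORE_ROWS = [
    ("81d37e1c-d9a7-431e-9996-7a550b72528b", "Destroyed"),
    ("00000000-0000-0000-0000-000000000001", "Ready"),
]


def parse_xe_records(text):
    """Split xe output into one dict per blank-line separated record."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def orphaned_vdis(xe_output, store_rows):
    """VDIs still present on the SR whose row is already 'Destroyed'."""
    destroyed = {path for path, status in store_rows if status == "Destroyed"}
    return [
        (rec["uuid"], rec.get("name-label", ""),
         int(rec.get("virtual-size") or 0))
        for rec in parse_xe_records(xe_output)
        if rec.get("uuid") in destroyed
    ]


if __name__ == "__main__":
    for uuid, label, size in orphaned_vdis(XE_SAMPLE, STORE_ROWS):
        print("%s %s %d bytes still on primary storage" % (uuid, label, size))
```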



Re: Link Domain to LDAP

2016-10-14 Thread Stephan Seitz
Hi,

I'd verify the settings via mysql

mysql> select * from ldap_configuration \G
*** 1. row ***
      id: 2
hostname: YOUR_LDAP_SERVER
    port: 636

Also check if you're able to resolve the hostname and connect to it
from your management host.

mysql> select * from ldap_trust_map \G
*** 1. row ***
          id: 1
   domain_id: 2
        type: OU
        name: dc=FOO,dc=BAR
account_type: 0

You'd also need to import the specific users. I checked them via

mysql> select * from user where username="XX" \G
*** X. row ***
                      id: NNN
                    uuid: ----
                username: XX
                password: XX==:10
              account_id: NNN
               firstname: John
                lastname: Doe
                   email: X@XX
                   state: enabled
                 api_key: NULL
              secret_key: NULL
                 created: -NN-NN NN:NN:NN
                 removed: NULL
                timezone: NULL
      registration_token: NULL
           is_registered: 0
incorrect_login_attempts: 0
                 default: 0
                  source: LDAP
         external_entity: NULL



- Stephan

On Friday, 14.10.2016, at 02:06 +, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen.. Is there a
> service or a library I need to check?
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: Marty Godsey [mailto:ma...@gonsource.com] 
> Sent: Thursday, October 13, 2016 9:37 PM
> To: users@cloudstack.apache.org
> Subject: RE: Link Domain to LDAP
> 
> Whenever I try to bind to LDAP using the user's credentials, it
> works.
> 
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> -x -w Password1234!
> ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> Result: Success (0)
> 
> If I also run an ldapsearch on this user, it is successful..
> 
> However upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file all that is the following:
> 
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> not allowed CloudStack login"}}
> 
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the ldap settings.
> 
> Thoughts?
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: Rajani Karuturi [mailto:raj...@apache.org]
> Sent: Wednesday, October 12, 2016 3:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: Link Domain to LDAP
> 
> Yes, you can have LDAP configured at global and domain level.
> Did you give fully qualified name of GROUP/OU while linking?
> 
> Easiest way to debug is to run the ldap query manually and see if it
> returns any results:
> ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -w password "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> 
> Also check that `ldap.provider` is set to correct value and there are
> direct users in the group.
> Nested groups will only work with MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
> 
> There is a demo of the feature at
> https://youtu.be/GI9b9MiOQkw?t=4m10s
> 
> Thanks,
> ~ Rajani
> http://cloudplatform.accelerite.com/
> 
> On October 12, 2016 at 6:23 AM, Marty Godsey
> (ma...@gonsource.com) wrote:
> Hello,
> 
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue. The question I have is the "Link Domain to LDAP"
> function at the domain level. I have a domain that I want to auto
> sync. I added this sub domain ( lets call it ROOT/LDAPTest ) that I
> configured with the DN of the group I am wanting to populate from (I
> also attempted this with the OU setting as well) and the user that
> was created cannot authenticate nor are any of the test accounts in
> Active Directory being created in ACS.
> 
> I have LDAP configured globally and I also, as a test made the user
> part of the group I indicated for "LDAP Accounts" and the user shows
> up, but the "Link Domain to LDAP" does not seem to work. I tried
> looking in