Rocky 9 management setup

2023-03-08 Thread Jeremy Hansen
The database setup script seems broken in 4.17.2.0 for Rocky 9. I realize Rocky 
isn’t officially supported yet but I’d like to try…

Is there an alternative way to set up the db on a fresh install?

Currently seeing

Traceback (most recent call last):
  File "/usr/bin/cloudstack-setup-databases", line 45, in <module>
    from cloud_utils import check_selinux, CheckFailed, resolves_to_ipv6
ImportError: cannot import name 'check_selinux' from 'cloud_utils' (/usr/local/lib/python3.9/site-packages/cloud_utils/__init__.py)

Do the latest builds support Rocky 9?

Thanks
-jeremy





Re: Console Proxy VM TLS version and cipher suites

2023-03-08 Thread Simon Weller
Gary,

Can you provide more information as to which CloudStack version you're
running and also where you made modifications? Was it to the Tomcat config?
As Kiran indicated, you should not see any old TLS versions offered in
modern versions of CloudStack. So, if you are, we want to get to the bottom
of it quickly.

-Si

On Wed, Mar 8, 2023 at 3:48 AM Gary Dixon 
wrote:

>
> The PEN test had picked up that a JBoss Enterprise Application was
> allowing TLS v1.0 and TLS v1.1- we have managed to disable this now but
> obviously we would need to build this in to a new System VM template to
> make the change persist a Console Proxy VM rebuild
> Gary Dixon​
> Senior Technical Consultant
> T:  +44 161 537 4990
> E:  vms@quadris‑support.com
> W: www.quadris.co.uk
> The information contained in this e-mail from Quadris may be confidential
> and privileged for the private use of the named recipient.  The contents of
> this e-mail may not necessarily represent the official views of Quadris.
> If you have received this information in error you must not copy,
> distribute or take any action or reliance on its contents.  Please destroy
> any hard copies and delete this message.
>
> From: Kiran Chavala 
> Sent: Tuesday, March 7, 2023 12:59 PM
> To: users@cloudstack.apache.org
> Subject: Re: Console Proxy VM TLS version and cipher suites
>
> Hi Gary
>
> AFAIK, I think cloudstack has disabled anything below TLS v1.2 from 4.11.0
> release
>
> https://github.com/apache/cloudstack/pull/2480
>
> https://issues.apache.org/jira/browse/CLOUDSTACK-10319
>
> CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by rohityadavcloud
> · Pull Request #2480 · apache/cloudstack
> This deprecates and remove TLS 1.0 and 1.1 from preferred list of
> protocols and keeps only TLSv1.2. @blueorangutan package github.com
>
> Regards
> Kiran
> 
> From: Gary Dixon 
> Sent: 07 March 2023 17:35
> To: users@cloudstack.apache.org 
> Subject: Console Proxy VM TLS version and cipher suites
>
>
>
>
>
>
> Hi all
>
>
>
> Is there a way of limiting the console proxy to allow nothing below TLS
> v1.2, 1.3 and only allow strong cipher suites – we are failing a PEN test
> currently and need to strengthen the CPVM security ?
>
>
>
> TIA
>
>
>
> Gary
>
> Gary Dixon​
> Senior Technical Consultant
> T: +44 161 537 4990
> E: vms@quadris‑support.com
> W: http://www.quadris.co.uk/

Re: User-Data for Windows Instance

2023-03-08 Thread Simon Weller
Ranjit,

As Stephan has suggested, Cloudinit for Windows, supported by Cloudbase is
the way to go. It works very well and is fully compatible with CloudStack
user data.

-Si

On Wed, Mar 8, 2023 at 2:29 PM Stephan Bienek 
wrote:

> Hi Ranjit,
>
> while searching for the same some time ago I stumbled across
> https://cloudbase.it/cloudbase-init/
> which looks like the ready-to-use windows-enabled cloud-init I was looking
> for.
>
> Not tested yet, but the description sounds promising.
>
> If you prefer to self-develop something similar, independent of the OS you
> can always query
> http://data-server./latest/user-data
> to retrieve and parse the provided user-data via scripts and take actions.
> (see
> https://docs.cloudstack.apache.org/en/latest/adminguide/virtual_machines/user-data.html
> )
>
> Best regards,
> Stephan
>
> > Ranjit Jadhav wrote on 08.03.2023 20:04 CET:
> >
> >
> > Hello Folks.
> >
> > On the KVM hypervisor, we need to pass user-data i.e. bat script while
> > creating a windows instance. Is it possible?  Which guest-tools should we
> > use?
> >
> > Thank you,
> > Ranjit
>


Re: User-Data for Windows Instance

2023-03-08 Thread Stephan Bienek
Hi Ranjit,

while searching for the same some time ago I stumbled across
https://cloudbase.it/cloudbase-init/
which looks like the ready-to-use windows-enabled cloud-init I was looking for.

Not tested yet, but the description sounds promising.

If you prefer to self-develop something similar, independent of the OS you can 
always query
http://data-server./latest/user-data
to retrieve and parse the provided user-data via scripts and take actions.
(see 
https://docs.cloudstack.apache.org/en/latest/adminguide/virtual_machines/user-data.html
 )

Best regards,
Stephan

> Ranjit Jadhav wrote on 08.03.2023 20:04 CET:
> 
>  
> Hello Folks.
> 
> On the KVM hypervisor, we need to pass user-data i.e. bat script while
> creating a windows instance. Is it possible?  Which guest-tools should we
> use?
> 
> Thank you,
> Ranjit
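
The self-developed route described in the message above, sketched as an added example (not from the thread or from CloudStack): fetch the user-data, accept it only if its first line carries a known marker, and stage it once together with its SHA-256. The marker table, size cap and function names are assumptions of this sketch.

```python
import hashlib
import pathlib
import urllib.request

USER_DATA_URL = "http://data-server./latest/user-data"  # endpoint from the post
MAX_BYTES = 64 * 1024                                    # assumed local size cap
# Assumed first-line markers for this sketch -> extension of the staged file.
MARKERS = (("rem cmd", ".cmd"), ("#ps1", ".ps1"), ("#!", ".sh"))


def fetch_user_data(url=USER_DATA_URL, timeout=10):
    """Fetch user-data directly (never via a proxy) with a timeout and size cap."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        body = resp.read(MAX_BYTES + 1)
    if len(body) > MAX_BYTES:
        raise ValueError("user-data exceeds %d bytes" % MAX_BYTES)
    return body


def classify(body):
    """Return the file extension implied by the first line, or None."""
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff")
    lines = text.splitlines()
    first = lines[0].strip().lower() if lines else ""
    for marker, ext in MARKERS:
        if first.startswith(marker):
            return ext
    return None


def stage(body, workdir):
    """Write a recognised script to workdir once; return (path, sha256) or None."""
    ext = classify(body)
    if ext is None:
        return None                      # unknown content is never written or run
    digest = hashlib.sha256(body).hexdigest()
    workdir = pathlib.Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    done = workdir / (digest + ".done")
    if done.exists():
        return None                      # this exact payload was already handled
    path = workdir / ("user-data" + ext)
    path.write_bytes(body)
    done.write_text("staged\n")
    return path, digest
```

Running the staged file (for a `.cmd`, through `cmd.exe /c`) is left to the caller; logging the returned SHA-256 first makes each run traceable to the exact payload.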


User-Data for Windows Instance

2023-03-08 Thread Ranjit Jadhav
Hello Folks.

On the KVM hypervisor, we need to pass user-data i.e. bat script while
creating a windows instance. Is it possible?  Which guest-tools should we
use?

Thank you,
Ranjit


New rootdisksize not set with Scale instance in 4.17.2

2023-03-08 Thread cristian.c
Hello,

 

Any idea why the new value for "rootdisksize" parameter does not have
any effect on the instance?

   I executed this via cmk (api):


scale virtualmachine id=a2b9aca8-4e67-4cb4-8526-e2507b8d3898
serviceofferingid=08f5f8fa-88d7-44c7-8ed5-7f06a6031888
details[0].cpuNumber=1 details[0].memory=1024 details[0].rootdisksize=25

   And the response is:



{
  "virtualmachine": {
    "account": "emeaclient_16_49",
    "affinitygroup": [],
    "cpunumber": 1,
    "cpuspeed": 1600,
    "created": "2023-03-07T10:21:04+",
    "details": {
      "Message.ReservedCapacityFreed.Flag": "true",
      "cpuNumber": "1",
      "cpuOvercommitRatio": "2.0",
      "cpuSpeed": "1600",
      "dataDiskController": "osdefault",
      "keyboard": "us",
      "memory": "1024",
      "memoryOvercommitRatio": "2.0",
      "nicAdapter": "Vmxnet3",
      "rootDiskController": "scsi",
      "rootdisksize": "10"
    },
    "displayname": "Test-Scale-March-3",
    "displayvm": true,
    "domain": "cloud16",
    "domainid": "793d17f0-30d3-46c1-adbf-657c4659a624",
    "guestosid": "6428ffbd-1f58-11ec-b6e8-244bfeb8116f",
    "haenable": false,
    "hasannotations": false,
    "hypervisor": "VMware",
    "id": "a2b9aca8-4e67-4cb4-8526-e2507b8d3898",
    "instancename": "i-74-1443-VM",
    "isdynamicallyscalable": false,
    "jobid": "701a1122-0185-43a1-b110-bfbee380f4dd",
    "jobstatus": 0,
    "lastupdated": "2023-03-07T10:30:43+",
    "memory": 1024,
    "name": "VM-a2b9aca8-4e67-4cb4-8526-e2507b8d3898",
    "nic": [
      {
        "broadcasturi": "vlan://untagged",
        "deviceid": "0",
        "extradhcpoption": [],
        "gateway": "46.xxx.xxx.49",
        "id": "4e23f2be-ecc5-4793-8cbd-c3bc15920cd1",
        "ipaddress": "46.xxx.xxx.54",
        "isdefault": true,
        "isolationuri": "vlan://untagged",
        "macaddress": "1e:00:cf:00:00:87",
        "netmask": "255.255.255.240",
        "networkid": "3f5fbbe4-fe38-42ae-af2d-01709d7a2e9c",
        "networkname": "Public-NL-01",
        "secondaryip": [],
        "traffictype": "Guest",
        "type": "Shared"
      }
    ],
    "osdisplayname": "Other Linux (64-bit)",
    "ostypeid": "6428ffbd-1f58-11ec-b6e8-244bfeb8116f",
    "passwordenabled": true,
    "pooltype": "VMFS",
    "receivedbytes": 0,
    "rootdeviceid": 0,
    "rootdevicetype": "ROOT",
    "securitygroup": [],
    "sentbytes": 0,
    "serviceofferingid": "08f5f8fa-88d7-44c7-8ed5-7f06a6031888",
    "serviceofferingname": "S-Packages",
    "state": "Stopped",
    "tags": [
      {
        "account": "emeaclient_16_49",
        "domain": "cloud16",
        "domainid": "793d17f0-30d3-46c1-adbf-657c4659a624",
        "key": "service_type",
        "resourceid": "a2b9aca8-4e67-4cb4-8526-e2507b8d3898",
        "resourcetype": "UserVm",
        "value": "S-2"
      },
      {
        "account": "emeaclient_16_49",
        "domain": "cloud16",
        "domainid": "793d17f0-30d3-46c1-adbf-657c4659a624",
        "key": "service_id",
        "resourceid": "a2b9aca8-4e67-4cb4-8526-e2507b8d3898",
        "resourcetype": "UserVm",
        "value": "450"
      }
    ],
    "templatedisplaytext": "RockyLinux-8",
    "templateid": "be405fbf-9ca9-4b90-bf97-9806ebf75b7b",
    "templatename": "RockyLinux-8",
    "userid": "df0acf1e-52a2-4c4f-b4e6-535546cf6b12",
    "username": "emeaclient_16_49",
    "zoneid": "55f0123b-285c-4a70-8b34-565d8454393d",
    "zonename": "EMEA-NL-01"
  }
}

  
I have also changed the value to "true" for
allow.diskoffering.change.during.scale.vm. The only difference is that I do
not see any more the warning in the log "Changing the disk offering of the
root volume during the compute offering change operation is disabled. Please
check the setting [allow.diskoffering.change.during.scale.vm]"

Any suggestion?

Thank you,

Cristian
   

 



RE: Console Proxy VM TLS version and cipher suites

2023-03-08 Thread Gary Dixon

The PEN test had picked up that a JBoss Enterprise Application was allowing TLS 
v1.0  and TLS v1.1- we have managed to disable this now but obviously we would 
need to build this in to a new System VM template to make the change persist a 
Console Proxy VM rebuild


Gary Dixon
Senior Technical Consultant
T:  +44 161 537 4990
E:  v...@quadris-support.com
W: www.quadris.co.uk
From: Kiran Chavala 
Sent: Tuesday, March 7, 2023 12:59 PM
To: users@cloudstack.apache.org
Subject: Re: Console Proxy VM TLS version and cipher suites

Hi Gary

AFAIK, I think cloudstack has disabled  anything below TLS v1.2 from 4.11.0 
release



https://github.com/apache/cloudstack/pull/2480

https://issues.apache.org/jira/browse/CLOUDSTACK-10319

CLOUDSTACK-10319: Prefer TLSv1.2, deprecate TLSv1.0,1.1 by rohityadavcloud · 
Pull Request #2480 · apache/cloudstack
This deprecates and remove TLS 1.0 and 1.1 from preferred list of protocols and 
keeps only TLSv1.2. @blueorangutan package github.com


Regards
Kiran

From: Gary Dixon 
Sent: 07 March 2023 17:35
To: users@cloudstack.apache.org 
Subject: Console Proxy VM TLS version and cipher suites






Hi all



Is there a way of limiting the console proxy to allow nothing below TLS v1.2, 
1.3 and only allow strong cipher suites – we are failing a PEN test currently 
and need to strengthen the CPVM security ?



TIA



Gary

Gary Dixon​
Senior Technical Consultant
T:  +44 161 537 4990
E:  vms@quadris‑support.com
W: http://www.quadris.co.uk/
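
A way to check the outcome discussed in this thread, as an added example (not from any poster or from CloudStack): a Python probe that offers one TLS version at a time to an endpoint and lists the legacy versions it still accepts. The host and port are whatever the console proxy listens on in your deployment, and the function names are hypothetical.

```python
import socket
import ssl
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")  # the versions the pen test flagged


def pinned_context(name):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # auditing the protocol, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # Python warns when TLS 1.0/1.1 is selected
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    if name in LEGACY:
        # Local crypto policy may block TLS < 1.2 and hide a non-compliant server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port, name, timeout=5.0):
    """Return (status, cipher) for one handshake offering only `name`."""
    try:
        ctx = pinned_context(name)
    except (ValueError, ssl.SSLError):
        return "client-unsupported", None   # local OpenSSL cannot offer it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable", None
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "accepted", tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return "refused", None
    finally:
        raw.close()


def audit(host, port):
    """Probe every version; list the legacy ones the endpoint still accepts."""
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, [n for n in LEGACY if results[n][0] == "accepted"]
```

A `client-unsupported` status means the local OpenSSL build cannot offer that version at all, so it says nothing about the server; rerun the probe from a host whose OpenSSL can. Running it again after a Console Proxy VM rebuild shows whether the change persisted.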





Webinar today on the upcoming 4.18 release

2023-03-08 Thread Ivet Petrova
Hi,

I would like to share again that at ShapeBlue we are having a webinar today 
reviewing and sharing our opinion over the upcoming 4.18 release. I hope the 
event will be useful for all community members: 
https://www.shapeblue.com/apache-cloudstack-4-18-release-webinar/

Will be happy to see some of you online.

Kind regards,