[GitHub] cloudstack issue #1640: CLOUDSTACK-9458: Fix HA bug when VMs are stopped on ...

2016-09-13 Thread marcaurele
Github user marcaurele commented on the issue:

https://github.com/apache/cloudstack/pull/1640
  
@jburwell I changed the commit and PR to point to 4.9


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


Re: builds.cloudstack.org (new jenkins system)

2016-09-13 Thread Rajani Karuturi
This is great. Thanks for setting it up PL.

If possible, could you also move the coverity job[1] to the new
jenkins please?
CloudStack coverity report last ran on Jan 25, 2016

[1]
http://jenkins.buildacloud.org/job/cloudstack-master-twiceweekly-coverity/

Thanks,
~ Rajani
http://cloudplatform.accelerite.com/

On September 14, 2016 at 12:11 AM, Pierre-Luc Dion
(pdion...@apache.org) wrote:
Hi,

we now have a nice URL pointing to the replacement jenkins
of j.bac.o:
builds.cloudstack.org

I'll make sure to enable SSL for user authentication. Whoever is a
committer and wants admin access to Jenkins, let me know. If you have a CI
system that we could leverage via a centralized portal, feel free to post on
dev@

Cheers,

PL

[GitHub] cloudstack issue #1542: CLOUDSTACK-9379: Support nested virtualization at VM...

2016-09-13 Thread serg38
Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/1542
  
@rhtyd @jburwell @rafaelweingartner @koushik-das The rationale to have 
vmware.nested.virtualization.perVM was that advanced vm_details and template 
details are user controlled. With 
https://issues.apache.org/jira/browse/CLOUDSTACK-9457
‘Allow retrieval and modification of VM and template details via API and 
UI’ users will be able to change any advanced details in UI and API.
If admin wants to preserve that nested virtualization is controlled in 
centralized fashion they can do so by setting 
vmware.nested.virtualization.perVM to ‘false’. Idea was to allow 
organizations that currently have nested virtualization disabled to have it so 
after upgrade. Does it make sense, or does everyone prefer that the setting on VM level 
overrides the global one?




[GitHub] cloudstack issue #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on the issue:

https://github.com/apache/cloudstack/pull/1511
  
@rhtyd this PR is actually fairly important as it upgrades our crypto 
implementation to the latest available.  Therefore, I want to get it into LTS 
for 4.9.2.0.

In addition to addressing the code review comments, I see the following 
items need to be addressed in order to merge this PR:

  * [ ] Re-target the PR to the 4.9 branch
  * [ ] Create a JIRA ticket for this change and reference it in the commit message
  * [ ] Squash the commits
  * [ ] Fix the Travis failures
  * [ ] Rebase the changes with the parent branch to resolve merge conflicts
  * [ ] Integration test it





[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648723
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static KeyStore loadKeystore(byte[] ksData, String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
-assert (ksData != null);
-KeyStore ks = KeyStore.getInstance("JKS");
+public static KeyStore loadKeystore(final byte[] ksData, final String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
+assert ksData != null;
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null);
 
 return ks;
 }
 
-public static KeyStore buildKeystore(String alias, String cert, String 
privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+public 
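Review bot: `assert ksData != null;` in `loadKeystore` does nothing unless the JVM runs with assertions enabled (`-ea`), so in a normal deployment a null `ksData` falls through to `new ByteArrayInputStream(ksData)` and surfaces as a bare NullPointerException. Since this line is being touched anyway, replace it with an explicit check such as `Objects.requireNonNull(ksData, "ksData")` or an IllegalArgumentException with a clear message.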

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78649049
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static KeyStore loadKeystore(byte[] ksData, String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
-assert (ksData != null);
-KeyStore ks = KeyStore.getInstance("JKS");
+public static KeyStore loadKeystore(final byte[] ksData, final String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
+assert ksData != null;
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null);
 
 return ks;
 }
 
-public static KeyStore buildKeystore(String alias, String cert, String 
privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+public 
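Review bot: In the list overload of `buildAndSaveKeystore`, the `else` branch sizes the chain as `new Certificate[certs.size()]` and fills it from every entry in `certs`, in reverse order, each time it meets an entry with a key. The chain stored with `ks.setKeyEntry(cert.first(), ...)` therefore always begins with the last certificate in the list rather than the one belonging to `cert.third()`, and every certificate is parsed again for each keyed entry. The change only adds `final` here; it would be worth either documenting the expected list shape (a single keyed entry, whose certificate comes last) in a method comment, or building the chain once outside the loop and checking that its first certificate matches the key.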

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648669
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static KeyStore loadKeystore(byte[] ksData, String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
-assert (ksData != null);
-KeyStore ks = KeyStore.getInstance("JKS");
+public static KeyStore loadKeystore(final byte[] ksData, final String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
+assert ksData != null;
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null);
 
 return ks;
 }
 
-public static KeyStore buildKeystore(String alias, String cert, String 
privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+public 
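Review bot: `storePassword != null ? storePassword.toCharArray() : null` is repeated at every `ks.load` and `ks.store` call in this hunk, and the null branch matters: `KeyStore.load` skips the integrity check when it is given a null password, so `loadKeystore` will accept altered keystore bytes from a caller that passes null. Suggest either rejecting a null `storePassword` up front or moving the conversion into one small private helper with a comment stating when null is allowed.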

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648573
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static KeyStore loadKeystore(byte[] ksData, String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
-assert (ksData != null);
-KeyStore ks = KeyStore.getInstance("JKS");
+public static KeyStore loadKeystore(final byte[] ksData, final String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
+assert ksData != null;
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null);
 
 return ks;
 }
 
-public static KeyStore buildKeystore(String alias, String cert, String 
privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+public 
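Review bot: The import swap from `org.bouncycastle.openssl.PEMReader` to `org.bouncycastle.util.io.pem.PemReader` changes what the parsing code receives: the new reader returns a `PemObject` holding only the type label and the raw bytes, and `readPemObject()` returns null when the input contains no PEM block. The methods that use it are cut off in this excerpt, so please confirm they check for null and validate `PemObject.getType()` before passing the content to a key or certificate factory, and add a test with non-PEM input.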

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648332
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
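Review bot: Nearly every `-`/`+` pair in this hunk differs only by an added `final` (for example `KeyStore ks` to `final KeyStore ks`, `Certificate c` to `final Certificate c`), which buries the lines that actually belong to the crypto library upgrade. Suggest moving the `final` additions and the import reordering into a separate change so the functional part can be reviewed and backported on its own.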
--- End diff --

It appears that we are potentially leaving a dangling `OutputStream` 
instance.  It seems like lines 84 and 85 should be wrapped in a try with 
resources block that translates all checked exceptions to unchecked exceptions 
and logs the error.



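A sketch of the change suggested in the review comment above, added here as an illustration and not code from the pull request or from CloudStack: the stream is scoped by try-with-resources, and checked exceptions are logged and rethrown unchecked. The class name `KeystoreBytes`, the use of `java.util.logging`, and `IllegalStateException` (standing in for the project's `CloudRuntimeException`) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical helper class; not part of CloudStack.
public final class KeystoreBytes {
    private static final Logger LOG = Logger.getLogger(KeystoreBytes.class.getName());

    private KeystoreBytes() {
    }

    /**
     * Serializes a keystore to a byte array. The stream is closed by
     * try-with-resources on every path, and any checked exception from
     * store() or close() is logged and rethrown as an unchecked exception
     * that keeps the original as its cause.
     */
    public static byte[] toBytes(final KeyStore ks, final char[] storePassword) {
        try (ByteArrayOutputStream os = new ByteArrayOutputStream()) {
            ks.store(os, storePassword);
            return os.toByteArray();
        } catch (IOException | GeneralSecurityException e) {
            LOG.log(Level.SEVERE, "Unable to serialize keystore", e);
            throw new IllegalStateException("Unable to serialize keystore", e);
        }
    }

    public static void main(final String[] args) throws Exception {
        // Constructed sample password, for the demonstration only.
        final char[] password = "constructed-demo-password".toCharArray();

        // Normal path: an initialized (empty) JKS keystore round-trips,
        // and reloading with the password verifies its integrity.
        final KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, password);
        final byte[] data = toBytes(ks, password);

        final KeyStore reloaded = KeyStore.getInstance("JKS");
        reloaded.load(new ByteArrayInputStream(data), password);
        System.out.println("serialized " + data.length + " bytes, entries=" + reloaded.size());

        // Failure path: store() on a keystore that was never loaded throws
        // KeyStoreException, which reaches the caller as an unchecked exception.
        final KeyStore uninitialized = KeyStore.getInstance("JKS");
        try {
            toBytes(uninitialized, password);
        } catch (final IllegalStateException e) {
            System.out.println("translated: " + e.getCause().getClass().getSimpleName());
        }
    }
}
```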

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647094
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a private key which has a different algorithm than 
the certificate, upload should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Public and private key 
have different algorithms"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 }
 
 @Test
 public void runUploadSslCertExpiredCert() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl 
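Review bot: In `runUploadSslCertBadkeyAlgo` the expected message changes from "Public and private key have different algorithms" to "Error parsing certificate data Parsing certificate/key failed: Invalid Key format.", so the DSA key in `/certs/dsa_self_signed.key` is now rejected while being parsed and the algorithm mismatch check is no longer reached by this test. If DSA keys are meant to stay parseable this is a regression in the new key parsing; if not, the `fail(...)` text and the test name should be updated to say so, and a separate case should still cover a parseable key whose algorithm differs from the certificate's.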

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647052
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a private key which has a different algorithm than 
the certificate, upload should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Public and private key 
have different algorithms"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 }
 
 @Test
 public void runUploadSslCertExpiredCert() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl 
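Review bot: In the `catch` block that follows the `fail("Given a private key which has a different algorithm than the certificate, upload should fail")` call, the expected text changes from "Public and private key have different algorithms" to "Error parsing certificate data Parsing certificate/key failed: Invalid Key format.", so the test no longer demonstrates that a key/certificate algorithm mismatch is detected, only that the key did not parse. The `fail(...)` text still describes the mismatch case. Either keep an input that reaches the algorithm comparison and assert on that error, or reword the test and its failure message to say it now covers an unparseable key.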

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648238
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static byte[] buildAndSaveKeystore(List> certs, String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
-CertificateException, IOException, InvalidKeySpecException {
-KeyStore ks = KeyStore.getInstance("JKS");
+public static byte[] buildAndSaveKeystore(final List> certs, final String storePassword) throws KeyStoreException, 
NoSuchAlgorithmException,
+CertificateException, IOException, InvalidKeySpecException {
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, storePassword != null ? storePassword.toCharArray() 
: null);
 
 //name,cert,key
-for (Ternary cert : certs) {
+for (final Ternary cert : certs) {
 if (cert.third() == null) {
-Certificate c = buildCertificate(cert.second());
+final Certificate c = buildCertificate(cert.second());
 ks.setCertificateEntry(cert.first(), c);
 } else {
-Certificate[] c = new Certificate[certs.size()];
+final Certificate[] c = new Certificate[certs.size()];
 int i = certs.size();
-for (Ternary ct : certs) {
+for (final Ternary ct : certs) {
 c[i - 1] = buildCertificate(ct.second());
 i--;
 }
 ks.setKeyEntry(cert.first(), 
buildPrivateKey(cert.third()), storePassword != null ? 
storePassword.toCharArray() : null, c);
 }
 }
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
 return os.toByteArray();
 }
 
-public static KeyStore loadKeystore(byte[] ksData, String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
-assert (ksData != null);
-KeyStore ks = KeyStore.getInstance("JKS");
+public static KeyStore loadKeystore(final byte[] ksData, final String 
storePassword) throws KeyStoreException, CertificateException, 
NoSuchAlgorithmException, IOException {
+assert ksData != null;
+final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(new ByteArrayInputStream(ksData), storePassword != null ? 
storePassword.toCharArray() : null);
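Review bot: The null guard in `loadKeystore` is still a Java `assert` (`assert ksData != null;`), which is skipped unless the JVM runs with `-ea`, so in production a null `ksData` reaches `new ByteArrayInputStream(ksData)` and surfaces as a bare NullPointerException. Since the line is being touched anyway, replace it with an explicit check such as `Objects.requireNonNull(ksData, "ksData")` or an `IllegalArgumentException` with a clear message.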
--- End diff --

It appears that we are potentially leaving a dangling `InputStream` here.  
It seems like line 93 should be wrapped in a try with resources block that 
translates all checked exceptions to unchecked exceptions and logs the error.



[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78648029
  
--- Diff: 
utils/src/main/java/com/cloud/utils/security/CertificateHelper.java ---
@@ -38,125 +38,139 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
 
-import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
 
 import com.cloud.utils.Ternary;
-import org.bouncycastle.openssl.PEMReader;
+import com.cloud.utils.exception.CloudRuntimeException;
 
 public class CertificateHelper {
-public static byte[] buildAndSaveKeystore(String alias, String cert, 
String privateKey, String storePassword) throws KeyStoreException, 
CertificateException,
-NoSuchAlgorithmException, InvalidKeySpecException, IOException {
-KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
+public static byte[] buildAndSaveKeystore(final String alias, final 
String cert, final String privateKey, final String storePassword) throws 
KeyStoreException, CertificateException,
+NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+final KeyStore ks = buildKeystore(alias, cert, privateKey, 
storePassword);
 
-ByteArrayOutputStream os = new ByteArrayOutputStream();
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
 ks.store(os, storePassword != null ? storePassword.toCharArray() : 
null);
 os.close();
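Review bot: The import switch near the top of this hunk, from `org.bouncycastle.openssl.PEMReader` to `org.bouncycastle.util.io.pem.PemReader`, replaces a reader that returned parsed objects with one that returns a raw `PemObject` (type label, headers, content bytes), so the type check now has to happen in this class. Before `getContent()` is handed to `PKCS8EncodedKeySpec`, the code should compare `getType()` against the block type it expects; otherwise a certificate block or an encrypted key is treated as an unencrypted PKCS#8 key and fails late with a generic error. The consuming code is not visible in this hunk, so please confirm the check is there.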
--- End diff --

It appears that we are potentially leaving a dangling `OutputStream` instance 
here.  It seems like lines 57 and 58 should be wrapped in a try with resources 
block that translates all checked exceptions to unchecked exceptions and logs 
the error.



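The try-with-resources shape suggested in the two review comments above on `CertificateHelper` (one for the `OutputStream` on save, one for the `InputStream` on load), as an added example that is not code from the pull request or from CloudStack. The class `KeystoreIo` and the exception `KeystoreIoException` are hypothetical names; the project would use its own unchecked exception and logger.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;

public final class KeystoreIo {
    private static final Logger LOG = Logger.getLogger(KeystoreIo.class.getName());

    /** Hypothetical unchecked wrapper used only by this example. */
    public static final class KeystoreIoException extends RuntimeException {
        KeystoreIoException(final String message, final Throwable cause) {
            super(message, cause);
        }
    }

    private KeystoreIo() {
    }

    /** Serializes the keystore; the stream is closed on every exit path. */
    public static byte[] save(final KeyStore ks, final char[] storePassword) {
        Objects.requireNonNull(ks, "ks");
        try (ByteArrayOutputStream os = new ByteArrayOutputStream()) {
            ks.store(os, storePassword);
            return os.toByteArray();
        } catch (IOException | GeneralSecurityException e) {
            // Log the cause once, never the password, then rethrow unchecked.
            LOG.log(Level.SEVERE, "Unable to serialize keystore", e);
            throw new KeystoreIoException("Unable to serialize keystore", e);
        }
    }

    /** Loads a JKS keystore; a wrong password or corrupt data ends up in the catch. */
    public static KeyStore load(final byte[] ksData, final char[] storePassword) {
        // Explicit check instead of a Java assert, which is off without -ea.
        Objects.requireNonNull(ksData, "ksData");
        try (InputStream is = new ByteArrayInputStream(ksData)) {
            final KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(is, storePassword);
            return ks;
        } catch (IOException | GeneralSecurityException e) {
            LOG.log(Level.SEVERE, "Unable to load keystore", e);
            throw new KeystoreIoException("Unable to load keystore", e);
        }
    }

    public static void main(final String[] args) throws Exception {
        // Constructed sample input: an empty JKS keystore with a throwaway password.
        final char[] password = "example-only".toCharArray();
        final KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, password);

        final byte[] blob = save(empty, password);
        final KeyStore roundTrip = load(blob, password);
        System.out.println("entries after round trip: " + roundTrip.size());

        try {
            load(blob, "wrong-password".toCharArray());
            System.out.println("unexpected: wrong password accepted");
        } catch (final KeystoreIoException e) {
            // The integrity check fails and the checked exception arrives wrapped.
            System.out.println("rejected: " + e.getCause().getClass().getSimpleName());
        }
    }
}
```

`close()` on the byte-array streams used here does nothing, so the visible gain is the single logged and wrapped failure path; the same shape is what protects a file- or socket-backed stream.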

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647513
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -726,17 +729,17 @@ public void runDeleteSslCertInvalidId() throws 
NoSuchFieldException, IllegalAcce
 
when(certService._lbCertDao.listByCertId(anyLong())).thenReturn(null);
 
 //creating the command
-DeleteSslCertCmd deleteCmd = new DeleteSslCertCmdExtn();
-Class _class = deleteCmd.getClass().getSuperclass();
+final DeleteSslCertCmd deleteCmd = new DeleteSslCertCmdExtn();
+final Class klazz = deleteCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("id");
+final Field certField = klazz.getDeclaredField("id");
 certField.setAccessible(true);
 certField.set(deleteCmd, certId);
 
 try {
 certService.deleteSslCert(deleteCmd);
 fail("Delete with an invalid ID should fail");
-} catch (Exception e) {
+} catch (final Exception e) {
 assertTrue(e.getMessage().contains("Invalid certificate id"));
 }
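Review bot: The `catch (final Exception e)` at the end of this hunk still uses the one-argument `assertTrue`, so a mismatch reports nothing about what was actually thrown and a null message ends in a NullPointerException. Other tests touched in this pull request pass `"Did not expect message: " + e.getMessage()` as the first argument; the same would help here. If the block is replaced by `expected` on `@Test`, note that `expected` checks only the exception class, so the "Invalid certificate id" check would need JUnit's `ExpectedException` rule to survive.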
--- End diff --

Please consider replacing this `try` block with `expected` on the `@Test` 
annotation




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647426
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -686,35 +689,35 @@ public void runDeleteSslCertBoundCert() throws 
NoSuchFieldException, IllegalAcce
 when(certService._entityMgr.findById(eq(LoadBalancerVO.class), 
anyLong())).thenReturn(new LoadBalancerVO());
 
 //creating the command
-DeleteSslCertCmd deleteCmd = new DeleteSslCertCmdExtn();
-Class _class = deleteCmd.getClass().getSuperclass();
+final DeleteSslCertCmd deleteCmd = new DeleteSslCertCmdExtn();
+final Class klazz = deleteCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("id");
+final Field certField = klazz.getDeclaredField("id");
 certField.setAccessible(true);
 certField.set(deleteCmd, certId);
 
 try {
 certService.deleteSslCert(deleteCmd);
 fail("Delete with a cert id bound to a lb should fail");
-} catch (Exception e) {
+} catch (final Exception e) {
 assertTrue(e.getMessage().contains("Certificate in use by a 
loadbalancer"));
 }
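Review bot: The reflection at `final Class klazz = deleteCmd.getClass().getSuperclass();` depends on `DeleteSslCertCmdExtn` being a direct subclass of the class that declares `id`; if another class is ever inserted in between, `getDeclaredField("id")` fails with NoSuchFieldException for a reason unrelated to the test. Since the line is being renamed anyway, consider `DeleteSslCertCmd.class.getDeclaredField("id")`, which states the intended owner of the field.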
--- End diff --

Please consider replacing this `try` block with `expected` on the `@Test` 
annotation




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647300
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -571,43 +573,44 @@ public void runUploadSslCertNotX509() throws 
IOException, IllegalAccessException
 public void runUploadSslCertBadFormat() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a Certificate in bad format (Not PEM), upload 
should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Invalid certificate 
format"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Invalid Certificate format. Expected X509 certificate. Failed due to 
null"));
 }
 }
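Review bot: The new expected string in the `catch` of `runUploadSslCertBadFormat` ends with "Failed due to null", which pins a null cause message into the test. That text looks like the result of concatenating `getMessage()` of an exception that has none, so the test now locks in an unhelpful error that users of the upload API will also see. Fix the message where it is built (fall back to the exception class name, or drop the suffix when the message is null) and assert on the stable part, "Invalid Certificate format. Expected X509 certificate.".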
--- End diff --

Please consider replacing this `try` block with `expected` on the `@Test` 
annotation




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645945
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -348,90 +348,91 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 @Test
 public void runUploadSslCertBadPassword() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "bad_password";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "bad_password";
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field passField = _class.getDeclaredField("password");
+final Field passField = klazz.getDeclaredField("password");
 passField.setAccessible(true);
 passField.set(uploadCmd, password);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given an encrypted private key with a bad password. 
Upload should fail.");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("please check password and 
data"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 
 }
 
 @Test
 public void runUploadSslCertBadkeyPair() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.key").getFile(),Charset.defaultCharset().name());
 
-   
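Review bot: In the `catch` of `runUploadSslCertBadPassword`, the expected text changes from "please check password and data" to "Error parsing certificate data Parsing certificate/key failed: Invalid Key format.", so a wrong password on an encrypted key is now reported the same way as a malformed key. An operator who mistypes the password gets no hint that the password is the problem, and the test can no longer tell the two cases apart. Please keep a distinct error for the decryption failure, or state in the pull request that encrypted keys are intentionally reported this way.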

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645447
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -297,48 +297,48 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 
 Assume.assumeTrue(isOpenJdk() || isJCEInstalled());
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
-String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
+final String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
-String chain = readFileToString(new File(chainFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
+final String chain = readFileToString(new File(chainFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field chainField = _class.getDeclaredField("chain");
+final Field chainField = klazz.getDeclaredField("chain");
 chainField.setAccessible(true);
 chainField.set(uploadCmd, chain);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Chain is given but does not link to the certificate");
-} catch (Exception e) {
+} catch (final Exception e) {
 assertTrue(e.getMessage().contains("Invalid certificate 
chain"));
 }
--- End diff --

Please consider replacing this try block with `expected` on the `@Test` 
annotation.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645238
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -297,48 +297,48 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 
 Assume.assumeTrue(isOpenJdk() || isJCEInstalled());
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
-String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
+final String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
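Review bot: All three rewritten lines still call `URLDecoder.decode(..., Charset.defaultCharset().name())`, which decodes the resource path with the platform default charset, so the result for a checkout path containing non-ASCII characters depends on the build host. Name the charset explicitly (UTF-8), or drop the decode step and build the file with `new File(getClass().getResource(...).toURI())`.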
--- End diff --

Please see line notes for 154-155 as those comments apply to lines 300-302 
as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645782
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -348,90 +348,91 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 @Test
 public void runUploadSslCertBadPassword() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "bad_password";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "bad_password";
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
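Review bot: The two `readFileToString(new File(...))` calls at the end of this hunk pass no charset, so how the PEM text is decoded is left to the helper's default. PEM content is ASCII, so the risk is small, but passing the charset explicitly keeps the fixtures read identically on every build host and removes the question for the next reader.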
--- End diff --

Please see line comments 158-159 as they apply to lines 355-356 as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646098
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
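Review bot: The `certFile` and `keyFile` lines chain `.getFile()` directly onto `getClass().getResource(...)`, which returns null when a fixture such as `/certs/dsa_self_signed.key` is missing from the test classpath, so the test then dies with a bare NullPointerException instead of naming the missing file. An `assertNotNull` on the resource, with the path in the message, before it is used would make a packaging problem obvious.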
--- End diff --

Please see line comments 158-159 as they apply to lines 447-448 as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647140
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -571,43 +573,44 @@ public void runUploadSslCertNotX509() throws 
IOException, IllegalAccessException
 public void runUploadSslCertBadFormat() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
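Review bot: The changed lines at the top of `runUploadSslCertBadFormat` differ from the lines they replace only by an added `final`, and that mechanical change surrounds the few behavioural edits in this file (the new expected error messages further down). Consider moving the `final` clean-up into its own commit so the BouncyCastle-related changes can be reviewed, and later bisected, on their own.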
--- End diff --

Please see line notes for 154-155 as those comments apply to lines 576-577 
as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78647190
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -571,43 +573,44 @@ public void runUploadSslCertNotX509() throws 
IOException, IllegalAccessException
 public void runUploadSslCertBadFormat() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/bad_format_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
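Review bot: The context comment `// Reading appropritate files` at the top of this hunk has a typo ("appropriate"), and the same comment appears in the neighbouring tests. Since the lines directly below it are being rewritten in this change, fix the comment at the same time.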
--- End diff --

Please see line comments 158-159 as they apply to lines 579-580 as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646689
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a private key which has a different algorithm than 
the certificate, upload should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Public and private key 
have different algorithms"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 }
--- End diff --
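Review bot: In the `catch` at the end of `runUploadSslCertBadkeyAlgo`, the expected text changes from "Public and private key have different algorithms" to the generic "Error parsing certificate data Parsing certificate/key failed: Invalid Key format.", while the `fail(...)` message still describes a key whose algorithm differs from the certificate's. As written, the test passes on any key-parsing failure, so it no longer shows that the RSA certificate paired with the DSA key is rejected because of the mismatch. Either keep an assertion that is specific to the algorithm check, or rename the test and update the `fail` text to match what is now verified.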

Please consider replacing this `try` block with `expected` on the `@Test` 
annotation.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646330
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
--- End diff --

This line appears in nearly every test method. Consider converting it to 
an attribute and initializing it in `setUp`. Since the `setUp` is run before 
every test method, the instance will be re-initialized and it will remove some 
repetition.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646913
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a private key which has a different algorithm than 
the certificate, upload should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Public and private key 
have different algorithms"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 }
 
 @Test
 public void runUploadSslCertExpiredCert() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
--- End diff --
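Review bot: On the added `certFile`/`keyFile` lines of `runUploadSslCertExpiredCert`, the resource path is still decoded with `Charset.defaultCharset().name()`, so the decoded path depends on the default encoding of whichever machine runs the test. Percent-encoded URL paths are UTF-8 by convention; pass "UTF-8" explicitly, or drop the decode and build the `File` from `getClass().getResource(...).toURI()`.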

Please see line notes for 154-155 as those comments apply to lines 489-490 
as well.



[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646974
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given a private key which has a different algorithm than 
the certificate, upload should fail");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("Public and private key 
have different algorithms"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 }
 
 @Test
 public void runUploadSslCertExpiredCert() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/expired_cert.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
--- End diff --
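Review bot: The added `readFileToString(new File(certFile))` and `readFileToString(new File(keyFile))` calls at the end of this hunk pass only a `File`, so the encoding used to read the PEM fixtures is not stated at the call site. If the helper has an overload that takes a charset, use it here so the certificate and key text handed to `uploadSslCert` is the same on every build host.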

Please 

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646545
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
--- End diff --
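Review bot: `certService._sslCertDao.persist(any(SslCertVO.class))` is stubbed to return a new `SslCertVO` at the end of this block, yet this is a rejection test and nothing in the quoted lines checks that `persist` is never reached. Adding `verify(certService._sslCertDao, never()).persist(any(SslCertVO.class));` after the failed upload would show that a certificate with a rejected key is not stored.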

Lines 450-462 appear in nearly every test method. Consider converting it to 
an attribute and initializing it in setUp. Since the setUp is run before every 
test method, the instance will be re-initialized and it will remove some 
repetition.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78646056
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -440,129 +441,130 @@ public void runUploadSslCertBadkeyPair() throws 
IOException, IllegalAccessExcept
 public void runUploadSslCertBadkeyAlgo() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/dsa_self_signed.key").getFile(),Charset.defaultCharset().name());
--- End diff --
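Review bot: On the added `keyFile` line, `getClass().getResource("/certs/dsa_self_signed.key")` is dereferenced with `.getFile()` straight away, so a fixture missing from the test classpath ends the test with a bare NullPointerException instead of a message naming the file. An `assertNotNull` on the returned URL, with the resource name as its message, before decoding would make that failure readable.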

Please see line notes for 154-155 as those comments apply to lines 444-445 
as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645990
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -348,90 +348,91 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 @Test
 public void runUploadSslCertBadPassword() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "bad_password";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "bad_password";
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field passField = _class.getDeclaredField("password");
+final Field passField = klazz.getDeclaredField("password");
 passField.setAccessible(true);
 passField.set(uploadCmd, password);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given an encrypted private key with a bad password. 
Upload should fail.");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("please check password and 
data"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
 
 }
 
 @Test
 public void runUploadSslCertBadkeyPair() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 // Reading appropritate files
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.key").getFile(),Charset.defaultCharset().name());
--- End 
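Review bot: `final Class klazz = uploadCmd.getClass().getSuperclass();` in `runUploadSslCertBadPassword` keeps the raw `Class` type. Since the line is being rewritten anyway, declare it as `Class<?>` so the three `getDeclaredField` lookups for "cert", "key" and "password" compile without a raw-type warning.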

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645872
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -348,90 +348,91 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 @Test
 public void runUploadSslCertBadPassword() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "bad_password";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "bad_password";
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
 
-CertServiceImpl certService = new CertServiceImpl();
+final CertServiceImpl certService = new CertServiceImpl();
 
 //setting mock objects
 certService._accountMgr = Mockito.mock(AccountManager.class);
-Account account = new AccountVO("testaccount", 1, "networkdomain", 
(short)0, UUID.randomUUID().toString());
+final Account account = new AccountVO("testaccount", 1, 
"networkdomain", (short)0, UUID.randomUUID().toString());
 
when(certService._accountMgr.getAccount(anyLong())).thenReturn(account);
 
 certService._domainDao = Mockito.mock(DomainDao.class);
-DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
+final DomainVO domain = new DomainVO("networkdomain", 1L, 1L, 
"networkdomain");
 
when(certService._domainDao.findByIdIncludingRemoved(anyLong())).thenReturn(domain);
 
 certService._sslCertDao = Mockito.mock(SslCertDao.class);
 
when(certService._sslCertDao.persist(any(SslCertVO.class))).thenReturn(new 
SslCertVO());
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field passField = _class.getDeclaredField("password");
+final Field passField = klazz.getDeclaredField("password");
 passField.setAccessible(true);
 passField.set(uploadCmd, password);
 
 try {
 certService.uploadSslCert(uploadCmd);
 fail("Given an encrypted private key with a bad password. 
Upload should fail.");
-} catch (Exception e) {
-assertTrue(e.getMessage().contains("please check password and 
data"));
+} catch (final Exception e) {
+assertTrue("Did not expect message: " + e.getMessage(),
+e.getMessage().contains("Error parsing certificate 
data Parsing certificate/key failed: Invalid Key format."));
 }
--- End diff --
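Review bot: The `catch` in `runUploadSslCertBadPassword` replaces the check for "please check password and data" with the generic "Invalid Key format." text, so a wrong password can no longer be told apart from a malformed key by this test. The block also catches every `Exception` and calls `e.getMessage().contains(...)`, which throws a NullPointerException when the exception carries no message; catch the specific exception type `uploadSslCert` is expected to throw and assert on that.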

Please consider replacing this `try` block with `expected` on the `@Test` 
annotation.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645670
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -348,90 +348,91 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 @Test
 public void runUploadSslCertBadPassword() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "bad_password";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "bad_password";
--- End diff --

Please see line notes for 154-155 as those comments apply to lines 351-353 
as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78645295
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -297,48 +297,48 @@ public void runUploadSslCertNoRootCert() throws 
IOException, IllegalAccessExcept
 
 Assume.assumeTrue(isOpenJdk() || isJCEInstalled());
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
-String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
+final String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/non_root.crt").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
-String chain = readFileToString(new File(chainFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
+final String chain = readFileToString(new File(chainFile));
--- End diff --
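Review bot: The context line `Assume.assumeTrue(isOpenJdk() || isJCEInstalled());` at the top of this hunk means the test is reported as skipped, not failed, on a JVM that meets neither condition, so the chain check on `rsa_ca_signed.crt` with `non_root.crt` may never run in CI. A short comment saying why the assumption is needed, and a check that the build JVM satisfies it, would keep this coverage from disappearing silently.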

Please see line comments 158-159 as they apply to lines 304-306 as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644966
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -245,48 +245,48 @@ public void runUploadSslCertSelfSignedNoPassword() 
throws Exception {
 public void runUploadSslCertBadChain() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 Assume.assumeTrue(isOpenJdk() || isJCEInstalled());
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
-String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
+final String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
-String chain = readFileToString(new File(chainFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
+final String chain = readFileToString(new File(chainFile));
--- End diff --
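Review bot: The `certFile`, `keyFile` and `chainFile` lines here repeat the same `URLDecoder.decode(getClass().getResource(...).getFile(), ...)` expression, each followed by its own `readFileToString(new File(...))`. A small private helper in the test class that takes the resource name and returns the file contents would replace all six lines and leave one place to handle a missing fixture or an encoding choice.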

Please see line comments 158-159 as they apply to lines 252-254 as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644844
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -245,48 +245,48 @@ public void runUploadSslCertSelfSignedNoPassword() 
throws Exception {
 public void runUploadSslCertBadChain() throws IOException, 
IllegalAccessException, NoSuchFieldException {
 Assume.assumeTrue(isOpenJdk() || isJCEInstalled());
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
-String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_ca_signed.key").getFile(),Charset.defaultCharset().name());
+final String chainFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
--- End diff --

Please see line notes for 154-155 as those comments apply to lines 248-250 
as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644684
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -200,23 +200,23 @@ public void runUploadSslCertSelfSignedWithPassword() 
throws Exception {
  */
 public void runUploadSslCertSelfSignedNoPassword() throws Exception {
 
-TransactionLegacy txn = 
TransactionLegacy.open("runUploadSslCertSelfSignedNoPassword");
+TransactionLegacy.open("runUploadSslCertSelfSignedNoPassword");
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
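Review bot: On the `+TransactionLegacy.open("runUploadSslCertSelfSignedNoPassword");` line the handle returned by `open` is discarded, so nothing in the test can close the transaction it opened. Removing the unused `txn` local only silences the warning; keep the reference and close it in a `finally` block or an `@After` method instead.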
--- End diff --

Please see line notes for 154-155 as those comments apply here as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644729
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -200,23 +200,23 @@ public void runUploadSslCertSelfSignedWithPassword() 
throws Exception {
  */
 public void runUploadSslCertSelfSignedNoPassword() throws Exception {
 
-TransactionLegacy txn = 
TransactionLegacy.open("runUploadSslCertSelfSignedNoPassword");
+TransactionLegacy.open("runUploadSslCertSelfSignedNoPassword");
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed.key").getFile(),Charset.defaultCharset().name());
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
--- End diff --

Please see line comments 158-159 as they apply here as well.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644594
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -125,48 +125,48 @@ public void runUploadSslCertWithCAChain() throws 
Exception {
 
when(certService._accountDao.findByIdIncludingRemoved(anyLong())).thenReturn((AccountVO)account);
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field chainField = _class.getDeclaredField("chain");
+final Field chainField = klazz.getDeclaredField("chain");
 chainField.setAccessible(true);
 chainField.set(uploadCmd, chain);
 
 certService.uploadSslCert(uploadCmd);
 }
 
-@Test
+//@Test
 /**
  * Given a Self-signed Certificate with encrypted key, upload should 
succeed
  */
 public void runUploadSslCertSelfSignedWithPassword() throws Exception {
 
-TransactionLegacy txn = 
TransactionLegacy.open("runUploadSslCertSelfSignedWithPassword");
+TransactionLegacy.open("runUploadSslCertSelfSignedWithPassword");
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "test";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
+final String password = "test";
 
-String cert = readFileToString(new File(certFile));
-String key = readFileToString(new File(keyFile));
+final String cert = readFileToString(new File(certFile));
+final String key = readFileToString(new File(keyFile));
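Review bot: `-@Test` / `+//@Test` above `runUploadSslCertSelfSignedWithPassword` silently disables the one test in this hunk that uploads a certificate with an encrypted key, and nothing in the change says why. If password-protected keys are no longer supported, delete the test and state that in the PR; if they are, keep `@Test` and fix the failure, or at least use `@Ignore` with a reason so the skipped test shows up in the report.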
--- End diff --

Lines 154-155 and 158-159 are a repeating group.  Please consider 
extracting to a utility method with proper unit tests.




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78644423
  
--- Diff: server/test/org/apache/cloudstack/network/lb/CertServiceTest.java 
---
@@ -125,48 +125,48 @@ public void runUploadSslCertWithCAChain() throws 
Exception {
 
when(certService._accountDao.findByIdIncludingRemoved(anyLong())).thenReturn((AccountVO)account);
 
 //creating the command
-UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
-Class _class = uploadCmd.getClass().getSuperclass();
+final UploadSslCertCmd uploadCmd = new UploadSslCertCmdExtn();
+final Class klazz = uploadCmd.getClass().getSuperclass();
 
-Field certField = _class.getDeclaredField("cert");
+final Field certField = klazz.getDeclaredField("cert");
 certField.setAccessible(true);
 certField.set(uploadCmd, cert);
 
-Field keyField = _class.getDeclaredField("key");
+final Field keyField = klazz.getDeclaredField("key");
 keyField.setAccessible(true);
 keyField.set(uploadCmd, key);
 
-Field chainField = _class.getDeclaredField("chain");
+final Field chainField = klazz.getDeclaredField("chain");
 chainField.setAccessible(true);
 chainField.set(uploadCmd, chain);
 
 certService.uploadSslCert(uploadCmd);
 }
 
-@Test
+//@Test
 /**
  * Given a Self-signed Certificate with encrypted key, upload should 
succeed
  */
 public void runUploadSslCertSelfSignedWithPassword() throws Exception {
 
-TransactionLegacy txn = 
TransactionLegacy.open("runUploadSslCertSelfSignedWithPassword");
+TransactionLegacy.open("runUploadSslCertSelfSignedWithPassword");
 
-String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
-String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
-String password = "test";
+final String certFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile(),Charset.defaultCharset().name());
+final String keyFile = 
URLDecoder.decode(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile(),Charset.defaultCharset().name());
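Review bot: The three `klazz.getDeclaredField(...)` / `setAccessible(true)` / `set(uploadCmd, ...)` groups for `cert`, `key` and `chain` are the same three statements repeated, and the rename from `_class` to `klazz` keeps the duplication. A small private helper in the test class (a hypothetical `setField(uploadCmd, "cert", cert)`, for instance) would reduce each group to one line and give one place to handle `NoSuchFieldException`.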
--- End diff --

From the best I can see, this code is finding the resource's URL, changing 
to a `File` instance, and decoding it to a `String` only to turn around and 
turn it back into a `File` on lines 158-159.  Please consider simplifying as 
follows:

```
final File certFile = new File(getClass().getResource("/certs/rsa_self_signed_with_pwd.crt").getFile());
final File keyFile = new File(getClass().getResource("/certs/rsa_self_signed_with_pwd.key").getFile());
```




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78643673
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -341,179 +350,172 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List chain, Certificate cert) {
 
-List certs = new ArrayList();
-Set anchors = new HashSet();
+final List certs = new ArrayList();
+final Set anchors = new HashSet();
 
 certs.add(cert); // adding for self signed certs
 certs.addAll(chain);
 
-for (Certificate c : certs) {
-if (!(c instanceof X509Certificate))
+for (final Certificate c : certs) {
+if (!(c instanceof X509Certificate)) {
 throw new IllegalArgumentException("Invalid chain format. 
Expected X509 certificate");
+}
 
-X509Certificate xCert = (X509Certificate)c;
+final X509Certificate xCert = (X509Certificate)c;
 
-Principal subject = xCert.getSubjectDN();
-Principal issuer = xCert.getIssuerDN();
+xCert.getSubjectDN();
+xCert.getIssuerDN();
 
anchors.add(new TrustAnchor(xCert, null));
 }
 
-X509CertSelector target = new X509CertSelector();
+final X509CertSelector target = new X509CertSelector();
 target.setCertificate((X509Certificate)cert);
 
 PKIXBuilderParameters params = null;
 try {
 params = new PKIXBuilderParameters(anchors, target);
 params.setRevocationEnabled(false);
 params.addCertStore(CertStore.getInstance("Collection", new 
CollectionCertStoreParameters(certs)));
-CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", 
"BC");
+final CertPathBuilder builder = 
CertPathBuilder.getInstance("PKIX", "BC");
 builder.build(params);
 
-} catch (InvalidAlgorithmParameterException e) {
+} catch (final InvalidAlgorithmParameterException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (CertPathBuilderException e) {
+} catch (final CertPathBuilderException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchAlgorithmException e) {
+} catch (final NoSuchAlgorithmException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchProviderException e) {
+} catch (final NoSuchProviderException e) {
 throw new CloudRuntimeException("No provider for certificate 
validation", e);
 }
 
 }
 
-public PrivateKey parsePrivateKey(String key, String password) throws 
IOException {
-
-PasswordFinder pGet = null;
-
-if (password != null)
-pGet = new KeyPassword(password.toCharArray());
-
-PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
-Object obj = null;
-try {
-obj = privateKey.readObject();
-} finally {
-IOUtils.closeQuietly(privateKey);
-}
-
-try {
-
-if (obj instanceof KeyPair)
-return ((KeyPair)obj).getPrivate();
-
-return (PrivateKey)obj;
-
-} catch (Exception e) {
+public PrivateKey parsePrivateKey(final String key, final String 
password) throws IOException {
+try (final PemReader pemReader = new PemReader(new 
StringReader(key));) {
+final PemObject pemObject = pemReader.readPemObject();
+final byte[] content = pemObject.getContent();
+final PKCS8EncodedKeySpec privKeySpec = new 
PKCS8EncodedKeySpec(content);
+final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
+return factory.generatePrivate(privKeySpec);
+} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+throw new IOException("No encryption provider available.", e);
+} catch (final InvalidKeySpecException e) {
 throw new IOException("Invalid Key format or invalid 
password.", e);
 }
 }
 
 public Certificate parseCertificate(String cert) {
-PEMReader certPem = new PEMReader(new StringReader(cert));
+final PemReader certPem = new PemReader(new StringReader(cert));
 try {
-return (Certificate)certPem.readObject();
-} catch (Exception e) {
+return 
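Review bot: The new `parsePrivateKey(final String key, final String password)` never reads `password`: the PEM body goes straight into `PKCS8EncodedKeySpec`, so a password-protected key cannot be decoded by this method, yet the `InvalidKeySpecException` message still says "or invalid password". Either decrypt the key when a password is supplied, as the removed `new PEMReader(new StringReader(key), pGet)` path did, or reject encrypted keys up front with a message that says so.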

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78643413
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List chain, Certificate cert) {
+private void validateChain(final List chain, final 
Certificate cert) {
 
-List certs = new ArrayList();
-Set anchors = new HashSet();
+final List certs = new ArrayList();
+final Set anchors = new HashSet();
 
 certs.add(cert); // adding for self signed certs
 certs.addAll(chain);
 
-for (Certificate c : certs) {
-if (!(c instanceof X509Certificate))
+for (final Certificate c : certs) {
+if (!(c instanceof X509Certificate)) {
 throw new IllegalArgumentException("Invalid chain format. 
Expected X509 certificate");
+}
 
-X509Certificate xCert = (X509Certificate)c;
+final X509Certificate xCert = (X509Certificate)c;
 
-Principal subject = xCert.getSubjectDN();
-Principal issuer = xCert.getIssuerDN();
+xCert.getSubjectDN();
+xCert.getIssuerDN();
 
-   anchors.add(new TrustAnchor(xCert, null));
+anchors.add(new TrustAnchor(xCert, null));
 }
 
-X509CertSelector target = new X509CertSelector();
+final X509CertSelector target = new X509CertSelector();
 target.setCertificate((X509Certificate)cert);
 
 PKIXBuilderParameters params = null;
 try {
 params = new PKIXBuilderParameters(anchors, target);
 params.setRevocationEnabled(false);
 params.addCertStore(CertStore.getInstance("Collection", new 
CollectionCertStoreParameters(certs)));
-CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", 
"BC");
+final CertPathBuilder builder = 
CertPathBuilder.getInstance("PKIX", "BC");
 builder.build(params);
 
-} catch (InvalidAlgorithmParameterException e) {
+} catch (final InvalidAlgorithmParameterException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (CertPathBuilderException e) {
+} catch (final CertPathBuilderException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchAlgorithmException e) {
+} catch (final NoSuchAlgorithmException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchProviderException e) {
+} catch (final NoSuchProviderException e) {
 throw new CloudRuntimeException("No provider for certificate 
validation", e);
 }
 
 }
 
-public PrivateKey parsePrivateKey(String key, String password) throws 
IOException {
-
-PasswordFinder pGet = null;
-
-if (password != null)
-pGet = new KeyPassword(password.toCharArray());
-
-PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
-Object obj = null;
-try {
-obj = privateKey.readObject();
-} finally {
-IOUtils.closeQuietly(privateKey);
-}
-
-try {
-
-if (obj instanceof KeyPair)
-return ((KeyPair)obj).getPrivate();
-
-return (PrivateKey)obj;
-
-} catch (Exception e) {
-throw new IOException("Invalid Key format or invalid 
password.", e);
+public PrivateKey parsePrivateKey(final String key) throws IOException 
{
+try (final PemReader pemReader = new PemReader(new 
StringReader(key));) {
+final PemObject pemObject = pemReader.readPemObject();
+final byte[] content = pemObject.getContent();
+final PKCS8EncodedKeySpec privKeySpec = new 
PKCS8EncodedKeySpec(content);
+final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
+return factory.generatePrivate(privKeySpec);
+} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+throw new IOException("No encryption provider available.", e);
+} catch (final InvalidKeySpecException e) {
+throw new IOException("Invalid Key format.", e);
 }
 }
 
-public Certificate parseCertificate(String cert) {
-PEMReader certPem = new PEMReader(new StringReader(cert));
+public Certificate parseCertificate(final String cert) {
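Review bot: `+xCert.getSubjectDN();` and `+xCert.getIssuerDN();` in the `for` loop of `validateChain` are bare calls whose results are thrown away. The `subject` and `issuer` locals they replace are not used anywhere in the visible loop body, so delete both statements rather than keeping them as no-ops.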
   

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78642099
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78642059
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List chain, Certificate cert) {
+private void validateChain(final List chain, final 
Certificate cert) {
 
-List certs = new ArrayList();
-Set anchors = new HashSet();
+final List certs = new ArrayList();
+final Set anchors = new HashSet();
 
 certs.add(cert); // adding for self signed certs
 certs.addAll(chain);
 
-for (Certificate c : certs) {
-if (!(c instanceof X509Certificate))
+for (final Certificate c : certs) {
+if (!(c instanceof X509Certificate)) {
 throw new IllegalArgumentException("Invalid chain format. 
Expected X509 certificate");
+}
 
-X509Certificate xCert = (X509Certificate)c;
+final X509Certificate xCert = (X509Certificate)c;
 
-Principal subject = xCert.getSubjectDN();
-Principal issuer = xCert.getIssuerDN();
+xCert.getSubjectDN();
+xCert.getIssuerDN();
 
-   anchors.add(new TrustAnchor(xCert, null));
+anchors.add(new TrustAnchor(xCert, null));
 }
 
-X509CertSelector target = new X509CertSelector();
+final X509CertSelector target = new X509CertSelector();
 target.setCertificate((X509Certificate)cert);
 
 PKIXBuilderParameters params = null;
 try {
 params = new PKIXBuilderParameters(anchors, target);
 params.setRevocationEnabled(false);
 params.addCertStore(CertStore.getInstance("Collection", new 
CollectionCertStoreParameters(certs)));
-CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", 
"BC");
+final CertPathBuilder builder = 
CertPathBuilder.getInstance("PKIX", "BC");
 builder.build(params);
 
-} catch (InvalidAlgorithmParameterException e) {
+} catch (final InvalidAlgorithmParameterException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (CertPathBuilderException e) {
+} catch (final CertPathBuilderException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchAlgorithmException e) {
+} catch (final NoSuchAlgorithmException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchProviderException e) {
+} catch (final NoSuchProviderException e) {
 throw new CloudRuntimeException("No provider for certificate 
validation", e);
 }
 
 }
 
-public PrivateKey parsePrivateKey(String key, String password) throws 
IOException {
-
-PasswordFinder pGet = null;
-
-if (password != null)
-pGet = new KeyPassword(password.toCharArray());
-
-PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
-Object obj = null;
-try {
-obj = privateKey.readObject();
-} finally {
-IOUtils.closeQuietly(privateKey);
-}
-
-try {
-
-if (obj instanceof KeyPair)
-return ((KeyPair)obj).getPrivate();
-
-return (PrivateKey)obj;
-
-} catch (Exception e) {
-throw new IOException("Invalid Key format or invalid 
password.", e);
+public PrivateKey parsePrivateKey(final String key) throws IOException 
{
+try (final PemReader pemReader = new PemReader(new 
StringReader(key));) {
+final PemObject pemObject = pemReader.readPemObject();
+final byte[] content = pemObject.getContent();
+final PKCS8EncodedKeySpec privKeySpec = new 
PKCS8EncodedKeySpec(content);
+final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
+return factory.generatePrivate(privKeySpec);
+} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+throw new IOException("No encryption provider available.", e);
+} catch (final InvalidKeySpecException e) {
+throw new IOException("Invalid Key format.", e);
 }
 }
 
-public Certificate parseCertificate(String cert) {
-PEMReader certPem = new PEMReader(new StringReader(cert));
+public Certificate parseCertificate(final String cert) {
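Review bot: In the new `parsePrivateKey`, the result of `pemReader.readPemObject()` is dereferenced on the next line without a null check. When the submitted `key` string holds no PEM block and `readPemObject()` returns null, `pemObject.getContent()` fails with a `NullPointerException` instead of the `IOException` this method declares; test for null and throw `IOException("Invalid Key format.")` there.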
   

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78641993
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List chain, Certificate cert) {
+private void validateChain(final List chain, final 
Certificate cert) {
 
-List certs = new ArrayList();
-Set anchors = new HashSet();
+final List certs = new ArrayList();
+final Set anchors = new HashSet();
 
 certs.add(cert); // adding for self signed certs
 certs.addAll(chain);
 
-for (Certificate c : certs) {
-if (!(c instanceof X509Certificate))
+for (final Certificate c : certs) {
+if (!(c instanceof X509Certificate)) {
 throw new IllegalArgumentException("Invalid chain format. 
Expected X509 certificate");
+}
 
-X509Certificate xCert = (X509Certificate)c;
+final X509Certificate xCert = (X509Certificate)c;
 
-Principal subject = xCert.getSubjectDN();
-Principal issuer = xCert.getIssuerDN();
+xCert.getSubjectDN();
+xCert.getIssuerDN();
 
-   anchors.add(new TrustAnchor(xCert, null));
+anchors.add(new TrustAnchor(xCert, null));
 }
 
-X509CertSelector target = new X509CertSelector();
+final X509CertSelector target = new X509CertSelector();
 target.setCertificate((X509Certificate)cert);
 
 PKIXBuilderParameters params = null;
 try {
 params = new PKIXBuilderParameters(anchors, target);
 params.setRevocationEnabled(false);
 params.addCertStore(CertStore.getInstance("Collection", new 
CollectionCertStoreParameters(certs)));
-CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", 
"BC");
+final CertPathBuilder builder = 
CertPathBuilder.getInstance("PKIX", "BC");
 builder.build(params);
 
-} catch (InvalidAlgorithmParameterException e) {
+} catch (final InvalidAlgorithmParameterException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (CertPathBuilderException e) {
+} catch (final CertPathBuilderException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchAlgorithmException e) {
+} catch (final NoSuchAlgorithmException e) {
 throw new IllegalArgumentException("Invalid certificate 
chain", e);
-} catch (NoSuchProviderException e) {
+} catch (final NoSuchProviderException e) {
 throw new CloudRuntimeException("No provider for certificate 
validation", e);
 }
 
 }
 
-public PrivateKey parsePrivateKey(String key, String password) throws 
IOException {
-
-PasswordFinder pGet = null;
-
-if (password != null)
-pGet = new KeyPassword(password.toCharArray());
-
-PEMReader privateKey = new PEMReader(new StringReader(key), pGet);
-Object obj = null;
-try {
-obj = privateKey.readObject();
-} finally {
-IOUtils.closeQuietly(privateKey);
-}
-
-try {
-
-if (obj instanceof KeyPair)
-return ((KeyPair)obj).getPrivate();
-
-return (PrivateKey)obj;
-
-} catch (Exception e) {
-throw new IOException("Invalid Key format or invalid 
password.", e);
+public PrivateKey parsePrivateKey(final String key) throws IOException 
{
+try (final PemReader pemReader = new PemReader(new 
StringReader(key));) {
+final PemObject pemObject = pemReader.readPemObject();
+final byte[] content = pemObject.getContent();
+final PKCS8EncodedKeySpec privKeySpec = new 
PKCS8EncodedKeySpec(content);
+final KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
+return factory.generatePrivate(privKeySpec);
+} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+throw new IOException("No encryption provider available.", e);
+} catch (final InvalidKeySpecException e) {
+throw new IOException("Invalid Key format.", e);
 }
 }
 
-public Certificate parseCertificate(String cert) {
-PEMReader certPem = new PEMReader(new StringReader(cert));
+public Certificate parseCertificate(final String cert) {
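Review bot: `KeyFactory.getInstance("RSA", "BC")` in the new `parsePrivateKey` fixes the key algorithm, whereas the removed code returned whatever `PrivateKey` or `KeyPair` the reader produced. A non-RSA key now surfaces only as "Invalid Key format."; if RSA-only is intended, say so in the error message and the method's Javadoc, otherwise derive the algorithm from the parsed key.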
   

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78641717
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78640135
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78639151
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78638892
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78638846
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -339,190 +348,182 @@ public SslCertResponse createCertResponse(SslCertVO 
cert, List

[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78638396
  
--- Diff: server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java 
---
@@ -111,37 +116,37 @@ public CertServiceImpl() {
 @DB
 @Override
 @ActionEvent(eventType = EventTypes.EVENT_LB_CERT_UPLOAD, 
eventDescription = "Uploading a certificate to cloudstack", async = false)
-public SslCertResponse uploadSslCert(UploadSslCertCmd certCmd) {
+public SslCertResponse uploadSslCert(final UploadSslCertCmd certCmd) {
 try {
-String cert = certCmd.getCert();
-String key = certCmd.getKey();
-String password = certCmd.getPassword();
-String chain = certCmd.getChain();
+final String cert = certCmd.getCert();
+final String key = certCmd.getKey();
+final String password = certCmd.getPassword();
+final String chain = certCmd.getChain();
 
 validate(cert, key, password, chain);
 s_logger.debug("Certificate Validation succeeded");
 
-String fingerPrint = 
generateFingerPrint(parseCertificate(cert));
+final String fingerPrint = 
generateFingerPrint(parseCertificate(cert));
 
-CallContext ctx = CallContext.current();
-Account caller = ctx.getCallingAccount();
+final CallContext ctx = CallContext.current();
+final Account caller = ctx.getCallingAccount();
 
 Account owner = null;
-if ((certCmd.getAccountName() != null && certCmd.getDomainId() 
!= null) || certCmd.getProjectId() != null) {
+if (certCmd.getAccountName() != null && certCmd.getDomainId() 
!= null || certCmd.getProjectId() != null) {
 owner = _accountMgr.finalizeOwner(caller, 
certCmd.getAccountName(), certCmd.getDomainId(), certCmd.getProjectId());
 } else {
 owner = caller;
 }
 
-Long accountId = owner.getId();
-Long domainId = owner.getDomainId();
+final Long accountId = owner.getId();
+final Long domainId = owner.getDomainId();
 
-SslCertVO certVO = new SslCertVO(cert, key, password, chain, 
accountId, domainId, fingerPrint);
+final SslCertVO certVO = new SslCertVO(cert, key, password, 
chain, accountId, domainId, fingerPrint);
 _sslCertDao.persist(certVO);
 
 return createCertResponse(certVO, null);
 
-} catch (Exception e) {
+} catch (final Exception e) {
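Review bot: The `if` condition on `certCmd.getAccountName()`, `certCmd.getDomainId()` and `certCmd.getProjectId()` loses its grouping parentheses and now relies on `&&` binding tighter than `||`. The result is unchanged, but `(a && b) || c` states the intent and avoids a misread in a check that decides the certificate's owner; please keep the parentheses.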
--- End diff --

Why are all checked and unchecked exceptions being caught here?




[GitHub] cloudstack pull request #1511: 4.9/master bountycastle changes

2016-09-13 Thread jburwell
Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1511#discussion_r78638045
  
--- Diff: pom.xml ---
@@ -70,7 +70,7 @@
 
 4.12
 1.3
-1.46
+1.54
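Review bot: the changed line moves the version from 1.46 to 1.54 in a single step, and nothing in the hunk says what was rebuilt or retested against the new release. The element names are not visible in this rendering, so please confirm the property touched is the intended one (the PR title points at Bouncy Castle) and state in the commit message which certificate and key handling paths were exercised after the bump.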
--- End diff --

It appears that [1.55](http://search.maven.org/#artifactdetails%7Corg.bouncycastle%7Cbcprov-jdk14%7C1.55%7Cjar) has been released. Seems like a good idea to use the latest.




[GitHub] cloudstack issue #1666: CLOUDSTACK-9480: Egress Firewall: Incorrect use of A...

2016-09-13 Thread jburwell
Github user jburwell commented on the issue:

https://github.com/apache/cloudstack/pull/1666
  
@murali-reddy could you please investigate the cause of the Jenkins build 
failure?




Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
Ya, I can't find anything either.  So that means that we would be working
with the API of each component, which I don't really like.  It means we
don't have a single API endpoint to handle things like IPSec, etc (or even
an API at all for a lot of the functionality).  :(

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 3:52 PM, Marty Godsey  wrote:

> Since Cloudrouter has a full distro for Opendaylight would you use that
> for the API? But I can't find anything about the Cloudrouter API if it does
> have one.
>
> Regards,
> Marty Godsey
> nSource Solutions
>
> -Original Message-
> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> Behalf Of Will Stevens
> Sent: Tuesday, September 13, 2016 3:48 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> I can't seem to find any API documentation for CloudRouter.  Maybe my
> Google foo is weak.  Has anyone else found any usable docs on that?
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
> @CloudOps_
>
> On Tue, Sep 13, 2016 at 5:22 AM, Nux!  wrote:
>
> > Hi,
> >
> > I like the idea.
> >
> > Cloudrouter looks really promising, I'm not too keen on VyOS (it
> > doesn't have a proper http api etc).
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> > Nux!
> > www.nux.ro
> >
> > - Original Message -
> > > From: "Will Stevens" 
> > > To: dev@cloudstack.apache.org
> > > Sent: Monday, 12 September, 2016 21:20:11
> > > Subject: [DISCUSS] Replacing the VR
> >
> > > *Disclaimer:* This is a thought experiment and should be treated as
> such.
> > > Please weigh in with the good and bad of this idea...
> > >
> > > A couple of us have been discussing the idea of potentially
> > > replacing the ACS VR with the VyOS [1] (Open Source Vyatta VM).
> > > There may be a license issue because I think it is licensed under
> > > GPL, but for the sake of discussion, let's assume we can overcome any
> license issues.
> > >
> > > I have spent some time recently with the VyOS and I have to admit, I
> > > was pretty impressed.  It is simple and intuitive and it gives you a
> > > lot more options for auditing the configuration etc...
> > >
> > > Items of potential interest:
> > > - Clean up our current VR script spaghetti to a simpler more
> > > auditable configuration workflow.
> > > - Gives a cleaner path for IPv6 support.
> > > - Handles VPN configuration via the same configuration interface.
> > > - Support for OSPF & BGP.
> > > - VPN support through OpenVPN & StrongSwan.
> > > - Easily supports HA (redundant routers) through VRRP.
> > > - VXLAN support.
> > > - Transaction based changes to the VR with rollback on error.
> > >
> > > Items that could be difficult to solve:
> > > - Userdata password reset workflow and implementation.
> > > - Upgrade process.
> > >
> > > The VyOS is not the only option if we were to consider this approach.
> > > Another option, which I don't know as well, would be CloudRouter
> > > (AGPL
> > > license) [2] which is purely API driven.
> > >
> > > Anyway, would love to hear your thoughts...
> > >
> > > Will
> > >
> > > [1] https://vyos.io/
> > > [2] https://cloudrouter.org/
> >
>


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
I can't seem to find any API documentation for CloudRouter.  Maybe my
Google foo is weak.  Has anyone else found any usable docs on that?

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 5:22 AM, Nux!  wrote:

> Hi,
>
> I like the idea.
>
> Cloudrouter looks really promising, I'm not too keen on VyOS (it doesn't
> have a proper http api etc).
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Will Stevens" 
> > To: dev@cloudstack.apache.org
> > Sent: Monday, 12 September, 2016 21:20:11
> > Subject: [DISCUSS] Replacing the VR
>
> > *Disclaimer:* This is a thought experiment and should be treated as such.
> > Please weigh in with the good and bad of this idea...
> >
> > A couple of us have been discussing the idea of potentially replacing the
> > ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a license
> > issue because I think it is licensed under GPL, but for the sake of
> > discussion, let's assume we can overcome any license issues.
> >
> > I have spent some time recently with the VyOS and I have to admit, I was
> > pretty impressed.  It is simple and intuitive and it gives you a lot more
> > options for auditing the configuration etc...
> >
> > Items of potential interest:
> > - Clean up our current VR script spaghetti to a simpler more auditable
> > configuration workflow.
> > - Gives a cleaner path for IPv6 support.
> > - Handles VPN configuration via the same configuration interface.
> > - Support for OSPF & BGP.
> > - VPN support through OpenVPN & StrongSwan.
> > - Easily supports HA (redundant routers) through VRRP.
> > - VXLAN support.
> > - Transaction based changes to the VR with rollback on error.
> >
> > Items that could be difficult to solve:
> > - Userdata password reset workflow and implementation.
> > - Upgrade process.
> >
> > The VyOS is not the only option if we were to consider this approach.
> > Another option, which I don't know as well, would be CloudRouter (AGPL
> > license) [2] which is purely API driven.
> >
> > Anyway, would love to hear your thoughts...
> >
> > Will
> >
> > [1] https://vyos.io/
> > [2] https://cloudrouter.org/
>


RE: [DISCUSS] Replacing the VR

2016-09-13 Thread Marty Godsey
Since Cloudrouter has a full distro for Opendaylight would you use that for the 
API? But I can't find anything about the Cloudrouter API if it does have one.

Regards,
Marty Godsey
nSource Solutions

-Original Message-
From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On Behalf Of 
Will Stevens
Sent: Tuesday, September 13, 2016 3:48 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Replacing the VR

I can't seem to find any API documentation for CloudRouter.  Maybe my Google 
foo is weak.  Has anyone else found any usable docs on that?

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 5:22 AM, Nux!  wrote:

> Hi,
>
> I like the idea.
>
> Cloudrouter looks really promising, I'm not too keen on VyOS (it 
> doesn't have a proper http api etc).
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Will Stevens" 
> > To: dev@cloudstack.apache.org
> > Sent: Monday, 12 September, 2016 21:20:11
> > Subject: [DISCUSS] Replacing the VR
>
> > *Disclaimer:* This is a thought experiment and should be treated as such.
> > Please weigh in with the good and bad of this idea...
> >
> > A couple of us have been discussing the idea of potentially 
> > replacing the ACS VR with the VyOS [1] (Open Source Vyatta VM).  
> > There may be a license issue because I think it is licensed under 
> > GPL, but for the sake of discussion, let's assume we can overcome any 
> > license issues.
> >
> > I have spent some time recently with the VyOS and I have to admit, I 
> > was pretty impressed.  It is simple and intuitive and it gives you a 
> > lot more options for auditing the configuration etc...
> >
> > Items of potential interest:
> > - Clean up our current VR script spaghetti to a simpler more 
> > auditable configuration workflow.
> > - Gives a cleaner path for IPv6 support.
> > - Handles VPN configuration via the same configuration interface.
> > - Support for OSPF & BGP.
> > - VPN support through OpenVPN & StrongSwan.
> > - Easily supports HA (redundant routers) through VRRP.
> > - VXLAN support.
> > - Transaction based changes to the VR with rollback on error.
> >
> > Items that could be difficult to solve:
> > - Userdata password reset workflow and implementation.
> > - Upgrade process.
> >
> > The VyOS is not the only option if we were to consider this approach.
> > Another option, which I don't know as well, would be CloudRouter 
> > (AGPL
> > license) [2] which is purely API driven.
> >
> > Anyway, would love to hear your thoughts...
> >
> > Will
> >
> > [1] https://vyos.io/
> > [2] https://cloudrouter.org/
>


[GitHub] cloudstack issue #1591: Updating Alert codes

2016-09-13 Thread dcarbone
Github user dcarbone commented on the issue:

https://github.com/apache/cloudstack/pull/1591
  
squashed, pointing at 4.9, and commit amended.




Re: System VM's are getting stuck in starting mode

2016-09-13 Thread Simon Weller
This looks interesting to me:

  1. looking for pif for bridge virbr0
  2. 2016-09-13 19:22:09,833 DEBUG [kvm.resource.LibvirtComputingResource] (main:null) failing to get physical interface from bridge virbr0, did not find an eth*, bond*, team*, vlan*, em*, p*p*, ens*, eno*, enp*, or enx* in /sys/devices/virtual/net/virbr0/brif
  3. 2016-09-13 19:22:09,833 DEBUG [kvm.resource.LibvirtComputingResource] (main:null) looking for pif for bridge lxcbr0
  4. 2016-09-13 19:22:09,833 DEBUG [kvm.resource.LibvirtComputingResource] (main:null) failing to get physical interface from bridge


Can you post your interfaces and bridges please?


- Si



From: ned dogg 
Sent: Tuesday, September 13, 2016 1:27 PM
To: dev@cloudstack.apache.org
Subject: Re: System VM's are getting stuck in starting mode

Hi Simon,

Thanks for the reply. I changed the logging level to debug as per your
recommendation. Please find enclosed the link of my cloudstack-management
and cloudstack-agent respectively:
http://pastebin.com/gG1LRm0X
http://pastebin.com/zJ7CHhLD

On Mon, Sep 12, 2016 at 2:22 PM, Tutkowski, Mike 
wrote:

> Thanks
>
> Yeah, I wasn't sure if you just experienced it on reboot or if sometimes
> when setting up your cloud you encountered this issue, as well (like 9144).
> 
> From: ned dogg 
> Sent: Monday, September 12, 2016 6:08 AM
> To: dev@cloudstack.apache.org
> Subject: Re: System VM's are getting stuck in starting mode
>
> Hi Mike and thank you for the reply. Sorry but this issue is not similar
>  to mine, I already gave you the one which looks similar :
> https://issues.apache.org/jira/browse/CLOUDSTACK-7936
>
> On Sun, Sep 11, 2016 at 5:28 AM, Tutkowski, Mike <
> mike.tutkow...@netapp.com>
> wrote:
>
> > Is your issue similar to this one?
> >
> > https://issues.apache.org/jira/browse/CLOUDSTACK-9144
> > 
> > From: ned dogg 
> > Sent: Saturday, September 10, 2016 1:24 PM
> > To: dev@cloudstack.apache.org
> > Subject: System VM's are getting stuck in starting mode
> >
> > Hi Everybody,
> >
> > I'm a newbie on cloudstack. I started playing with this technology. For
> > that I installed both the management-server and the agent. I was able to
> > install and start them properly but I am unable to create any instance.
> > When I click on the instance menu, then click on add instance and next, I
> > have no templates presented to me. Thus I am stuck at this level. I don't
> > know what to do.
> >
> > I think that this issue is because my System VM gets stuck in the starting
> > mode. After some googling, I discovered that this is a known issue
> > https://issues.apache.org/jira/browse/CLOUDSTACK-7936. But this issue is
> > for cloudstack 4.4.1 but I'm using cloudstack 4.6. I was asking myself if
> > this issue is also common on cloudstack 4.6?
> >
> > Please, any help will be welcome.
> > Thanks.
> >
>
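
The check behind the agent log lines quoted at the top of this message, as an added example that is not part of the original thread and is not CloudStack's own code: it walks a sysfs-style directory and reports, for each bridge, whether any member name matches the patterns listed in the log line. The function names and the sample tree are constructed for illustration; only the pattern list and the `brif` path come from the log.

```shell
#!/bin/sh
# Added example: for each bridge under a sysfs-like root, report whether it has
# a member interface whose name matches the patterns quoted in the agent log
# (eth*, bond*, team*, vlan*, em*, p*p*, ens*, eno*, enp*, enx*).
# Assumption: the pattern list is copied from the log message; how the agent
# itself matches names is not shown in the thread.

# is_physical_name NAME -> exit 0 if NAME matches one of the logged patterns
is_physical_name() {
    case "$1" in
        eth*|bond*|team*|vlan*|em*|p*p*|ens*|eno*|enp*|enx*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_pif NET_ROOT BRIDGE -> prints the first matching member, exit 1 if none
find_pif() {
    brif="$1/$2/brif"
    [ -d "$brif" ] || return 1
    for member in "$brif"/*; do
        [ -e "$member" ] || continue      # empty brif: the glob did not expand
        name=${member##*/}
        if is_physical_name "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# report_bridges NET_ROOT -> one line per bridge: "<bridge> pif=<name|NONE>"
report_bridges() {
    for dir in "$1"/*; do
        [ -d "$dir/brif" ] || continue    # only bridges have a brif directory
        bridge=${dir##*/}
        if pif=$(find_pif "$1" "$bridge"); then
            printf '%s pif=%s\n' "$bridge" "$pif"
        else
            printf '%s pif=NONE\n' "$bridge"
        fi
    done
}

# build_sample_tree DIR -> constructed sample layout (not taken from the thread):
#   virbr0   has only virbr0-nic  -> no physical member
#   lxcbr0   has no members       -> no physical member
#   cloudbr0 has eth0             -> physical member found
#   lo       is not a bridge      -> skipped
build_sample_tree() {
    mkdir -p "$1/virbr0/brif/virbr0-nic" \
             "$1/lxcbr0/brif" \
             "$1/cloudbr0/brif/eth0" \
             "$1/lo"
}

# When a directory is given, report on it, e.g.:
#   sh check_bridges.sh /sys/devices/virtual/net
if [ -n "${1:-}" ]; then
    report_bridges "$1"
fi
```

A bridge reported as `pif=NONE` is one for which the agent would log the "failing to get physical interface" message shown above.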


[GitHub] cloudstack issue #1602: CLOUDSTACK-9422: Granular 'vmware.create.full.clone'...

2016-09-13 Thread serg38
Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/1602
  
LGTM for the testing. Smoke test results
```
test DeployVM in anti-affinity groups for project ... === TestName: 
test_DeployVmAntiAffinityGroup_in_project | Status : SUCCESS ===
test DeployVM in anti-affinity groups ... === TestName: 
test_DeployVmAntiAffinityGroup | Status : SUCCESS ===
Test Deploy Virtual Machine ... SKIP: Skipping test because suitable 
hypervisor/host notpresent
Test Deploy Virtual Machine from ISO ... === TestName: 
test_deploy_vm_from_iso | Status : SUCCESS ===
Test deploy virtual machine with root resize ... === TestName: 
test_00_deploy_vm_root_resize | Status : SUCCESS ===
Test proper failure to deploy virtual machine with rootdisksize of 0 ... 
=== TestName: test_01_deploy_vm_root_resize | Status : SUCCESS ===
Test proper failure to deploy virtual machine with rootdisksize less than 
template size ... === TestName: test_02_deploy_vm_root_resize | Status : 
SUCCESS ===
Test to deploy vm with a first fit offering ... === TestName: 
test_deployvm_firstfit | Status : SUCCESS ===
Test deploy VMs using user concentrated planner ... === TestName: 
test_deployvm_userconcentrated | Status : SUCCESS ===
Test deploy VMs using user dispersion planner ... === TestName: 
test_deployvm_userdispersing | Status : SUCCESS ===
Test userdata as GET, size > 2k ... === TestName: test_deployvm_userdata | 
Status : SUCCESS ===
Test userdata as POST, size > 2k ... === TestName: 
test_deployvm_userdata_post | Status : SUCCESS ===
Test to create disk offering ... === TestName: test_01_create_disk_offering 
| Status : SUCCESS ===
Test to create  a sparse type disk offering ... === TestName: 
test_02_create_sparse_type_disk_offering | Status : SUCCESS ===
Test to create  a sparse type disk offering ... === TestName: 
test_04_create_fat_type_disk_offering | Status : SUCCESS ===
Test to update existing disk offering ... === TestName: 
test_02_edit_disk_offering | Status : SUCCESS ===
Test to delete disk offering ... === TestName: test_03_delete_disk_offering 
| Status : SUCCESS ===
Test to ensure 4 default roles cannot be deleted ... SKIP: Dynamic 
Role-Based API checker not enabled, skipping test
Test to check role, role permissions and account life cycles ... SKIP: 
Dynamic Role-Based API checker not enabled, skipping test
Test for role-rule enforcement in case of multiple mgmt servers ... SKIP: 
Dynamic Role-Based API checker not enabled, skipping test
Test to ensure role in use cannot be deleted ... SKIP: Dynamic Role-Based 
API checker not enabled, skipping test
Tests normal lifecycle operations for roles ... SKIP: Dynamic Role-Based 
API checker not enabled, skipping test
Tests role update ... SKIP: Dynamic Role-Based API checker not enabled, 
skipping test
Tests that default four roles exist ... SKIP: Dynamic Role-Based API 
checker not enabled, skipping test
Tests role update ... SKIP: Dynamic Role-Based API checker not enabled, 
skipping test
Tests role update when role is in use by an account ... SKIP: Dynamic 
Role-Based API checker not enabled, skipping test
Tests concurrent order updation of role permission ... SKIP: Dynamic 
Role-Based API checker not enabled, skipping test
Tests creation of role permission ... SKIP: Dynamic Role-Based API checker 
not enabled, skipping test
Tests deletion of role permission ... SKIP: Dynamic Role-Based API checker 
not enabled, skipping test
Tests listing of default role's permission ... SKIP: Dynamic Role-Based API 
checker not enabled, skipping test
Tests order updation of role permission ... SKIP: Dynamic Role-Based API 
checker not enabled, skipping test
test update configuration setting at zone level scope ... === TestName: 
test_UpdateConfigParamWithScope | Status : SUCCESS ===
Test guest vlan range dedication ... === TestName: 
test_dedicateGuestVlanRange | Status : SUCCESS ===
Test create public & private ISO ... === TestName: test_01_create_iso | 
Status : SUCCESS ===
Test Edit ISO ... === TestName: test_02_edit_iso | Status : SUCCESS ===
Test delete ISO ... === TestName: test_03_delete_iso | Status : SUCCESS ===
Test for extract ISO ... === TestName: test_04_extract_Iso | Status : 
SUCCESS ===
Update & Test for ISO permissions ... === TestName: test_05_iso_permissions 
| Status : SUCCESS ===
Test for copy ISO from one zone to another ... SKIP: Not enough zones 
available to perform copy template
Test delete ISO ... === TestName: test_07_list_default_iso | Status : 
SUCCESS ===
Test listing Volumes using 'ids' parameter ... === TestName: 
test_01_list_volumes | Status : SUCCESS ===
Test listing Templates using 'ids' parameter ... === TestName: 
test_02_list_templates | Status : SUCCESS ===
Test listing Snapshots using 'ids' parameter ... === TestName: 
```

builds.cloudstack.org (new jenkins system)

2016-09-13 Thread Pierre-Luc Dion
Hi,

We now have a nice URL pointing to the replacement Jenkins of j.bac.o:
builds.cloudstack.org

I'll make sure to enable SSL for user authentication. Whoever is a committer
and wants admin access to Jenkins, let me know. If you have a CI system that
we could leverage via a centralized portal, feel free to post on dev@.

Cheers,

PL


Re: System VM's are getting stuck in starting mode

2016-09-13 Thread ned dogg
Hi Simon,

Thanks for the reply. I changed the logging level to debug as per your
recommendation. Please find enclosed the link of my cloudstack-management
and cloudstack-agent respectively:
http://pastebin.com/gG1LRm0X
http://pastebin.com/zJ7CHhLD

On Mon, Sep 12, 2016 at 2:22 PM, Tutkowski, Mike 
wrote:

> Thanks
>
> Yeah, I wasn't sure if you just experienced it on reboot or if sometimes
> when setting up your cloud you encountered this issue, as well (like 9144).
> 
> From: ned dogg 
> Sent: Monday, September 12, 2016 6:08 AM
> To: dev@cloudstack.apache.org
> Subject: Re: System VM's are getting stuck in starting mode
>
> Hi Mike and thank you for the reply. Sorry but this issue is not similar
>  to mine, I already gave you the one which looks similar :
> https://issues.apache.org/jira/browse/CLOUDSTACK-7936
>
> On Sun, Sep 11, 2016 at 5:28 AM, Tutkowski, Mike <
> mike.tutkow...@netapp.com>
> wrote:
>
> > Is your issue similar to this one?
> >
> > https://issues.apache.org/jira/browse/CLOUDSTACK-9144
> > 
> > From: ned dogg 
> > Sent: Saturday, September 10, 2016 1:24 PM
> > To: dev@cloudstack.apache.org
> > Subject: System VM's are getting stuck in starting mode
> >
> > Hi Everybody,
> >
> > I'm a newbie on cloudstack. I started playing with this technology. For
> > that I installed both the management-server and the agent. I was able to
> > install and start them properly but I am unable to create any instance.
> > When I click on the instance menu, then click on add instance and next, I
> > have no templates presented to me. Thus I am stuck at this level. I don't
> > know what to do.
> >
> > I think that this issue is because my System VM gets stuck in the starting
> > mode. After some googling, I discovered that this is a known issue
> > https://issues.apache.org/jira/browse/CLOUDSTACK-7936. But this issue is
> > for cloudstack 4.4.1 but I'm using cloudstack 4.6. I was asking myself if
> > this issue is also common on cloudstack 4.6?
> >
> > Please, any help will be welcome.
> > Thanks.
> >
>


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
I think there are other options for the vyos, but none are elegant from
what I have seen so far.

On Sep 13, 2016 1:14 PM, "Will Stevens"  wrote:

> Yes, not pretty, but this would probably be the best option for remote
> management of the vyos.
>
> https://github.com/vyos/python-vyos-mgmt
>
> On Sep 13, 2016 1:08 PM, "Simon Weller"  wrote:
>
>> Yeah, today, the agent uses a script to inject CLI via ssh into the VR.
>> It's really (did I mention really) ugly.
>>
>> 
>> From: Marty Godsey 
>> Sent: Tuesday, September 13, 2016 12:05 PM
>> To: dev@cloudstack.apache.org
>> Subject: RE: [DISCUSS] Replacing the VR
>>
>> So it looks like we are eliminating CloudRouter. Too many missing or non
>> API managed features.
>>
>> But in reading VyOS, it also does not have a remote management API so
>> this would have to be a "SSH to CLI" job.
>>
>> If I am not mistaken is this how it's done now?
>>
>> -Original Message-
>> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
>> Behalf Of Will Stevens
>> Sent: Tuesday, September 13, 2016 12:58 PM
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] Replacing the VR
>>
>> Judging from this, it does not look like IPSec is managed via the API
>> though:
>> https://cloudrouter.atlassian.net/wiki/display/CPD/Bridging+
>> Public+Clouds+with+CloudRouter
>>
>> I believe it is also missing VXLAN and VRRP, but I have not dug into it
>> yet.
>>
>> *Will STEVENS*
>> Lead Developer
>>
>> *CloudOps* *| *Cloud Solutions Experts
>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
>> @CloudOps_
>>
>> On Tue, Sep 13, 2016 at 12:53 PM, Marty Godsey 
>> wrote:
>>
>> > It does.. Its under Secure Connectivity.
>> >
>> > -Original Message-
>> > From: Syed Ahmed [mailto:sah...@cloudops.com]
>> > Sent: Tuesday, September 13, 2016 12:49 PM
>> > To: dev@cloudstack.apache.org
>> > Subject: Re: [DISCUSS] Replacing the VR
>> >
>> > Does CloudRouter provide VPN (site-site and client)? Looking from
>> > their website I don't seem to find it. Also, missing is VVRP for
>> > redundancy. Has anyone used it for this?
>> >
>> > On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad
>> > 
>> > wrote:
>> >
>> > > +1 on cloudrouter. We have been looking at this as a potential
>> > > replacement/addon to our existing VRs.
>> > >
>> > > On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens
>> > > 
>> > > wrote:
>> > >
>> > > > yes, technically we should be able to just make a new VR
>> > > > implementation available and then when people create their network
>> > > > offerings, they just pick which VR implementation they want to use
>> > > > for the different capabilities.
>> > > >
>> > > > *Will STEVENS*
>> > > > Lead Developer
>> > > >
>> > > > *CloudOps* *| *Cloud Solutions Experts
>> > > > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
>> > > > tw @CloudOps_
>> > > >
>> > > > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
>> > > > dwri...@untangledtechnology.com> wrote:
>> > > >
>> > > > > I would like to see a "virtual router offering" in the UI which
>> > > > > lets
>> > > you
>> > > > > pick the legacy VR or your own. Probably a component of the
>> > > > > network offering. I've had many cases were I needed Mikrotik
>> > > > > RouterOS or
>> > > pfSense
>> > > > to
>> > > > > match a clients on-premise gear. ACS should find a way to stay
>> > > > > agnostic IMO.
>> > > > >
>> > > > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey
>> > > > > 
>> > > > > wrote:
>> > > > >
>> > > > > > I like this idea as well. I would be willing to test both VyOS
>> > > > > > and Cloudrouter if you need an active service to test with.
>> > > > > > Specifically
>> > > I
>> > > > am
>> > > > > > looking to test IPv6 since I provide IPv6 /64 spaces to my
>> > > > > > customers
>> > > > and
>> > > > > I
>> > > > > > am having to provide it via an external router at the moment
>> > > > > > which
>> > > has
>> > > > a
>> > > > > > lot of manual configurations.
>> > > > > >
>> > > > > > Let me know if I can help in anyway.
>> > > > > >
>> > > > > > -Original Message-
>> > > > > > From: Will Stevens [mailto:williamstev...@gmail.com]
>> > > > > > Sent: Tuesday, September 13, 2016 7:21 AM
>> > > > > > To: dev@cloudstack.apache.org
>> > > > > > Subject: Re: [DISCUSS] Replacing the VR
>> > > > > >
>> > > > > > Ya. If we go this way, I like the approach of building the
>> > > integration
>> > > > > and
>> > > > > > putting it through its paces as a stand alone VR before we
>> > > > > > consider replacing the old VR and making it the default.
>> > > > > >
>> > > > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
>> > > jayapal.ur...@accelerite.com
>> > > > >
>> > > > > > wrote:
>> > > > > >
>> > > > > > > Hi,
>> > > > > > >
>> > > > > > > Instead of replacing the VR in first place we 

Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
Yes, not pretty, but this would probably be the best option for remote
management of the vyos.

https://github.com/vyos/python-vyos-mgmt

On Sep 13, 2016 1:08 PM, "Simon Weller"  wrote:

> Yeah, today, the agent uses a script to inject CLI via ssh into the VR.
> It's really (did I mention really) ugly.
>
> 
> From: Marty Godsey 
> Sent: Tuesday, September 13, 2016 12:05 PM
> To: dev@cloudstack.apache.org
> Subject: RE: [DISCUSS] Replacing the VR
>
> So it looks like we are eliminating CloudRouter. Too many missing or non
> API managed features.
>
> But in reading VyOS, it also does not have a remote management API so this
> would have to be a "SSH to CLI" job.
>
> If I am not mistaken is this how it's done now?
>
> -Original Message-
> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> Behalf Of Will Stevens
> Sent: Tuesday, September 13, 2016 12:58 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> Judging from this, it does not look like IPSec is managed via the API
> though:
> https://cloudrouter.atlassian.net/wiki/display/CPD/Bridging+
> Public+Clouds+with+CloudRouter
>
> I believe it is also missing VXLAN and VRRP, but I have not dug into it
> yet.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
> @CloudOps_
>
> On Tue, Sep 13, 2016 at 12:53 PM, Marty Godsey 
> wrote:
>
> > It does.. Its under Secure Connectivity.
> >
> > -Original Message-
> > From: Syed Ahmed [mailto:sah...@cloudops.com]
> > Sent: Tuesday, September 13, 2016 12:49 PM
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Replacing the VR
> >
> > Does CloudRouter provide VPN (site-site and client)? Looking from
> > their website I don't seem to find it. Also, missing is VVRP for
> > redundancy. Has anyone used it for this?
> >
> > On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad
> > 
> > wrote:
> >
> > > +1 on cloudrouter. We have been looking at this as a potential
> > > replacement/addon to our existing VRs.
> > >
> > > On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens
> > > 
> > > wrote:
> > >
> > > > yes, technically we should be able to just make a new VR
> > > > implementation available and then when people create their network
> > > > offerings, they just pick which VR implementation they want to use
> > > > for the different capabilities.
> > > >
> > > > *Will STEVENS*
> > > > Lead Developer
> > > >
> > > > *CloudOps* *| *Cloud Solutions Experts
> > > > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
> > > > tw @CloudOps_
> > > >
> > > > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
> > > > dwri...@untangledtechnology.com> wrote:
> > > >
> > > > > I would like to see a "virtual router offering" in the UI which
> > > > > lets
> > > you
> > > > > pick the legacy VR or your own. Probably a component of the
> > > > > network offering. I've had many cases were I needed Mikrotik
> > > > > RouterOS or
> > > pfSense
> > > > to
> > > > > match a clients on-premise gear. ACS should find a way to stay
> > > > > agnostic IMO.
> > > > >
> > > > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey
> > > > > 
> > > > > wrote:
> > > > >
> > > > > > I like this idea as well. I would be willing to test both VyOS
> > > > > > and Cloudrouter if you need an active service to test with.
> > > > > > Specifically
> > > I
> > > > am
> > > > > > looking to test IPv6 since I provide IPv6 /64 spaces to my
> > > > > > customers
> > > > and
> > > > > I
> > > > > > am having to provide it via an external router at the moment
> > > > > > which
> > > has
> > > > a
> > > > > > lot of manual configurations.
> > > > > >
> > > > > > Let me know if I can help in anyway.
> > > > > >
> > > > > > -Original Message-
> > > > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > > > To: dev@cloudstack.apache.org
> > > > > > Subject: Re: [DISCUSS] Replacing the VR
> > > > > >
> > > > > > Ya. If we go this way, I like the approach of building the
> > > integration
> > > > > and
> > > > > > putting it through its paces as a stand alone VR before we
> > > > > > consider replacing the old VR and making it the default.
> > > > > >
> > > > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> > > jayapal.ur...@accelerite.com
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > Instead of replacing the VR in first place we should add
> > > > > > > VyOS/cloudrouter as provider. Once it is stable, network
> > > > > > > offerings
> > > > (on
> > > > > > > upgrade) can be updated to use it and we can drop the VR if
> > > > > > > we want
> > > > at
> > > > > > that release onwards.
> > > > > > >
> > > > > > > VR is stabilized over a period of 

RE: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
I am trying to find their api documentation to get a feel for what
cloudrouter can do via the API.

On Sep 13, 2016 1:05 PM, "Marty Godsey"  wrote:

> So it looks like we are eliminating CloudRouter. Too many missing or non
> API managed features.
>
> But in reading VyOS, it also does not have a remote management API so this
> would have to be a "SSH to CLI" job.
>
> If I am not mistaken is this how it's done now?
>
> -Original Message-
> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> Behalf Of Will Stevens
> Sent: Tuesday, September 13, 2016 12:58 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> Judging from this, it does not look like IPSec is managed via the API
> though:
> https://cloudrouter.atlassian.net/wiki/display/CPD/Bridging+
> Public+Clouds+with+CloudRouter
>
> I believe it is also missing VXLAN and VRRP, but I have not dug into it
> yet.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
> @CloudOps_
>
> On Tue, Sep 13, 2016 at 12:53 PM, Marty Godsey 
> wrote:
>
> > It does. It's under Secure Connectivity.
> >
> > -Original Message-
> > From: Syed Ahmed [mailto:sah...@cloudops.com]
> > Sent: Tuesday, September 13, 2016 12:49 PM
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Replacing the VR
> >
> > Does CloudRouter provide VPN (site-site and client)? Looking from
> > their website I don't seem to find it. Also, missing is VRRP for
> > redundancy. Has anyone used it for this?
> >
> > On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad
> > 
> > wrote:
> >
> > > +1 on cloudrouter. We have been looking at this as a potential
> > > replacement/addon to our existing VRs.
> > >
> > > On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens
> > > 
> > > wrote:
> > >
> > > > yes, technically we should be able to just make a new VR
> > > > implementation available and then when people create their network
> > > > offerings, they just pick which VR implementation they want to use
> > > > for the different capabilities.
> > > >
> > > > *Will STEVENS*
> > > > Lead Developer
> > > >
> > > > *CloudOps* *| *Cloud Solutions Experts
> > > > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
> > > > tw @CloudOps_
> > > >
> > > > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
> > > > dwri...@untangledtechnology.com> wrote:
> > > >
> > > > > I would like to see a "virtual router offering" in the UI which
> > > > > lets
> > > you
> > > > > pick the legacy VR or your own. Probably a component of the
> > > > > network offering. I've had many cases were I needed Mikrotik
> > > > > RouterOS or
> > > pfSense
> > > > to
> > > > > match a clients on-premise gear. ACS should find a way to stay
> > > > > agnostic IMO.
> > > > >
> > > > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey
> > > > > 
> > > > > wrote:
> > > > >
> > > > > > I like this idea as well. I would be willing to test both VyOS
> > > > > > and Cloudrouter if you need an active service to test with.
> > > > > > Specifically
> > > I
> > > > am
> > > > > > looking to test IPv6 since I provide IPv6 /64 spaces to my
> > > > > > customers
> > > > and
> > > > > I
> > > > > > am having to provide it via an external router at the moment
> > > > > > which
> > > has
> > > > a
> > > > > > lot of manual configurations.
> > > > > >
> > > > > > Let me know if I can help in anyway.
> > > > > >
> > > > > > -Original Message-
> > > > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > > > To: dev@cloudstack.apache.org
> > > > > > Subject: Re: [DISCUSS] Replacing the VR
> > > > > >
> > > > > > Ya. If we go this way, I like the approach of building the
> > > integration
> > > > > and
> > > > > > putting it through its paces as a stand alone VR before we
> > > > > > consider replacing the old VR and making it the default.
> > > > > >
> > > > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> > > jayapal.ur...@accelerite.com
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > Instead of replacing the VR in first place we should add
> > > > > > > VyOS/cloudrouter as provider. Once it is stable, network
> > > > > > > offerings
> > > > (on
> > > > > > > upgrade) can be updated to use it and we can drop the VR if
> > > > > > > we want
> > > > at
> > > > > > that release onwards.
> > > > > > >
> > > > > > > VR is stabilized over a period of time and some of them are
> > > > > > > running without issues.  When we replicate the ACS VR
> > > > > > > features in new
> > > > solution
> > > > > > > it takes some to find the missing pieces (hidden bugs).
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Jayapal
> > > > > > >
> > > > > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > > > > >
> 

RE: [DISCUSS] Replacing the VR

2016-09-13 Thread Marty Godsey
So it looks like we are eliminating CloudRouter. Too many missing or non API 
managed features.

But in reading VyOS, it also does not have a remote management API so this 
would have to be a "SSH to CLI" job.

If I am not mistaken is this how it's done now?

-Original Message-
From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On Behalf Of 
Will Stevens
Sent: Tuesday, September 13, 2016 12:58 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Replacing the VR

Judging from this, it does not look like IPSec is managed via the API
though:
https://cloudrouter.atlassian.net/wiki/display/CPD/Bridging+Public+Clouds+with+CloudRouter

I believe it is also missing VXLAN and VRRP, but I have not dug into it yet.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 12:53 PM, Marty Godsey  wrote:

> It does. It's under Secure Connectivity.
>
> -Original Message-
> From: Syed Ahmed [mailto:sah...@cloudops.com]
> Sent: Tuesday, September 13, 2016 12:49 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> Does CloudRouter provide VPN (site-site and client)? Looking from 
> their website I don't seem to find it. Also, missing is VRRP for 
> redundancy. Has anyone used it for this?
>
> On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad 
> 
> wrote:
>
> > +1 on cloudrouter. We have been looking at this as a potential
> > replacement/addon to our existing VRs.
> >
> > On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens 
> > 
> > wrote:
> >
> > > yes, technically we should be able to just make a new VR 
> > > implementation available and then when people create their network 
> > > offerings, they just pick which VR implementation they want to use 
> > > for the different capabilities.
> > >
> > > *Will STEVENS*
> > > Lead Developer
> > >
> > > *CloudOps* *| *Cloud Solutions Experts
> > > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* 
> > > tw @CloudOps_
> > >
> > > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright < 
> > > dwri...@untangledtechnology.com> wrote:
> > >
> > > > I would like to see a "virtual router offering" in the UI which 
> > > > lets
> > you
> > > > pick the legacy VR or your own. Probably a component of the 
> > > > network offering. I've had many cases were I needed Mikrotik 
> > > > RouterOS or
> > pfSense
> > > to
> > > > match a clients on-premise gear. ACS should find a way to stay 
> > > > agnostic IMO.
> > > >
> > > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> > > > 
> > > > wrote:
> > > >
> > > > > I like this idea as well. I would be willing to test both VyOS 
> > > > > and Cloudrouter if you need an active service to test with.
> > > > > Specifically
> > I
> > > am
> > > > > looking to test IPv6 since I provide IPv6 /64 spaces to my 
> > > > > customers
> > > and
> > > > I
> > > > > am having to provide it via an external router at the moment 
> > > > > which
> > has
> > > a
> > > > > lot of manual configurations.
> > > > >
> > > > > Let me know if I can help in anyway.
> > > > >
> > > > > -Original Message-
> > > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > > To: dev@cloudstack.apache.org
> > > > > Subject: Re: [DISCUSS] Replacing the VR
> > > > >
> > > > > Ya. If we go this way, I like the approach of building the
> > integration
> > > > and
> > > > > putting it through its paces as a stand alone VR before we 
> > > > > consider replacing the old VR and making it the default.
> > > > >
> > > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> > jayapal.ur...@accelerite.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Instead of replacing the VR in first place we should add 
> > > > > > VyOS/cloudrouter as provider. Once it is stable, network 
> > > > > > offerings
> > > (on
> > > > > > upgrade) can be updated to use it and we can drop the VR if 
> > > > > > we want
> > > at
> > > > > that release onwards.
> > > > > >
> > > > > > VR is stabilized over a period of time and some of them are 
> > > > > > running without issues.  When we replicate the ACS VR 
> > > > > > features in new
> > > solution
> > > > > > it takes some to find the missing pieces (hidden bugs).
> > > > > >
> > > > > > Thanks,
> > > > > > Jayapal
> > > > > >
> > > > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > > > >
> > > > > > > n...@li.nux.ro> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I like the idea.
> > > > > > >
> > > > > > > Cloudrouter looks really promising, I'm not too keen on 
> > > > > > > VyOS (it doesn't
> > > > > > have a proper http api etc).
> > > > > > >
> > > > > > > --
> > > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > > >
> > > > > > > Nux!
> > > > > > > 

Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
Judging from this, it does not look like IPSec is managed via the API
though:
https://cloudrouter.atlassian.net/wiki/display/CPD/Bridging+Public+Clouds+with+CloudRouter

I believe it is also missing VXLAN and VRRP, but I have not dug into it yet.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 12:53 PM, Marty Godsey  wrote:

> It does. It's under Secure Connectivity.
>
> -Original Message-
> From: Syed Ahmed [mailto:sah...@cloudops.com]
> Sent: Tuesday, September 13, 2016 12:49 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> Does CloudRouter provide VPN (site-site and client)? Looking from their
> website I don't seem to find it. Also, missing is VRRP for redundancy. Has
> anyone used it for this?
>
> On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad 
> wrote:
>
> > +1 on cloudrouter. We have been looking at this as a potential
> > replacement/addon to our existing VRs.
> >
> > On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens 
> > wrote:
> >
> > > yes, technically we should be able to just make a new VR
> > > implementation available and then when people create their network
> > > offerings, they just pick which VR implementation they want to use
> > > for the different capabilities.
> > >
> > > *Will STEVENS*
> > > Lead Developer
> > >
> > > *CloudOps* *| *Cloud Solutions Experts
> > > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
> > > tw @CloudOps_
> > >
> > > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
> > > dwri...@untangledtechnology.com> wrote:
> > >
> > > > I would like to see a "virtual router offering" in the UI which
> > > > lets
> > you
> > > > pick the legacy VR or your own. Probably a component of the
> > > > network offering. I've had many cases were I needed Mikrotik
> > > > RouterOS or
> > pfSense
> > > to
> > > > match a clients on-premise gear. ACS should find a way to stay
> > > > agnostic IMO.
> > > >
> > > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey
> > > > 
> > > > wrote:
> > > >
> > > > > I like this idea as well. I would be willing to test both VyOS
> > > > > and Cloudrouter if you need an active service to test with.
> > > > > Specifically
> > I
> > > am
> > > > > looking to test IPv6 since I provide IPv6 /64 spaces to my
> > > > > customers
> > > and
> > > > I
> > > > > am having to provide it via an external router at the moment
> > > > > which
> > has
> > > a
> > > > > lot of manual configurations.
> > > > >
> > > > > Let me know if I can help in anyway.
> > > > >
> > > > > -Original Message-
> > > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > > To: dev@cloudstack.apache.org
> > > > > Subject: Re: [DISCUSS] Replacing the VR
> > > > >
> > > > > Ya. If we go this way, I like the approach of building the
> > integration
> > > > and
> > > > > putting it through its paces as a stand alone VR before we
> > > > > consider replacing the old VR and making it the default.
> > > > >
> > > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> > jayapal.ur...@accelerite.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Instead of replacing the VR in first place we should add
> > > > > > VyOS/cloudrouter as provider. Once it is stable, network
> > > > > > offerings
> > > (on
> > > > > > upgrade) can be updated to use it and we can drop the VR if we
> > > > > > want
> > > at
> > > > > that release onwards.
> > > > > >
> > > > > > VR is stabilized over a period of time and some of them are
> > > > > > running without issues.  When we replicate the ACS VR features
> > > > > > in new
> > > solution
> > > > > > it takes some to find the missing pieces (hidden bugs).
> > > > > >
> > > > > > Thanks,
> > > > > > Jayapal
> > > > > >
> > > > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > > > >
> > > > > > > n...@li.nux.ro> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I like the idea.
> > > > > > >
> > > > > > > Cloudrouter looks really promising, I'm not too keen on VyOS
> > > > > > > (it doesn't
> > > > > > have a proper http api etc).
> > > > > > >
> > > > > > > --
> > > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > > >
> > > > > > > Nux!
> > > > > > > www.nux.ro
> > > > > > >
> > > > > > > - Original Message -
> > > > > > >> From: "Will Stevens" 
> > > > > > >> To: dev@cloudstack.apache.org
> > > > > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > > > > >> Subject: [DISCUSS] Replacing the VR
> > > > > > >
> > > > > > >> *Disclaimer:* This is a thought experiment and should be
> > > > > > >> treated
> > > as
> > > > > > such.
> > > > > > >> Please weigh in with the good and bad of this idea...
> > > > > > >>
> > > > > > >> A couple 

RE: [DISCUSS] Replacing the VR

2016-09-13 Thread Marty Godsey
It does. It's under Secure Connectivity.

-Original Message-
From: Syed Ahmed [mailto:sah...@cloudops.com] 
Sent: Tuesday, September 13, 2016 12:49 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Replacing the VR

Does CloudRouter provide VPN (site-site and client)? Looking from their website 
I don't seem to find it. Also, missing is VRRP for redundancy. Has anyone used 
it for this?

On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad 
wrote:

> +1 on cloudrouter. We have been looking at this as a potential
> replacement/addon to our existing VRs.
>
> On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens 
> wrote:
>
> > yes, technically we should be able to just make a new VR 
> > implementation available and then when people create their network 
> > offerings, they just pick which VR implementation they want to use 
> > for the different capabilities.
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* 
> > tw @CloudOps_
> >
> > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright < 
> > dwri...@untangledtechnology.com> wrote:
> >
> > > I would like to see a "virtual router offering" in the UI which 
> > > lets
> you
> > > pick the legacy VR or your own. Probably a component of the 
> > > network offering. I've had many cases were I needed Mikrotik 
> > > RouterOS or
> pfSense
> > to
> > > match a clients on-premise gear. ACS should find a way to stay 
> > > agnostic IMO.
> > >
> > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> > > 
> > > wrote:
> > >
> > > > I like this idea as well. I would be willing to test both VyOS 
> > > > and Cloudrouter if you need an active service to test with. 
> > > > Specifically
> I
> > am
> > > > looking to test IPv6 since I provide IPv6 /64 spaces to my 
> > > > customers
> > and
> > > I
> > > > am having to provide it via an external router at the moment 
> > > > which
> has
> > a
> > > > lot of manual configurations.
> > > >
> > > > Let me know if I can help in anyway.
> > > >
> > > > -Original Message-
> > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > To: dev@cloudstack.apache.org
> > > > Subject: Re: [DISCUSS] Replacing the VR
> > > >
> > > > Ya. If we go this way, I like the approach of building the
> integration
> > > and
> > > > putting it through its paces as a stand alone VR before we 
> > > > consider replacing the old VR and making it the default.
> > > >
> > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> jayapal.ur...@accelerite.com
> > >
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Instead of replacing the VR in first place we should add 
> > > > > VyOS/cloudrouter as provider. Once it is stable, network 
> > > > > offerings
> > (on
> > > > > upgrade) can be updated to use it and we can drop the VR if we 
> > > > > want
> > at
> > > > that release onwards.
> > > > >
> > > > > VR is stabilized over a period of time and some of them are 
> > > > > running without issues.  When we replicate the ACS VR features 
> > > > > in new
> > solution
> > > > > it takes some to find the missing pieces (hidden bugs).
> > > > >
> > > > > Thanks,
> > > > > Jayapal
> > > > >
> > > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > > >
> > > > > > n...@li.nux.ro> wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I like the idea.
> > > > > >
> > > > > > Cloudrouter looks really promising, I'm not too keen on VyOS 
> > > > > > (it doesn't
> > > > > have a proper http api etc).
> > > > > >
> > > > > > --
> > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > >
> > > > > > Nux!
> > > > > > www.nux.ro
> > > > > >
> > > > > > - Original Message -
> > > > > >> From: "Will Stevens" 
> > > > > >> To: dev@cloudstack.apache.org
> > > > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > > > >> Subject: [DISCUSS] Replacing the VR
> > > > > >
> > > > > >> *Disclaimer:* This is a thought experiment and should be 
> > > > > >> treated
> > as
> > > > > such.
> > > > > >> Please weigh in with the good and bad of this idea...
> > > > > >>
> > > > > >> A couple of us have been discussing the idea of potentially 
> > > > > >> replacing
> > > > > the
> > > > > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There 
> > > > > >> may be
> a
> > > > > license
> > > > > >> issue because I think it is licensed under GPL, but for the 
> > > > > >> sake
> > of
> > > > > >> discussion, let's assume we can overcome any license issues.
> > > > > >>
> > > > > >> I have spent some time recently with the VyOS and I have to
> admit,
> > > > > >> I was pretty impressed.  It is simple and intuitive and it 
> > > > > >> gives you a lot
> > > > > more
> > > > > >> options for auditing the configuration etc...
> > > > > >>
> > > > > >> Items of potential interest:
> > > > > >> - Clean 

Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Syed Ahmed
Does CloudRouter provide VPN (site-site and client)? Looking from their
website I don't seem to find it. Also, missing is VRRP for redundancy. Has
anyone used it for this?

On Tue, Sep 13, 2016 at 12:43 PM, Zaeem Arshad 
wrote:

> +1 on cloudrouter. We have been looking at this as a potential
> replacement/addon to our existing VRs.
>
> On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens 
> wrote:
>
> > yes, technically we should be able to just make a new VR implementation
> > available and then when people create their network offerings, they just
> > pick which VR implementation they want to use for the different
> > capabilities.
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> > w cloudops.com *|* tw @CloudOps_
> >
> > On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
> > dwri...@untangledtechnology.com> wrote:
> >
> > > I would like to see a "virtual router offering" in the UI which lets
> you
> > > pick the legacy VR or your own. Probably a component of the network
> > > offering. I've had many cases were I needed Mikrotik RouterOS or
> pfSense
> > to
> > > match a clients on-premise gear. ACS should find a way to stay agnostic
> > > IMO.
> > >
> > > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> > > wrote:
> > >
> > > > I like this idea as well. I would be willing to test both VyOS and
> > > > Cloudrouter if you need an active service to test with. Specifically
> I
> > am
> > > > looking to test IPv6 since I provide IPv6 /64 spaces to my customers
> > and
> > > I
> > > > am having to provide it via an external router at the moment which
> has
> > a
> > > > lot of manual configurations.
> > > >
> > > > Let me know if I can help in anyway.
> > > >
> > > > -Original Message-
> > > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > > To: dev@cloudstack.apache.org
> > > > Subject: Re: [DISCUSS] Replacing the VR
> > > >
> > > > Ya. If we go this way, I like the approach of building the
> integration
> > > and
> > > > putting it through its paces as a stand alone VR before we consider
> > > > replacing the old VR and making it the default.
> > > >
> > > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" <
> jayapal.ur...@accelerite.com
> > >
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Instead of replacing the VR in first place we should add
> > > > > VyOS/cloudrouter as provider. Once it is stable, network offerings
> > (on
> > > > > upgrade) can be updated to use it and we can drop the VR if we want
> > at
> > > > that release onwards.
> > > > >
> > > > > VR is stabilized over a period of time and some of them are running
> > > > > without issues.  When we replicate the ACS VR features in new
> > solution
> > > > > it takes some to find the missing pieces (hidden bugs).
> > > > >
> > > > > Thanks,
> > > > > Jayapal
> > > > >
> > > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > > >
> > > > > > n...@li.nux.ro> wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I like the idea.
> > > > > >
> > > > > > Cloudrouter looks really promising, I'm not too keen on VyOS (it
> > > > > > doesn't
> > > > > have a proper http api etc).
> > > > > >
> > > > > > --
> > > > > > Sent from the Delta quadrant using Borg technology!
> > > > > >
> > > > > > Nux!
> > > > > > www.nux.ro
> > > > > >
> > > > > > - Original Message -
> > > > > >> From: "Will Stevens" 
> > > > > >> To: dev@cloudstack.apache.org
> > > > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > > > >> Subject: [DISCUSS] Replacing the VR
> > > > > >
> > > > > >> *Disclaimer:* This is a thought experiment and should be treated
> > as
> > > > > such.
> > > > > >> Please weigh in with the good and bad of this idea...
> > > > > >>
> > > > > >> A couple of us have been discussing the idea of potentially
> > > > > >> replacing
> > > > > the
> > > > > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be
> a
> > > > > license
> > > > > >> issue because I think it is licensed under GPL, but for the sake
> > of
> > > > > >> discussion, let's assume we can overcome any license issues.
> > > > > >>
> > > > > >> I have spent some time recently with the VyOS and I have to
> admit,
> > > > > >> I was pretty impressed.  It is simple and intuitive and it gives
> > > > > >> you a lot
> > > > > more
> > > > > >> options for auditing the configuration etc...
> > > > > >>
> > > > > >> Items of potential interest:
> > > > > >> - Clean up our current VR script spaghetti to a simpler more
> > > > > >> auditable configuration workflow.
> > > > > >> - Gives a cleaner path for IPv6 support.
> > > > > >> - Handles VPN configuration via the same configuration
> interface.
> > > > > >> - Support for OSPF & BGP.
> > > > > >> - VPN support through OpenVPN & StrongSwan.
> > > > > >> - Easily supports HA 

RE: [DISCUSS] Replacing the VR

2016-09-13 Thread Marty Godsey
I have spent all of 2 mins looking at Cloudrouter so it may do this and I 
haven’t found it but according to the feature list it doesn't support VXLANS. 
Am I missing it somewhere?

-Original Message-
From: Zaeem Arshad [mailto:zaeem.ars...@gmail.com] 
Sent: Tuesday, September 13, 2016 12:43 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Replacing the VR

+1 on cloudrouter. We have been looking at this as a potential
replacement/addon to our existing VRs.

On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens  wrote:

> yes, technically we should be able to just make a new VR 
> implementation available and then when people create their network 
> offerings, they just pick which VR implementation they want to use for 
> the different capabilities.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw 
> @CloudOps_
>
> On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright < 
> dwri...@untangledtechnology.com> wrote:
>
> > I would like to see a "virtual router offering" in the UI which lets 
> > you pick the legacy VR or your own. Probably a component of the 
> > network offering. I've had many cases were I needed Mikrotik 
> > RouterOS or pfSense
> to
> > match a clients on-premise gear. ACS should find a way to stay 
> > agnostic IMO.
> >
> > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> > wrote:
> >
> > > I like this idea as well. I would be willing to test both VyOS and 
> > > Cloudrouter if you need an active service to test with. 
> > > Specifically I
> am
> > > looking to test IPv6 since I provide IPv6 /64 spaces to my 
> > > customers
> and
> > I
> > > am having to provide it via an external router at the moment which 
> > > has
> a
> > > lot of manual configurations.
> > >
> > > Let me know if I can help in anyway.
> > >
> > > -Original Message-
> > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > To: dev@cloudstack.apache.org
> > > Subject: Re: [DISCUSS] Replacing the VR
> > >
> > > Ya. If we go this way, I like the approach of building the 
> > > integration
> > and
> > > putting it through its paces as a stand alone VR before we 
> > > consider replacing the old VR and making it the default.
> > >
> > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" 
> > >  >
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > Instead of replacing the VR in first place we should add 
> > > > VyOS/cloudrouter as provider. Once it is stable, network 
> > > > offerings
> (on
> > > > upgrade) can be updated to use it and we can drop the VR if we 
> > > > want
> at
> > > that release onwards.
> > > >
> > > > VR is stabilized over a period of time and some of them are 
> > > > running without issues.  When we replicate the ACS VR features 
> > > > in new
> solution
> > > > it takes some to find the missing pieces (hidden bugs).
> > > >
> > > > Thanks,
> > > > Jayapal
> > > >
> > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > >
> > > > > n...@li.nux.ro> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I like the idea.
> > > > >
> > > > > Cloudrouter looks really promising, I'm not too keen on VyOS 
> > > > > (it doesn't
> > > > have a proper http api etc).
> > > > >
> > > > > --
> > > > > Sent from the Delta quadrant using Borg technology!
> > > > >
> > > > > Nux!
> > > > > www.nux.ro
> > > > >
> > > > > - Original Message -
> > > > >> From: "Will Stevens" 
> > > > >> To: dev@cloudstack.apache.org
> > > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > > >> Subject: [DISCUSS] Replacing the VR
> > > > >
> > > > >> *Disclaimer:* This is a thought experiment and should be 
> > > > >> treated
> as
> > > > such.
> > > > >> Please weigh in with the good and bad of this idea...
> > > > >>
> > > > >> A couple of us have been discussing the idea of potentially 
> > > > >> replacing
> > > > the
> > > > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may 
> > > > >> be a
> > > > license
> > > > >> issue because I think it is licensed under GPL, but for the 
> > > > >> sake
> of
> > > > >> discussion, let's assume we can overcome any license issues.
> > > > >>
> > > > >> I have spent some time recently with the VyOS and I have to 
> > > > >> admit, I was pretty impressed.  It is simple and intuitive 
> > > > >> and it gives you a lot
> > > > more
> > > > >> options for auditing the configuration etc...
> > > > >>
> > > > >> Items of potential interest:
> > > > >> - Clean up our current VR script spaghetti to a simpler more 
> > > > >> auditable configuration workflow.
> > > > >> - Gives a cleaner path for IPv6 support.
> > > > >> - Handles VPN configuration via the same configuration interface.
> > > > >> - Support for OSPF & BGP.
> > > > >> - VPN support through OpenVPN & StrongSwan.
> > > > >> - Easily supports HA (redundant routers) through 

Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Zaeem Arshad
+1 on cloudrouter. We have been looking at this as a potential
replacement/addon to our existing VRs.

On Tue, Sep 13, 2016 at 9:07 PM, Will Stevens  wrote:

> yes, technically we should be able to just make a new VR implementation
> available and then when people create their network offerings, they just
> pick which VR implementation they want to use for the different
> capabilities.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>
> On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
> dwri...@untangledtechnology.com> wrote:
>
> > I would like to see a "virtual router offering" in the UI which lets you
> > pick the legacy VR or your own. Probably a component of the network
> > offering. I've had many cases were I needed Mikrotik RouterOS or pfSense
> to
> > match a clients on-premise gear. ACS should find a way to stay agnostic
> > IMO.
> >
> > On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> > wrote:
> >
> > > I like this idea as well. I would be willing to test both VyOS and
> > > Cloudrouter if you need an active service to test with. Specifically I
> am
> > > looking to test IPv6 since I provide IPv6 /64 spaces to my customers
> and
> > I
> > > am having to provide it via an external router at the moment which has
> a
> > > lot of manual configurations.
> > >
> > > Let me know if I can help in anyway.
> > >
> > > -Original Message-
> > > From: Will Stevens [mailto:williamstev...@gmail.com]
> > > Sent: Tuesday, September 13, 2016 7:21 AM
> > > To: dev@cloudstack.apache.org
> > > Subject: Re: [DISCUSS] Replacing the VR
> > >
> > > Ya. If we go this way, I like the approach of building the integration
> > and
> > > putting it through its paces as a stand alone VR before we consider
> > > replacing the old VR and making it the default.
> > >
> > > On Sep 13, 2016 6:52 AM, "Jayapal Uradi"  >
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > Instead of replacing the VR in first place we should add
> > > > VyOS/cloudrouter as provider. Once it is stable, network offerings
> (on
> > > > upgrade) can be updated to use it and we can drop the VR if we want
> at
> > > that release onwards.
> > > >
> > > > VR is stabilized over a period of time and some of them are running
> > > > without issues.  When we replicate the ACS VR features in new
> solution
> > > > it takes some to find the missing pieces (hidden bugs).
> > > >
> > > > Thanks,
> > > > Jayapal
> > > >
> > > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > > >
> > > > > n...@li.nux.ro> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I like the idea.
> > > > >
> > > > > Cloudrouter looks really promising, I'm not too keen on VyOS (it
> > > > > doesn't
> > > > have a proper http api etc).
> > > > >
> > > > > --
> > > > > Sent from the Delta quadrant using Borg technology!
> > > > >
> > > > > Nux!
> > > > > www.nux.ro
> > > > >
> > > > > - Original Message -
> > > > >> From: "Will Stevens" 
> > > > >> To: dev@cloudstack.apache.org
> > > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > > >> Subject: [DISCUSS] Replacing the VR
> > > > >
> > > > >> *Disclaimer:* This is a thought experiment and should be treated
> as
> > > > such.
> > > > >> Please weigh in with the good and bad of this idea...
> > > > >>
> > > > >> A couple of us have been discussing the idea of potentially
> > > > >> replacing
> > > > the
> > > > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a
> > > > license
> > > > >> issue because I think it is licensed under GPL, but for the sake
> of
> > > > >> discussion, let's assume we can overcome any license issues.
> > > > >>
> > > > >> I have spent some time recently with the VyOS and I have to admit,
> > > > >> I was pretty impressed.  It is simple and intuitive and it gives
> > > > >> you a lot
> > > > more
> > > > >> options for auditing the configuration etc...
> > > > >>
> > > > >> Items of potential interest:
> > > > >> - Clean up our current VR script spaghetti to a simpler more
> > > > >> auditable configuration workflow.
> > > > >> - Gives a cleaner path for IPv6 support.
> > > > >> - Handles VPN configuration via the same configuration interface.
> > > > >> - Support for OSPF & BGP.
> > > > >> - VPN support through OpenVPN & StrongSwan.
> > > > >> - Easily supports HA (redundant routers) through VRRP.
> > > > >> - VXLAN support.
> > > > >> - Transaction based changes to the VR with rollback on error.
> > > > >>
> > > > >> Items that could be difficult to solve:
> > > > >> - Userdata password reset workflow and implementation.
> > > > >> - Upgrade process.
> > > > >>
> > > > >> The VyOS is not the only option if we were to consider this
> > approach.
> > > > >> Another option, which I don't know as well, would be CloudRouter
> > > > >> (AGPL
> > > > >> license) [2] which is purely API 

Re: CloudStack European User Group

2016-09-13 Thread Wido den Hollander

> On 13 September 2016 at 13:33, Steve Roles wrote:
> 
> 
> Hi all,
> 
> We're very excited to announce the Autumn 2016 meetup, in London, Thursday, 
> November 24 (agenda & speakers TBC):
> 
> https://www.eventbrite.co.uk/e/cloudstack-european-user-group-tickets-27604537916
> 
> VENUE: BT Centre showcase, 81 Newgate St, London, EC1A 7AJ. Nearest tube: St. 
> Paul's
> 
> As well as talks from guest speakers, there will be the chance to meet with 
> other CloudStack users, lunch, and time to continue the discussions over a 
> beer or two in the evening.
> 
> It would be great to see some of you there!

Would have loved to come over, but I can't. Hope to see a big audience turn up!

Wido

> 
> Best regards,
> 
> 
> steve.ro...@shapeblue.com 
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>   
>  
>


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
yes, technically we should be able to just make a new VR implementation
available and then when people create their network offerings, they just
pick which VR implementation they want to use for the different
capabilities.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Sep 13, 2016 at 11:41 AM, Dustin Wright <
dwri...@untangledtechnology.com> wrote:

> I would like to see a "virtual router offering" in the UI which lets you
> pick the legacy VR or your own. Probably a component of the network
> offering. I've had many cases where I needed Mikrotik RouterOS or pfSense to
> match a client's on-premise gear. ACS should find a way to stay agnostic
> IMO.
>
> On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey 
> wrote:
>
> > I like this idea as well. I would be willing to test both VyOS and
> > Cloudrouter if you need an active service to test with. Specifically I am
> > looking to test IPv6 since I provide IPv6 /64 spaces to my customers and
> I
> > am having to provide it via an external router at the moment which has a
> > lot of manual configurations.
> >
> > Let me know if I can help in anyway.
> >
> > -Original Message-
> > From: Will Stevens [mailto:williamstev...@gmail.com]
> > Sent: Tuesday, September 13, 2016 7:21 AM
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Replacing the VR
> >
> > Ya. If we go this way, I like the approach of building the integration
> and
> > putting it through its paces as a stand alone VR before we consider
> > replacing the old VR and making it the default.
> >
> > On Sep 13, 2016 6:52 AM, "Jayapal Uradi" 
> > wrote:
> >
> > > Hi,
> > >
> > > Instead of replacing the VR in first place we should add
> > > VyOS/cloudrouter as provider. Once it is stable, network offerings (on
> > > upgrade) can be updated to use it and we can drop the VR if we want at
> > that release onwards.
> > >
> > > VR is stabilized over a period of time and some of them are running
> > > without issues.  When we replicate the ACS VR features in new solution
> > > it takes some to find the missing pieces (hidden bugs).
> > >
> > > Thanks,
> > > Jayapal
> > >
> > > > On Sep 13, 2016, at 2:52 PM, Nux! <
> > >
> > > > n...@li.nux.ro> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I like the idea.
> > > >
> > > > Cloudrouter looks really promising, I'm not too keen on VyOS (it
> > > > doesn't
> > > have a proper http api etc).
> > > >
> > > > --
> > > > Sent from the Delta quadrant using Borg technology!
> > > >
> > > > Nux!
> > > > www.nux.ro
> > > >
> > > > - Original Message -
> > > >> From: "Will Stevens" 
> > > >> To: dev@cloudstack.apache.org
> > > >> Sent: Monday, 12 September, 2016 21:20:11
> > > >> Subject: [DISCUSS] Replacing the VR
> > > >
> > > >> *Disclaimer:* This is a thought experiment and should be treated as
> > > such.
> > > >> Please weigh in with the good and bad of this idea...
> > > >>
> > > >> A couple of us have been discussing the idea of potentially
> > > >> replacing
> > > the
> > > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a
> > > license
> > > >> issue because I think it is licensed under GPL, but for the sake of
> > > >> discussion, let's assume we can overcome any license issues.
> > > >>
> > > >> I have spent some time recently with the VyOS and I have to admit,
> > > >> I was pretty impressed.  It is simple and intuitive and it gives
> > > >> you a lot
> > > more
> > > >> options for auditing the configuration etc...
> > > >>
> > > >> Items of potential interest:
> > > >> - Clean up our current VR script spaghetti to a simpler more
> > > >> auditable configuration workflow.
> > > >> - Gives a cleaner path for IPv6 support.
> > > >> - Handles VPN configuration via the same configuration interface.
> > > >> - Support for OSPF & BGP.
> > > >> - VPN support through OpenVPN & StrongSwan.
> > > >> - Easily supports HA (redundant routers) through VRRP.
> > > >> - VXLAN support.
> > > >> - Transaction based changes to the VR with rollback on error.
> > > >>
> > > >> Items that could be difficult to solve:
> > > >> - Userdata password reset workflow and implementation.
> > > >> - Upgrade process.
> > > >>
> > > >> The VyOS is not the only option if we were to consider this
> approach.
> > > >> Another option, which I don't know as well, would be CloudRouter
> > > >> (AGPL
> > > >> license) [2] which is purely API driven.
> > > >>
> > > >> Anyway, would love to hear your thoughts...
> > > >>
> > > >> Will
> > > >>
> > > >> [1] https://vyos.io/
> > > >> [2] https://cloudrouter.org/
> > >
> > >
> > >
> > >
> > > DISCLAIMER
> > > ==
> > > This e-mail may contain privileged and confidential information which
> > > is the property of Accelerite, a Persistent Systems business. It is
> > > intended only for the use of the individual or entity to 

HAProxy [native virtual CS Loadbalancer] - SSL offload support - CLOUDSTACK-9499

2016-09-13 Thread Alessandro
Hi,

SSL offload support in CloudStack, documented here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support
is currently only available to NetScaler LB devices.

If we try to attach a certificate to a CloudStack Virtual Router LB:
assignCertToLoadBalancer=3b0621cd-203f-46a9-b3ad-97e7e70c77ab=2556
It returns the following error:
2016-09-05 18:32:16,244 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-111:ctx-4f7864f6 job-48170) Complete async job-48170, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":431,"errortext":"Ssl termination not supported by the loadbalancer"}

The CloudStack VR uses haproxy for LB and ssl offloading is something
haproxy can handle.

The standard type of configuration issued by CloudStack:

listen 8_8_8_8-443 8.8.8.8:443
    balance roundrobin
    server 8_8_8_8-443_0 192.168.1.2:443 check
    server 8_8_8_8-443_1 192.168.1.3:443 check

By default CS configures its load balancers in tcp mode. To enable SSL
offloading we would however need this kind of configuration:

listen 8_8_8_8-443
    bind 8.8.8.8:443 ssl crt /etc/haproxy/ssl-cert-3b0621cd-203f-46a9-b3ad-97e7e70c77ab.pem crt /etc/haproxy/ssl-cert-----.pem
    mode http
    balance roundrobin
    server 8_8_8_8-443_0 192.168.1.2:443 check ssl verify none
    server 8_8_8_8-443_1 192.168.1.3:443 check ssl verify none

This could be implemented by modifying the API and the HAProxyConfigurator
script. Also, in my example configuration I've put two certificates,
HAProxy manages this pretty well so it would be nice to be able to assign
more than one certificate to a LB.

I've already opened a Jira issue for this case: CLOUDSTACK-9499 -
https://issues.apache.org/jira/browse/CLOUDSTACK-9499

Kind regards,
Alessandro
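
The two listen sections from the message above, produced by one renderer. This is an added example, not part of the original message and not CloudStack's HAProxyConfigurator code. It goes slightly beyond the message: certificate ids are checked before they are interpolated into a file path in haproxy.cfg, and the backend can optionally be verified with `verify required ca-file` instead of `verify none`. The function names, the IPv4-only restriction, the second certificate id and the CA file path are assumptions made for illustration.

```python
import ipaddress
import re

CERT_DIR = "/etc/haproxy"  # directory used by the certificate paths in the message
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
SAFE_PATH_RE = re.compile(r"(/[A-Za-z0-9._-]+)+")


def cert_path(cert_id):
    """Map a certificate id to its PEM path, accepting only canonical UUIDs."""
    # The id is written into haproxy.cfg. fullmatch() rejects spaces, newlines
    # and "../", which could otherwise add directives or leave CERT_DIR.
    if not isinstance(cert_id, str) or not UUID_RE.fullmatch(cert_id):
        raise ValueError("certificate id is not a canonical UUID: %r" % (cert_id,))
    return "%s/ssl-cert-%s.pem" % (CERT_DIR, cert_id)


def endpoint(ip, port):
    """Return 'ip:port' after validating an IPv4 address and a TCP port."""
    addr = ipaddress.IPv4Address(ip)  # raises a ValueError subclass on bad input
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("invalid port: %r" % (port,))
    return "%s:%d" % (addr, port)


def render_listen(public_ip, public_port, backends, cert_ids=(), backend_ca_file=None):
    """Render one haproxy 'listen' section for a load balancer rule.

    Without cert_ids the output is the TCP pass-through form CloudStack issues
    today. With cert_ids the frontend terminates TLS (several 'crt' entries are
    allowed on one bind line) and the section switches to 'mode http'.
    """
    if not backends:
        raise ValueError("at least one backend is required")
    front = endpoint(public_ip, public_port)
    name = front.replace(".", "_").replace(":", "-")  # 8.8.8.8:443 -> 8_8_8_8-443
    lines = []
    if not cert_ids:
        if backend_ca_file is not None:
            raise ValueError("backend_ca_file only applies when TLS is terminated")
        lines.append("listen %s %s" % (name, front))
        server_opts = "check"
    else:
        crts = " ".join("crt " + cert_path(c) for c in cert_ids)
        lines.append("listen %s" % name)
        lines.append("    bind %s ssl %s" % (front, crts))
        lines.append("    mode http")
        if backend_ca_file is None:
            # Form used in the message: traffic to the backend is encrypted,
            # but the backend certificate is not checked.
            server_opts = "check ssl verify none"
        else:
            if (not SAFE_PATH_RE.fullmatch(backend_ca_file)
                    or ".." in backend_ca_file.split("/")):
                raise ValueError("unsafe CA file path: %r" % (backend_ca_file,))
            server_opts = "check ssl verify required ca-file %s" % backend_ca_file
    lines.append("    balance roundrobin")
    for i, (ip, port) in enumerate(backends):
        lines.append("    server %s_%d %s %s" % (name, i, endpoint(ip, port), server_opts))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    backends = [("192.168.1.2", 443), ("192.168.1.3", 443)]
    certs = [
        "3b0621cd-203f-46a9-b3ad-97e7e70c77ab",  # id from the message
        "00000000-0000-4000-8000-000000000001",  # constructed second id
    ]
    print(render_listen("8.8.8.8", 443, backends))
    print(render_listen("8.8.8.8", 443, backends, cert_ids=certs))
    # Constructed CA path: the backend certificate is now verified.
    print(render_listen("8.8.8.8", 443, backends, cert_ids=certs,
                        backend_ca_file="/etc/haproxy/backend-ca.pem"))
```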


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Dustin Wright
I would like to see a "virtual router offering" in the UI which lets you
pick the legacy VR or your own. Probably a component of the network
offering. I've had many cases where I needed Mikrotik RouterOS or pfSense to
match a client's on-premise gear. ACS should find a way to stay agnostic IMO.

On Tue, Sep 13, 2016 at 11:36 AM, Marty Godsey  wrote:

> I like this idea as well. I would be willing to test both VyOS and
> Cloudrouter if you need an active service to test with. Specifically I am
> looking to test IPv6 since I provide IPv6 /64 spaces to my customers and I
> am having to provide it via an external router at the moment which has a
> lot of manual configurations.
>
> Let me know if I can help in anyway.
>
> -Original Message-
> From: Will Stevens [mailto:williamstev...@gmail.com]
> Sent: Tuesday, September 13, 2016 7:21 AM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] Replacing the VR
>
> Ya. If we go this way, I like the approach of building the integration and
> putting it through its paces as a stand alone VR before we consider
> replacing the old VR and making it the default.
>
> On Sep 13, 2016 6:52 AM, "Jayapal Uradi" 
> wrote:
>
> > Hi,
> >
> > Instead of replacing the VR in first place we should add
> > VyOS/cloudrouter as provider. Once it is stable, network offerings (on
> > upgrade) can be updated to use it and we can drop the VR if we want at
> that release onwards.
> >
> > VR is stabilized over a period of time and some of them are running
> > without issues.  When we replicate the ACS VR features in new solution
> > it takes some to find the missing pieces (hidden bugs).
> >
> > Thanks,
> > Jayapal
> >
> > > On Sep 13, 2016, at 2:52 PM, Nux! <
> >
> > > n...@li.nux.ro> wrote:
> > >
> > > Hi,
> > >
> > > I like the idea.
> > >
> > > Cloudrouter looks really promising, I'm not too keen on VyOS (it
> > > doesn't
> > have a proper http api etc).
> > >
> > > --
> > > Sent from the Delta quadrant using Borg technology!
> > >
> > > Nux!
> > > www.nux.ro
> > >
> > > - Original Message -
> > >> From: "Will Stevens" 
> > >> To: dev@cloudstack.apache.org
> > >> Sent: Monday, 12 September, 2016 21:20:11
> > >> Subject: [DISCUSS] Replacing the VR
> > >
> > >> *Disclaimer:* This is a thought experiment and should be treated as
> > such.
> > >> Please weigh in with the good and bad of this idea...
> > >>
> > >> A couple of us have been discussing the idea of potentially
> > >> replacing
> > the
> > >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a
> > license
> > >> issue because I think it is licensed under GPL, but for the sake of
> > >> discussion, let's assume we can overcome any license issues.
> > >>
> > >> I have spent some time recently with the VyOS and I have to admit,
> > >> I was pretty impressed.  It is simple and intuitive and it gives
> > >> you a lot
> > more
> > >> options for auditing the configuration etc...
> > >>
> > >> Items of potential interest:
> > >> - Clean up our current VR script spaghetti to a simpler more
> > >> auditable configuration workflow.
> > >> - Gives a cleaner path for IPv6 support.
> > >> - Handles VPN configuration via the same configuration interface.
> > >> - Support for OSPF & BGP.
> > >> - VPN support through OpenVPN & StrongSwan.
> > >> - Easily supports HA (redundant routers) through VRRP.
> > >> - VXLAN support.
> > >> - Transaction based changes to the VR with rollback on error.
> > >>
> > >> Items that could be difficult to solve:
> > >> - Userdata password reset workflow and implementation.
> > >> - Upgrade process.
> > >>
> > >> The VyOS is not the only option if we were to consider this approach.
> > >> Another option, which I don't know as well, would be CloudRouter
> > >> (AGPL
> > >> license) [2] which is purely API driven.
> > >>
> > >> Anyway, would love to hear your thoughts...
> > >>
> > >> Will
> > >>
> > >> [1] https://vyos.io/
> > >> [2] https://cloudrouter.org/
> >
> >
> >
> >
> > DISCLAIMER
> > ==
> > This e-mail may contain privileged and confidential information which
> > is the property of Accelerite, a Persistent Systems business. It is
> > intended only for the use of the individual or entity to which it is
> > addressed. If you are not the intended recipient, you are not
> > authorized to read, retain, copy, print, distribute or use this
> > message. If you have received this communication in error, please
> > notify the sender and delete all copies of this message. Accelerite, a
> > Persistent Systems business does not accept any liability for virus
> infected mails.
> >
>


[GitHub] cloudstack issue #1666: CLOUDSTACK-9480: Egress Firewall: Incorrect use of A...

2016-09-13 Thread cloudmonger
Github user cloudmonger commented on the issue:

https://github.com/apache/cloudstack/pull/1666
  
### ACS CI BVT Run
 **Summary:**
 Build Number 93
 Hypervisor xenserver
 NetworkType Advanced
 Passed=102
 Failed=1
 Skipped=4

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_non_contigiousvlan.py

 * test_extendPhysicalNetworkVlan Failing since 11 runs


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_3d_gpu_support
test_deploy_vgpu_enabled_vm

**Passed test suites:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_loadbalance.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_network.py
test_router_dns.py
test_login.py
test_deploy_vm_iso.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_ssvm.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py




[GitHub] cloudstack issue #1593: CLOUDSTACK-9417: Usage module refactoring

2016-09-13 Thread serg38
Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/1593
  
@jburwell Creating a new table to hold one setting seems to be excessive. 
How about using sequence table? In this regard last_Id used by usage sanity 
checker is a sequence.




[GitHub] cloudstack issue #1593: CLOUDSTACK-9417: Usage module refactoring

2016-09-13 Thread jburwell
Github user jburwell commented on the issue:

https://github.com/apache/cloudstack/pull/1593
  
@serg38 I completely agree that it should be in the database, but it's not 
a configuration setting.  Furthermore, it requires a different transactional 
behavior to operate properly.  Therefore, it should be placed in a separate 
tracking table -- either a new table or as a column on an existing table.




[GitHub] cloudstack issue #1593: CLOUDSTACK-9417: Usage module refactoring

2016-09-13 Thread serg38
Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/1593
  
@rhtyd @jburwell @rafaelweingartner I agree with @rhtyd to move sanity 
checker last_id to the DB. No reason to keep it in file system. How about using
"usage.sanity.check.lastid" in configuration table with the following 
attributes
Category: Hidden
component : management-server 
default value: 0
isdynamic: 0




[GitHub] cloudstack issue #1658: Added an additional JSON diff output to the ApiXmlDo...

2016-09-13 Thread jburwell
Github user jburwell commented on the issue:

https://github.com/apache/cloudstack/pull/1658
  
@karuturi the point is that there is no discussion about who can commit.  
It is in black and white in Section 2.3 of our bylaws and the Apache Way.  As I 
said in my previous comment, no one ever agreed that only RMs could commit to 
release branches.  We agreed to the criteria for a PR to be merged.  By nature 
of his deep involvement, Remi ended up merging all PRs because he was so 
active.  However, that activity did not imply that committers had relinquished 
their rights under our bylaws.

blueorganatan was under development until we had a hardware failure in the 
lab.  Before development was interrupted, blueorganatan was posting detailed 
results to PRs with public exposure of the logs/results from the environment as 
the next item to address.  When we resume development in the next week or so, 
exposing logs/results will be the first item implemented.




[GitHub] cloudstack issue #1615: CLOUDSTACK-9438: Fix for CLOUDSTACK-9252 - Make NFS ...

2016-09-13 Thread serg38
Github user serg38 commented on the issue:

https://github.com/apache/cloudstack/pull/1615
  
@koushik-das Yes, an integration test is in the works. I will post results 
here in a few days.




[GitHub] cloudstack issue #1560: CLOUDSTACK-9386: DS template copies don’t get dele...

2016-09-13 Thread rafaelweingartner
Github user rafaelweingartner commented on the issue:

https://github.com/apache/cloudstack/pull/1560
  
@jburwell someone else already merged ;)




[GitHub] cloudstack issue #1666: CLOUDSTACK-9480: Egress Firewall: Incorrect use of A...

2016-09-13 Thread karuturi
Github user karuturi commented on the issue:

https://github.com/apache/cloudstack/pull/1666
  
Started our internal CI to run smoke tests on this PR. It will post the 
results here. Thanks.




[GitHub] cloudstack pull request #1671: Adding support for cross-cluster storage migr...

2016-09-13 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/cloudstack/pull/1671




CloudStack European User Group

2016-09-13 Thread Steve Roles
Hi all,

We're very excited to announce the Autumn 2016 meetup, in London, Thursday, 
November 24 (agenda & speakers TBC):

https://www.eventbrite.co.uk/e/cloudstack-european-user-group-tickets-27604537916

VENUE: BT Centre showcase, 81 Newgate St, London, EC1A 7AJ. Nearest tube: St. 
Paul's

As well as talks from guest speakers, there will be the chance to meet with 
other CloudStack users, lunch, and time to continue the discussions over a beer 
or two in the evening.

It would be great to see some of you there!

Best regards,


steve.ro...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 



Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
Ya. If we go this way, I like the approach of building the integration and
putting it through its paces as a stand alone VR before we consider
replacing the old VR and making it the default.

On Sep 13, 2016 6:52 AM, "Jayapal Uradi" 
wrote:

> Hi,
>
> Instead of replacing the VR in first place we should add VyOS/cloudrouter
> as provider. Once it is stable, network offerings (on upgrade) can be
> updated to use it and we can drop the VR if we want at that release onwards.
>
> VR is stabilized over a period of time and some of them are running
> without issues.  When we replicate the ACS VR features in new solution it
> takes some to find the missing pieces (hidden bugs).
>
> Thanks,
> Jayapal
>
> > On Sep 13, 2016, at 2:52 PM, Nux! <
>
> > n...@li.nux.ro> wrote:
> >
> > Hi,
> >
> > I like the idea.
> >
> > Cloudrouter looks really promising, I'm not too keen on VyOS (it doesn't
> have a proper http api etc).
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> > Nux!
> > www.nux.ro
> >
> > - Original Message -
> >> From: "Will Stevens" 
> >> To: dev@cloudstack.apache.org
> >> Sent: Monday, 12 September, 2016 21:20:11
> >> Subject: [DISCUSS] Replacing the VR
> >
> >> *Disclaimer:* This is a thought experiment and should be treated as
> such.
> >> Please weigh in with the good and bad of this idea...
> >>
> >> A couple of us have been discussing the idea of potentially replacing
> the
> >> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a
> license
> >> issue because I think it is licensed under GPL, but for the sake of
> >> discussion, let's assume we can overcome any license issues.
> >>
> >> I have spent some time recently with the VyOS and I have to admit, I was
> >> pretty impressed.  It is simple and intuitive and it gives you a lot
> more
> >> options for auditing the configuration etc...
> >>
> >> Items of potential interest:
> >> - Clean up our current VR script spaghetti to a simpler more auditable
> >> configuration workflow.
> >> - Gives a cleaner path for IPv6 support.
> >> - Handles VPN configuration via the same configuration interface.
> >> - Support for OSPF & BGP.
> >> - VPN support through OpenVPN & StrongSwan.
> >> - Easily supports HA (redundant routers) through VRRP.
> >> - VXLAN support.
> >> - Transaction based changes to the VR with rollback on error.
> >>
> >> Items that could be difficult to solve:
> >> - Userdata password reset workflow and implementation.
> >> - Upgrade process.
> >>
> >> The VyOS is not the only option if we were to consider this approach.
> >> Another option, which I don't know as well, would be CloudRouter (AGPL
> >> license) [2] which is purely API driven.
> >>
> >> Anyway, would love to hear your thoughts...
> >>
> >> Will
> >>
> >> [1] https://vyos.io/
> >> [2] https://cloudrouter.org/
>
>
>
>
> DISCLAIMER
> ==
> This e-mail may contain privileged and confidential information which is
> the property of Accelerite, a Persistent Systems business. It is intended
> only for the use of the individual or entity to which it is addressed. If
> you are not the intended recipient, you are not authorized to read, retain,
> copy, print, distribute or use this message. If you have received this
> communication in error, please notify the sender and delete all copies of
> this message. Accelerite, a Persistent Systems business does not accept any
> liability for virus infected mails.
>


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Will Stevens
Ya. CloudRouter is interesting because it has a native api. For that reason
it was brought up as an alternative to VyOS in our internal discussions.

On Sep 13, 2016 5:23 AM, "Nux!"  wrote:

> Hi,
>
> I like the idea.
>
> Cloudrouter looks really promising, I'm not too keen on VyOS (it doesn't
> have a proper http api etc).
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Will Stevens" 
> > To: dev@cloudstack.apache.org
> > Sent: Monday, 12 September, 2016 21:20:11
> > Subject: [DISCUSS] Replacing the VR
>
> > *Disclaimer:* This is a thought experiment and should be treated as such.
> > Please weigh in with the good and bad of this idea...
> >
> > A couple of us have been discussing the idea of potentially replacing the
> > ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a license
> > issue because I think it is licensed under GPL, but for the sake of
> > discussion, let's assume we can overcome any license issues.
> >
> > I have spent some time recently with the VyOS and I have to admit, I was
> > pretty impressed.  It is simple and intuitive and it gives you a lot more
> > options for auditing the configuration etc...
> >
> > Items of potential interest:
> > - Clean up our current VR script spaghetti to a simpler more auditable
> > configuration workflow.
> > - Gives a cleaner path for IPv6 support.
> > - Handles VPN configuration via the same configuration interface.
> > - Support for OSPF & BGP.
> > - VPN support through OpenVPN & StrongSwan.
> > - Easily supports HA (redundant routers) through VRRP.
> > - VXLAN support.
> > - Transaction based changes to the VR with rollback on error.
> >
> > Items that could be difficult to solve:
> > - Userdata password reset workflow and implementation.
> > - Upgrade process.
> >
> > The VyOS is not the only option if we were to consider this approach.
> > Another option, which I don't know as well, would be CloudRouter (AGPL
> > license) [2] which is purely API driven.
> >
> > Anyway, would love to hear your thoughts...
> >
> > Will
> >
> > [1] https://vyos.io/
> > [2] https://cloudrouter.org/
>


Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Jayapal Uradi
Hi,

Instead of replacing the VR in the first place we should add VyOS/cloudrouter as 
provider. Once it is stable, network offerings (on upgrade) can be updated to 
use it and we can drop the VR if we want at that release onwards.

VR is stabilized over a period of time and some of them are running without 
issues.  When we replicate the ACS VR features in new solution it takes some time to 
find the missing pieces (hidden bugs).

Thanks,
Jayapal

> On Sep 13, 2016, at 2:52 PM, Nux! <

> n...@li.nux.ro> wrote:
>
> Hi,
>
> I like the idea.
>
> Cloudrouter looks really promising, I'm not too keen on VyOS (it doesn't have 
> a proper http api etc).
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
>> From: "Will Stevens" 
>> To: dev@cloudstack.apache.org
>> Sent: Monday, 12 September, 2016 21:20:11
>> Subject: [DISCUSS] Replacing the VR
>
>> *Disclaimer:* This is a thought experiment and should be treated as such.
>> Please weigh in with the good and bad of this idea...
>>
>> A couple of us have been discussing the idea of potentially replacing the
>> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a license
>> issue because I think it is licensed under GPL, but for the sake of
>> discussion, let's assume we can overcome any license issues.
>>
>> I have spent some time recently with the VyOS and I have to admit, I was
>> pretty impressed.  It is simple and intuitive and it gives you a lot more
>> options for auditing the configuration etc...
>>
>> Items of potential interest:
>> - Clean up our current VR script spaghetti to a simpler more auditable
>> configuration workflow.
>> - Gives a cleaner path for IPv6 support.
>> - Handles VPN configuration via the same configuration interface.
>> - Support for OSPF & BGP.
>> - VPN support through OpenVPN & StrongSwan.
>> - Easily supports HA (redundant routers) through VRRP.
>> - VXLAN support.
>> - Transaction based changes to the VR with rollback on error.
>>
>> Items that could be difficult to solve:
>> - Userdata password reset workflow and implementation.
>> - Upgrade process.
>>
>> The VyOS is not the only option if we were to consider this approach.
>> Another option, which I don't know as well, would be CloudRouter (AGPL
>> license) [2] which is purely API driven.
>>
>> Anyway, would love to hear your thoughts...
>>
>> Will
>>
>> [1] https://vyos.io/
>> [2] https://cloudrouter.org/




DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Accelerite, a Persistent Systems business. It is intended only for 
the use of the individual or entity to which it is addressed. If you are not 
the intended recipient, you are not authorized to read, retain, copy, print, 
distribute or use this message. If you have received this communication in 
error, please notify the sender and delete all copies of this message. 
Accelerite, a Persistent Systems business does not accept any liability for 
virus infected mails.


[GitHub] cloudstack pull request #1560: CLOUDSTACK-9386: DS template copies don’t g...

2016-09-13 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/cloudstack/pull/1560




[GitHub] cloudstack issue #1671: Adding support for cross-cluster storage migration f...

2016-09-13 Thread karuturi
Github user karuturi commented on the issue:

https://github.com/apache/cloudstack/pull/1671
  
The failed test (test_extendPhysicalNetworkVlan) is not due to this PR. It's 
a test case cleanup issue. This PR looks good.




[GitHub] cloudstack issue #1671: Adding support for cross-cluster storage migration f...

2016-09-13 Thread cloudmonger
Github user cloudmonger commented on the issue:

https://github.com/apache/cloudstack/pull/1671
  
### ACS CI BVT Run
 **Summary:**
 Build Number 92
 Hypervisor xenserver
 NetworkType Advanced
 Passed=102
 Failed=1
 Skipped=4

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**
* test_non_contigiousvlan.py

 * test_extendPhysicalNetworkVlan Failing since 10 runs


**Skipped tests:**
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_3d_gpu_support
test_deploy_vgpu_enabled_vm

**Passed test suites:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_loadbalance.py
test_routers.py
test_reset_vm_on_reboot.py
test_snapshots.py
test_deploy_vms_with_varied_deploymentplanners.py
test_network.py
test_router_dns.py
test_login.py
test_deploy_vm_iso.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_ssvm.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_disk_offerings.py




Re: [DISCUSS] Replacing the VR

2016-09-13 Thread Nux!
Hi,

I like the idea.

Cloudrouter looks really promising, I'm not too keen on VyOS (it doesn't have a 
proper http api etc).

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Will Stevens" 
> To: dev@cloudstack.apache.org
> Sent: Monday, 12 September, 2016 21:20:11
> Subject: [DISCUSS] Replacing the VR

> *Disclaimer:* This is a thought experiment and should be treated as such.
> Please weigh in with the good and bad of this idea...
> 
> A couple of us have been discussing the idea of potentially replacing the
> ACS VR with the VyOS [1] (Open Source Vyatta VM).  There may be a license
> issue because I think it is licensed under GPL, but for the sake of
> discussion, let's assume we can overcome any license issues.
> 
> I have spent some time recently with the VyOS and I have to admit, I was
> pretty impressed.  It is simple and intuitive and it gives you a lot more
> options for auditing the configuration etc...
> 
> Items of potential interest:
> - Clean up our current VR script spaghetti to a simpler more auditable
> configuration workflow.
> - Gives a cleaner path for IPv6 support.
> - Handles VPN configuration via the same configuration interface.
> - Support for OSPF & BGP.
> - VPN support through OpenVPN & StrongSwan.
> - Easily supports HA (redundant routers) through VRRP.
> - VXLAN support.
> - Transaction based changes to the VR with rollback on error.
> 
> Items that could be difficult to solve:
> - Userdata password reset workflow and implementation.
> - Upgrade process.
> 
> The VyOS is not the only option if we were to consider this approach.
> Another option, which I don't know as well, would be CloudRouter (AGPL
> license) [2] which is purely API driven.
> 
> Anyway, would love to hear your thoughts...
> 
> Will
> 
> [1] https://vyos.io/
> [2] https://cloudrouter.org/


[GitHub] cloudstack issue #1615: CLOUDSTACK-9438: Fix for CLOUDSTACK-9252 - Make NFS ...

2016-09-13 Thread koushik-das
Github user koushik-das commented on the issue:

https://github.com/apache/cloudstack/pull/1615
  
@nvazquez @serg38 From the last comment, it looks like there is some open item 
related to marvin tests. Can you please address it?

