Hello,
My current infrastructure is Apache Cloudstack 4.9.2 with VMware hosts and
the management server on CentOS.
I'm planning to perform an upgrade from the actual 4.9.2 version to the
latest one.
I found this tutorial from Cloudstack website:
http://docs.cloudstack.apache.org/projects/cloud
Khosrow thanks for the interesting feature. You mention two possible
methods to manage certificates; one using the CA framework, and other using
third party such as Vault and Let’s Encrypt.
Have you considered using the sshKeyPair API methods (is it part of the CA
framework?)? I mean, users alread
Hey Mike,
This week I have been using ACS 4.12 to do some testing. VRs and system VMs
are deploying just fine with the system VM template of 4.11. Of course, by
using this template (the 4.11) I am not receiving the changes already made
to it in both 4.11 and current master branch.
During my teste
Hi Stephan,
Thanks for the summary – can you log these as new issues in the new issues
tracker https://github.com/apache/cloudstack/issues please (note not Jira).
Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue
On 04/04/2018, 10:39, "Stephan Seitz" wrote:
Hi!
We're currently usi
Rafael,
We cannot use SshKeyPair functionality because the proposed VPN
implementation
does need a signed certificate and not a ssh key pair. The process is as
follows:
1) generate root CA (if doesn't exist)
2) generate bunch of intermediate steps (config urls, CRLs, role name, ...)
[I'm not going
So, you need a certificate that is signed by the CA that is used by the VPN
service. Is that it?
It has been a while that I do not configure these VPN systems; do you need
access to the private key of the CA? Or, does the program simply validate
the user (VPN client) certificate to see if it is
On Wed, Apr 4, 2018 at 10:36 AM, Rafael Weingärtner <
rafaelweingart...@gmail.com> wrote:
> So, you need a certificate that is signed by the CA that is used by the VPN
> service. Is that it?
>
>
Correct, a self signed "server certificate" against CA, to be installed
directly on VR.
>
> It has be
Got it. Thanks for the explanations.
There is one other thing I do not understand. This Vault thing that you
mention, how does it work? Is it similar to let's encrypt?
On Wed, Apr 4, 2018 at 12:15 PM, Khosrow Moossavi
wrote:
> On Wed, Apr 4, 2018 at 10:36 AM, Rafael Weingärtner <
> rafaelweingar
One of the things Vault does is essentially one of the things Let's Encrypt
does,
acting as CA and generating/signing certificates.
From the Vault website itself:
"HashiCorp Vault secures, stores, and tightly controls access to tokens,
passwords,
certificates, API keys, and other secrets in moder
Thanks for sharing the details. Now I have a better perspective of the
proposal. It is an interesting integration of CloudStack VPN service with
Vault PKI feature.
On Wed, Apr 4, 2018 at 12:38 PM, Khosrow Moossavi
wrote:
> One of the things Vault does is essentially one of the thing Let's Encrypt
You guys should speak to Rohit about the CA framework. CloudStack can manage
certificates now, including creating them itself and acting as a root CA.
Kind regards,
Paul Angus
paul.an...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue
Thanks Paul, the proposed feature will enable the functionality to use
Vault to
act as CA if enabled in ACS, otherwise will fall back to "default"
implementation
which Rohit has already done.
On Wed, Apr 4, 2018 at 12:29 PM, Paul Angus
wrote:
> You guys should speak to Rohit about the CA framew
Use case:
In any environment - time to time - administrator needs to perform a
maintenance. Current stop sequence of cloudstack management server will
ignore the fact that there may be long running async jobs - and terminate
the process. This in turn can create a poor user experience and occasional
Khosrow
My 2c, little less than ideal to manage yet another external end point
like.
While I understand that it makes it easier to manage certificates - it also
means going forward - Vault implementation will become a requirement to
validate future ACS release.
With that said - I do like the pro
Big +1 for this feature; I only have a few doubts.
* Regarding the tasks/jobs that management servers (MSs) execute; are these
tasks originate from requests that come to the MS, or is it possible that
requests received by one management server to be executed by other? I mean,
if I execute a reques
I may be remembering this incorrectly, but from what I recall, if a resource is
owned by one MS and a request related to that resource comes in to another MS,
the MS that received the request passes it on to the other MS.
> On Apr 4, 2018, at 2:36 PM, Rafael Weingärtner
> wrote:
>
> Big +1 fo
To complement one thing that Ilya mentioned here. I do not worry much about
the “requirement” for Vault systems to test ACS. This would be the case if
Khosrow, when developing, only created tests using what the community calls
integration tests.
However, it is an implementation from scratch and as
I think everybody that “raised their hands here” already signed up to
review.
Mike, what about if we only gathered the reviews from Apache main review
system, and then we use that to decide which presentations will get in
CloudStack tracks? Then, we reduce the work on our side (we also remove
bias
One comment here (I had to shutdown whole DC for few hours recently),
please make sure to perhaps at least consider snapshotting process as the
special case - it can take few hours for snapshot to complete really (copy
process from Primary to Secondary Storage)
I did (in my recent unfortunate D
Thanks Ilya for the feedback.
The way I currently implemented it, two items need to be set in global
settings beforehand:
- you need to specify the VPN implementation (either L2TP or IKEv2)
- then select the PKI engine backend (Vault or Default)
so there won't be any immediate and blocking coupl
Andrija
This is the reason for this enhancement, snapshot, migration and others -
are all async jobs - and therefore should be tracked in async_job table
under specific MS. It is known they may take a while to complete and last
thing we want is to interrupt it.
Depending on what value you have set
Rafael
> * Regarding the tasks/jobs that management servers (MSs) execute; are
these
tasks originate from requests that come to the MS, or is it possible that
requests received by one management server to be executed by other? I mean,
if I execute a request against MS1, will this request always be
I'm thinking of using a configuration from "job.cancel.threshold.minutes" -
it will be the longest
"category": "Advanced",
"description": "Time (in minutes) for async-jobs to be forcely
cancelled if it has been in process for long",
"name": "job.cancel.threshold.minutes",
Ilya, still regarding the management server that is being shut down issue;
if other MSs/or maybe system VMs (I am not sure to know if they are able to
do such tasks) can direct/redirect/send new jobs to this management server
(the one being shut down), the process might never end because new tasks
This is not simple e.g. for VMware. Each management server also acts as an
agent proxy so tasks against a particular ESX host will be always forwarded.
That right answer will be to a native support for “maintenance mode” for
management server. When entered to such mode the management server shou
Now without spellchecking :)
This is not simple e.g. for VMware. Each management server also acts as an
agent proxy so tasks against a particular ESX host will be always forwarded.
That right answer will be to support a native “maintenance mode” for management
server. When entered to such mode