[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382086#comment-16382086 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rhtyd commented on a change in pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#discussion_r171580645

## File path: agent/src/com/cloud/agent/Agent.java ##
@@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) { _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword); } -Script script = new Script(_keystoreSetupPath, 6, s_logger); +Script script = new Script(true, _keystoreSetupPath, 6, s_logger);

Review comment:
@krissterckx this runs the script with sudo (when true is passed). It allows admins to add a KVM host using a non-root sudoer user (see for details https://cwiki.apache.org/confluence/display/CLOUDSTACK/Allow+non-root+user+to+add+KVM+hypervisor)

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

> Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
> ---------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-10283
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10283
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Major
> Fix For: 4.12.0.0, 4.11.1.0
>
>
> Addition of a KVM host creates keystore on the KVM host's /etc/cloudstack/agent path. The current scripts and codebase assumes that it will be the root user which is why the script don't call keytool with 'sudo'.
> To allow addition of host using a sudo-enabled/admin user, make suitable changes to the script, and also fail the addHost execution if keystore scripts fail (say due to permission issues etc).

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382075#comment-16382075 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

krissterckx commented on a change in pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#discussion_r171577491

## File path: agent/src/com/cloud/agent/Agent.java ##
@@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) { _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword); } -Script script = new Script(_keystoreSetupPath, 6, s_logger); +Script script = new Script(true, _keystoreSetupPath, 6, s_logger);

Review comment:
sorry what does this mean/do ?
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382070#comment-16382070 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

krissterckx commented on a change in pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#discussion_r171577491

## File path: agent/src/com/cloud/agent/Agent.java ##
@@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) { _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword); } -Script script = new Script(_keystoreSetupPath, 6, s_logger); +Script script = new Script(true, _keystoreSetupPath, 6, s_logger);

Review comment:
sorry what does this mean/do ?
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376656#comment-16376656 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rhtyd commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-368460512

@rafaelweingartner feel free to rekick the discussion and start a vote. I've shared my preference with you which is based on two things - (a) allows git-users like myself who prefers to keep track of changes using command-line, (b) for maintainers who would want to backport a feature/fix which is easier if every fix/pr is a single commit than bunch of them.
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376629#comment-16376629 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rafaelweingartner commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-368455248

I am sorry @rhtyd, but I find using merge commits when merging PRs a good idea. We do not have a protocol for merges yet (use or not use the merge commit). There was a thread a while ago discussing this topic in [1]. Some people preferred maintaining the merge commits when merging a PR (myself included). However, the thread died after a while, I believe the author (Daan) was busy with something else to finalize the discussion and create something formal.

[1] http://mail-archives.apache.org/mod_mbox/cloudstack-dev/201801.mbox/%3CCAGQtxva9xnipUXvc56wA4NT5fuwLXzR3cpD%3DFf1mO%3DxZYoKQ7w%40mail.gmail.com%3E
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376574#comment-16376574 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rhtyd commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-368437038

@rafaelweingartner can you kindly squash merge in future, otherwise, we'll have commit+merge commits on the branches that make the git graph look weird and difficult to track changes.
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373663#comment-16373663 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-367856506

Packaging result: ✔centos6 ✖centos7 ✔debian. JID-1731
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373613#comment-16373613 ]

ASF subversion and git services commented on CLOUDSTACK-10283:

Commit f1cf5f97e97558194a813119876f56bd55d0ff2a in cloudstack's branch refs/heads/4.11 from [~rohit.ya...@shapeblue.com]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=f1cf5f9 ]

CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure

This would make keystore utility scripts being executed as sudoer in case the process uid/owner is not root but still a sudoer user. Also fails addHost while securing a KVM host and if keystore fails to be setup for any reason.

Signed-off-by: Rohit Yadav
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373615#comment-16373615 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-367848555

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373610#comment-16373610 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rafaelweingartner commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-367848375

Tests and reviews are ok. I will merge this one then.
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373612#comment-16373612 ] ASF GitHub Bot commented on CLOUDSTACK-10283: - rafaelweingartner closed pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure URL: https://github.com/apache/cloudstack/pull/2454 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/agent/src/com/cloud/agent/Agent.java b/agent/src/com/cloud/agent/Agent.java index d2669c03aeb..1c5417bf767 100644 --- a/agent/src/com/cloud/agent/Agent.java +++ b/agent/src/com/cloud/agent/Agent.java @@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) { _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword); } -Script script = new Script(_keystoreSetupPath, 6, s_logger); +Script script = new Script(true, _keystoreSetupPath, 6, s_logger); script.add(agentFile.getAbsolutePath()); script.add(keyStoreFile); script.add(storedPassword); @@ -691,7 +691,7 @@ private Answer setupAgentCertificate(final SetupCertificateCommand cmd) { throw new CloudRuntimeException("Unable to save received agent client and ca certificates", e); } -Script script = new Script(_keystoreCertImportPath, 6, s_logger); +Script script = new Script(true, _keystoreCertImportPath, 6, s_logger); script.add(agentFile.getAbsolutePath()); script.add(keyStoreFile); script.add(KeyStoreUtils.agentMode); diff --git a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java index 63a44b83518..c1afc9a6f88 100644 --- a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java 
+++ b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java @@ -62,6 +62,7 @@ import com.cloud.resource.UnableDeleteHostException; import com.cloud.utils.PasswordGenerator; import com.cloud.utils.StringUtils; +import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.ssh.SSHCmdHelper; import com.trilead.ssh2.Connection; @@ -144,8 +145,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age } if (sshConnection == null) { -s_logger.warn("Cannot secure agent communication because ssh connection is invalid for host ip=" + agentIp); -return; +throw new CloudRuntimeException("Cannot secure agent communication because ssh connection is invalid for host ip=" + agentIp); } Integer validityPeriod = CAManager.CertValidityPeriod.value(); @@ -154,7 +154,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age } final SSHCmdHelper.SSHCmdResult keystoreSetupResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection, -String.format("/usr/share/cloudstack-common/scripts/util/%s " + +String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " + "/etc/cloudstack/agent/agent.properties " + "/etc/cloudstack/agent/%s " + "%s %d " + 
@@ -166,19 +166,17 @@ private void setupAgentSecurity(final Connection sshConnection, final String age KeyStoreUtils.defaultCsrFile)); if (!keystoreSetupResult.isSuccess()) { -s_logger.error("Failing, the keystore setup script failed execution on the KVM host: " + agentIp); -return; +throw new CloudRuntimeException("Failed to setup keystore on the KVM host: " + agentIp); } final Certificate certificate = caManager.issueCertificate(keystoreSetupResult.getStdOut(), Collections.singletonList(agentHostname), Collections.singletonList(agentIp), null, null); if (certificate == null || certificate.getClientCertificate() == null) { -s_logger.error("Failing, the configured CA plugin failed to issue certificates for KVM host agent: " + agentIp); -return; +throw new CloudRuntimeException("Failed to issue certificates for KVM host agent: " + agentIp); } final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate); final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection, - String.format("/usr/share/cloudstack-common/scripts
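Review bot: In agent/src/com/cloud/agent/Agent.java, hunk @@ -647,7 +647,7 @@, the keystore passphrase is still handed to the script as a positional argument (`script.add(storedPassword);`), and with the new leading `true` that command line now goes through sudo, which records the command and its arguments in its log, in addition to the arguments being visible in the process list while the script runs. Consider passing the passphrase on stdin or through a root-only file instead. The bare `true` also reads as a magic value (a reviewer in this thread had to ask what it does); a short comment or a named constant at both call sites in this file would make the sudo intent explicit.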
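Review bot: In server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java, hunk @@ -154,7 +154,7 @@, the command sent over SSH is assembled with String.format and its %s values are placed into the shell line unquoted, which matters more now that the line starts with `sudo` and runs as root. Please quote each interpolated argument, or state in a comment that every value is a constant or is generated by the management server. If the sudoers entry for the login user requires a password, plain `sudo` cannot run non-interactively here; `sudo -n` makes that case fail at once with a clear error, and the NOPASSWD requirement deserves a line in the documentation.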
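Review bot: In server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java, hunk @@ -166,19 +166,17 @@, the new CloudRuntimeException for a failed keystore setup carries only the host IP, so the reason the script failed (the issue mentions permission problems) is lost, and the s_logger.error calls that used to mark the spot are removed. Include the output captured in keystoreSetupResult in the message, or log it before throwing; the same applies to the certificate-issue failure a few lines below. Callers of setupAgentSecurity now get an exception where they previously got a silent return, which is worth a Javadoc line on the method.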
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373614#comment-16373614 ]

ASF subversion and git services commented on CLOUDSTACK-10283:

Commit cae32925608815f7defa76621ed9c6a23fab1cef in cloudstack's branch refs/heads/4.11 from [~rafaelweingartner]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=cae3292 ]

Merge pull request #2454 from shapeblue/keystore-utils-sudoer

CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364806#comment-16364806 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-365751902

Trillian test result (tid-2258)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 26556 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2454-t2258-kvm-centos7.zip
Intermitten failure detected: /marvin/tests/smoke/test_privategw_acl.py
Intermitten failure detected: /marvin/tests/smoke/test_host_maintenance.py
Smoke tests completed. 67 look OK, 0 have error(s)
Only failed tests results shown below:

Test | Result | Time (s) | Test File
--- | --- | --- | ---
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364054#comment-16364054 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-365611671

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364052#comment-16364052 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rhtyd commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-365611540

@blueorangutan test
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16363875#comment-16363875 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-365594713

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1715
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16363863#comment-16363863 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

blueorangutan commented on issue #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454#issuecomment-365589075

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16363862#comment-16363862 ]

ASF GitHub Bot commented on CLOUDSTACK-10283:

rhtyd opened a new pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454

This would make keystore utility scripts be executed as sudoer in case the process uid/owner is not root but still a sudoer user. Also fails addHost while securing a KVM host and if keystore fails to be set up for any reason.

@blueorangutan package