Hi Rohit,
this is a freshly installed infrastructure, but we had some hardware problems (a mgmt server restart) and now the hosts are in "unsecure" state.

Do you have any idea how it could have ended up in this state? I'm analyzing the logs but I can't find much about it.

On 31/01/19 08:38, Rohit Yadav wrote:

Hi Ugo,


If it's a fresh 4.11.2.0 installation you don't need to do anything; your KVM hosts will be secured after you add them.


TL;DR - If you're upgrading, you simply need to run the provisionCertificate API against each of your KVM hosts after installation and upgrade. Refer: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#securing-process



- Rohit



rohit.ya...@shapeblue.com
www.shapeblue.com
@shapeblue

------------------------------------------------------------------------
*From:* Ugo Vasi <ugo.v...@procne.it>
*Sent:* Wednesday, January 30, 2019 6:43:00 PM
*To:* Rohit Yadav; users@cloudstack.apache.org
*Subject:* Re: secure hosts communications
Hi Rohit,
what I do not understand is whether in this ACS version (4.11.2.0) you have
to start the procedure manually or it is done during the installation.
Did I skip some steps during the installation?

Thanks

On 30/01/19 13:37, Rohit Yadav wrote:
>
> Hi Ugo,
>
>
> This will be a one-time procedure, and the KVM host and the VMs do not
> need a reboot but the provisionCertificate API will restart the
> libvirtd process (just check if that can have any side effects for
> your VMs/distro, on most modern distros restarting libvirtd does not
> have any side-effects on existing running VMs).
>
>
> - Rohit
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Ugo Vasi <ugo.v...@procne.it>
> *Sent:* Wednesday, January 30, 2019 4:47:09 PM
> *To:* users@cloudstack.apache.org; Rohit Yadav
> *Subject:* Re: secure hosts communications
> Hi Rohit,
> I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM hypervisor).
> I see that all the hosts are in an unsecure state in the UI and so
> live migration doesn't work (we had troubles with the mgmt server).
>
> I read in the documentation that by launching the provisionCertificate API
> (by pressing the appropriate button in the UI) the certificates will be
> renewed/regenerated for already connected agents/hosts.
>
> I do not understand if provisioning should be done manually on each host
> or if the procedure should be done only once.
>
> Does this procedure reboot the host or the instances it contains?
>
>
> Thanks
>
>
>
> On 27/11/18 09:49, Rohit Yadav wrote:
> > Hi Richard,
> >
> >
> > Please read:
> > http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
> >
> >
> > 4.11.2 is out, please consider using it instead of 4.11.1 as it has
> > several bugfixes etc.
> >
> > In short, with all of your KVM hosts up and connected to the mgmt
> > server, first change the auth strictness global setting to true, then
> > using the API secure the hosts using the provisionCertificate API. In the
> > UI, go to your hosts that don't show up as secure and click on the key
> > button (a new button) to secure the host, which calls the
> > provisionCertificate API as well.
> >
> >
> > - Rohit
> >
> >
> >
> >
> > ________________________________
> > From: Richard Persaud <richard.pers...@macys.com>
> > Sent: Monday, November 26, 2018 8:19:56 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: secure hosts communications
> >
> > Thank you, Rohit.
> >
> > I am using 4.11.1 with a full KVM environment. They are showing
> > unsecure with strictness set to true.
> >
> > What configuration needs to be adjusted to have the KVM hosts show
> > secure?
> >
> > Regards,
> >
> > Richard Persaud
> >
> > From: Rohit Yadav <rohit.ya...@shapeblue.com>
> > Sent: Saturday, November 24, 2018 2:02 PM
> > To: users@cloudstack.apache.org
> > Subject: Re: secure hosts communications
> >
> > Richard,
> >
> >
> > Starting 4.11, agent and management servers will use an in-built CA
> > framework to secure hosts. Only in the case of KVM hosts you may see an
> > insecure state; otherwise all KVM hosts (agents) and SSVM/CPVM agents
> > in Up state will be secured by default. There is an auth
> > strictness setting that should be true.
> >
> >
> >
> > - Rohit
> >
> >
> >
> >
> > ________________________________
> > From: Richard Persaud <richard.pers...@macys.com>
> > Sent: Saturday, November 24, 2018 4:21:24 AM
> > To: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>
> > Subject: secure hosts communications
> >
> > Hello,
> >
> > Is there a straightforward way to enable secure communications between
> > the management server and the hosts?
> >
> > I have looked at many documentations but am still unable to get the
> > hosts to show a "secure" state.
> >
> > Regards,
> >
> > Richard Persaud
> >
>
>
> --
>
> *Ugo Vasi* / System Administrator
> ugo.v...@procne.it
>
>
>
>
> *Procne S.r.l.*
> +39 0432 486 523
> via Cotonificio, 45
> 33010 Tavagnacco (UD)
> www.procne.it
>
>
> The information contained in this communication and its attachments may
> be confidential and is, in any case, intended exclusively for the persons
> or the Company indicated above. Dissemination, distribution and/or copying
> of the transmitted document by anyone other than the addressee is
> prohibited both under art. 616 of the Italian Criminal Code and under
> Legislative Decree no. 196/2003 "Code concerning the protection of
> personal data". If you have received this message in error, please
> destroy it and immediately inform Procne S.r.l. by writing to the e-mail
> address i...@procne.it.
>
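The procedure Rohit lays out in the thread (all KVM hosts up and connected, set the auth strictness global setting to true, then run provisionCertificate against each host that does not show as secure) can be driven from a script instead of clicking the key button per host. The following Python is an added example, not code from the thread or from the CloudStack project: it signs API requests the way the CloudStack API expects (sorted, URL-encoded, lowercased query string, HMAC-SHA1, base64), picks the unsecured KVM hosts out of a listHosts reply, and emits the updateConfiguration and provisionCertificate calls in order. The endpoint and key pair are placeholders, the setting name ca.plugin.root.auth.strictness is my assumption of what "auth strictness" refers to, the details.secured field is an assumption about where listHosts reports the secured state, and the listHosts output is constructed.

```python
import base64
import hashlib
import hmac
import json
import sys
import urllib.parse
import urllib.request

# Placeholders: point these at your management server and an admin API key pair.
API_URL = "http://mgmt.example.invalid:8080/client/api"
API_KEY = "API-KEY-PLACEHOLDER"
SECRET_KEY = "SECRET-KEY-PLACEHOLDER"

# Assumed name of the "auth strictness" global setting (the 4.11 CA framework's
# ca.plugin.root.auth.strictness); confirm it under Global Settings before applying.
STRICTNESS_SETTING = "ca.plugin.root.auth.strictness"

# Constructed listHosts output standing in for a live call, with the secured
# flag under details (an assumption about where your listHosts reply carries it).
SAMPLE_LIST_HOSTS = {"listhostsresponse": {"count": 3, "host": [
    {"id": "h1", "name": "kvm-01", "hypervisor": "KVM", "state": "Up",
     "details": {"secured": "true"}},
    {"id": "h2", "name": "kvm-02", "hypervisor": "KVM", "state": "Up",
     "details": {"secured": "false"}},
    {"id": "h3", "name": "kvm-03", "hypervisor": "KVM", "state": "Disconnected",
     "details": {"secured": "false"}},
]}}


def encode_query(params):
    """'key=value&...' with keys sorted case-insensitively and values
    URL-encoded ('+' replaced by '%20'): the string the API signs."""
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={urllib.parse.quote_plus(str(v)).replace('+', '%20')}"
                    for k, v in items)


def sign(params, secret_key):
    """CloudStack API signature: HMAC-SHA1 of the lowercased query string, base64."""
    msg = encode_query(params).lower().encode()
    return base64.b64encode(hmac.new(secret_key.encode(), msg, hashlib.sha1).digest()).decode()


def signed_query(params, api_key, secret_key):
    """Query string for a GET on /client/api: the parameters plus apikey and
    response=json, with the URL-encoded signature appended last."""
    full = dict(params, apikey=api_key, response="json")
    return encode_query(full) + "&signature=" + urllib.parse.quote_plus(sign(full, secret_key))


def call_api(params):
    """Send one signed request and decode the JSON reply."""
    with urllib.request.urlopen(API_URL + "?" + signed_query(params, API_KEY, SECRET_KEY)) as resp:
        return json.load(resp)


def plan_provisioning(list_hosts_response):
    """Return (host ids to provision, host ids skipped). A host is skipped when it
    is not Up: the thread's precondition is that every KVM host is up and connected."""
    to_secure, skipped = [], []
    for host in list_hosts_response.get("listhostsresponse", {}).get("host", []):
        if host.get("hypervisor") != "KVM":
            continue
        if str(host.get("details", {}).get("secured", "")).lower() == "true":
            continue  # already secured, nothing to do
        (to_secure if host.get("state") == "Up" else skipped).append(host["id"])
    return to_secure, skipped


def provisioning_requests(list_hosts_response):
    """The API calls in the order Rohit gives: strictness setting first, then
    one provisionCertificate per unsecured, connected host."""
    to_secure, _ = plan_provisioning(list_hosts_response)
    calls = [{"command": "updateConfiguration", "name": STRICTNESS_SETTING, "value": "true"}]
    calls += [{"command": "provisionCertificate", "hostid": host_id} for host_id in to_secure]
    return calls


if __name__ == "__main__":
    live = "--live" in sys.argv
    hosts = (call_api({"command": "listHosts", "type": "Routing", "hypervisor": "KVM"})
             if live else SAMPLE_LIST_HOSTS)
    _, skipped = plan_provisioning(hosts)
    if skipped:
        print("not Up, bring these back before provisioning:", skipped)
    for params in provisioning_requests(hosts):
        print("request:", params)
        if live and "--apply" in sys.argv:
            # provisionCertificate is asynchronous; the reply carries a job id to
            # poll. Per the thread it also restarts libvirtd on the host.
            print(json.dumps(call_api(params), indent=2))
```

Run without arguments it only prints the planned calls against the constructed sample; `--live` reads the real host list and `--live --apply` sends the requests. Keeping the disconnected host out of the plan matters because, as the thread says, provisioning only works with the host up and connected, and the libvirtd restart it triggers is worth scheduling rather than firing at every host blindly.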

