Hi Nicolas,

Where do we stand on this? Is this something that could be easily updated or feature added? I'm not familiar with the code base. If I were to explore the idea of making an update and submitting a PR, where would I start?

Regards,
Willard

On Fri, Jun 16, 2023 at 6:41 AM Will Conrad <wcon...@hivelocity.net> wrote:

> Nicolas,
>
> "In your requirement do you mean to change the template URL and re-download the template from a different location or simply download again the template from the same URL after updating the served file?"
>
> For our use case the URL will stay the same, but the file will be updated (though I could imagine other use cases where an update of the URL would be useful too). Consider a URL like http://some.distro.com/cloud/latest/imgname.img where /latest/ automatically takes you to the latest updated version of that file over time. We would not be looking to trigger an update on all of the primary storage pools where instances have been deployed, just the secondary storage such that new deploys use the updated image.
>
> Over time, distro cloud images get updated with the latest updates (that one would receive just by running apt update && apt upgrade, for instance). If we continue to deploy with the same image, updates will cause vm deployment to take longer and longer over time, as well as consume more and more network bandwidth, due to the updates each vm will have to perform at time of deployment.
>
> "Afaik there is no supported way to safely do this except manually updating the files on the downloaded storage pools (secondary and primary) which should be updated carefully. The tables template_store_ref and template_spool_ref indicate the downloaded copies on secondary and primary pools of each template."
>
> I assume you're referring to the question about copying over/updating the secondary storage image manually. I consider this idea a hack that could cause issues or at the very least be at risk of breaking when a new cloudstack update gets deployed. I don't like the idea myself. I'm just trying to explore all the options available to us and see where your guidance takes me.
>
> The reality is that we can make direct download work, but to do so would require additional infrastructure (for instance, a webserver in each zone where we point the URL to, that we now have to maintain and monitor). Ideally we would just like to let the secondary storage server(s) fulfill their role.
>
> On Thu, Jun 15, 2023 at 10:30 PM Nicolas Vazquez <nicolas.vazq...@shapeblue.com> wrote:
>
>> Hi Will,
>>
>> When registering a template CloudStack usually downloads it first to secondary storage and then copies it through the different primary storage pools when a VM deployment requires it. The aim of the direct download feature is to skip the first step and directly download the templates into primary storage pools without any secondary storage intervention.
>>
>> In your requirement do you mean to change the template URL and re-download the template from a different location or simply download again the template from the same URL after updating the served file? Afaik there is no supported way to safely do this except manually updating the files on the downloaded storage pools (secondary and primary) which should be updated carefully. The tables template_store_ref and template_spool_ref indicate the downloaded copies on secondary and primary pools of each template.
>>
>> Regards,
>> Nicolas Vazquez
>>
>> From: Will Conrad <wcon...@hivelocity.net.INVALID>
>> Date: Thursday, 15 June 2023 at 14:47
>> To: users@cloudstack.apache.org <users@cloudstack.apache.org>
>> Subject: Re: Direct Download/Bypass Secondary Storage option for templates
>> Nicolas,
>>
>> The reason we're considering using the directdownload feature is to simplify template maintenance/updates. I presume that's what it was designed for. We want to be able to, preferably through cloudstack functionality, update the template image file associated with a template.
>> We planned on achieving this utilizing directdownload to decouple the image file from the registered template itself when it occurred to us that a "regrab" button in the template properties webui or an API call to tell secondary storage to redownload the source would very much simplify this process.
>>
>> This brings my questions to:
>>
>> How difficult would it be to implement something like that?
>>
>> Is there another way to update the imagefile associated with a template? I mean, could we manually overwrite the file on secondary storage? Would that break anything?
>>
>> What is Cloudstack's recommended best practice for managing template images?
>>
>> Regards,
>>
>> Willard (Will)
>>
>> On Wed, Jun 14, 2023 at 10:26 AM Nicolas Vazquez <nicolas.vazq...@shapeblue.com> wrote:
>>
>> > No problem, I think these docs do not clearly state the supported storage providers, I will fix that. On this blog entry we have mentioned them:
>> > https://www.shapeblue.com/cloudstack-feature-first-look-direct-download-agnostic-of-the-storage-provider/
>> >
>> > Currently the direct download feature is supported on NFS, local storage and shared mount point, but not for Ceph.
>> >
>> > Regards,
>> > Nicolas Vazquez
>> >
>> > From: Will Conrad <wcon...@hivelocity.net.INVALID>
>> > Date: Wednesday, 14 June 2023 at 10:58
>> > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
>> > Subject: Re: Direct Download/Bypass Secondary Storage option for templates
>> > Nicolas,
>> >
>> > I feel silly for not having read that documentation all the way through. Thank you for your assistance.
>> >
>> > I have another question, now. Since we've been working with this we have been trying various methods of testing directdownload templates. Since we were having problems with HTTPS, we tested HTTP. We have run into a problem where the template fails to download if the guest is using ceph storage.
>> > When we change to creating the VM on "local" storage, the template download succeeds and the VM creates successfully. Are there any insights you can provide here? Is there more documentation I may have missed?
>> >
>> > On Wed, Jun 14, 2023 at 9:39 AM Nicolas Vazquez <nicolas.vazq...@shapeblue.com> wrote:
>> >
>> > > Thanks Will,
>> > >
>> > > Currently it is only possible to upload the certificate via API but not from the UI, please find it documented here:
>> > > https://docs.cloudstack.apache.org/en/latest/adminguide/templates.html#bypassing-secondary-storage-for-kvm-templates
>> > >
>> > > In your case as the template is stored on Github you may want to upload a Github certificate to the hosts for the download to be trusted.
>> > >
>> > > Regards,
>> > > Nicolas Vazquez
>> > >
>> > > From: Will Conrad <wcon...@hivelocity.net.INVALID>
>> > > Date: Wednesday, 14 June 2023 at 10:06
>> > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
>> > > Subject: Re: Direct Download/Bypass Secondary Storage option for templates
>> > > Hi Wei and Nicolas,
>> > >
>> > > Thank you for your responses.
>> > >
>> > > Wei,
>> > >
>> > > I checked the host, and confirmed that yes the ca-certificates package is installed and latest.
>> > > "root@lax2-cs-hv01:~# apt list ca-certificates -a
>> > >
>> > > Listing... Done
>> > >
>> > > ca-certificates/jammy-updates,jammy-security,now 20230311ubuntu0.22.04.1 all [installed,automatic]
>> > >
>> > > ca-certificates/jammy 20211016 all
>> > >
>> > > Nicolas,
>> > >
>> > > "Have you tried uploading the required certificate for the https download via the uploadTemplateDirectDownloadCertificate API?"
>> > >
>> > > No I have not. I was unaware of the need to do this. Is there documentation I may have missed? What certificate is supposed to be uploaded and how is it used?
>> > >
>> > > Regards,
>> > >
>> > > Willard
>> > >
>> > > On Tue, Jun 13, 2023 at 10:01 PM Nicolas Vazquez <nicolas.vazq...@shapeblue.com> wrote:
>> > >
>> > > > Hi Will,
>> > > >
>> > > > Have you tried uploading the required certificate for the https download via the uploadTemplateDirectDownloadCertificate API?
>> > > >
>> > > > Regards,
>> > > > Nicolas Vazquez
>> > > >
>> > > > From: Wei ZHOU <ustcweiz...@gmail.com>
>> > > > Date: Tuesday, 13 June 2023 at 20:01
>> > > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
>> > > > Subject: Re: Direct Download/Bypass Secondary Storage option for templates
>> > > > Hi Will,
>> > > >
>> > > > What hypervisor do you use? Have you installed ca-certificates package?
>> > > >
>> > > > -Wei
>> > > >
>> > > > On Tuesday, 13 June 2023, Will Conrad <wcon...@hivelocity.net.invalid> wrote:
>> > > >
>> > > > > Hello again, Community!
>> > > > >
>> > > > > We're trying to make use of DirectDownload templates which makes use of the "Bypass Secondary Storage" feature, but we seem to be having issues with this functionality.
>> > > > >
>> > > > > After setting up a new template with "Direct Download" turned on and an HTTPS URL our template file won't download. The download source is a file stored in github.
>> > > > > This is what we see in the logs:
>> > > > >
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-5:) (logid:7b08521c) Error downloading template 209 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-1:) (logid:7b08521c) Trying to fetch storage pool 3b59a095-9e71-3e97-92a8-56aa3f931a5e from libvirt
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-1:) (logid:7b08521c) Error downloading template 209 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-4:) (logid:78a6fa93) Trying to fetch storage pool 3b59a095-9e71-3e97-92a8-56aa3f931a5e from libvirt
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-4:) (logid:78a6fa93) Asking libvirt to refresh storage pool 3b59a095-9e71-3e97-92a8-56aa3f931a5e
>> > > > > Jun 13 16:12:07 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-2:) (logid:7b08521c) Trying to fetch storage pool 3b59a095-9e71-3e97-92a8-56aa3f931a5e from libvirt
>> > > > > Jun 13 16:12:08 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-3:)
>> > > > > (logid:78a6fa93) Trying to fetch storage pool eb9f16ef-3ba3-4c50-9e64-807b6f2c8994 from libvirt
>> > > > > Jun 13 16:12:08 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-3:) (logid:78a6fa93) Asking libvirt to refresh storage pool eb9f16ef-3ba3-4c50-9e64-807b6f2c8994
>> > > > > Jun 13 16:12:08 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-2:) (logid:7b08521c) Error downloading template 209 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > > > >
>> > > > > We've been through this documentation:
>> > > > > https://docs.cloudstack.apache.org/en/latest/adminguide/hosts.html#securing-process
>> > > > >
>> > > > > but everything seems to be in order, on our side. Any insights here?
>> > > > > Happy to provide any logs or configuration information to assist.
>> > > > >
>> > > > > Regards,
>> > > > >
>> > > > > Willard Conrad
>> > > > >
>> > > > > DevOps Engineer
>> > > > >
>> > > > > Hivelocity, LLC
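
An added example, not part of the thread and not CloudStack code: a triage script that reads agent log lines in the format quoted above and separates template downloads that failed on certificate trust (the "PKIX path building failed" error) from other download failures. The sample lines are constructed from the quoted format; the "Connection refused" entry, template 210 and logid 11aa22bb are invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the agent log lines quoted in the thread.
# The last entry (template 210, "Connection refused") is invented for contrast.
SAMPLE_LOG = """\
Jun 13 16:12:07 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-5:) (logid:7b08521c) Error downloading template 209 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jun 13 16:12:07 lax2-cs-hv01 java[26054]: INFO [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-1:) (logid:7b08521c) Trying to fetch storage pool 3b59a095-9e71-3e97-92a8-56aa3f931a5e from libvirt
Jun 13 16:12:08 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-2:) (logid:7b08521c) Error downloading template 209 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jun 13 16:15:41 lax2-cs-hv01 java[26054]: WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-3:) (logid:11aa22bb) Error downloading template 210 due to: Connection refused
"""

# syslog prefix, level, [class], (thread), (logid:...), message
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \S+: (?P<level>\w+)\s+"
    r"\[(?P<cls>[^\]]+)\] \((?P<thread>[^)]*)\) \(logid:(?P<logid>\w+)\) (?P<msg>.*)$"
)
DOWNLOAD_ERR = re.compile(r"Error downloading template (?P<tid>\d+) due to: (?P<why>.*)")

def classify(reason):
    """Map a failure reason to a coarse cause a responder can act on."""
    if "PKIX path building failed" in reason or "SunCertPathBuilderException" in reason:
        return "untrusted-certificate"  # JVM could not chain the server cert to a trusted CA
    return "other"

def triage(log_text):
    """Group failed template downloads by template id, with causes, hosts and logids."""
    report = defaultdict(lambda: {"causes": defaultdict(int), "hosts": set(), "logids": set()})
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry or entry["level"] != "WARN":
            continue  # skip INFO noise and lines in another format
        err = DOWNLOAD_ERR.search(entry["msg"])
        if not err:
            continue
        item = report[int(err["tid"])]
        item["causes"][classify(err["why"])] += 1
        item["hosts"].add(entry["host"])
        item["logids"].add(entry["logid"])
    return report

def needs_trust_fix(report):
    """Template ids whose every recorded failure was a certificate trust failure."""
    return sorted(t for t, r in report.items() if set(r["causes"]) == {"untrusted-certificate"})

if __name__ == "__main__":
    print(needs_trust_fix(triage(SAMPLE_LOG)))
```

Templates returned by needs_trust_fix are the ones the thread's advice applies to: upload the required certificate through the uploadTemplateDirectDownloadCertificate API so the download is trusted.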