Merge dbb83c23cd into 5893ba5a8c

.pre-commit-config.yaml

@@ -151,7 +151,7 @@ repos:
           ^server/src/test/resources/certs/rsa_self_signed\.key$|
           ^services/console-proxy/rdpconsole/src/test/doc/rdp-key\.pem$|
           ^systemvm/agent/certs/localhost\.key$|
-          ^systemvm/agent/certs/realhostip\.key$|
+          ^systemvm/agent/certs/systemvm\.key$|
           ^test/integration/smoke/test_ssl_offloading\.py$
       - id: end-of-file-fixer
         exclude: \.vhd$|\.svg$

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -115,6 +115,11 @@ CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Resource Admin', 'deleteUserKey
 -- Add conserve mode for VPC offerings
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tinyint(1) unsigned NULL DEFAULT 0 COMMENT ''True if the VPC offering is IP conserve mode enabled, allowing public IP services to be used across multiple VPC tiers'' ');
 
+-- Remove stale realhostip.com default values; domain has been dead since ~2015.
+UPDATE `cloud`.`configuration`
+    SET value = NULL
+    WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain')
+      AND value IN ('realhostip.com', '*.realhostip.com');
 --- Disable/enable NICs
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.nics','enabled', 'TINYINT(1) NOT NULL DEFAULT 1 COMMENT ''Indicates whether the NIC is enabled or not'' ');
 

server/src/main/java/com/cloud/server/ConfigurationServerImpl.java

@@ -222,9 +222,6 @@ public class ConfigurationServerImpl extends ManagerBase implements Configuratio
             _configDao.update(Config.SecStorageEncryptCopy.key(), Config.SecStorageEncryptCopy.getCategory(), "false");
             logger.debug("ConfigurationServer made secondary storage copy encrypt set to false.");
 
-            _configDao.update("secstorage.secure.copy.cert", "realhostip");
-            logger.debug("ConfigurationServer made secondary storage copy use realhostip.");
-
             _configDao.update("user.password.encoders.exclude", "MD5,LDAP,PLAINTEXT");
             logger.debug("Configuration server excluded insecure encoders");
 

server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java

@@ -87,11 +87,6 @@ public class DownloadMonitorImpl extends ManagerBase implements DownloadMonitor
         final Map<String, String> configs = _configDao.getConfiguration("management-server", params);
         _proxy = configs.get(Config.SecStorageProxy.key());
 
-        String cert = configs.get("secstorage.ssl.cert.domain");
-        if (!"realhostip.com".equalsIgnoreCase(cert)) {
-            logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
-        }
-
         _copyAuthPasswd = configs.get("secstorage.copy.password");
 
         DownloadListener dl = new DownloadListener(this);

server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java

@@ -231,8 +231,8 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
             UploadVO upload = extractURLList.get(0);
             String uploadUrl = extractURLList.get(0).getUploadUrl();
             String[] token = uploadUrl.split("/");
-            // example: uploadUrl = https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
-            // then token[2] = 10-11-101-112.realhostip.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+            // example: uploadUrl = https://10-11-101-112.example.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+            // then token[2] = 10-11-101-112.example.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
             String hostname = ep.getPublicAddr().replace(".", "-") + ".";
             if ((token != null) && (token.length == 5) && (token[2].equals(hostname + _ssvmUrlDomain))) // ssvm publicip and domain suffix not changed
                 return extractURLList.get(0);
@@ -365,7 +365,9 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
             if (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) {
                 hostname = hostname + "." + _ssvmUrlDomain;
             } else {
-                hostname = hostname + ".realhostip.com";
+                logger.warn("SSL copy is enabled but secstorage.ssl.cert.domain is not configured; "
+                    + "using IP address directly. Configure a wildcard SSL certificate domain for proper HTTPS support.");
+                hostname = ipAddress;
             }
         }
         return scheme + "://" + hostname + "/userdata/" + uuid;
@@ -376,11 +378,6 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
         final Map<String, String> configs = _configDao.getConfiguration("management-server", params);
         _sslCopy = Boolean.parseBoolean(configs.get("secstorage.encrypt.copy"));
 
-        String cert = configs.get("secstorage.secure.copy.cert");
-        if ("realhostip.com".equalsIgnoreCase(cert)) {
-            logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
-        }
-
         _ssvmUrlDomain = configs.get("secstorage.ssl.cert.domain");
 
         _agentMgr.registerForHostEvents(new UploadListener(this), true, false, false);

server/src/test/java/com/cloud/keystore/KeystoreTest.java

@@ -75,20 +75,20 @@ public class KeystoreTest extends TestCase {
             ComponentLocator locator = ComponentLocator.getCurrentLocator();
 
             KeystoreDao ksDao = locator.getDao(KeystoreDao.class);
-            ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "realhostip.com");
+            ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "example.com");
             ksVo = ksDao.findByName("CPVMCertificate");
             assertTrue(ksVo != null);
             assertTrue(ksVo.getCertificate().equals("CPVMCertificate"));
             assertTrue(ksVo.getKey().equals("KeyForCertificate"));
-            assertTrue(ksVo.getDomainSuffix().equals("realhostip.com"));
+            assertTrue(ksVo.getDomainSuffix().equals("example.com"));
 
-            ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.realhostip.com");
+            ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.example.com");
 
             ksVo = ksDao.findByName("CPVMCertificate");
             assertTrue(ksVo != null);
             assertTrue(ksVo.getCertificate().equals("CPVMCertificate Again"));
             assertTrue(ksVo.getKey().equals("KeyForCertificate Again"));
-            assertTrue(ksVo.getDomainSuffix().equals("again.realhostip.com"));
+            assertTrue(ksVo.getDomainSuffix().equals("again.example.com"));
 
             ksDao.expunge(ksVo.getId());
         }
@@ -112,9 +112,9 @@ public class KeystoreTest extends TestCase {
             assertTrue(ksMgr.configure("TaskManager", new HashMap<String, Object>()));
             assertTrue(ksMgr.start());
 
-            ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "realhostip.com");
+            ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "example.com");
 
-            byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "realhostip", "vmops.com");
+            byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "example", "vmops.com");
             assertTrue(ksBits != null);
 
             try {

services/console-proxy/server/pom.xml

@@ -80,7 +80,7 @@
             <resource>
                 <directory>certs</directory>
                 <excludes>
-                    <exclude>realhostip.csr</exclude>
+                    <exclude>systemvm.csr</exclude>
                 </excludes>
             </resource>
         </resources>

services/secondary-storage/server/pom.xml

@@ -107,7 +107,7 @@
                     <systemProperties>
                         <systemProperty>
                             <key>javax.net.ssl.trustStore</key>
-                            <value>certs/realhostip.keystore</value>
+                            <value>certs/systemvm.keystore</value>
                             <key>log.home</key>
                             <value>${PWD}/</value>
                         </systemProperty>

systemvm/agent/scripts/_run.sh

@@ -60,4 +60,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then
   fi
 fi
 
-java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@
+java -Djavax.net.ssl.trustStore=./certs/systemvm.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@

systemvm/agent/scripts/config_ssl.sh

@@ -52,13 +52,13 @@ cflag=
 cpkflag=
 cpcflag=
 cccflag=
-customPrivKey=$(dirname $0)/certs/realhostip.key
-customPrivCert=$(dirname $0)/certs/realhostip.crt
+customPrivKey=$(dirname $0)/certs/systemvm.key
+customPrivCert=$(dirname $0)/certs/systemvm.crt
 customCertChain=
 customCACert=
 publicIp=
 hostName=
-keyStore=$(dirname $0)/certs/realhostip.keystore
+keyStore=$(dirname $0)/certs/systemvm.keystore
 defaultJavaKeyStoreFile=/etc/ssl/certs/java/cacerts
 defaultJavaKeyStorePass="changeit"
 aliasName="CPVMCertificate"

systemvm/debian/opt/cloud/bin/setup/bootstrap.sh

@@ -65,7 +65,7 @@ patch_systemvm() {
   fi
   rm -fr $backupfolder
   # Import global cacerts into 'cloud' service's keystore
-  keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
+  keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
   return 0
 }
 

systemvm/patch-sysvms.sh

@@ -126,7 +126,7 @@ patch_systemvm() {
 
   if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then
     # Import global cacerts into 'cloud' service's keystore
-    keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt 2>/dev/null || true
+    keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt 2>/dev/null || true
   fi
 
   update_checksum $newpath/cloud-scripts.tgz

systemvm/pom.xml

@@ -205,7 +205,7 @@
                             <systemProperties>
                                 <systemProperty>
                                     <key>javax.net.ssl.trustStore</key>
-                                    <value>certs/realhostip.keystore</value>
+                                    <value>certs/systemvm.keystore</value>
                                     <key>log.home</key>
                                     <value>${PWD}/</value>
                                 </systemProperty>

utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java

@@ -27,7 +27,7 @@ public class ImageStoreUtilTest {
 
     @Test
     public void testgenerateHttpsPostUploadUrl() throws MalformedURLException {
-        String ssvmdomain = "*.realhostip.com";
+        String ssvmdomain = "*.example.com";
         String ipAddress = "10.147.28.14";
         String uuid = UUID.randomUUID().toString();
         String protocol = "https";
@@ -47,7 +47,7 @@ public class ImageStoreUtilTest {
 
     @Test
     public void testgenerateHttpPostUploadUrl() throws MalformedURLException {
-        String ssvmdomain = "*.realhostip.com";
+        String ssvmdomain = "*.example.com";
         String ipAddress = "10.147.28.14";
         String uuid = UUID.randomUUID().toString();
         String protocol = "http";