From 76793f0fa71651d0cf74ed5938669af2d40274b6 Mon Sep 17 00:00:00 2001
From: Abhisar Sinha <63767682+abh1sar@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:09:43 +0530
Subject: [PATCH] enable TLS by default and add listen address to
 agent.properties

---
 agent/conf/agent.properties                   | 12 ++++++-----
 .../agent/properties/AgentProperties.java     | 15 ++++----------
 .../resource/LibvirtComputingResource.java    | 19 +++++-------------
 ...virtCreateImageTransferCommandWrapper.java | 20 ++++++++++++-------
 ...rtFinalizeImageTransferCommandWrapper.java |  8 ++++----
 5 files changed, 33 insertions(+), 41 deletions(-)

diff --git a/agent/conf/agent.properties b/agent/conf/agent.properties
index f2fcfd83eb1..7a74c908135 100644
--- a/agent/conf/agent.properties
+++ b/agent/conf/agent.properties
@@ -78,11 +78,13 @@ zone=default
 # Generated with "uuidgen".
 local.storage.uuid=
 
-# Enable TLS for image server transfers.
-# When enabled, certificate and key paths must both be configured.
-# image.server.tls.enabled=false
-# image.server.tls.cert.file=/etc/cloudstack/agent/cloud.crt
-# image.server.tls.key.file=/etc/cloudstack/agent/cloud.key
+# Enable TLS for image server transfers. The keys are read from:
+# cert file = /etc/cloudstack/agent/cloud.crt
+# key file = /etc/cloudstack/agent/cloud.key
+image.server.tls.enabled=true
+
+# The Address for the network interface that the image server listens on. If not specified, it will listen on the Management network.
+#image.server.listen.address=
 
 # Location for KVM virtual router scripts.
 # The path defined in this property is relative to the directory "/usr/share/cloudstack-common/".
diff --git a/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java b/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
index 22a25eaa6d8..ec60b541605 100644
--- a/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
+++ b/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
@@ -126,23 +126,16 @@ public class AgentProperties{
     /**
      * Enables TLS on the KVM image server transfer endpoint.<br>
      * Data type: Boolean.<br>
-     * Default value: <code>false</code>
+     * Default value: <code>true</code>
      */
-    public static final Property<Boolean> IMAGE_SERVER_TLS_ENABLED = new Property<>("image.server.tls.enabled", false);
+    public static final Property<Boolean> IMAGE_SERVER_TLS_ENABLED = new Property<>("image.server.tls.enabled", true);
 
     /**
-     * PEM certificate file used by the KVM image server when TLS is enabled.<br>
+     * The IP address that the KVM image server listens on.<br>
      * Data type: String.<br>
      * Default value: <code>null</code>
      */
-    public static final Property<String> IMAGE_SERVER_TLS_CERT_FILE = new Property<>("image.server.tls.cert.file", null, String.class);
-
-    /**
-     * PEM private key file used by the KVM image server when TLS is enabled.<br>
-     * Data type: String.<br>
-     * Default value: <code>null</code>
-     */
-    public static final Property<String> IMAGE_SERVER_TLS_KEY_FILE = new Property<>("image.server.tls.key.file", null, String.class);
+    public static final Property<String> IMAGE_SERVER_LISTEN_ADDRESS = new Property<>("image.server.listen.address", null, String.class);
 
     /**
      * Directory where Qemu sockets are placed.<br>
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index 675c9cde266..08d84bb8d6a 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -383,6 +383,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     public static final String CHECKPOINT_DELETE_COMMAND = "virsh checkpoint-delete --domain %s --checkpointname %s  --metadata";
 
     public static final int IMAGE_SERVER_DEFAULT_PORT = 54322;
+    public static final String IMAGE_SERVER_SYSTEMD_UNIT_NAME = "cloudstack-image-server";
 
     protected int qcow2DeltaMergeTimeout;
 
@@ -399,8 +400,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     private String nasBackupPath;
     private String imageServerPath;
     private boolean imageServerTlsEnabled = false;
-    private String imageServerTlsCertFile;
-    private String imageServerTlsKeyFile;
+    private String imageServerListenAddress;
     private String securityGroupPath;
     private String ovsPvlanDhcpHostPath;
     private String ovsPvlanVmPath;
@@ -823,12 +823,8 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
         return imageServerTlsEnabled;
     }
 
-    public String getImageServerTlsCertFile() {
-        return imageServerTlsCertFile;
-    }
-
-    public String getImageServerTlsKeyFile() {
-        return imageServerTlsKeyFile;
+    public String getImageServerListenAddress() {
+        return imageServerListenAddress;
     }
 
     public String getOvsPvlanDhcpHostPath() {
@@ -1050,12 +1046,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
         cachePath = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.HOST_CACHE_LOCATION);
 
         imageServerTlsEnabled = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.IMAGE_SERVER_TLS_ENABLED);
-        imageServerTlsCertFile = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.IMAGE_SERVER_TLS_CERT_FILE);
-        imageServerTlsKeyFile = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.IMAGE_SERVER_TLS_KEY_FILE);
-
-        if (imageServerTlsEnabled && (StringUtils.isBlank(imageServerTlsCertFile) || StringUtils.isBlank(imageServerTlsKeyFile))) {
-            throw new ConfigurationException("image server TLS is enabled but image.server.tls.cert.file or image.server.tls.key.file is missing");
-        }
+        imageServerListenAddress = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.IMAGE_SERVER_LISTEN_ADDRESS);
 
         params.put("domr.scripts.dir", domrScriptsDir);
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCreateImageTransferCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCreateImageTransferCommandWrapper.java
index 01fd11524bc..7cf05da9b21 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCreateImageTransferCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCreateImageTransferCommandWrapper.java
@@ -40,6 +40,9 @@ import com.cloud.utils.script.Script;
 public class LibvirtCreateImageTransferCommandWrapper extends CommandWrapper<CreateImageTransferCommand, Answer, LibvirtComputingResource> {
     protected Logger logger = LogManager.getLogger(getClass());
 
+    private static final String IMAGE_SERVER_TLS_CERT_FILE = "/etc/cloudstack/agent/cloud.crt";
+    private static final String IMAGE_SERVER_TLS_KEY_FILE = "/etc/cloudstack/agent/cloud.key";
+
     private void resetService(String unitName) {
         Script resetScript = new Script("/bin/bash", logger);
         resetScript.add("-c");
@@ -51,13 +54,12 @@ public class LibvirtCreateImageTransferCommandWrapper extends CommandWrapper<Cre
         return "'" + value.replace("'", "'\\''") + "'";
     }
 
-    private boolean startImageServerIfNotRunning(int imageServerPort, LibvirtComputingResource resource) {
+    private boolean startImageServerIfNotRunning(int imageServerPort, String listenAddress, LibvirtComputingResource resource) {
         final String imageServerPackageDir = resource.getImageServerPath();
         final String imageServerParentDir = new File(imageServerPackageDir).getParent();
         final String imageServerModuleName = new File(imageServerPackageDir).getName();
-        final String listenAddress = "0.0.0.0";
         final boolean tlsEnabled = resource.isImageServerTlsEnabled();
-        String unitName = "cloudstack-image-server";
+        String unitName = resource.IMAGE_SERVER_SYSTEMD_UNIT_NAME;
 
         Script checkScript = new Script("/bin/bash", logger);
         checkScript.add("-c");
@@ -75,8 +77,8 @@ public class LibvirtCreateImageTransferCommandWrapper extends CommandWrapper<Cre
 
             if (tlsEnabled) {
                 systemdRunCmd.append(" --tls-enabled");
-                systemdRunCmd.append(" --tls-cert-file ").append(shellQuote(resource.getImageServerTlsCertFile()));
-                systemdRunCmd.append(" --tls-key-file ").append(shellQuote(resource.getImageServerTlsKeyFile()));
+                systemdRunCmd.append(" --tls-cert-file ").append(IMAGE_SERVER_TLS_CERT_FILE);
+                systemdRunCmd.append(" --tls-key-file ").append(IMAGE_SERVER_TLS_KEY_FILE);
             }
 
             Script startScript = new Script("/bin/bash", logger);
@@ -157,7 +159,11 @@ public class LibvirtCreateImageTransferCommandWrapper extends CommandWrapper<Cre
         }
 
         final int imageServerPort = LibvirtComputingResource.IMAGE_SERVER_DEFAULT_PORT;
-        if (!startImageServerIfNotRunning(imageServerPort, resource)) {
+        String listenAddress = resource.getImageServerListenAddress();
+        if (StringUtils.isBlank(listenAddress)) {
+            listenAddress = resource.getPrivateIp();
+        }
+        if (!startImageServerIfNotRunning(imageServerPort, listenAddress, resource)) {
             return new CreateImageTransferAnswer(cmd, false, "Failed to start image server.");
         }
 
@@ -166,7 +172,7 @@ public class LibvirtCreateImageTransferCommandWrapper extends CommandWrapper<Cre
         }
 
         final String transferScheme = resource.isImageServerTlsEnabled() ? "https" : "http";
-        final String transferUrl = String.format("%s://%s:%d/images/%s", transferScheme, resource.getPrivateIp(), imageServerPort, transferId);
+        final String transferUrl = String.format("%s://%s:%d/images/%s", transferScheme, listenAddress, imageServerPort, transferId);
         return new CreateImageTransferAnswer(cmd, true, "Image transfer prepared on KVM host.", transferId, transferUrl);
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtFinalizeImageTransferCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtFinalizeImageTransferCommandWrapper.java
index 6c95720fda7..3d9f6563d5e 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtFinalizeImageTransferCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtFinalizeImageTransferCommandWrapper.java
@@ -39,8 +39,8 @@ public class LibvirtFinalizeImageTransferCommandWrapper extends CommandWrapper<F
         resetScript.execute();
     }
 
-    private boolean stopImageServer(int imageServerPort) {
-        String unitName = "cloudstack-image-server";
+    private boolean stopImageServer(int imageServerPort, LibvirtComputingResource resource) {
+        String unitName = resource.IMAGE_SERVER_SYSTEMD_UNIT_NAME;
 
         Script checkScript = new Script("/bin/bash", logger);
         checkScript.add("-c");
@@ -88,12 +88,12 @@ public class LibvirtFinalizeImageTransferCommandWrapper extends CommandWrapper<F
         int activeTransfers = ImageServerControlSocket.unregisterTransfer(transferId);
         if (activeTransfers < 0) {
             logger.warn("Could not reach image server to unregister transfer {}; assuming server is down", transferId);
-            stopImageServer(imageServerPort);
+            stopImageServer(imageServerPort, resource);
             return new Answer(cmd, true, "Image transfer finalized (server unreachable, forced stop).");
         }
 
         if (activeTransfers == 0) {
-            stopImageServer(imageServerPort);
+            stopImageServer(imageServerPort, resource);
         }
 
         return new Answer(cmd, true, "Image transfer finalized.");