Remove realhostip references from the code (#12856)

* Remove realhostip references from the code

* remove unused code
Vishesh 2026-06-10 11:39:39 +05:30 committed by GitHub
parent 6bc83a3c46
commit a7f9756d62
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 47 additions and 51 deletions


@ -151,7 +151,7 @@ repos:
^server/src/test/resources/certs/rsa_self_signed\.key$|
^services/console-proxy/rdpconsole/src/test/doc/rdp-key\.pem$|
^systemvm/agent/certs/localhost\.key$|
^systemvm/agent/certs/realhostip\.key$|
^systemvm/agent/certs/systemvm\.key$|
^test/integration/smoke/test_ssl_offloading\.py$
- id: end-of-file-fixer
exclude: \.vhd$|\.svg$


@ -150,6 +150,12 @@ FROM `cloud`.`configuration` `cfg`
WHERE NOT EXISTS (SELECT 1 FROM `cloud`.`configuration` WHERE `name` = 'kvm.cpu.dynamic.scaling.capacity')
AND `cfg`.`name` = 'vm.serviceoffering.cpu.cores.max';
-- Remove stale realhostip.com default values; domain has been dead since ~2015.
UPDATE `cloud`.`configuration`
SET value = NULL
WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain')
AND value IN ('realhostip.com', '*.realhostip.com');
-- Add management_server_details table to allow ManagementServer scope configs
CREATE TABLE IF NOT EXISTS `management_server_details` (
`id` bigint unsigned NOT NULL AUTO_INCREMENT COMMENT 'id',
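Review bot: The cleanup covers only `consoleproxy.url.domain` and `secstorage.ssl.cert.domain`, while the same commit stops ConfigurationServerImpl from writing `secstorage.secure.copy.cert` = `realhostip`, so upgraded installs keep that row. If nothing reads the key any more (the read in UploadMonitorImpl is removed on this page; other readers are not visible here), say so in the comment, e.g. `-- secstorage.secure.copy.cert is left in place; it is no longer read.`, or clear it in the same statement. The comment could also note that a NULL `secstorage.ssl.cert.domain` makes the upload URL builder fall back to the raw IP address, since that is the behaviour operators will see after the upgrade.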


@ -137,18 +137,19 @@ if [ -f "$SYSTEM_FILE" ]; then
chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
update-ca-certificates > /dev/null 2>&1 || true
# Import CA cert(s) into realhostip.keystore so the SSVM JVM
# (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh)
# can trust servers signed by the CloudStack CA
REALHOSTIP_KS_FILE="$(dirname "$(dirname "$PROPS_FILE")")/certs/realhostip.keystore"
REALHOSTIP_PASS="vmops.com"
if [ -f "$REALHOSTIP_KS_FILE" ]; then
# Also import CA cert(s) into systemvm.keystore. KS_FILE (cloud.jks) above
# is the agent's mTLS keystore; the SSVM JVM, however, reads its truststore
# from systemvm.keystore (see -Djavax.net.ssl.trustStore in _run.sh), so the
# CA must be added here too for the SSVM to trust CloudStack-CA-signed servers.
SYSTEMVM_KS_FILE="$(dirname "$(dirname "$PROPS_FILE")")/certs/systemvm.keystore"
SYSTEMVM_PASS="vmops.com"
if [ -f "$SYSTEMVM_KS_FILE" ]; then
awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE"
for caChain in $(ls cloudca.* 2>/dev/null); do
keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \
-storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
keytool -delete -noprompt -alias "$caChain" -keystore "$SYSTEMVM_KS_FILE" \
-storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true
keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \
-keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1
-keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1
done
rm -f cloudca.*
fi
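Review bot: The `keytool -import` into `$SYSTEMVM_KS_FILE` sends both output streams to /dev/null and its exit status is never checked, so a CA certificate that fails to import leaves the SSVM truststore without that anchor and nothing in the log explains the later TLS failures. Unlike the `-delete` before it, a failure here is not expected; consider appending `|| echo "failed to import $caChain into $SYSTEMVM_KS_FILE" >&2` (or the script's own logging helper, if it has one). The same loop appears in the `patch_systemvm` section further down the page. Since `SYSTEMVM_PASS` is a fixed literal, a one-line comment that the store password is not a secret, and that integrity of the trust anchors rests on the keystore file's ownership and permissions, would help readers. The enclosing `if [ -f "$SYSTEM_FILE" ]` block starts outside the hunk.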


@ -222,9 +222,6 @@ public class ConfigurationServerImpl extends ManagerBase implements Configuratio
_configDao.update(Config.SecStorageEncryptCopy.key(), Config.SecStorageEncryptCopy.getCategory(), "false");
logger.debug("ConfigurationServer made secondary storage copy encrypt set to false.");
_configDao.update("secstorage.secure.copy.cert", "realhostip");
logger.debug("ConfigurationServer made secondary storage copy use realhostip.");
_configDao.update("user.password.encoders.exclude", "MD5,LDAP,PLAINTEXT");
logger.debug("Configuration server excluded insecure encoders");


@ -87,11 +87,6 @@ public class DownloadMonitorImpl extends ManagerBase implements DownloadMonitor
final Map<String, String> configs = _configDao.getConfiguration("management-server", params);
_proxy = configs.get(Config.SecStorageProxy.key());
String cert = configs.get("secstorage.ssl.cert.domain");
if (!"realhostip.com".equalsIgnoreCase(cert)) {
logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
}
_copyAuthPasswd = configs.get("secstorage.copy.password");
DownloadListener dl = new DownloadListener(this);


@ -231,8 +231,8 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
UploadVO upload = extractURLList.get(0);
String uploadUrl = extractURLList.get(0).getUploadUrl();
String[] token = uploadUrl.split("/");
// example: uploadUrl = https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
// then token[2] = 10-11-101-112.realhostip.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
// example: uploadUrl = https://10-11-101-112.example.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
// then token[2] = 10-11-101-112.example.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
String hostname = ep.getPublicAddr().replace(".", "-") + ".";
if ((token != null) && (token.length == 5) && (token[2].equals(hostname + _ssvmUrlDomain))) // ssvm publicip and domain suffix not changed
return extractURLList.get(0);
@ -365,7 +365,9 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
if (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) {
hostname = hostname + "." + _ssvmUrlDomain;
} else {
hostname = hostname + ".realhostip.com";
logger.warn("SSL copy is enabled but secstorage.ssl.cert.domain is not configured; "
+ "using IP address directly. Configure a wildcard SSL certificate domain for proper HTTPS support.");
hostname = ipAddress;
}
}
return scheme + "://" + hostname + "/userdata/" + uuid;
@ -376,11 +378,6 @@ public class UploadMonitorImpl extends ManagerBase implements UploadMonitor {
final Map<String, String> configs = _configDao.getConfiguration("management-server", params);
_sslCopy = Boolean.parseBoolean(configs.get("secstorage.encrypt.copy"));
String cert = configs.get("secstorage.secure.copy.cert");
if ("realhostip.com".equalsIgnoreCase(cert)) {
logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
}
_ssvmUrlDomain = configs.get("secstorage.ssl.cert.domain");
_agentMgr.registerForHostEvents(new UploadListener(this), true, false, false);
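Review bot: In the `else` branch of the second hunk, `hostname = ipAddress` is still returned under `scheme` (presumably `https` when SSL copy is on), so a client that verifies the certificate will accept the link only if the SSVM certificate lists that IP as a subject alternative name; the log text should say that explicitly, not just "proper HTTPS support". The warning also fires on every URL built; the configure code in the third hunk, right after `_ssvmUrlDomain` is read, looks like the better place to emit it once, e.g. `if (_sslCopy && (_ssvmUrlDomain == null || _ssvmUrlDomain.isEmpty())) logger.warn(...)`. The reuse check in the first hunk compares `token[2]` with `hostname + _ssvmUrlDomain`, which cannot match a bare-IP host, so if those URLs come from this method they would be regenerated on each call. All three enclosing methods start outside their hunks.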


@ -75,20 +75,20 @@ public class KeystoreTest extends TestCase {
ComponentLocator locator = ComponentLocator.getCurrentLocator();
KeystoreDao ksDao = locator.getDao(KeystoreDao.class);
ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "realhostip.com");
ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "example.com");
ksVo = ksDao.findByName("CPVMCertificate");
assertTrue(ksVo != null);
assertTrue(ksVo.getCertificate().equals("CPVMCertificate"));
assertTrue(ksVo.getKey().equals("KeyForCertificate"));
assertTrue(ksVo.getDomainSuffix().equals("realhostip.com"));
assertTrue(ksVo.getDomainSuffix().equals("example.com"));
ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.realhostip.com");
ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.example.com");
ksVo = ksDao.findByName("CPVMCertificate");
assertTrue(ksVo != null);
assertTrue(ksVo.getCertificate().equals("CPVMCertificate Again"));
assertTrue(ksVo.getKey().equals("KeyForCertificate Again"));
assertTrue(ksVo.getDomainSuffix().equals("again.realhostip.com"));
assertTrue(ksVo.getDomainSuffix().equals("again.example.com"));
ksDao.expunge(ksVo.getId());
}
@ -112,9 +112,9 @@ public class KeystoreTest extends TestCase {
assertTrue(ksMgr.configure("TaskManager", new HashMap<String, Object>()));
assertTrue(ksMgr.start());
ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "realhostip.com");
ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "example.com");
byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "realhostip", "vmops.com");
byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "example", "vmops.com");
assertTrue(ksBits != null);
try {


@ -80,7 +80,7 @@
<resource>
<directory>certs</directory>
<excludes>
<exclude>realhostip.csr</exclude>
<exclude>systemvm.csr</exclude>
</excludes>
</resource>
</resources>


@ -107,7 +107,7 @@
<systemProperties>
<systemProperty>
<key>javax.net.ssl.trustStore</key>
<value>certs/realhostip.keystore</value>
<value>certs/systemvm.keystore</value>
<key>log.home</key>
<value>${PWD}/</value>
</systemProperty>


@ -60,4 +60,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then
fi
fi
java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@
java -Djavax.net.ssl.trustStore=./certs/systemvm.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@


@ -52,13 +52,13 @@ cflag=
cpkflag=
cpcflag=
cccflag=
customPrivKey=$(dirname $0)/certs/realhostip.key
customPrivCert=$(dirname $0)/certs/realhostip.crt
customPrivKey=$(dirname $0)/certs/systemvm.key
customPrivCert=$(dirname $0)/certs/systemvm.crt
customCertChain=
customCACert=
publicIp=
hostName=
keyStore=$(dirname $0)/certs/realhostip.keystore
keyStore=$(dirname $0)/certs/systemvm.keystore
defaultJavaKeyStoreFile=/etc/ssl/certs/java/cacerts
defaultJavaKeyStorePass="changeit"
aliasName="CPVMCertificate"


@ -65,7 +65,7 @@ patch_systemvm() {
fi
rm -fr $backupfolder
# Import global cacerts into 'cloud' service's keystore
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
return 0
}


@ -126,25 +126,25 @@ patch_systemvm() {
if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then
# Import global cacerts into 'cloud' service's keystore
REALHOSTIP_KS_FILE="/usr/local/cloud/systemvm/certs/realhostip.keystore"
REALHOSTIP_PASS="vmops.com"
SYSTEMVM_KS_FILE="/usr/local/cloud/systemvm/certs/systemvm.keystore"
SYSTEMVM_PASS="vmops.com"
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts \
-destkeystore "$REALHOSTIP_KS_FILE" -srcstorepass changeit -deststorepass \
"$REALHOSTIP_PASS" -noprompt 2>/dev/null || true
-destkeystore "$SYSTEMVM_KS_FILE" -srcstorepass changeit -deststorepass \
"$SYSTEMVM_PASS" -noprompt 2>/dev/null || true
# Import CA cert(s) into realhostip.keystore so the SSVM JVM
# Import CA cert(s) into systemvm.keystore so the SSVM JVM
# (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh)
# can trust servers signed by the CloudStack CA
CACERT_FILE="/usr/local/share/ca-certificates/cloudstack/ca.crt"
if [ -f "$CACERT_FILE" ] && [ -f "$REALHOSTIP_KS_FILE" ]; then
if [ -f "$CACERT_FILE" ] && [ -f "$SYSTEMVM_KS_FILE" ]; then
awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE"
for caChain in $(ls cloudca.* 2>/dev/null); do
keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \
-storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
keytool -delete -noprompt -alias "$caChain" -keystore "$SYSTEMVM_KS_FILE" \
-storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true
keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \
-keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1
-keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1
done
rm -f cloudca.*
fi


@ -205,7 +205,7 @@
<systemProperties>
<systemProperty>
<key>javax.net.ssl.trustStore</key>
<value>certs/realhostip.keystore</value>
<value>certs/systemvm.keystore</value>
<key>log.home</key>
<value>${PWD}/</value>
</systemProperty>


@ -27,7 +27,7 @@ public class ImageStoreUtilTest {
@Test
public void testgenerateHttpsPostUploadUrl() throws MalformedURLException {
String ssvmdomain = "*.realhostip.com";
String ssvmdomain = "*.example.com";
String ipAddress = "10.147.28.14";
String uuid = UUID.randomUUID().toString();
String protocol = "https";
@ -47,7 +47,7 @@ public class ImageStoreUtilTest {
@Test
public void testgenerateHttpPostUploadUrl() throws MalformedURLException {
String ssvmdomain = "*.realhostip.com";
String ssvmdomain = "*.example.com";
String ipAddress = "10.147.28.14";
String uuid = UUID.randomUUID().toString();
String protocol = "http";