The different MAC address for a pair of redundant router have issues when short
time network outrage happened. When this happened:
1. BACKUP(r-2) cannot receive the broadcast from MASTER(r-1).
2. Then r-2 would announce it's MASTER after 3 seconds, and send gratuitous ARP
to the gateway of public ip(usually a rack router).
3. The gateway of public ip would update it's ARP cache to associate the public
ip of the network to the MAC of r-2.
4. In the meantime, r-1 still sending out VRRP broadcast(due to network issue,
the broadcast never arrived at r-2), and acting as MASTER.
5. After network outrage, r-2 would receive the higher priority VRRP broadcast
from MASTER again, then receded as BACKUP.
6. But the public gateway would still associate public ip with MAC of r-2, thus
caused the issue. r-1 would no longer able to receive any packets from public
network.
And there is no way for r-1 to send gratuitous ARP again, because it's always
consider itself as MASTER, no state changed, and no hook existed for receiving
lower priority broadcast.
So I would revert this change, and introduce another commit to ensure the newly
create redundant router would share the same MAC as the first one.
This reverts commit 9f257aa60b.
Detail: Previously in the code we allowed the configuration to create ssh
keypairs and put them in the configuration table so that systemvms could have
ssh key auth and work properly if the user was 'cloud' or if the developer
configuration item was set to true. It got changed to requiring both the cloud
user and the developer flag (using an || on a negative) somwhere along the way.
This changes it back to && on a negative to allow us to run as non-cloud users
with the dev flag set, and for cloud to deploy properly without the developer
flag.
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1358285190 -0700
CS allows to add multiple VLANs and subnets to a shared network, but it doesn't really work, for example , vm on second VLAN or subnet cannot get IP through DHCP
This patch will not allow to add mulitple VLANS or subnets into shared network
CLOUDSTACK-982:Do not allow add multiple VLANs or subnets into shared network
A couple of lines back there is:
if (isSystem != null) {
sc.addAnd("systemUse", SearchCriteria.Op.EQ, isSystem);
}
So it was set redundantly, this can be removed.
Plugin should not be responsible for existence of checking an API, this was wrong.
Throw exception boldly when checkAccess fails.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Makes plugins self contained so they decide their properties file format
- PluggableService creates the contract that implementing entity will return a
properties map which is apiname:rolemask (both are strings)
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
NetworkServiceImpl does not need a cache of system network offerings
Ensure mocks build to new APIs.
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
- remove unused public apis
- remove unused members
- change visibility of methods to protected if they do not implement a method in the interface
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
to the api project, ensure that all methods use interfaces from the api project.
By moving it to the api project, it lessens the dependency of plugins on the server components.
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
NetworkModel is intended as a read-only view on the network model.
This includes Networks, Nics, Ip address, PhysicalNetwork, NetworkOfferings, etc
The code in configure() and start() is used to support queries on the network model which is now the responsibility of the NetworkModel service
Network-refactor: Fix tests so that they get injected with the required NetworkModel mock
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
NetworkManager's exclusive focus is now
- handling plugins during orchestration, and
- to deal with ip address allocation.
Those classes that used to refer to NetworkManager to get access to the datamodel now refer to NetworkModel
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
Author: Likitha Shetty <likitha.shetty@citrix.com>
Date: Wed Jan 9 11:54:25 2013 +0530
CLOUDSTACK-614: ListTemplates API is not returning "Enable SSH Key" attribute for any given template. Update the TemplateResponse by adding 'sshkeyenabled' attribute to it. This attribute is set to the value that the user passes as input for parameter 'sshkeyenabled' while registering the template.
Signed-off-by: Min Chen <min.chen@citrix.com>
- Introduces api/discovery plugin that helps discover apis on the mgmt server
- It's a pluggable service, therefore has it's own api-discovery_commands.properties
where the discovery api, listApi can be blacklisted (by removing it), or it's
role mask can be changed
- By default its response has all the apis
- Changes in other parts of the code to make it work, viz. components.xml, pom.xml,
and in ApiServer where it is used as an adapter to get apiname, cmd mappings
The ApiDiscoveryService interface is a contract that the implementing class will
provide:
1. A means to get all the apis as a list of response, plugin is free to implement
the response class, as long as it extends on the BaseResponse:
ListResponse<? extends BaseResponse> listApis();
2. Provides a map of apiname as the key and cmd class as the value:
Map<String, Class<?>> getApiNameCmdClassMapping();
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
right approach to populate uuid column since it will impact upgrade as
well), and populate UUID column in seed data sql script.
Signed-off-by: Min Chen <min.chen@citrix.com>
WIP : move stuff between network manager and network service.
at this point there is about 700 lines of duplicated code
WIP: Leave creation of default offerings to NetworkManager init
WIP: clean up imports
Signed-off-by: Chiradeep Vittal <chiradeep@apache.org>
Issue seen during system vm template upgrade and restoreVM command
scenarios for vmware. In these cases CS tries to recreate root disk with
same name as the existing one, in case of vmware this results in creation
of vmdk file with same name for both existing and new root volume.
This results in undesired behavior when storage cleanup thread tries to
cleanup old volume. Made the vmdk file name unique by adding the volume
id to it. This will ensure that during volume recreation in the scenarios
mentioned vmdk will get created with a new name and there will be
no undesired side effects of running the storage cleanup thread.
The basic idea behind this is, deploy a fix sized threadpool for updating RvR
status, then using producer/consumer model. There is a global configuration
router.check.poolsize(10 by default) to control the pool size.
Using pool size 100 for 1000 RvR is tested with simulator and works well.
Also we can adjust the global configuration option router.check.interval to e.g.
60s from default 30s to mitigate the issue.
For LB device in inline mode, the ip deployer(the owner of public ip) is the
firewall in front of it, not itself. So check if it's inline or not, if it's
inline, return the firewall as ip deployer
Use SRX firewall filter as SRX firewall. The old security policy mechanism
cannot be used as IP based. This would enable SRX's ability to control traffic
for F5 behind it.
Excluded test as per test author's comment:
"Currently we commented out this test suite since it requires a real MS and Db running"
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
If you update your build to build a version with a name not ending in -SNAPSHOT,
you are required to declare versions on all your depdendencies. There is already
a cs.mysql.version property, this patch makes sure it is used where appropriate.
Signed-off-by: Chip Childers <chip.childers@gmail.com>
I added this in commit bc94948e06 to be able to bind
the VNC on KVM on the Private IP Address of the Hypervisor.
This got (accidentally) reverted in commit 110903a91a breaking
this behaviour with KVM.
By passing the destination host again in StartCommand we are able to bind the VNC to the private
IP address of the hypervisor.
This makes sure the VNC is not open for the world and users don't have to firewall these ports, nor
do they have to change "vnc_listen" in their qemu.conf libvirt settings.
Incorrect params are silently ignored in 4.0 and before. The fix would log the error
in debug log, but will continue processing. In case of an issue with uuid or param
an empty response is sent, for ex. in case of deleted entities as well.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Fix interface to return array of strings, or filenames
- Fix StaticRoleBased ACL adapter to process config files by going through all pluggable services
- Refactor interface names
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Allow both uuid and id in param for pre 3.x apis
- Enforce uuid as param for all >= 3.x apis
- Use regex to better match uuid param
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Entities correlated to the Identity and carry a uuid and those
correlated to InternalIdentity carry an id. Those entities that carry
both will correlated to Identity and InternalIdentity.
This refactors entities wherever possible to ensure the VO only
implements the first class entity.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
- Renames to @EntityReference as @Entity is too general and used in javax's pkg
- Remove redundant imports
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Add new interface method to getId
- Fix method definition in AsyncJob
- Get rid of mechanism to getId using reflect, use Identity interface
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Fix jobid serialization issue that broke the UI
- Fix AsyncJob Result and Response
- Get rid of getUuid(), setUuid(), just use getId, setId for uuid...
- All uuids from over the wire are UUIDs
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
In the past, we use same MAC address therefore once MASTER is down, the packet
to the same MAC would go to BACKUP ASAP.
But now we also have arping after BACKUP become MASTER, which should update the
ARP cache of public gateway router quickly. Though it would be a little
delay(likely less than 1 second), it's still fine for different MAC.
And it would solve some cache issue for same mac on vSwitch different ports.
1. Modified create-schema.sql to add version as 4.1.0 instead of 4.0.0
2. Removed schema-40to41.sql amd moved the content to schema-40to410.sql
3. Added to schema-40to410.sql Upgrade40to41.java
Conflicts:
server/src/com/cloud/upgrade/dao/Upgrade40to41.java
setup/db/create-schema.sql
setup/db/db/schema-40to41.sql
setup/db/db/schema-40to410.sql
Signed-off-by: Min Chen <min.chen@citrix.com>
For some apis, the param=-1 is used to evaluate conditionals. Allow -1 to be passed
for now. This is a APITODO/FIXME to fix stuff in service layer and then only get rid of it.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
1. Modified create-schema.sql to add version as 4.1.0 instead of 4.0.0
2. Removed schema-40to41.sql amd moved the content to schema-40to410.sql
3. Added to schema-40to410.sql Upgrade40to41.java
This is improvement of:
commit 1ca493e4fa
Author: Sheng Yang <sheng.yang@cloud.com>
Date: Wed Feb 29 17:43:50 2012 -0800
bug 14042: Don't set dhcp:router option on DHCP server for non-default
network on CentOS/RHEL
The old solution only works on CentOS/RHEL, this one would enable the ability to more
guest OS, and enable user to choose what policy should be for each guest os
type.
IdentityProxy is only referenced in CreateCmdResponse, which involves
some async job logic change. Since it is not impacting list performance,
will leave it there for now.
Signed-off-by: Min Chen <min.chen@citrix.com>
- Use @Parameter's entityType and type annotation fields
- Use @Entity annotation in Reponse class to get table info for Dao
- Use findByXId to process all entities and translate UUID to ID
- Handle error in reflection method invoking
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Declare and define findByXId() in GenericDao and EntityManager.
This method would return a VO by UUID and EntityManager's interface would
take in the VO Interface.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Author: Min Chen <min.chen@citrix.com>
Date: Mon Dec 17 17:42:30 2012 -0800
Remove IdentityProxy from AlertResponse and AsyncJobResponse.
Signed-off-by: Min Chen <min.chen@citrix.com>
As noted in the bug, several of the API command in question
are async calls. I've added a simple regex-based string cleaning
function, and have the request and response strings running through
it prior to being appended to the audit log.
Unit tests added for the new cleaning function as well.
The call to skip logging the createSSHKeyPair response remains intact
for now, although it should probably be scrubbed similarly to the
password fields.
Signed-off-by: Chip Childers <chip.childers@gmail.com>
Detail: Instead of using LibvirtStorageAdaptor for everything, you can create
your own storage adaptor and use it. We select storage adaptor based on storage
pool type, thus we needed to adjust LibvirtComputingResource to pass pool type
to everything in KVMStoragePoolManager. This in turn required that we pass the
info necessary to LibvirtComputingResource as well, so a few agent Commands were
modified.
Note this patch in and of itself shouldn't change any existing behavior, just
allow for new storage adaptors to be selected based on storage pool type.
Reviewed-by: Edison Su
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1355769696 -0700
- All id params are now uuids, basically for documentation
- Use injections and not component locator
- Remove resourceType field checking, it's now called entityType
- Fix indents
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
These unittests do not depend on the componentlocator but instead are
completely dependent on mock objects. This ensures that they can be run
standalone without any requirements on the environment.
Includes some fixes to NiciraNvpGuestNetworkGuru and GuestNetworkGuru
When zoneid is passed an no state is specified listVIrtualMachines does
not return the destroyed vms. This patch fixes the issue.
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Reverting commit as we don't want the daos to move to cloud-api.
We'll eventually breakout cloud-server and create cloud-api-server for the standalone
api server.
This reverts commit 7597a38f7a.
- Refactor common code to get classname from apiname
- Fix search mechanism within api access checker adapter to:
* check permissions
* get class name for an apiname
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Add getCmd api interface in APIAccessChecker adapter to get cmd properties
- Add mechanism in StaticRoleBasedAPIAccessChecker to get config properties
- Add public interface to get the cmd properties for the adapter impl
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- introduces Capability in the network offering, which
decides when EIP service is enabled, by defualt public IP
should be assigned to the VM or not
- default network offering with EIP/ELB service will still work with old EIP
semantics, i.e) assign a public IP to each VM on start
- Instantiate apiserver by injection, so all its entities are also created and injected
- Make the constructor protected
Thanks to Alex for helping out on this one.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- ApiServer instance assumes cloudstartup servlet will initialize it
- Check and log if initialization fails
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Moved host related apis to admin pkg
- Change namespace to org.a.cs.api, fix mappings in commands-prop.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
the advanced zone
Details:
1). Added validation to check the Vlan Id specified in the createNetwork()
does not overlap with any of the vlan's used by isolated networks or
shared networks in the zone.
2). state change for shared network with services to go to 'Setup' state
on network shutdown instead of 'Allocated'
Bug ID:CLOUDSTACK-312 enable L4-L7 network services in the shared network in the advanced zone
network in the advanced zone
Details : ensure that CIDR specified for shared network does not overlap with any
CloudStack generated CIDR's for isaolated guest networks when using
external networking devices
Bug ID:CLOUDSTACK-312 enable L4-L7 network services in the shared network in the advanced zone
Conflicts:
server/src/com/cloud/network/NetworkManagerImpl.java
network in the advanced zone
Summary: change 'shared network' in advanced zone with L4-L7 services to go through network
implement phase. Add ACL checks to associate IP to shared network in the
advanced zone
Bug ID:CLOUDSTACK-312 enable L4-L7 network services in the shared network in the advanced zone
Conflicts:
server/src/com/cloud/network/NetworkManagerImpl.java
Details:
- changed associateIPAddr API to accept shared network Id and account Id. Ip will be owned by tuple (account Id, network Id)
- chaged createNetwork API to accpet CIDR when network offering has external networking device providers
Bug ID:CLOUDSTACK-312 enable L4-L7 network services in the shared
network in the advanced zone
This is part 1 of list API refactoring. Commands covered:
listVmsCmd, listRoutersCmd Response covered:
UserVmResponse, DomainRouterResponse. DB views created:
user_vm_view, domain_router_view.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Move ExternalNetworkDeviceManager to cloud-api, as server depends on cloud-api
The api refactoring of one of the api required this interface
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Remove a lot of junk
- Fix commands.prop.
- Move apis from cloud-server to cloud-api
- Rename with org.apache.cloudstack namespace
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Split register apis across template, iso and ssh pkgs
- Fix refactored apis, mappings in commands*.in
- Fix comments etc.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
- Refactor VPN and VM APIs to admin and user pkgs
- Names space, org.apache.cloudstack
- Fix refactored apis in commands*.in
- Fix comments etc.
- Expand tabs, remove trailing whitespace
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
Detail: Because of the way most other primary storage types work with cloudstack
(i.e. backing stores) CLVM actually copies the template to a local logical
volume on primary storage, then uses that. This causes all of your primary
storage to be littered with a copy of every template used. Since we're not
using these, dump the template direct to the newly created logical volume.
This is faster as well since the template is sparse; we're not creating a fat
template on primary storage and then copying that to a logical volume when we
deploy from template.
BUG-ID: CLOUDSTACK-508
Bugfix-for: 4.1
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353221260 -0700
* enable SG provider if the zone is SG enabled
* don't create public traffic type for the zone if there is no public network exist in the zone in 2.2.x
The code that would propage userdata to router, when updateVirtualMachine api
is called, was missing. As per the docs [0], userdata should be a base64 encoded
string upto 2KB which is put on domr's html directory adn using HTTP GET the
userdata information can be obtained from the domr.
The updateVirtualMachine api [0] would accept a base64 encoded string
and decoded and put into the domr's /var/www/html/userdata/<uservm ip>/user-data
file. The operation does not require the VM to be in stopped state, though it is
advised to stop and call this api in case the user vm has a script which gets
the userdata information from domr while starting.
For example, this script can be used to fetch the data:
server_ip=$(grep dhcp-server-identifier /var/lib/dhclient-eth0.leases | tail -1 | awk '{print $NF}' | tr '\;' ' ')
wget http://${server_ip}/latest/user-data
This feature can be useful, for example to use into puppet facts [1], or to do
automation and horizontal scaling etc. based on userdata.
[0] http://incubator.apache.org/cloudstack/docs/api/apidocs-4.0.0/domain_admin/updateVirtualMachine.html
[1] http://geek.jasonhancock.com/2011/11/09/cloudstack-userdata-into-puppet-facts/
BUG-ID : CLOUDSTACK-424
Reviewed-by: Rohit Yadav <bhaisaab@apache.org>
Reported-by: Nick Wales
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
within cloud.server.ConfigurationServerImpl.generateDefaultKeystore
Description:
The reason which failed in generation of the certificate is not displayed now.
At that time, IOException which does not include the reason is raised.
In order to solve the problem quickly, the reason should be included in the message.
(Now)
WARN [cloud.server.ConfigurationServerImpl] (main:) Would use fail-safe keystore to continue.
java.io.IOException: Fail to generate certificate!
at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:490)
(Fix)
WARN [cloud.server.ConfigurationServerImpl] (main:) Would use fail-safe keystore to continue.
java.io.IOException: Fail to generate certificate!: sudo: sorry, you must have a tty to run sudo
at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:490)
Testing Completed:
mvn clean install
mvn -pl :cloud-client-ui jetty:run
And generation of the certificate was made to fail, checked it.
Signed-off-by: Chip Childers <chip.childers@gmail.com>
* send StartupAnswer right after StartupCommand is recieved
* if post processor going wrong, send out readycommand with error message to agent, then agent will exit
Any forked process that runs from maven surefire plugin gets it own separate
heap which may cause build issues. Patch fixes the issue by explicity args to
the surefire plugin for cloud-server.
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
* attache is not forForward()
* and the Disconnect came through cluster notification event
The fix will prevent delayed AgentDisconnect cluster notification processing.
The authenticators now have an encode function that cloudstack will use to encode the user supplied password before storing it in the database. This makes it easier to add other authenticators with other hashing algorithms. The requires a two step approach to creating the admin account at first start as the authenticators are only present in the management-server component locator.
The SHA256 salted authenticator make use of this new system and adds a hashing algorithm based on SHA256 with a salt. This type of hash is far less susceptible to rainbow table attacks.
To make use of these new features the users password will be sent over the wire just as he typed it and it will be transformed into a hash on the server and compared with the stored password. This means that the hash will not go over the wire anymore.
The default authenticator in components.xml is still set to md5 for backwards compatibility. For new installations the sha256 could be enabled.
Murali Reddy
Min Chen
Kelven Yang
Sheng Yang
Marcus Sorensen
Chiradeep Vittal
anthony
Wido den Hollander
Rohit Yadav
Alex Huang
Kishan Kavala
Prachi Damle
Koushik Das
Noa Resare
Hugo Trippaers
John Burwell
Prasanna Santhanam
Isaac Chiang
Chip Childers
Hugo Trippaers
Edison Su
Simon Waterhouse
Vijayendra Bhamidipati
Alena Prokharchyk
Hiroaki Kawai
Edison Su
adefanti
Vijay Venkatachalam
Deepak Garg
Pranav Saxena
Laszlo Hornyak
Satoshi Kobayashi
Dave Cahill
Edison Xu
Joe Brockmeier
Jessica Wang
Kelven Yang