This is happening as ClusterServiceServletAdapter is started after ClusteredAgentManagerImpl.
Fix is to start ClusterServiceServletAdapter before ClusteredAgentManagerImpl.
Before this commit the call to `getResizeScriptType` would throw
an exception (earlier versions returned `null`, which was fine) -
this caused the RBD case to fail. By changing the default to
notify only we fix the case for any non-CLVM and non-QCOW cases.
This is RBD for now, but this should extend to new storage
types suppored by Libvirt natively in future.
Fix site-to-site VPN featureThis is work done together with @jayapalu on fixing the site2site VPN. The first part was done in PR #690 by @jayapalu. On top of that, some other fixes were needed and those are added in this PR. It made sense to make a new PR which includes all fixes so we can actually test it.
The original PR #690 is already merged into this one, so can be closed. Since the commit ids are kept the same, merging this will close both.
I closely compared the 4.4/4.5 implementation with the new 4.6 one. I did not only make it work, but also added some security improvements (some of which were also in 4.4/4.5). I noticed the pre shared key was being logged, so removed that as well.
This is how I tested and verified it:
https://github.com/schubergphilis/MCT-shared/tree/master/helper_scripts/cloudstack/vpn_tests
When I have some time available, I'll write a Marvin test for it that we can include in the repo.
It now works(tm) with one manual step due to CLOUDSTACK-8685:
We need a default gateway before site-to-site VPN will actually work. It will connect, but not forward packets. The reason for this, is due to the iptables setup. VM1 has router1 as gateway, but router1 does not know the route to VM2 so it will give up. With a default gateway, the packets are about to be forwarded to the default gateway but when they reach eth1 the public nic, iptables kicks in, does some magic and forwards it through the ipsec tunnel. So, you need a default gw set to upstream.
Workaround for now is setting the route manually:
``route add default gw 1.2.3.4`` or ``ip route add default via 1.2.3.4``
In other words, we need to fix CLOUDSTACK-8685 soon, too.
Thanks to @snuf @jayapalu!
@jayapalu @snuf could you please review this?
* pr/693:
do not log sensitive site-to-site VPN PSK
tighten security of site-to-site VPN
CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
Signed-off-by: Remi Bergsma <github@remi.nl>
Interface changes related to CLOUDSTACK-8580See issue CLOUDSTACK-8580 and individual commits.
* pr/680:
Made interface changes related to CLOUDSTACK-8580
Signed-off-by: Remi Bergsma <github@remi.nl>
Added responses to ListCapabilities to reflect CLOUDSTACK-8580 changes.
This to add these options to the gui. See issue CLOUDSTACK-8580.
3be14e978a
Removed comments as proposed by Daan Hoogland.
Upgrade paths from 4.5.1 exists to both 4.5.2, and 4.6.0. Since 4.5.2 and 4.6.0
are not release, and the bug affects 4.5 branch; this patch aims to port that
fix from master to both 4.5/master branches.
Ported from commit b6a7804
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
@remibergsma @wilderrodrigues
Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied
* pr/690:
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
This closes#690
Signed-off-by: Remi Bergsma <github@remi.nl>
Logging before:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "preSharedKey"
Logging after:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "****"
- Adds unit test for ListAndSwitchSAMLAccountCmd
- Checks and logs in user only if they are enabled
- If saml user switches to a locked account, send appropriate error message
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit b30977911d)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
SAML authorized accounts might be across various domains, this allows for
switching of accounts only in case of SAML authenticated user accounts across
other accounts with the same SAML uid/username.
Moves the previous switch account logic to its own ui-custom module
(cherry picked from commit 1065661cd5)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Conflicts:
plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
ui/index.jsp
When dumping XML use appropriate flags:
1, VIR_DOMAIN_XML_SECURE (dump security sensitive information too)
8, VIR_DOMAIN_XML_MIGRATABLE (dump XML suitable for migration)
Source:
https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainXMLFlags
This fixes CVE 2015-3252: VNC password lost during VM migration across KVM
hosts. The issue is also seen when a VM is rebooted.
(cherry picked from commit cb2aca7516)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
... map returned by the following API calls by filtering these fields from the
details attribute in the HostResponse class:
* listHosts
* addHost
* cancelHostMaintenance
* listHosts
* prepareHostForMaintenance
* reconnectHost
* updateHost
This fix addresses CVE 2015-3251.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 3a48171bd8)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Coverity regressions per 10 aug 2015Not all are in here, the db upgrade code seems to stay the main pitfall.
* pr/681:
coverity 1315775: proper getting of networkLabel
coverity 1315774: improvement of code to negate false positive
Signed-off-by: Daan Hoogland <daan@onecht.net>
Tests will confirm the behaviour of the newly added response fields of listSecurityGroups.
Signed-off-by: Wido den Hollander <wido@widodh.nl>
This closes#679
See issue CLOUDSTACK-8133 for more information.
Added null check by comment of Koushik Das.
Added brackets by comment of Wido den Hollander.
Removed a call to findById() by comment of Koushik Das.
Signed-off-by: Wido den Hollander <wido@widodh.nl>
* pr/674:
getUsedBytes should query the SolidFire cluster to acquire the size of the given volume if there is no volume_details info for that volume (and then create a volume_details row for this volume so we don't have to make that cluster call for this purpose again)
Signed-off-by: Mike Tutkowski
Signed-off-by: Mike Tutkowski <mike.tutkowski@solidfire.com>
- on new functionnality: upload volume/template from Local
- on the zone configuration wizard for the "Next" button
- update French messages properties from transifex
- Improve some French translations ("Téléverser" for "Upload")
Improve cloud-install-sys-tmplt to work in dev environment againThe script that you run to initially setup secondary storage, had some errors. As it now depends on /etc/cloudstack/management/db.properties, it did not work any more on my development environment.
I defined some defaults that work in development environments (those are sane defaults anyway), then check if the /etc/cloudstack/management/db.properties file exists. If so, it reads from there and gets the vars just like before. If not, it keeps the defaults unless of course someone overrides them on the command line.
While working on the script, I also fixed the indentation and found a query that was not yet using the -P mysql port variable.
I tested it both on my development environment as well as in an environment installed from RPM (where you'd have /etc/cloudstack/management/db.properties and that both worked.
PS @snuf please check if it also works again for you.
* pr/678:
clean-ups in the file
this query had no -P port specified so did not work
make sane defaults for MySQL settings
Signed-off-by: Remi Bergsma <github@remi.nl>
Daan Hoogland
Koushik Das
Aaron Brady
Remi Bergsma
Boris Schrijver
Milamber
Rohit Yadav
John Burwell
Radu Stefanache
Rajani Karuturi
shweta agarwal
Jayapal
Priti Sarap
pavan018
Mike Tutkowski
Daan Hoogland