This extends securing of KVM hosts to securing of libvirt on KVM
host as well for TLS enabled live VM migration.
Based on whether keystore and certificates files are available at
/etc/cloudstack/agent, the KVM agent determines whether to use TLS or
TCP based uris for live VM migration. It is also enforced that a secured
host will allow live VM migration to/from other secured host, and an
unsecured hosts will allow live VM migration to/from other unsecured
host only.
Post upgrade the KVM agent on startup will expose its security state
(secured detail is sent as true or false) to the managements server that
gets saved in host_details for the host. This host detail can be accesed
via the listHosts response, and in the UI unsecured KVM hosts will show
up with the host state of ‘unsecured’. Further, a button has been added
that allows admins to provision/renew certificates to KVM hosts and can
be used to secure any unsecured KVM host.
The `cloudstack-setup-agent` was modified to accept a new flag ‘-s’
which reconfigured libvirtd with following settings that enables only
TLS:
listen_tcp=0
listen_tls=1
tcp_port="16509"
auth_tcp="none"
tls_port=”16514”
auth_tls=”none”
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
For a connected KVM host agent, when the certificate are
renewed/provisioned a background task is scheduled that waits until all
of the agent tasks finish after which libvirt process is restarted and
finally the agent is restarted via AgentShell.
There are no API or DB changes.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
In init.d scripts, the LSB header may specify what kind of service is
provided by an init script. If spaces are used, this means the init
script is providing several boot facilities. We fix that by using an
hyphen.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 2401eb927b)
Replacing whatami with $0 which is how UNIX shell scripts should get the
script's name.
BUG-ID: CLOUDSTACK-6129
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <jlk@stratosec.co> 1392660036 -0800
Detail: Previously the cloud user has full password-less sudo access.
This commit changes that to only allow access to a specific list of
commands. Been tested in production on ACS 4.0 and 4.2 mangement servers.
BUG-ID: CLOUDSTACK-967
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <jlk@stratosec.co> 1382560936 -0700
Ovs brcompat will be obsolete, so if network.bridge.type was
set to openvswitch, we'll use ovs command explicitly.
Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
Summary: EC2 REST API: AWS APIs are not getting translated on the CloudStack Management Server and AWS API Installation Problems.
This fixes the above two defects and other packaging related issues.
Signed-off-by: Pradeep <pradeep.soundararajan@citrix.com>
The change in package script allowed us to create proper tar under rpmbuild/SOURCES directory
The change in the path enabled us to launch the management server properly.
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Committed-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Introduce UnknownSystemExcpetion to indicate that the system is
is unknonwn. Catch said exception in cloud-setup-management,
print an error and exit.
CLOUDSTACK-966: Improve error reporting when running on unknown OS / version
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Rohit Yadav
Wido den Hollander
Vincent Bernat
Kishan Kavala
Damodar
Erik Weber
Jayapal
Kishan Kavala
ynojima
Marcus Sorensen
John Kinsella
Edison Su
Hugo Trippaers
Hiroaki KAWAI
Pradeep
Noa Resare
frank
Marcus Sorensen
Chip Childers
Tomoe Sugihara
Robert Schweikert
David Nalley
Edison Su
Edison Su
Edison Su
frank