Detail: Previously in the code we allowed the configuration to create ssh
keypairs and put them in the configuration table so that systemvms could have
ssh key auth and work properly if the user was 'cloud' or if the developer
configuration item was set to true. It got changed to requiring both the cloud
user and the developer flag (using an || on a negative) somewhere along the way.
This changes it back to && on a negative to allow us to run as non-cloud users
with the dev flag set, and for cloud to deploy properly without the developer
flag.
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1358285190 -0700
right approach to populate uuid column since it will impact upgrade as
well), and populate UUID column in seed data sql script.
Signed-off-by: Min Chen <min.chen@citrix.com>
- introduces Capability in the network offering, which
decides when EIP service is enabled, by default public IP
should be assigned to the VM or not
- default network offering with EIP/ELB service will still work with old EIP
semantics, i.e. assign a public IP to each VM on start
within cloud.server.ConfigurationServerImpl.generateDefaultKeystore
Description:
The reason why generation of the certificate failed is not displayed now.
At that time, an IOException which does not include the reason is raised.
In order to solve the problem quickly, the reason should be included in the message.
(Now)
WARN [cloud.server.ConfigurationServerImpl] (main:) Would use fail-safe keystore to continue.
java.io.IOException: Fail to generate certificate!
at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:490)
(Fix)
WARN [cloud.server.ConfigurationServerImpl] (main:) Would use fail-safe keystore to continue.
java.io.IOException: Fail to generate certificate!: sudo: sorry, you must have a tty to run sudo
at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:490)
Testing Completed:
mvn clean install
mvn -pl :cloud-client-ui jetty:run
And generation of the certificate was made to fail, checked it.
Signed-off-by: Chip Childers <chip.childers@gmail.com>
The authenticators now have an encode function that cloudstack will use to encode the user supplied password before storing it in the database. This makes it easier to add other authenticators with other hashing algorithms. This requires a two step approach to creating the admin account at first start as the authenticators are only present in the management-server component locator.
The SHA256 salted authenticator makes use of this new system and adds a hashing algorithm based on SHA256 with a salt. This type of hash is far less susceptible to rainbow table attacks.
To make use of these new features the users password will be sent over the wire just as he typed it and it will be transformed into a hash on the server and compared with the stored password. This means that the hash will not go over the wire anymore.
The default authenticator in components.xml is still set to md5 for backwards compatibility. For new installations the sha256 could be enabled.
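An added illustration of the scheme the commit message above describes (example code, not CloudStack's own authenticator): the server receives the password as typed, salts and hashes it before storage, and compares a freshly computed hash at login. The "hash:salt" storage layout, the function names and the legacy MD5 encoder are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16


def sha256_salted_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Server-side encode step: return base64(sha256(salt || password)) + ":" + base64(salt).

    A fresh random salt is drawn per call unless one is supplied (supplied only
    when re-computing the hash during authentication). Two users with the same
    password therefore get different stored values, which is what defeats a
    precomputed rainbow table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") + ":" + base64.b64encode(salt).decode("ascii")


def sha256_salted_authenticate(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        stored_hash, salt_b64 = stored.split(":", 1)
        salt = base64.b64decode(salt_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed stored value: never authenticate
    candidate_hash = sha256_salted_encode(password, salt).split(":", 1)[0]
    return hmac.compare_digest(candidate_hash, stored_hash)


def md5_encode(password: str) -> str:
    """Legacy unsalted encoder kept for comparison: same password, same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_authenticate(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_encode(password), stored)


# Registry keyed by the authenticator name, mirroring the idea that the
# configured authenticator decides how a password is encoded before storage.
AUTHENTICATORS = {
    "MD5": (md5_encode, md5_authenticate),
    "SHA256SALT": (sha256_salted_encode, sha256_salted_authenticate),
}
```

With the MD5 entry, `md5_encode("s3cret")` is identical for every user who picks that password; with the salted entry, two calls to `sha256_salted_encode("s3cret")` differ, yet both verify.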
1) Always fail to authenticate system user.
2) DB - always create system user with RANDOM not null password
3) Don't allow modifying (setting api/secretKeys, etc) system user via API
Conflicts:
server/src/com/cloud/user/AccountManagerImpl.java
setup/db/db/schema-305to306.sql
* Separate service for NetworkACL - "NetworkACL" service
* allow having just one network supporting LB in the VPC
* perform check against VPC when upgrade network to the new network offering (the same set of checks when you add new network to the VPC)
On systems where sudo is used "echo ~" might return the homedirectory from the user who executed the sudo command.
By specifically using "echo ~username" we make sure we get back the correct homedirectory.
The same story goes for when updating the key on disk.
2) Added services api support for plugging/unplugging the nics to VpcElement
Conflicts:
api/src/com/cloud/network/NetworkService.java
core/src/com/cloud/vm/VMInstanceVO.java
server/src/com/cloud/network/NetworkManagerImpl.java
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
server/test/com/cloud/network/MockNetworkManagerImpl.java
Changes for Script.java:
1. Even if the script is a non-timeout one, set the default timeout to one hour. This avoids a wrong script hanging forever
2. When InterruptedException happens, check if timeout is really reached, if not, continue
status 13962: resolved fixed
reviewed-by: Alex, Edison
When elb capability is enabled on the network offering, we:
1) on each createLB command:
* associate ip address to the LB rule owner
* create LB rule
2) on each deleteLb command:
* delete the rule
* disassociate ip address
The rule belongs to the owner, so proper usage events are generated
2) Added elasticIp and elasticLb network capabilities. Provided support to create network offering with these capabilities.
3) Added one more default network offering having elasticip and elasticlb
4) Public network support to Basic zone. You can associate/disassociate IP addresses now
Conserve mode means, we can use same IP for different purposes, in order to
"conserve" ip resources. But in this offering, all the service providers should
be the same, and the network created from this offering may be prohibited from
update to different network offering whose services are provided by different
service providers - because different service providers would need different IPs
for different services.
If a user wants to update the "conserve mode" network with a network offering
that has different service providers, each public IP should have only one usage;
only then is the update allowed.
only owner of the network can access it; if it's domain - all accounts in the domain and domain children can have an access.
* aclType replaces 2 old fields: isShared and isDomainSpecific.
* All 2.2.x account specific networks will have aclType=Account; 2.2.x Domain specific networks - aclType=domain; 2.2.x Zone level networks - aclType=Domain with domainId = Root domain id
* moved all services to the separate table, map them to the network_offering+provider.
* added state/securityGroupEnabled properties for the networkOffering
* added ability to list by state/securityGroupEnabled in listNetworkOfferings api command
2) New service: SourceNat
Since we would introduce a way to specify each service provider in the network
offering, it's better for redundant virtual router as a separate service
provider.
Also the isRedundant() flag in the network offering would be removed. Redundant
virtual router temporarily won't work from now, until we're able to add
different network elements/service providers in network_offering.
1) Introduce new managers - ProjectManager and DomainManager. Moved all domain related code from AccountManager to DomainManager.
2) Moved some code from ManagementServerImpl to the correct managers.
3) New resource limit for Domain - Project
status 11036: resolved fixed
1) Use row locks instead of a global lock when updating the resource_count table. When updating resource_count for an account, make sure that we lock the account + all related domains
2) Insert resource_count records for account/domain at the moment when account/domain is created.
3) As a part of DB upgrade, insert missing resource_count records for all non-removed accounts/domains
Conflicts:
core/src/com/cloud/alert/AlertManager.java
server/test/com/cloud/agent/MockAgentManagerImpl.java
status 10305: resolved fixed
While creating a system vm offering, specify the type. If no type is specified, default to domainrouter.
While requesting a set of system offerings, specify the parameter systemvmtype.
Block update only in these cases:
* when DNS capability AllowDnsSuffixModification is false for the network
* when target network has running network elements (dhcps or domRs)
Conflicts:
server/src/com/cloud/vm/dao/DomainRouterDao.java
server/src/com/cloud/vm/dao/DomainRouterDaoImpl.java
2) Added new config parameter 'allow.subdomain.network.access' - default value is true. If it's set to false, the child domain can't use the network of the parent domain
This patch enables redundant virtual routers.
1. To enable this feature, the db needs to be updated using the following SQL for now (we
would get a UI way later):
UPDATE network_offerings SET redundant_router=1 WHERE guest_type="Virtual" AND
system_only=0;
2. System would try to start up two routers at different hosts. But if there is
only one host in the zone, system would start up two routers on it.
3. The failover part is using keepalived, and connection tracking part is using
conntrackd. There would be one master router and one backup router. The status
of a router (master or backup) can be queried from the database table domain_router
now. The management server would update the status every 30s by default.
4. The routers for the same zone would use same external NIC(same ip and mac).
The script used for fail-over would ensure only one external NIC present in the
network at any time.
5. Currently the management server doesn't have the ability to stop one of the routers if
both of them are reported as master. The feature is in the todo list.
After two routers start up, disconnect any one of them; the guest network
shouldn't be affected, and established connections (http, ssh, etc.) should still
work. The fail-over on the gateway part should be 3~4 seconds.
Currently the patch works with KVM. Would deal with vmware and XenServer soon.
The port remains 8250.
The keystore is saved at /etc/cloud/management/cloud.keystore. We also include one
fail-safe keystore/certificate for fallback if we are unable to generate the
certificate and keystore. If we use the fail-safe keystore, a warning and calltrace would be shown.
Notice you need to upgrade agent, as well as systemVM's images.
status 7704: resolved fixed
For user vm:
* for default network, take limit from the corresponding service offering
* for all additional networks, take limit from the network offerings
For domainRouter/SSVM/CPVM:
* get info from the network offering
Added new config parameter: "vm.network.throttling.rate". If nw_rate is NULL for serviceOffering, this parameter would be used for default vm's network
Following was done as a part of checkin:
1) NetworkOffering/Network:
* add PF service support for default Guest network offering.
* Add one more additional network - Public.
* Allow to enable external firewall in Basic zone.
2) Don't allow to deployVm in Public Network.
3) Allow to add vlan ip ranges to Public networks in Basic zone.
4) Associate IP - allow to associate with Direct vms.
5) Allow to create PF/Static nat rules. Rules are being sent to External Firewall Rule only.
6) Add PF support to External Firewall element.
2) Set traffic Type to be Guest for Direct/Virtual non-system default network offerings. Use this guestIpType during the network creation/implementation
status 7803: resolved fixed
Fix overview:
1) Parameter "isDefault" should be defined as a part of createNetwork
* Virtual network is always default
* Parameter can be specified only for DirectNetwork
* Once parameter is set, there is no way to change it as we don't provide updateNetwork command.
2) Added isDefault parameter to listNetworks command so you can sort by that.
3) DeployVmCmd:
* at least one default network should be set
* if more than 1 default network is set - throw an error
4) Return isDefault information as a part of Nic object for the vm response in deploy/stop/start/listVm
status 7863: resolved fixed
Router cleanup thread is fixed, here is the functionality description:
* Runs every "router.cleanup.interval" period of time (1 day by default)
* Stops only domRs running in an Advanced zone
* Thread Flow:
- gets all Running domRs/dhcps, gets their networks, selects the networks that
have to be checked (see criteria below):
- checks that there is only one nic in the op_networks table for the
network, and this nic belongs to domR/dhcp
- Stops domR/dhcp
* Criteria to choose the network:
- Network has to be non-system.
- Network should be one of the following: Guest Virtual (TrafficType=Guest; GuestType=Virtual); Direct Tagged (TrafficType=Public; GuestType=Direct)
Couple of other fixes:
* Added isShared parameter to listNetworks command
* Moved guestType from NetworkOffering to Network