This introduces a new certificate authority framework that allows
pluggable CA provider implementations to handle certificate operations
around issuance, revocation and propagation. The framework injects
itself to `NioServer` to handle agent connections securely. The
framework adds assumptions in `NioClient` that a keystore if available
with known name `cloud.jks` will be used for SSL negotiations and
handshake.
This includes a default 'root' CA provider plugin which creates its own
self-signed root certificate authority on first run and uses it for
issuance and provisioning of certificate to CloudStack agents such as
the KVM, CPVM and SSVM agents and also for the management server for
peer clustering.
Additional changes and notes:
- Comma separate list of management server IPs can be set to the 'host'
global setting. Newly provisioned agents (KVM/CPVM/SSVM etc) will get
radomized comma separated list to which they will attempt connection
or reconnection in provided order. This removes need of a TCP LB on
port 8250 (default) of the management server(s).
- All fresh deployment will enforce two-way SSL authentication where
connecting agents will be required to present certificates issued
by the 'root' CA plugin.
- Existing environment on upgrade will continue to use one-way SSL
authentication and connecting agents will not be required to present
certificates.
- A script `keystore-setup` is responsible for initial keystore setup
and CSR generation on the agent/hosts.
- A script `keystore-cert-import` is responsible for import provided
certificate payload to the java keystore file.
- Agent security (keystore, certificates etc) are setup initially using
SSH, and later provisioning is handled via an existing agent connection
using command-answers. The supported clients and agents are limited to
CPVM, SSVM, and KVM agents, and clustered management server (peering).
- Certificate revocation does not revoke an existing agent-mgmt server
connection, however rejects a revoked certificate used during SSL
handshake.
- Older `cloudstackmanagement.keystore` is deprecated and will no longer
be used by mgmt server(s) for SSL negotiations and handshake. New
keystores will be named `cloud.jks`, any additional SSL certificates
should not be imported in it for use with tomcat etc. The `cloud.jks`
keystore is stricly used for agent-server communications.
- Management server keystore are validated and renewed on start up only,
the validity of them are same as the CA certificates.
New APIs:
- listCaProviders: lists all available CA provider plugins
- listCaCertificate: lists the CA certificate(s)
- issueCertificate: issues X509 client certificate with/without a CSR
- provisionCertificate: provisions certificate to a host
- revokeCertificate: revokes a client certificate using its serial
Global settings for the CA framework:
- ca.framework.provider.plugin: The configured CA provider plugin
- ca.framework.cert.keysize: The key size for certificate generation
- ca.framework.cert.signature.algorithm: The certificate signature algorithm
- ca.framework.cert.validity.period: Certificate validity in days
- ca.framework.cert.automatic.renewal: Certificate auto-renewal setting
- ca.framework.background.task.delay: CA background task delay/interval
- ca.framework.cert.expiry.alert.period: Days to check and alert expiring certificates
Global settings for the default 'root' CA provider:
- ca.plugin.root.private.key: (hidden/encrypted) CA private key
- ca.plugin.root.public.key: (hidden/encrypted) CA public key
- ca.plugin.root.ca.certificate: (hidden/encrypted) CA certificate
- ca.plugin.root.issuer.dn: The CA issue distinguished name
- ca.plugin.root.auth.strictness: Are clients required to present certificates
- ca.plugin.root.allow.expired.cert: Are clients with expired certificates allowed
UI changes:
- Button to download/save the CA certificates.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Increases/sets ulimit for cloudstack agent and management. This would fix
any issues with opening more files than permissible limit (usually 1024-4096).
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
In case of rpms, the commands.properties file is bundled at
/usr/share/cloudstack-management/webapps/client/WEB-INF/classes/commands.properties
In case of a rpm upgrade, new rpms won't ship with commands.properties file. For
existing installations this copies the commands.properties file to
/etc/cloudstack/management
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This allows non-root users to add KVM hosts, the user should be an admin or
added to sudoers to execute sudo cloudstack-setup-agent.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Remi Bergsma <apache@remi.nl>
This closes#288
CLOUDSTACK-7460: mgmt server package should not create agent directory
Revert "CLOUDSTACK-8402: Depend on openjdk 1.7 for both CentOS 6 and 7"
Revert "CLOUDSTACK-8404: uninstall/conflict if java-1.8.0-openjdk is installed"
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This would force to uninstall openjdk 1.8.0 and only install 1.7 in case of ACS
4.5.x releases. On master/4.6, we might support java 1.8.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This commit forces rpms to depend on java-1.7.0-openjdk which is available
on both CentOS 6 and CentOS 7, also the version that ACS 4.5 supports.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
The initial commit (f96c65416a) missed part of the change to package.sh, so we were not actually passing through the simulator build option to the rpmbuild call. This patch completes the support.
(cherry picked from commit e717450e0e)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
The -Xms value specifies the minimum heap size the JVM should start with and
-Xmx is the maximum heap size it can grow. The previous fix imposed minimum
limit of 1G which is unreasonably for small deployments. The fix is to start
with 256MB and limit to 2G for cloudstack-agent process. This was tested on
DevCloud/KVM and then again on a ACS/KVM deployment on real hardware.
With these values, it's possible for the agent to work in a DevCloud/KVM
environment and if JVM needs it can increase the heap size to 2G. The fix also
ports these settings to Debian cloud-agent init.d script as well.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit bb81082e58)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
In init.d scripts, the LSB header may specify what kind of service is
provided by an init script. If spaces are used, this means the init
script is providing several boot facilities. We fix that by using an
hyphen.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 2401eb927b)
changed the order of preference to check for java first.
Usage server rpm installs JRE 1.7. In the case where JDK 1.6 is already
installed, java version would be 1.7 but, javac would be 1.6
If javac is given preference, usage server fails to start in this case.
On a secured environment (selinux w/ env_reset enabled in sudoers), the
runuser command that is invoked by the daemon() function does not pass
along environment variables, so $JAVA_HOME is empty, and JSVC falls
back to its default behavior, which may not find java or may not find
the intended java.
This fix simply passes $JAVA_HOME explicitly using the -home argument to
JSVC.
Signed-off-by: Rajani Karuturi <rajanikaruturi@gmail.com>
Since we've agreed to use JDK/JRE 1.7, this enforces that for Ubuntu builds
- this fix remove usage of 1.6 paths in JDK_DIR for cloud-{agent, management, usage}.
- adds oracle jdk 1.7 path (in case a user is using that)
- adds mysql-connector-java path to CLASSPATH for usage server
- adds libmysql-java pkg dependency (tested and available for precise and trusty)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 96d6a2a037)
Conflicts:
packaging/debian/init/cloud-usage
Adds pessimistic logic to try the hard coded paths if Rajani's logic fails
Rohit Yadav
Rohit Yadav
Abhinandan Prateek
Harikrishna Patnala
Alex Brett
Keiichi Yusa
Damodar
rayeesn
Nitin Mehta
Vincent Bernat
Rajani Karuturi
Leo Simons
Frank.Zhang
Hugo Trippaers
David Bierce
ynojima
Rajesh Battala
Wido den Hollander
Marcus Sorensen