Merge 1db260f1f5 into cd5bb09d0d

Fix potential leaks in executePipedCommands (#12478 )
UI: fix issues when deploy VNF applicance on network with SG (#12436 )
2026-01-22 09:59:55 +00:00 · 2026-01-22 10:59:41 +01:00 · 2026-01-22 10:56:03 +01:00 · 2025-11-19 14:30:55 +01:00
7 changed files with 31 additions and 4 deletions
--- a/scripts/storage/secondary/cloud-install-sys-tmplt
+++ b/scripts/storage/secondary/cloud-install-sys-tmplt
@ -44,6 +44,7 @@ failed() {
 }

 #set -x
+umask 0022 # ensure we have the proper permissions even on hardened deployments
 mflag=
 fflag=
 ext="vhd"
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
@ -19,6 +19,7 @@

 # Usage: e.g. failed $? "this is an error"
 set -x
+umask 0022 # ensure we have the proper permissions even on hardened deployments

 failed() {
  local returnval=$1
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@ -2527,7 +2527,7 @@
 "label.vnf.app.action.reinstall": "Reinstall VNF Appliance",
 "label.vnf.cidr.list": "CIDR from which access to the VNF appliance's Management interface should be allowed from",
 "label.vnf.cidr.list.tooltip": "the CIDR list to forward traffic from to the VNF management interface. Multiple entries must be separated by a single comma character (,). The default value is 0.0.0.0/0.",
-"label.vnf.configure.management": "Configure Firewall and Port Forwarding rules for VNF's management interfaces",
+"label.vnf.configure.management": "Configure network rules for VNF's management interfaces",
 "label.vnf.configure.management.tooltip": "True by default, security group or network rules (source nat and firewall rules) will be configured for VNF management interfaces. False otherwise. Learn what rules are configured at http://docs.cloudstack.apache.org/en/latest/adminguide/networking/vnf_templates_appliances.html#deploying-vnf-appliances",
 "label.vnf.detail.add": "Add VNF detail",
 "label.vnf.detail.remove": "Remove VNF detail",
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@ -356,7 +356,10 @@ export default {
      permission: ['listVnfAppliances'],
      resourceType: 'UserVm',
      params: () => {
-        return { details: 'servoff,tmpl,nics', isvnf: true }
+        return {
+          details: 'group,nics,secgrp,tmpl,servoff,diskoff,iso,volume,affgrp,backoff,vnfnics',
+          isvnf: true
+        }
      },
      columns: () => {
        const fields = ['name', 'state', 'ipaddress']
--- a/ui/src/views/compute/DeployVnfAppliance.vue
+++ b/ui/src/views/compute/DeployVnfAppliance.vue
@ -1305,7 +1305,7 @@ export default {
      for (const deviceId of managementDeviceIds) {
        if (this.vnfNicNetworks && this.vnfNicNetworks[deviceId] &&
          ((this.vnfNicNetworks[deviceId].type === 'Isolated' && this.vnfNicNetworks[deviceId].vpcid === undefined) ||
-            (this.vnfNicNetworks[deviceId].type === 'Shared' && this.zone.securitygroupsenabled))) {
+            (this.vnfNicNetworks[deviceId].type === 'Shared' && this.vnfNicNetworks[deviceId].service.filter(svc => svc.name === 'SecurityGroupProvider')))) {
          return true
        }
      }
--- a/ui/src/views/network/VnfAppliancesTab.vue
+++ b/ui/src/views/network/VnfAppliancesTab.vue
@ -120,7 +120,7 @@ export default {
  methods: {
    fetchData () {
      var params = {
-        details: 'servoff,tmpl,nics',
+        details: 'group,nics,secgrp,tmpl,servoff,diskoff,iso,volume,affgrp,backoff,vnfnics',
        isVnf: true,
        listAll: true
      }
--- a/utils/src/main/java/com/cloud/utils/script/Script.java
+++ b/utils/src/main/java/com/cloud/utils/script/Script.java
@ -40,9 +40,11 @@ import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;

 import org.apache.cloudstack.utils.security.KeyStoreUtils;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@ -708,13 +710,31 @@ public class Script implements Callable<String> {
        return executeCommandForExitValue(0, command);
    }

+    private static void cleanupProcesses(AtomicReference<List<Process>> processesRef) {
+        List<Process> processes = processesRef.get();
+        if (CollectionUtils.isNotEmpty(processes)) {
+            for (Process process : processes) {
+                if (process == null) {
+                    continue;
+                }
+                LOGGER.trace(String.format("Cleaning up process [%s] from piped commands.", process.pid()));
+                IOUtils.closeQuietly(process.getErrorStream());
+                IOUtils.closeQuietly(process.getOutputStream());
+                IOUtils.closeQuietly(process.getInputStream());
+                process.destroyForcibly();
+            }
+        }
+    }
+
    public static Pair<Integer, String> executePipedCommands(List<String[]> commands, long timeout) {
        if (timeout <= 0) {
            timeout = DEFAULT_TIMEOUT;
        }
+        final AtomicReference<List<Process>> processesRef = new AtomicReference<>();
        Callable<Pair<Integer, String>> commandRunner = () -> {
            List<ProcessBuilder> builders = commands.stream().map(ProcessBuilder::new).collect(Collectors.toList());
            List<Process> processes = ProcessBuilder.startPipeline(builders);
+            processesRef.set(processes);
            Process last = processes.get(processes.size()-1);
            try (BufferedReader reader = new BufferedReader(new InputStreamReader(last.getInputStream()))) {
                String line;
@ -741,6 +761,8 @@ public class Script implements Callable<String> {
            result.second(ERR_TIMEOUT);
        } catch (InterruptedException | ExecutionException e) {
            LOGGER.error("Error executing piped commands", e);
+        } finally {
+            cleanupProcesses(processesRef);
        }
        return result;
    }
Author	SHA1	Message	Date
Artem Sidorenko	ce332b343c	Merge `1db260f1f5` into `cd5bb09d0d`	2026-01-22 09:59:55 +00:00
Abhisar Sinha	cd5bb09d0d	Fix potential leaks in executePipedCommands (#12478 )	2026-01-22 10:59:41 +01:00
Wei Zhou	b5e9178078	UI: fix issues when deploy VNF applicance on network with SG (#12436 )	2026-01-22 10:56:03 +01:00
Artem Sidorenko	1db260f1f5	Fix: proper permissions for systemvm template registrations on hardened systems Related to https://github.com/apache/cloudstack/issues/10029#issuecomment-2531599607 We have umask 0077, so cloud-install-sys-tmplt is creating by default paths like below ``` $ ls -l /mnt/secondary/template/tmpl/ total 16 drwx------. 3 root root 4096 Nov 19 13:58 1 drwxrwxrwx. 7 root root 4096 Oct 31 09:42 2 drwxrwxrwx. 3 root root 4096 Oct 30 15:59 4 drwxr-xr-x. 2 root root 4096 Oct 31 10:21 5 $ ls -l /mnt/secondary/template/tmpl/1/ total 4 drwx------. 2 root root 4096 Nov 19 13:59 3 $ ls -l /mnt/secondary/template/tmpl/1/3/ total 549848 -rw-------. 1 root root 563032576 Nov 19 13:59 d23a1e19-c563-4f69-85ca-8721cf02082c.qcow2 -rw-------. 1 root root 287 Nov 19 13:59 template.properties ``` This results to the permissions problems later on, when trying to access the image Signed-off-by: Artem Sidorenko <artem.sidorenko@telekom.de>	2025-11-19 14:30:55 +01:00