You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ro...@apache.org on 2018/05/04 07:07:30 UTC
[cloudstack] branch 4.11 updated (314caff -> 05857c7)
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a change to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git.
from 314caff Merge branch '4.10' into 4.11
new 2be45c2 solidfire: fix potential NPE
new eb75c1e ca: Fixes #2530 have all IPs from KVM host in issued X509 cert
new ddc8d13 systemvmtemplate: Fixes #2541 adds Letsencrypt CA cert
new 8533def systemvm: Fixes #2561 patching on XenServer
new 6412e50 saml2: Fixes #2548 SAML2 cert encoding and decoding
new 77172b9 vr: create tables before applying egress iptables rules
new 85ad463 test/integration: fix invalid VMware smoketests failures
new 05857c7 engine/schema: new 4.11.1 systemvmtemplate
The 8 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../com/cloud/upgrade/dao/Upgrade41000to41100.java | 175 --------------------
.../com/cloud/upgrade/dao/Upgrade41100to41110.java | 184 ++++++++++++++++++++-
.../cloudstack/ca/provider/RootCAProvider.java | 49 +++++-
.../datastore/provider/SolidFireHostListener.java | 2 +-
.../cloudstack/saml/SAML2AuthManagerImpl.java | 22 +--
.../src/org/apache/cloudstack/saml/SAMLUtils.java | 89 +++++++++-
.../test/org/apache/cloudstack/SAMLUtilsTest.java | 10 +-
scripts/util/keystore-setup | 3 +-
systemvm/debian/opt/cloud/bin/configure.py | 1 +
.../debian/opt/cloud/bin/setup/cloud-early-config | 8 +-
.../debian/opt/cloud/bin/setup/patchsystemvm.sh | 2 +
test/integration/smoke/test_service_offerings.py | 3 +-
test/integration/smoke/test_vm_life_cycle.py | 10 +-
.../scripts/configure_systemvm_services.sh | 13 +-
.../scripts/install_systemvm_packages.sh | 6 +-
ui/index.html | 1 -
.../cloudstack/utils/security/CertUtils.java | 5 +-
17 files changed, 356 insertions(+), 227 deletions(-)
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 08/08: engine/schema: new 4.11.1 systemvmtemplate
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 05857c717d8bc0bb151f6a7d231d6862c6ebf483
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Tue May 1 16:55:40 2018 +0530
engine/schema: new 4.11.1 systemvmtemplate
This moves db upgrade paths and checks around a new systemvmtemplate
for 4.11.1. The new systemvmtemplate compared to 4.11.0 template
is slightly smaller and has meltdown/spectre fixes among few other
security fixes from Debian and changes to cloud-early-config.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
.../com/cloud/upgrade/dao/Upgrade41000to41100.java | 175 --------------------
.../com/cloud/upgrade/dao/Upgrade41100to41110.java | 184 ++++++++++++++++++++-
2 files changed, 182 insertions(+), 177 deletions(-)
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index 20294d1..3900cf0 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -22,15 +22,11 @@ import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.HashSet;
import java.util.Map;
-import java.util.Set;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
-import com.cloud.hypervisor.Hypervisor;
import com.cloud.utils.PropertiesUtil;
import com.cloud.utils.exception.CloudRuntimeException;
@@ -68,7 +64,6 @@ public class Upgrade41000to41100 implements DbUpgrade {
public void performDataMigration(Connection conn) {
checkAndEnableDynamicRoles(conn);
validateUserDataInBase64(conn);
- updateSystemVmTemplates(conn);
}
private void checkAndEnableDynamicRoles(final Connection conn) {
@@ -126,176 +121,6 @@ public class Upgrade41000to41100 implements DbUpgrade {
}
}
- @SuppressWarnings("serial")
- private void updateSystemVmTemplates(final Connection conn) {
- LOG.debug("Updating System Vm template IDs");
- // Get all hypervisors in use
- final Set<Hypervisor.HypervisorType> hypervisorsListInUse = new HashSet<Hypervisor.HypervisorType>();
- try (PreparedStatement pstmt = conn.prepareStatement("select distinct(hypervisor_type) from `cloud`.`cluster` where removed is null"); ResultSet rs = pstmt.executeQuery()) {
- while (rs.next()) {
- switch (Hypervisor.HypervisorType.getType(rs.getString(1))) {
- case XenServer:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.XenServer);
- break;
- case KVM:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.KVM);
- break;
- case VMware:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.VMware);
- break;
- case Hyperv:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.Hyperv);
- break;
- case LXC:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC);
- break;
- case Ovm3:
- hypervisorsListInUse.add(Hypervisor.HypervisorType.Ovm3);
- break;
- default:
- break;
- }
- }
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates: Exception caught while getting hypervisor types from clusters: " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while getting hypervisor types from clusters", e);
- }
-
- final Map<Hypervisor.HypervisorType, String> NewTemplateNameList = new HashMap<Hypervisor.HypervisorType, String>() {
- {
- put(Hypervisor.HypervisorType.KVM, "systemvm-kvm-4.11");
- put(Hypervisor.HypervisorType.VMware, "systemvm-vmware-4.11");
- put(Hypervisor.HypervisorType.XenServer, "systemvm-xenserver-4.11");
- put(Hypervisor.HypervisorType.Hyperv, "systemvm-hyperv-4.11");
- put(Hypervisor.HypervisorType.LXC, "systemvm-lxc-4.11");
- put(Hypervisor.HypervisorType.Ovm3, "systemvm-ovm3-4.11");
- }
- };
-
- final Map<Hypervisor.HypervisorType, String> routerTemplateConfigurationNames = new HashMap<Hypervisor.HypervisorType, String>() {
- {
- put(Hypervisor.HypervisorType.KVM, "router.template.kvm");
- put(Hypervisor.HypervisorType.VMware, "router.template.vmware");
- put(Hypervisor.HypervisorType.XenServer, "router.template.xenserver");
- put(Hypervisor.HypervisorType.Hyperv, "router.template.hyperv");
- put(Hypervisor.HypervisorType.LXC, "router.template.lxc");
- put(Hypervisor.HypervisorType.Ovm3, "router.template.ovm3");
- }
- };
-
- final Map<Hypervisor.HypervisorType, String> newTemplateUrl = new HashMap<Hypervisor.HypervisorType, String>() {
- {
- put(Hypervisor.HypervisorType.KVM, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-kvm.qcow2.bz2");
- put(Hypervisor.HypervisorType.VMware, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-vmware.ova");
- put(Hypervisor.HypervisorType.XenServer, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-xen.vhd.bz2");
- put(Hypervisor.HypervisorType.Hyperv, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-hyperv.vhd.zip");
- put(Hypervisor.HypervisorType.LXC, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-kvm.qcow2.bz2");
- put(Hypervisor.HypervisorType.Ovm3, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.0-ovm.raw.bz2");
- }
- };
-
- final Map<Hypervisor.HypervisorType, String> newTemplateChecksum = new HashMap<Hypervisor.HypervisorType, String>() {
- {
- put(Hypervisor.HypervisorType.KVM, "2d8d1e4eacc976814b97f02849481433");
- put(Hypervisor.HypervisorType.XenServer, "a5ecf7ed485e2da5ec1993069aa60553");
- put(Hypervisor.HypervisorType.VMware, "84dab5d1e8267b5dc85eb4eaa21a1efe");
- put(Hypervisor.HypervisorType.Hyperv, "d592ab6a2271303fe75b6a27f8e6bd53");
- put(Hypervisor.HypervisorType.LXC, "2d8d1e4eacc976814b97f02849481433");
- put(Hypervisor.HypervisorType.Ovm3, "60fe2227b89a8980ee09f89dc7b19582");
- }
- };
-
- for (final Map.Entry<Hypervisor.HypervisorType, String> hypervisorAndTemplateName : NewTemplateNameList.entrySet()) {
- LOG.debug("Updating " + hypervisorAndTemplateName.getKey() + " System Vms");
- try (PreparedStatement pstmt = conn.prepareStatement("select id from `cloud`.`vm_template` where name = ? and removed is null order by id desc limit 1")) {
- // Get 4.11.0 systemvm template id for corresponding hypervisor
- long templateId = -1;
- pstmt.setString(1, hypervisorAndTemplateName.getValue());
- try (ResultSet rs = pstmt.executeQuery()) {
- if (rs.next()) {
- templateId = rs.getLong(1);
- }
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates: Exception caught while getting ids of templates: " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates: Exception caught while getting ids of templates", e);
- }
-
- // change template type to SYSTEM
- if (templateId != -1) {
- try (PreparedStatement templ_type_pstmt = conn.prepareStatement("update `cloud`.`vm_template` set type='SYSTEM' where id = ?");) {
- templ_type_pstmt.setLong(1, templateId);
- templ_type_pstmt.executeUpdate();
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates:Exception while updating template with id " + templateId + " to be marked as 'system': " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while updating template with id " + templateId + " to be marked as 'system'", e);
- }
- // update template ID of system Vms
- try (PreparedStatement update_templ_id_pstmt = conn
- .prepareStatement("update `cloud`.`vm_instance` set vm_template_id = ? where type <> 'User' and hypervisor_type = ?");) {
- update_templ_id_pstmt.setLong(1, templateId);
- update_templ_id_pstmt.setString(2, hypervisorAndTemplateName.getKey().toString());
- update_templ_id_pstmt.executeUpdate();
- } catch (final Exception e) {
- LOG.error("updateSystemVmTemplates:Exception while setting template for " + hypervisorAndTemplateName.getKey().toString() + " to " + templateId
- + ": " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting template for " + hypervisorAndTemplateName.getKey().toString() + " to "
- + templateId, e);
- }
-
- // Change value of global configuration parameter
- // router.template.* for the corresponding hypervisor
- try (PreparedStatement update_pstmt = conn.prepareStatement("UPDATE `cloud`.`configuration` SET value = ? WHERE name = ?");) {
- update_pstmt.setString(1, hypervisorAndTemplateName.getValue());
- update_pstmt.setString(2, routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()));
- update_pstmt.executeUpdate();
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates:Exception while setting " + routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()) + " to "
- + hypervisorAndTemplateName.getValue() + ": " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting "
- + routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()) + " to " + hypervisorAndTemplateName.getValue(), e);
- }
-
- // Change value of global configuration parameter
- // minreq.sysvmtemplate.version for the ACS version
- try (PreparedStatement update_pstmt = conn.prepareStatement("UPDATE `cloud`.`configuration` SET value = ? WHERE name = ?");) {
- update_pstmt.setString(1, "4.11.0");
- update_pstmt.setString(2, "minreq.sysvmtemplate.version");
- update_pstmt.executeUpdate();
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates:Exception while setting 'minreq.sysvmtemplate.version' to 4.11.0: " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting 'minreq.sysvmtemplate.version' to 4.11.0", e);
- }
- } else {
- if (hypervisorsListInUse.contains(hypervisorAndTemplateName.getKey())) {
- throw new CloudRuntimeException(getUpgradedVersion() + hypervisorAndTemplateName.getKey() + " SystemVm template not found. Cannot upgrade system Vms");
- } else {
- LOG.warn(getUpgradedVersion() + hypervisorAndTemplateName.getKey() + " SystemVm template not found. " + hypervisorAndTemplateName.getKey()
- + " hypervisor is not used, so not failing upgrade");
- // Update the latest template URLs for corresponding
- // hypervisor
- try (PreparedStatement update_templ_url_pstmt = conn
- .prepareStatement("UPDATE `cloud`.`vm_template` SET url = ? , checksum = ? WHERE hypervisor_type = ? AND type = 'SYSTEM' AND removed is null order by id desc limit 1");) {
- update_templ_url_pstmt.setString(1, newTemplateUrl.get(hypervisorAndTemplateName.getKey()));
- update_templ_url_pstmt.setString(2, newTemplateChecksum.get(hypervisorAndTemplateName.getKey()));
- update_templ_url_pstmt.setString(3, hypervisorAndTemplateName.getKey().toString());
- update_templ_url_pstmt.executeUpdate();
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates:Exception while updating 'url' and 'checksum' for hypervisor type "
- + hypervisorAndTemplateName.getKey().toString() + ": " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while updating 'url' and 'checksum' for hypervisor type "
- + hypervisorAndTemplateName.getKey().toString(), e);
- }
- }
- }
- } catch (final SQLException e) {
- LOG.error("updateSystemVmTemplates:Exception while getting ids of templates: " + e.getMessage());
- throw new CloudRuntimeException("updateSystemVmTemplates:Exception while getting ids of templates", e);
- }
- }
- LOG.debug("Updating System Vm Template IDs Complete");
- }
-
-
@Override
public InputStream[] getCleanupScripts() {
final String scriptFile = "META-INF/db/schema-41000to41100-cleanup.sql";
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41100to41110.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41100to41110.java
index fc735dd..3443e95 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41100to41110.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41100to41110.java
@@ -19,12 +19,24 @@
package com.cloud.upgrade.dao;
-import com.cloud.utils.exception.CloudRuntimeException;
-
import java.io.InputStream;
import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Logger;
+
+import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.exception.CloudRuntimeException;
public class Upgrade41100to41110 implements DbUpgrade {
+ final static Logger LOG = Logger.getLogger(Upgrade41000to41100.class);
+
@Override
public String[] getUpgradableVersionRange() {
return new String[]{"4.11.0.0", "4.11.1.0"};
@@ -53,7 +65,175 @@ public class Upgrade41100to41110 implements DbUpgrade {
@Override
public void performDataMigration(Connection conn) {
+ updateSystemVmTemplates(conn);
+ }
+
+ @SuppressWarnings("serial")
+ private void updateSystemVmTemplates(final Connection conn) {
+ LOG.debug("Updating System Vm template IDs");
+ final Set<Hypervisor.HypervisorType> hypervisorsListInUse = new HashSet<Hypervisor.HypervisorType>();
+ try (PreparedStatement pstmt = conn.prepareStatement("select distinct(hypervisor_type) from `cloud`.`cluster` where removed is null"); ResultSet rs = pstmt.executeQuery()) {
+ while (rs.next()) {
+ switch (Hypervisor.HypervisorType.getType(rs.getString(1))) {
+ case XenServer:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.XenServer);
+ break;
+ case KVM:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.KVM);
+ break;
+ case VMware:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.VMware);
+ break;
+ case Hyperv:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.Hyperv);
+ break;
+ case LXC:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC);
+ break;
+ case Ovm3:
+ hypervisorsListInUse.add(Hypervisor.HypervisorType.Ovm3);
+ break;
+ default:
+ break;
+ }
+ }
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates: Exception caught while getting hypervisor types from clusters: " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while getting hypervisor types from clusters", e);
+ }
+ final Map<Hypervisor.HypervisorType, String> NewTemplateNameList = new HashMap<Hypervisor.HypervisorType, String>() {
+ {
+ put(Hypervisor.HypervisorType.KVM, "systemvm-kvm-4.11.1");
+ put(Hypervisor.HypervisorType.VMware, "systemvm-vmware-4.11.1");
+ put(Hypervisor.HypervisorType.XenServer, "systemvm-xenserver-4.11.1");
+ put(Hypervisor.HypervisorType.Hyperv, "systemvm-hyperv-4.11.1");
+ put(Hypervisor.HypervisorType.LXC, "systemvm-lxc-4.11.1");
+ put(Hypervisor.HypervisorType.Ovm3, "systemvm-ovm3-4.11.1");
+ }
+ };
+
+ final Map<Hypervisor.HypervisorType, String> routerTemplateConfigurationNames = new HashMap<Hypervisor.HypervisorType, String>() {
+ {
+ put(Hypervisor.HypervisorType.KVM, "router.template.kvm");
+ put(Hypervisor.HypervisorType.VMware, "router.template.vmware");
+ put(Hypervisor.HypervisorType.XenServer, "router.template.xenserver");
+ put(Hypervisor.HypervisorType.Hyperv, "router.template.hyperv");
+ put(Hypervisor.HypervisorType.LXC, "router.template.lxc");
+ put(Hypervisor.HypervisorType.Ovm3, "router.template.ovm3");
+ }
+ };
+
+ final Map<Hypervisor.HypervisorType, String> newTemplateUrl = new HashMap<Hypervisor.HypervisorType, String>() {
+ {
+ put(Hypervisor.HypervisorType.KVM, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-kvm.qcow2.bz2");
+ put(Hypervisor.HypervisorType.VMware, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-vmware.ova");
+ put(Hypervisor.HypervisorType.XenServer, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-xen.vhd.bz2");
+ put(Hypervisor.HypervisorType.Hyperv, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-hyperv.vhd.zip");
+ put(Hypervisor.HypervisorType.LXC, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-kvm.qcow2.bz2");
+ put(Hypervisor.HypervisorType.Ovm3, "https://download.cloudstack.org/systemvm/4.11/systemvmtemplate-4.11.1-ovm.raw.bz2");
+ }
+ };
+
+ final Map<Hypervisor.HypervisorType, String> newTemplateChecksum = new HashMap<Hypervisor.HypervisorType, String>() {
+ {
+ put(Hypervisor.HypervisorType.KVM, "6019c2ed1a13669dcf334fe380c776b0");
+ put(Hypervisor.HypervisorType.XenServer, "f2245e912c856ab610d91f88c362a1f9");
+ put(Hypervisor.HypervisorType.VMware, "1dbcd051fcfcd0fd568ff6eb5294988a");
+ put(Hypervisor.HypervisorType.Hyperv, "e68ec90f0dc06821d94a2ee0e88fa646");
+ put(Hypervisor.HypervisorType.LXC, "6019c2ed1a13669dcf334fe380c776b0");
+ put(Hypervisor.HypervisorType.Ovm3, "cd2ac8dcdaf6c05d75e29cb39ee9a10f");
+ }
+ };
+
+ for (final Map.Entry<Hypervisor.HypervisorType, String> hypervisorAndTemplateName : NewTemplateNameList.entrySet()) {
+ LOG.debug("Updating " + hypervisorAndTemplateName.getKey() + " System Vms");
+ try (PreparedStatement pstmt = conn.prepareStatement("select id from `cloud`.`vm_template` where name = ? and removed is null order by id desc limit 1")) {
+ // Get 4.11.0 systemvm template id for corresponding hypervisor
+ long templateId = -1;
+ pstmt.setString(1, hypervisorAndTemplateName.getValue());
+ try (ResultSet rs = pstmt.executeQuery()) {
+ if (rs.next()) {
+ templateId = rs.getLong(1);
+ }
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates: Exception caught while getting ids of templates: " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates: Exception caught while getting ids of templates", e);
+ }
+
+ // change template type to SYSTEM
+ if (templateId != -1) {
+ try (PreparedStatement templ_type_pstmt = conn.prepareStatement("update `cloud`.`vm_template` set type='SYSTEM' where id = ?");) {
+ templ_type_pstmt.setLong(1, templateId);
+ templ_type_pstmt.executeUpdate();
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates:Exception while updating template with id " + templateId + " to be marked as 'system': " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while updating template with id " + templateId + " to be marked as 'system'", e);
+ }
+ // update template ID of system Vms
+ try (PreparedStatement update_templ_id_pstmt = conn
+ .prepareStatement("update `cloud`.`vm_instance` set vm_template_id = ? where type <> 'User' and hypervisor_type = ?");) {
+ update_templ_id_pstmt.setLong(1, templateId);
+ update_templ_id_pstmt.setString(2, hypervisorAndTemplateName.getKey().toString());
+ update_templ_id_pstmt.executeUpdate();
+ } catch (final Exception e) {
+ LOG.error("updateSystemVmTemplates:Exception while setting template for " + hypervisorAndTemplateName.getKey().toString() + " to " + templateId
+ + ": " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting template for " + hypervisorAndTemplateName.getKey().toString() + " to "
+ + templateId, e);
+ }
+
+ // Change value of global configuration parameter
+ // router.template.* for the corresponding hypervisor
+ try (PreparedStatement update_pstmt = conn.prepareStatement("UPDATE `cloud`.`configuration` SET value = ? WHERE name = ?");) {
+ update_pstmt.setString(1, hypervisorAndTemplateName.getValue());
+ update_pstmt.setString(2, routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()));
+ update_pstmt.executeUpdate();
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates:Exception while setting " + routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()) + " to "
+ + hypervisorAndTemplateName.getValue() + ": " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting "
+ + routerTemplateConfigurationNames.get(hypervisorAndTemplateName.getKey()) + " to " + hypervisorAndTemplateName.getValue(), e);
+ }
+
+ // Change value of global configuration parameter
+ // minreq.sysvmtemplate.version for the ACS version
+ try (PreparedStatement update_pstmt = conn.prepareStatement("UPDATE `cloud`.`configuration` SET value = ? WHERE name = ?");) {
+ update_pstmt.setString(1, "4.11.1");
+ update_pstmt.setString(2, "minreq.sysvmtemplate.version");
+ update_pstmt.executeUpdate();
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates:Exception while setting 'minreq.sysvmtemplate.version' to 4.11.1: " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while setting 'minreq.sysvmtemplate.version' to 4.11.1", e);
+ }
+ } else {
+ if (hypervisorsListInUse.contains(hypervisorAndTemplateName.getKey())) {
+ throw new CloudRuntimeException(getUpgradedVersion() + hypervisorAndTemplateName.getKey() + " SystemVm template not found. Cannot upgrade system Vms");
+ } else {
+ LOG.warn(getUpgradedVersion() + hypervisorAndTemplateName.getKey() + " SystemVm template not found. " + hypervisorAndTemplateName.getKey()
+ + " hypervisor is not used, so not failing upgrade");
+ // Update the latest template URLs for corresponding
+ // hypervisor
+ try (PreparedStatement update_templ_url_pstmt = conn
+ .prepareStatement("UPDATE `cloud`.`vm_template` SET url = ? , checksum = ? WHERE hypervisor_type = ? AND type = 'SYSTEM' AND removed is null order by id desc limit 1");) {
+ update_templ_url_pstmt.setString(1, newTemplateUrl.get(hypervisorAndTemplateName.getKey()));
+ update_templ_url_pstmt.setString(2, newTemplateChecksum.get(hypervisorAndTemplateName.getKey()));
+ update_templ_url_pstmt.setString(3, hypervisorAndTemplateName.getKey().toString());
+ update_templ_url_pstmt.executeUpdate();
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates:Exception while updating 'url' and 'checksum' for hypervisor type "
+ + hypervisorAndTemplateName.getKey().toString() + ": " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while updating 'url' and 'checksum' for hypervisor type "
+ + hypervisorAndTemplateName.getKey().toString(), e);
+ }
+ }
+ }
+ } catch (final SQLException e) {
+ LOG.error("updateSystemVmTemplates:Exception while getting ids of templates: " + e.getMessage());
+ throw new CloudRuntimeException("updateSystemVmTemplates:Exception while getting ids of templates", e);
+ }
+ }
+ LOG.debug("Updating System Vm Template IDs Complete");
}
@Override
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 05/08: saml2: Fixes #2548 SAML2 cert encoding and
decoding
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 6412e50471bf447de24c7a72713ec2294cb2ce1e
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Wed May 2 17:57:32 2018 +0530
saml2: Fixes #2548 SAML2 cert encoding and decoding
This fixes SAML2 certificate encoding/decoding issue due to refactoring
regression introduced in 7ce54bf7a85d6df72f84c00fadf9b0fd42ab0d99 that
did not account for base64 based encoding/decoding. The changes
effectively restore the same logic as used in previous versions.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
.../cloudstack/saml/SAML2AuthManagerImpl.java | 22 ++----
.../src/org/apache/cloudstack/saml/SAMLUtils.java | 89 ++++++++++++++++++++--
.../test/org/apache/cloudstack/SAMLUtilsTest.java | 10 ++-
ui/index.html | 1 -
4 files changed, 94 insertions(+), 28 deletions(-)
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index d280ed5..f0a5bab 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -32,7 +32,6 @@ import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
@@ -147,11 +146,11 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
try {
KeyPair keyPair = CertUtils.generateRandomKeyPair(4096);
_ksDao.save(SAMLPluginConstants.SAMLSP_KEYPAIR,
- CertUtils.privateKeyToPem(keyPair.getPrivate()),
- CertUtils.publicKeyToPem(keyPair.getPublic()), "samlsp-keypair");
+ SAMLUtils.encodePrivateKey(keyPair.getPrivate()),
+ SAMLUtils.encodePublicKey(keyPair.getPublic()), "samlsp-keypair");
keyStoreVO = _ksDao.findByName(SAMLPluginConstants.SAMLSP_KEYPAIR);
s_logger.info("No SAML keystore found, created and saved a new Service Provider keypair");
- } catch (final NoSuchProviderException | NoSuchAlgorithmException | IOException e) {
+ } catch (final NoSuchProviderException | NoSuchAlgorithmException e) {
s_logger.error("Unable to create and save SAML keypair, due to: ", e);
}
}
@@ -166,19 +165,8 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
KeyPair spKeyPair = null;
X509Certificate spX509Key = null;
if (keyStoreVO != null) {
-
- PrivateKey privateKey = null;
- try {
- privateKey = CertUtils.pemToPrivateKey(keyStoreVO.getCertificate());
- } catch (final InvalidKeySpecException | IOException e) {
- s_logger.error("Failed to read private key, due to error: ", e);
- }
- PublicKey publicKey = null;
- try {
- publicKey = CertUtils.pemToPublicKey(keyStoreVO.getKey());
- } catch (final InvalidKeySpecException | IOException e) {
- s_logger.error("Failed to read public key, due to error: ", e);
- }
+ final PrivateKey privateKey = SAMLUtils.decodePrivateKey(keyStoreVO.getCertificate());
+ final PublicKey publicKey = SAMLUtils.decodePublicKey(keyStoreVO.getKey());
if (privateKey != null && publicKey != null) {
spKeyPair = new KeyPair(publicKey, privateKey);
KeystoreVO x509VO = _ksDao.findByName(SAMLPluginConstants.SAMLSP_X509CERT);
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
index 364ef86..5b00d47 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
@@ -28,15 +28,20 @@ import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
+import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
import java.util.List;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
@@ -264,12 +269,6 @@ public class SAMLUtils {
return url;
}
- public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, InvalidKeyException, OperatorCreationException {
- return CertUtils.generateV1Certificate(keyPair,
- "CN=ApacheCloudStack", "CN=ApacheCloudStack",
- 3, "SHA256WithRSA");
- }
-
public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, final HttpServletResponse resp) throws IOException {
resp.addCookie(new Cookie("userid", URLEncoder.encode(loginResponse.getUserId(), HttpUtils.UTF_8)));
resp.addCookie(new Cookie("domainid", URLEncoder.encode(loginResponse.getDomainId(), HttpUtils.UTF_8)));
@@ -284,4 +283,82 @@ public class SAMLUtils {
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
}
+ /**
+ * Returns base64 encoded PublicKey
+ * @param key PublicKey
+ * @return public key encoded string
+ */
+ public static String encodePublicKey(PublicKey key) {
+ try {
+ KeyFactory keyFactory = CertUtils.getKeyFactory();
+ if (keyFactory == null) return null;
+ X509EncodedKeySpec spec = keyFactory.getKeySpec(key, X509EncodedKeySpec.class);
+ return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()), Charset.forName("UTF-8"));
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+ }
+ return null;
+ }
+
+ /**
+ * Returns base64 encoded PrivateKey
+ * @param key PrivateKey
+ * @return privatekey encoded string
+ */
+ public static String encodePrivateKey(PrivateKey key) {
+ try {
+ KeyFactory keyFactory = CertUtils.getKeyFactory();
+ if (keyFactory == null) return null;
+ PKCS8EncodedKeySpec spec = keyFactory.getKeySpec(key,
+ PKCS8EncodedKeySpec.class);
+ return new String(org.bouncycastle.util.encoders.Base64.encode(spec.getEncoded()), Charset.forName("UTF-8"));
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create KeyFactory:" + e.getMessage());
+ }
+ return null;
+ }
+
+ /**
+ * Decodes base64 encoded public key to PublicKey
+ * @param publicKey encoded public key string
+ * @return returns PublicKey
+ */
+ public static PublicKey decodePublicKey(String publicKey) {
+ byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(publicKey);
+ X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(sigBytes);
+ KeyFactory keyFactory = CertUtils.getKeyFactory();
+ if (keyFactory == null)
+ return null;
+ try {
+ return keyFactory.generatePublic(x509KeySpec);
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+ }
+ return null;
+ }
+
+ /**
+ * Decodes base64 encoded private key to PrivateKey
+ * @param privateKey encoded private key string
+ * @return returns PrivateKey
+ */
+ public static PrivateKey decodePrivateKey(String privateKey) {
+ byte[] sigBytes = org.bouncycastle.util.encoders.Base64.decode(privateKey);
+ PKCS8EncodedKeySpec pkscs8KeySpec = new PKCS8EncodedKeySpec(sigBytes);
+ KeyFactory keyFactory = CertUtils.getKeyFactory();
+ if (keyFactory == null)
+ return null;
+ try {
+ return keyFactory.generatePrivate(pkscs8KeySpec);
+ } catch (InvalidKeySpecException e) {
+ s_logger.error("Unable to create PrivateKey from privateKey string:" + e.getMessage());
+ }
+ return null;
+ }
+
+ public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateException, SignatureException, InvalidKeyException, OperatorCreationException {
+ return CertUtils.generateV1Certificate(keyPair,
+ "CN=ApacheCloudStack", "CN=ApacheCloudStack",
+ 3, "SHA256WithRSA");
+ }
}
diff --git a/plugins/user-authenticators/saml2/test/org/apache/cloudstack/SAMLUtilsTest.java b/plugins/user-authenticators/saml2/test/org/apache/cloudstack/SAMLUtilsTest.java
index 4986d7a..4784134 100644
--- a/plugins/user-authenticators/saml2/test/org/apache/cloudstack/SAMLUtilsTest.java
+++ b/plugins/user-authenticators/saml2/test/org/apache/cloudstack/SAMLUtilsTest.java
@@ -64,12 +64,14 @@ public class SAMLUtilsTest extends TestCase {
public void testX509Helpers() throws Exception {
KeyPair keyPair = CertUtils.generateRandomKeyPair(4096);
- String privateKeyString = CertUtils.privateKeyToPem(keyPair.getPrivate());
- String publicKeyString = CertUtils.publicKeyToPem(keyPair.getPublic());
+ String privateKeyString = SAMLUtils.encodePrivateKey(keyPair.getPrivate());
+ String publicKeyString = SAMLUtils.encodePublicKey(keyPair.getPublic());
- PrivateKey privateKey = CertUtils.pemToPrivateKey(privateKeyString);
- PublicKey publicKey = CertUtils.pemToPublicKey(publicKeyString);
+ PrivateKey privateKey = SAMLUtils.decodePrivateKey(privateKeyString);
+ PublicKey publicKey = SAMLUtils.decodePublicKey(publicKeyString);
+ assertNotNull(privateKey);
+ assertNotNull(publicKey);
assertTrue(privateKey.equals(keyPair.getPrivate()));
assertTrue(publicKey.equals(keyPair.getPublic()));
}
diff --git a/ui/index.html b/ui/index.html
index b94e8e5..5003f00 100644
--- a/ui/index.html
+++ b/ui/index.html
@@ -1881,7 +1881,6 @@
<script type="text/javascript" src="scripts/network.js"></script>
<script type="text/javascript" src="scripts/domains.js"></script>
<script type="text/javascript" src="scripts/docs.js"></script>
- <script type="text/javascript" src="scripts/vm_snapshots.js"></script>
<script type="text/javascript" src="scripts/ui-custom/projectSelect.js"></script>
<script type="text/javascript" src="scripts/ui-custom/saml.js"></script>
<script type="text/javascript" src="scripts/ui-custom/ca.js"></script>
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 02/08: ca: Fixes #2530 have all IPs from KVM host in
issued X509 cert
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit eb75c1eff51e4e121f7ef690cb56b8b22d43f143
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Mon Apr 30 17:40:20 2018 +0530
ca: Fixes #2530 have all IPs from KVM host in issued X509 cert
This ensures that certificate setup includes all the IP addresses (v4
and v6) when a (KVM) host is added to CloudStack. This fixes #2530.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
.../cloudstack/ca/provider/RootCAProvider.java | 49 +++++++++++++++++++---
scripts/util/keystore-setup | 3 +-
.../cloudstack/utils/security/CertUtils.java | 5 ++-
3 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/plugins/ca/root-ca/src/org/apache/cloudstack/ca/provider/RootCAProvider.java b/plugins/ca/root-ca/src/org/apache/cloudstack/ca/provider/RootCAProvider.java
index 6584b35..f36d067 100644
--- a/plugins/ca/root-ca/src/org/apache/cloudstack/ca/provider/RootCAProvider.java
+++ b/plugins/ca/root-ca/src/org/apache/cloudstack/ca/provider/RootCAProvider.java
@@ -20,6 +20,7 @@ package org.apache.cloudstack.ca.provider;
import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
+import java.net.InetAddress;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyPair;
@@ -34,6 +35,7 @@ import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@@ -45,6 +47,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.xml.bind.DatatypeConverter;
import org.apache.cloudstack.ca.CAManager;
import org.apache.cloudstack.framework.ca.CAProvider;
@@ -55,9 +58,15 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.utils.security.CertUtils;
import org.apache.cloudstack.utils.security.KeyStoreUtils;
import org.apache.log4j.Logger;
-import org.bouncycastle.jce.PKCS10CertificationRequest;
+import org.bouncycastle.asn1.pkcs.Attribute;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
@@ -137,7 +146,17 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
return new Certificate(clientCertificate, keyPair.getPrivate(), Collections.singletonList(caCertificate));
}
- private Certificate generateCertificateUsingCsr(final String csr, final List<String> domainNames, final List<String> ipAddresses, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
+ private Certificate generateCertificateUsingCsr(final String csr, final List<String> names, final List<String> ips, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
+ final List<String> dnsNames = new ArrayList<>();
+ final List<String> ipAddresses = new ArrayList<>();
+
+ if (names != null) {
+ dnsNames.addAll(names);
+ }
+ if (ips != null) {
+ ipAddresses.addAll(ips);
+ }
+
PemObject pemObject = null;
try {
@@ -151,13 +170,33 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
throw new CloudRuntimeException("Unable to read/process CSR: " + csr);
}
- final PKCS10CertificationRequest request = new PKCS10CertificationRequest(pemObject.getContent());
+ final JcaPKCS10CertificationRequest request = new JcaPKCS10CertificationRequest(pemObject.getContent());
+ final String subject = request.getSubject().toString();
+ for (final Attribute attribute : request.getAttributes()) {
+ if (attribute == null) {
+ continue;
+ }
+ if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
+ final Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
+ final GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
+ if (gns != null && gns.getNames() != null && gns.getNames().length > 0) {
+ for (final GeneralName name : gns.getNames()) {
+ if (name.getTagNo() == GeneralName.dNSName) {
+ dnsNames.add(name.getName().toString());
+ }
+ if (name.getTagNo() == GeneralName.iPAddress) {
+ final InetAddress address = InetAddress.getByAddress(DatatypeConverter.parseHexBinary(name.getName().toString().substring(1)));
+ ipAddresses.add(address.toString().replace("/", ""));
+ }
+ }
+ }
+ }
+ }
- final String subject = request.getCertificationRequestInfo().getSubject().toString();
final X509Certificate clientCertificate = CertUtils.generateV3Certificate(
caCertificate, caKeyPair, request.getPublicKey(),
subject, CAManager.CertSignatureAlgorithm.value(),
- validityDays, domainNames, ipAddresses);
+ validityDays, dnsNames, ipAddresses);
return new Certificate(clientCertificate, null, Collections.singletonList(caCertificate));
}
diff --git a/scripts/util/keystore-setup b/scripts/util/keystore-setup
index 48ce062..ce96336 100755
--- a/scripts/util/keystore-setup
+++ b/scripts/util/keystore-setup
@@ -42,7 +42,8 @@ keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyal
# Generate CSR
rm -f "$CSR_FILE"
-keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" > /dev/null 2>&1
+addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',')
+keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" > /dev/null 2>&1
cat "$CSR_FILE"
# Fix file permissions
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
index 7e78362..aea65a7 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
@@ -40,6 +40,7 @@ import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
import javax.security.auth.x500.X500Principal;
@@ -219,7 +220,7 @@ public class CertUtils {
final List<ASN1Encodable> subjectAlternativeNames = new ArrayList<ASN1Encodable>();
if (publicIPAddresses != null) {
- for (final String publicIPAddress: publicIPAddresses) {
+ for (final String publicIPAddress: new HashSet<>(publicIPAddresses)) {
if (Strings.isNullOrEmpty(publicIPAddress)) {
continue;
}
@@ -227,7 +228,7 @@ public class CertUtils {
}
}
if (dnsNames != null) {
- for (final String dnsName : dnsNames) {
+ for (final String dnsName : new HashSet<>(dnsNames)) {
if (Strings.isNullOrEmpty(dnsName)) {
continue;
}
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 07/08: test/integration: fix invalid VMware smoketests
failures
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 85ad4639b05ee41b25c154f4ad4650795eca26b9
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Wed May 2 15:55:14 2018 +0530
test/integration: fix invalid VMware smoketests failures
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
test/integration/smoke/test_service_offerings.py | 3 +--
test/integration/smoke/test_vm_life_cycle.py | 10 +++++++---
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/test/integration/smoke/test_service_offerings.py b/test/integration/smoke/test_service_offerings.py
index 2788d0e..9d05a7a 100644
--- a/test/integration/smoke/test_service_offerings.py
+++ b/test/integration/smoke/test_service_offerings.py
@@ -448,7 +448,7 @@ class TestCpuCapServiceOfferings(cloudstackTestCase):
cls.apiclient = testClient.getApiClient()
cls.services = testClient.getParsedTestDataConfig()
cls.hypervisor = testClient.getHypervisorInfo()
-
+ cls._cleanup = []
cls.hypervisorNotSupported = False
if cls.hypervisor.lower() not in ["kvm"]:
cls.hypervisorNotSupported = True
@@ -516,7 +516,6 @@ class TestCpuCapServiceOfferings(cloudstackTestCase):
cls.offering,
cls.account
]
- return
@classmethod
def tearDownClass(cls):
diff --git a/test/integration/smoke/test_vm_life_cycle.py b/test/integration/smoke/test_vm_life_cycle.py
index d882c1f..a2daee8 100644
--- a/test/integration/smoke/test_vm_life_cycle.py
+++ b/test/integration/smoke/test_vm_life_cycle.py
@@ -794,6 +794,10 @@ class TestSecuredVmMigration(cloudstackTestCase):
cls.apiclient = testClient.getApiClient()
cls.services = testClient.getParsedTestDataConfig()
cls.hypervisor = testClient.getHypervisorInfo()
+ cls._cleanup = []
+
+ if cls.hypervisor.lower() not in ["kvm"]:
+ return
# Get Zone, Domain and templates
domain = get_domain(cls.apiclient)
@@ -846,12 +850,12 @@ class TestSecuredVmMigration(cloudstackTestCase):
self.apiclient = self.testClient.getApiClient()
self.dbclient = self.testClient.getDbConnection()
self.cleanup = []
- self.updateConfiguration("ca.plugin.root.auth.strictness", "false")
- self.make_all_hosts_secure()
-
if self.hypervisor.lower() not in ["kvm"]:
self.skipTest("Secured migration is not supported on other than KVM")
+ self.updateConfiguration("ca.plugin.root.auth.strictness", "false")
+ self.make_all_hosts_secure()
+
def tearDown(self):
self.make_all_hosts_secure()
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 03/08: systemvmtemplate: Fixes #2541 adds Letsencrypt
CA cert
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit ddc8d131c080c363d82eadd75c811faaad81e9f9
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Tue May 1 15:01:11 2018 +0530
systemvmtemplate: Fixes #2541 adds Letsencrypt CA cert
On patching, the global cacerts keystore is imported in 'cloud' service
specific local keystore. This fixes #2541.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
systemvm/debian/opt/cloud/bin/setup/patchsystemvm.sh | 2 ++
.../systemvmtemplate/scripts/configure_systemvm_services.sh | 13 ++++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/systemvm/debian/opt/cloud/bin/setup/patchsystemvm.sh b/systemvm/debian/opt/cloud/bin/setup/patchsystemvm.sh
index ba5e2d8..c0d6d81 100755
--- a/systemvm/debian/opt/cloud/bin/setup/patchsystemvm.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/patchsystemvm.sh
@@ -37,6 +37,8 @@ patch_systemvm() {
echo "Restored keystore file and certs using backup" >> $logfile
fi
rm -fr $backupfolder
+ # Import global cacerts into 'cloud' service's keystore
+ keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
return 0
}
diff --git a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
index 3544806..7af9212 100644
--- a/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
+++ b/tools/appliance/systemvmtemplate/scripts/configure_systemvm_services.sh
@@ -19,7 +19,7 @@
set -e
set -x
-CLOUDSTACK_RELEASE=4.11.0
+CLOUDSTACK_RELEASE=4.11.1
function configure_apache2() {
# Enable ssl, rewrite and auth
@@ -31,6 +31,16 @@ function configure_apache2() {
sed -i 's/SSLProtocol .*$/SSLProtocol TLSv1.2/g' /etc/apache2/mods-available/ssl.conf
}
+function configure_cacerts() {
+ CDIR=$(pwd)
+ cd /tmp
+ # Add LetsEncrypt ca-cert
+ wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der
+ keytool -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -importcert -alias letsencryptauthorityx3cross -file lets-encrypt-x3-cross-signed.der
+ rm -f lets-encrypt-x3-cross-signed.der
+ cd $CDIR
+}
+
function install_cloud_scripts() {
# ./cloud_scripts/ has been put there by ../../cloud_scripts_shar_archive.sh
rsync -av ./cloud_scripts/ /
@@ -102,6 +112,7 @@ function configure_services() {
configure_apache2
configure_strongswan
configure_issue
+ configure_cacerts
}
return 2>/dev/null || configure_services
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 01/08: solidfire: fix potential NPE
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 2be45c218650c8bb7159f8d846d4e59768aeb357
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Mon Apr 30 17:35:01 2018 +0530
solidfire: fix potential NPE
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
.../cloudstack/storage/datastore/provider/SolidFireHostListener.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/provider/SolidFireHostListener.java b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/provider/SolidFireHostListener.java
index f9c27e9..f2a4b79 100644
--- a/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/provider/SolidFireHostListener.java
+++ b/plugins/storage/volume/solidfire/src/org/apache/cloudstack/storage/datastore/provider/SolidFireHostListener.java
@@ -152,7 +152,7 @@ public class SolidFireHostListener implements HypervisorHostListener {
}
private void handleVMware(HostVO host, boolean add, ModifyTargetsCommand.TargetTypeToRemove targetTypeToRemove) {
- if (HypervisorType.VMware.equals(host.getHypervisorType())) {
+ if (host != null && HypervisorType.VMware.equals(host.getHypervisorType())) {
List<StoragePoolVO> storagePools = _storagePoolDao.findPoolsByProvider(SolidFireUtil.PROVIDER_NAME);
if (storagePools != null && storagePools.size() > 0) {
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 04/08: systemvm: Fixes #2561 patching on XenServer
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 8533def696dacb989b8fde17403bfca98e6139b0
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Wed May 2 14:57:10 2018 +0530
systemvm: Fixes #2561 patching on XenServer
This fixes incorrect xenstore-read binary path, this failed systemvm
to be patched/started correctly on xenserver. The other fix is to keep
the xen-domU flag that may be returned by virt-what. This effect
won't change the cmdline being consumed as the mgmt server side (java)
code sets the boot args in both xenstore and as pv args. The systemvm's
/boot is ext2 that can be booted by PyGrub on both old and recent
XenServer versions.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
systemvm/debian/opt/cloud/bin/setup/cloud-early-config | 8 ++++----
.../systemvmtemplate/scripts/install_systemvm_packages.sh | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/setup/cloud-early-config b/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
index a9ad094..9baed01 100755
--- a/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
+++ b/systemvm/debian/opt/cloud/bin/setup/cloud-early-config
@@ -71,16 +71,16 @@ config_guest() {
get_boot_params() {
case $HYPERVISOR in
- xen-pv)
+ xen-pv|xen-domU)
cat /proc/cmdline > $CMDLINE
sed -i "s/%/ /g" $CMDLINE
;;
xen-hvm)
- if [ ! -f /usr/sbin/xenstore-read ]; then
+ if [ ! -f /usr/bin/xenstore-read ]; then
log_it "ERROR: xentools not installed, cannot found xenstore-read" && exit 5
fi
- /usr/sbin/xenstore-read vm-data/cloudstack/init > /var/cache/cloud/cmdline
- sed -i "s/%/ /g" /var/cache/cloud/cmdline
+ /usr/bin/xenstore-read vm-data/cloudstack/init > $CMDLINE
+ sed -i "s/%/ /g" $CMDLINE
;;
kvm)
VPORT=$(find /dev/virtio-ports -type l -name '*.vport' 2>/dev/null|head -1)
diff --git a/tools/appliance/systemvmtemplate/scripts/install_systemvm_packages.sh b/tools/appliance/systemvmtemplate/scripts/install_systemvm_packages.sh
index a5b1379..c1c3e94 100644
--- a/tools/appliance/systemvmtemplate/scripts/install_systemvm_packages.sh
+++ b/tools/appliance/systemvmtemplate/scripts/install_systemvm_packages.sh
@@ -86,9 +86,9 @@ function install_packages() {
fi
# Install xenserver guest utilities as debian repos don't have it
- wget https://mirrors.kernel.org/ubuntu/pool/universe/x/xe-guest-utilities/xe-guest-utilities_7.4.0-0ubuntu1_amd64.deb
- dpkg -i xe-guest-utilities_7.4.0-0ubuntu1_amd64.deb
- rm -f xe-guest-utilities_7.4.0-0ubuntu1_amd64.deb
+ wget https://mirrors.kernel.org/ubuntu/pool/main/x/xe-guest-utilities/xe-guest-utilities_7.10.0-0ubuntu1_amd64.deb
+ dpkg -i xe-guest-utilities_7.10.0-0ubuntu1_amd64.deb
+ rm -f xe-guest-utilities_7.10.0-0ubuntu1_amd64.deb
}
return 2>/dev/null || install_packages
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.
[cloudstack] 06/08: vr: create tables before applying egress
iptables rules
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 77172b9f032f8df0564e33026178acd579c23cd4
Author: Rohit Yadav <ro...@shapeblue.com>
AuthorDate: Tue May 1 20:06:12 2018 +0530
vr: create tables before applying egress iptables rules
This fixes the issue that post-upgrade egress rules are not applied
on VR, restarting the network with cleanup used to be the workaround.
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
---
systemvm/debian/opt/cloud/bin/configure.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index f9247ad..e023a9f 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -957,6 +957,7 @@ class IpTablesExecutor:
acls.process()
acls = CsAcl('firewallrules', self.config)
+ acls.flushAllowAllEgressRules()
acls.process()
fwd = CsForwardingRules("forwardingrules", self.config)
--
To stop receiving notification emails like this one, please contact
rohit@apache.org.