[DISCUSS] VR Password server improvement and expiring

[Rohit Yadav <ro...@shapeblue.com>]

Hi,

I've sent a pull request that replaces the bash/socat based password
server with a Python based server that is backward compatible. In future
I'll be working on an VR-agents framework to make resetting
password/publickeys more secure.

Right now when reset password is called, the password server is sent
over HTTP (unencrypted) and does not expiry until the user VM sends an
acknowledgement back to the VR.

JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-8272
PR: https://github.com/apache/cloudstack/pull/106

I need your comment on the following proposal:

1. If a password has been served by the password server, we expire it
within next 15 minutes (or suggest other values) if acknowledgement is
not received.

2. If a password is not served by the password server in next 1-24 hours
(because the VM was in stopped state and was never started to receive
new password and send ack to remove it from VR) it gets expired. What
should be a good enough time period, 1 hour? 4 hours? 1 day?
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: [DISCUSS] VR Password server improvement and expiring

[Pierre-Luc Dion <pd...@apache.org>]

When the password is taken and acknowledge from the VR it should be
destroyed immediately from the VR and as it is currently, I think. Are you
planning to implement SSL capability as well since it as been brought on
the ML recently ?

On Wed, Mar 11, 2015 at 9:39 AM, Nux! <nu...@li.nux.ro> wrote:

> Hi Wido,
>
>
> >> If a guest has confirmed the password was retrieved delete it
> >> straight away. I am not sure this is what you asked. :)
> >>
> >
> > How would the guest confirm? Merely retrieving it doesn't guarantee
> > that the client was able to set it.
> >
> > I'd say keep if for 15 minutes, so that the guest can try a couple of
> > times before we expire the password.
>
> Nothing against keeping the password around for a few more minutes or
> hours.
>
> Looking at this password script[1] for example, it looks like the guest
> can confirm that password was successfully retrieved and set like this:
>
> wget -t 3 -T 20 -O - --header "DomU_Request: saved_password"
> $PASSWORD_SERVER_IP:8080
>
>
> [1] -
> https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password
>
>

Re: [DISCUSS] VR Password server improvement and expiring

[Rohit Yadav <ro...@shapeblue.com>]

Hi Wido and everyone,

Thanks for the suggestion, supporting ipv6 can be easily done though I’m not sure which interface/IPv6 address to listen on.

Though, this is tricky as not all networks would have an interface with ipv6 enabled (unless say an admin deploys a shared network with ipv6 address space). Can there be a case where in a VR the password server should listen and serve on both IPv4 and IPv6 addresses.

So should we:

1. listen on all interface instead of just VR IPv4 IP, passwords are only served based on client’s address
2. listen on passed IPV4 IP, but for IPv6 listen on “::” address?
3. or, expect mgmt server to pass appropriate IPv6 address to listen on and only then listen on it

> On 12-Mar-2015, at 12:33 am, Wido den Hollander <wi...@widodh.nl> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 03/11/2015 05:17 PM, Rohit Yadav wrote:
>> Wido - Lucian is right. Once the user VM resets password, they need
>> to send an acknowledgement, for example: wget -t 3 -T 20 -O -
>> --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080
>> This is to say that the password server can now remove the password
>> from its internal storage (file based).
>>
>
> Ah, indeed.
>
>>
>> Lucian - in the proposal what I meant to say was that in case a
>> password was sent to a user VM but the user VM does not respond
>> with an ack (so as to remove the password from its storage/memory)
>> should it expiry it after a period of say 15 mins?
>>
>>
>> Pierre - I would be happy to implement a SSL based http server
>> which is my next step though I’m not sure about the logistics of
>> adding the SSL scripts etc, which could be similar how it is done
>> for the CPVM/SSVM. The first step is to remove bash/socat based
>> password server with a Python based server that uses Threads
>> instead of Forks (so less memory intensive) and cleans up
>> properly.
>>
>
> Shall we make sure this new service listens on IPv6 as well? Let's not
> introduce a new IPv4-only service :-)
>
>>
>>> On 11-Mar-2015, at 7:09 pm, Nux! <nu...@li.nux.ro> wrote:
>>>
>>> Hi Wido,
>>>
>>>
>>>>> If a guest has confirmed the password was retrieved delete
>>>>> it straight away. I am not sure this is what you asked. :)
>>>>>
>>>>
>>>> How would the guest confirm? Merely retrieving it doesn't
>>>> guarantee that the client was able to set it.
>>>>
>>>> I'd say keep if for 15 minutes, so that the guest can try a
>>>> couple of times before we expire the password.
>>>
>>> Nothing against keeping the password around for a few more
>>> minutes or hours.
>>>
>>> Looking at this password script[1] for example, it looks like the
>>> guest can confirm that password was successfully retrieved and
>>> set like this:
>>>
>>> wget -t 3 -T 20 -O - --header "DomU_Request: saved_password"
>>> $PASSWORD_SERVER_IP:8080
>>>
>>>
>>> [1] -
>>> https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password
>>>
>>
>>>
>> Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262
>> 30892 | rohit.yadav@shapeblue.com Blog: bhaisaab.org | Twitter:
>> @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>> services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge –
>> rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack
>> Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack
>> Software
>> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is
>> addressed. Any views or opinions expressed are solely those of the
>> author and do not necessarily represent those of Shape Blue Ltd or
>> related companies. If you are not the intended recipient of this
>> email, you must neither take any action based upon its contents,
>> nor copy or show it to anyone. Please contact the sender if you
>> believe you have received this email in error. Shape Blue Ltd is a
>> company incorporated in England & Wales. ShapeBlue Services India
>> LLP is a company incorporated in India and is operated under
>> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>> a company incorporated in Brasil and is operated under license from
>> Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The
>> Republic of South Africa and is traded under license from Shape
>> Blue Ltd. ShapeBlue is a registered trademark.
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJVAJFwAAoJEAGbWC3bPspC++8QALGc/ggAhOTuv4YH/H5k+kdo
> ccUbOdRd5YDaVwuc0lqAVz1mfiCu2KWSV8dMAH60Xty3H7Yz3CtfNt2LF6EUEPs8
> McorD6eR4WjmlUwjl+kl/vcyPcMgkKhQ2Im75EvTkoAhDpxeD25damqU9dOjTcZq
> w4njFO8Q0lJRdssAQpQhampPDY0A2Itdb3TwEOAhu+/3gQiHPUkQKi6pTJfJZVf/
> yzux8yCEXup9w3VzaWU3zpc2O9VNDyuWzQkSarxvZucP3kFFfoQkiDJekg4ooijP
> wpN4Y6QyIy9djVKA7gh7miky5z7RZfkr8aLUi5BjOrH6Beh+wNKI5xAmCIt9rV7C
> +DapHEQO9P6hMzXawAoojazLuSz8X/4H6Ds7b/9/XVe8bxueDMdsk1uMDVp2Shqf
> UztJ4Ik/iWypReuJjEKSxx9BJq+CJHUDgUQQcdfIAv+V2s7WjHMj94bPxUbf6a48
> lHTtJH4sQdwK3GLV7nN0dnpxo3lOEkQmn7sTILbKXCo5+Kx2qEKap4122CvthyT2
> 3WpBsEAhxDGDUKfisp1zzf+JRKnLAS/Ve5oWm9uQ+76CvbSfrl6i4NXzviPKdjfk
> bFklM7xaO+JY/dH0PnOA5XrBGNGAqiEczvtjWQub+gWi2k03R4tQns1maYgW1d2U
> 3GIjru7LyLBYMIQmudZA
> =a25U
> -----END PGP SIGNATURE-----

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: [DISCUSS] VR Password server improvement and expiring

[Wido den Hollander <wi...@widodh.nl>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 03/11/2015 05:17 PM, Rohit Yadav wrote:
> Wido - Lucian is right. Once the user VM resets password, they need
> to send an acknowledgement, for example: wget -t 3 -T 20 -O -
> --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080 
> This is to say that the password server can now remove the password
> from its internal storage (file based).
> 

Ah, indeed.

> 
> Lucian - in the proposal what I meant to say was that in case a
> password was sent to a user VM but the user VM does not respond
> with an ack (so as to remove the password from its storage/memory)
> should it expiry it after a period of say 15 mins?
> 
> 
> Pierre - I would be happy to implement a SSL based http server
> which is my next step though I’m not sure about the logistics of
> adding the SSL scripts etc, which could be similar how it is done
> for the CPVM/SSVM. The first step is to remove bash/socat based
> password server with a Python based server that uses Threads
> instead of Forks (so less memory intensive) and cleans up
> properly.
> 

Shall we make sure this new service listens on IPv6 as well? Let's not
introduce a new IPv4-only service :-)

> 
>> On 11-Mar-2015, at 7:09 pm, Nux! <nu...@li.nux.ro> wrote:
>> 
>> Hi Wido,
>> 
>> 
>>>> If a guest has confirmed the password was retrieved delete
>>>> it straight away. I am not sure this is what you asked. :)
>>>> 
>>> 
>>> How would the guest confirm? Merely retrieving it doesn't
>>> guarantee that the client was able to set it.
>>> 
>>> I'd say keep if for 15 minutes, so that the guest can try a
>>> couple of times before we expire the password.
>> 
>> Nothing against keeping the password around for a few more
>> minutes or hours.
>> 
>> Looking at this password script[1] for example, it looks like the
>> guest can confirm that password was successfully retrieved and
>> set like this:
>> 
>> wget -t 3 -T 20 -O - --header "DomU_Request: saved_password"
>> $PASSWORD_SERVER_IP:8080
>> 
>> 
>> [1] -
>> https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password
>>
>
>> 
> Regards, Rohit Yadav Software Architect, ShapeBlue M. +91 88 262
> 30892 | rohit.yadav@shapeblue.com Blog: bhaisaab.org | Twitter:
> @_bhaisaab
> 
> 
> 
> Find out more about ShapeBlue and our range of CloudStack related
> services
> 
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge –
> rapid IaaS deployment framework<http://shapeblue.com/csforge/> 
> CloudStack
> Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack
> Software
> Engineering<http://shapeblue.com/cloudstack-software-engineering/> 
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/> 
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
> 
> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is
> addressed. Any views or opinions expressed are solely those of the
> author and do not necessarily represent those of Shape Blue Ltd or
> related companies. If you are not the intended recipient of this
> email, you must neither take any action based upon its contents,
> nor copy or show it to anyone. Please contact the sender if you
> believe you have received this email in error. Shape Blue Ltd is a
> company incorporated in England & Wales. ShapeBlue Services India
> LLP is a company incorporated in India and is operated under
> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
> a company incorporated in Brasil and is operated under license from
> Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The
> Republic of South Africa and is traded under license from Shape
> Blue Ltd. ShapeBlue is a registered trademark.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVAJFwAAoJEAGbWC3bPspC++8QALGc/ggAhOTuv4YH/H5k+kdo
ccUbOdRd5YDaVwuc0lqAVz1mfiCu2KWSV8dMAH60Xty3H7Yz3CtfNt2LF6EUEPs8
McorD6eR4WjmlUwjl+kl/vcyPcMgkKhQ2Im75EvTkoAhDpxeD25damqU9dOjTcZq
w4njFO8Q0lJRdssAQpQhampPDY0A2Itdb3TwEOAhu+/3gQiHPUkQKi6pTJfJZVf/
yzux8yCEXup9w3VzaWU3zpc2O9VNDyuWzQkSarxvZucP3kFFfoQkiDJekg4ooijP
wpN4Y6QyIy9djVKA7gh7miky5z7RZfkr8aLUi5BjOrH6Beh+wNKI5xAmCIt9rV7C
+DapHEQO9P6hMzXawAoojazLuSz8X/4H6Ds7b/9/XVe8bxueDMdsk1uMDVp2Shqf
UztJ4Ik/iWypReuJjEKSxx9BJq+CJHUDgUQQcdfIAv+V2s7WjHMj94bPxUbf6a48
lHTtJH4sQdwK3GLV7nN0dnpxo3lOEkQmn7sTILbKXCo5+Kx2qEKap4122CvthyT2
3WpBsEAhxDGDUKfisp1zzf+JRKnLAS/Ve5oWm9uQ+76CvbSfrl6i4NXzviPKdjfk
bFklM7xaO+JY/dH0PnOA5XrBGNGAqiEczvtjWQub+gWi2k03R4tQns1maYgW1d2U
3GIjru7LyLBYMIQmudZA
=a25U
-----END PGP SIGNATURE-----

Re: [DISCUSS] VR Password server improvement and expiring

[Nux! <nu...@li.nux.ro>]

> Lucian - in the proposal what I meant to say was that in case a password was
> sent to a user VM but the user VM does not respond with an ack (so as to remove
> the password from its storage/memory) should it expiry it after a period of say
> 15 mins?

Rohit, seeing that there is logic built into these scripts, then the expected action would be to just wait for the script's ACK indefinitely.
If the ACK doesn't come it means the VM is either crashed, or stopped (waiting to be started when the customer wants) etc; there is a reason behind it.

> Pierre - I would be happy to implement a SSL based http server which is my next
> step though I’m not sure about the logistics of adding the SSL scripts etc,
> which could be similar how it is done for the CPVM/SSVM. The first step is to
> remove bash/socat based password server with a Python based server that uses
> Threads instead of Forks (so less memory intensive) and cleans up properly.

+1 for SSL, particularly important in basic and adv+sg zones.

Personally I would not change the current implementation since it works well, although I could see why you would want to as a programmer.
Also, by using a proper programming language you've just locked out non-programmers (like me) from being able to debug problems with it - not necessarilly a good argument though.

One advantage of the current implementation is that socat can be very easily made to serve SSL http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html , we might end up using socat with your program, too.



Lucian

Re: [DISCUSS] VR Password server improvement and expiring

[Rohit Yadav <ro...@shapeblue.com>]

Wido - Lucian is right. Once the user VM resets password, they need to send an acknowledgement, for example:
wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080
This is to say that the password server can now remove the password from its internal storage (file based).


Lucian - in the proposal what I meant to say was that in case a password was sent to a user VM but the user VM does not respond with an ack (so as to remove the password from its storage/memory) should it expiry it after a period of say 15 mins?


Pierre - I would be happy to implement a SSL based http server which is my next step though I’m not sure about the logistics of adding the SSL scripts etc, which could be similar how it is done for the CPVM/SSVM. The first step is to remove bash/socat based password server with a Python based server that uses Threads instead of Forks (so less memory intensive) and cleans up properly.


> On 11-Mar-2015, at 7:09 pm, Nux! <nu...@li.nux.ro> wrote:
>
> Hi Wido,
>
>
>>> If a guest has confirmed the password was retrieved delete it
>>> straight away. I am not sure this is what you asked. :)
>>>
>>
>> How would the guest confirm? Merely retrieving it doesn't guarantee
>> that the client was able to set it.
>>
>> I'd say keep if for 15 minutes, so that the guest can try a couple of
>> times before we expire the password.
>
> Nothing against keeping the password around for a few more minutes or hours.
>
> Looking at this password script[1] for example, it looks like the guest can confirm that password was successfully retrieved and set like this:
>
> wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080
>
>
> [1] - https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password
>

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: [DISCUSS] VR Password server improvement and expiring

[Nux! <nu...@li.nux.ro>]

Hi Wido,


>> If a guest has confirmed the password was retrieved delete it
>> straight away. I am not sure this is what you asked. :)
>> 
> 
> How would the guest confirm? Merely retrieving it doesn't guarantee
> that the client was able to set it.
> 
> I'd say keep if for 15 minutes, so that the guest can try a couple of
> times before we expire the password.

Nothing against keeping the password around for a few more minutes or hours.

Looking at this password script[1] for example, it looks like the guest can confirm that password was successfully retrieved and set like this:

wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080


[1] - https://raw.githubusercontent.com/shankerbalan/cloudstack-scripts/master/archlinux/cloudstack-set-guest-password

Re: [DISCUSS] VR Password server improvement and expiring

[Wido den Hollander <wi...@widodh.nl>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 03/11/2015 02:09 PM, Nux! wrote:
> Hello,
> 
> See inline.
> 
>> JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-8272 PR:
>> https://github.com/apache/cloudstack/pull/106
>> 
>> I need your comment on the following proposal:
>> 
>> 1. If a password has been served by the password server, we
>> expire it within next 15 minutes (or suggest other values) if
>> acknowledgement is not received.
> 
> If a guest has confirmed the password was retrieved delete it
> straight away. I am not sure this is what you asked. :)
> 

How would the guest confirm? Merely retrieving it doesn't guarantee
that the client was able to set it.

I'd say keep if for 15 minutes, so that the guest can try a couple of
times before we expire the password.

>> 
>> 2. If a password is not served by the password server in next
>> 1-24 hours (because the VM was in stopped state and was never
>> started to receive new password and send ack to remove it from
>> VR) it gets expired. What should be a good enough time period, 1
>> hour? 4 hours? 1 day?
> 
> Imho the password should be kept forever, awaiting the guest to
> retrieve it. There may be cases where people will regularly reset
> the passwords, a VM could stay offline for a while before being
> started and getting the new password.
> 
> Will this new python implementation handle SSL connections as
> well? I'd be nice if it did https by default with a self-signed
> cert unless otherwise specified.
> 
> 
> Lucian
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVAEAFAAoJEAGbWC3bPspC2pUP/RC/CZwAADZLeAJO3iTkmthQ
thMfAk+E4tzFOANSp+63yMZ6rWpjLOPZdb47Tf0Wyyyjgpzk+jMjVZhUXcpq72rb
4LHkKBGlotDHiPsybBslivcBVMEvL1zvDLUgDO2dYJNJA/gNhHICPQ6lvboa3a5W
Je0HhspKm8d/hJUYlO+mIZBNt2lARQdv1YZi+KUbTxKU7qWpaCg5B+d7PYK61oxX
8iAmdSBgX3A6xtOwAwZaD/F3AG1R945vyp8ttQZ7bzatG3TO750ULCzGtjhPApeT
GYy4EYn5T1qzQVHZe99B9KhMDUadoF3VxjPZ+n2Hu58/20Bm98TJdNrS4HBun4e2
Gwn+u6ankKcgG+5QNsPTO7I+WcYRFVQ6FXTY1CqtWU8PTKuA79Op2Sb71OTu2UrQ
BR8VldwIN0CS2mwXZQhLbW6Z6KcjMbjGtoxCZ+yC4HRFPkqbsQ9lsZ5yTv+vq12f
b+keYVpWgAfLl7K0LnMYAP+pwzC5Byh52QH2NskkhcdxK5zEAU83cqGaWSXiPXZ0
+z8cK8RP0jQvGrFRpr/S4Ydx96GFoANo8LbTlulP+Oj4x12yh7U5O+gnoiWP/G4b
ZKt5GVz9/Akx4rYUlE6ICSyxEiQO0+Tyf4nt64C7ezKRHU21tEeKPSyCRrkyo/8Q
JVT7aODxVXRDzdP3fbWK
=rbC4
-----END PGP SIGNATURE-----

Re: [DISCUSS] VR Password server improvement and expiring

[Nux! <nu...@li.nux.ro>]

Hello,

See inline.

> JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-8272
> PR: https://github.com/apache/cloudstack/pull/106
> 
> I need your comment on the following proposal:
> 
> 1. If a password has been served by the password server, we expire it
> within next 15 minutes (or suggest other values) if acknowledgement is
> not received.

If a guest has confirmed the password was retrieved delete it straight away. I am not sure this is what you asked. :)

> 
> 2. If a password is not served by the password server in next 1-24 hours
> (because the VM was in stopped state and was never started to receive
> new password and send ack to remove it from VR) it gets expired. What
> should be a good enough time period, 1 hour? 4 hours? 1 day?

Imho the password should be kept forever, awaiting the guest to retrieve it.
There may be cases where people will regularly reset the passwords, a VM could stay offline for a while before being started and getting the new password.

Will this new python implementation handle SSL connections as well?
I'd be nice if it did https by default with a self-signed cert unless otherwise specified.


Lucian