This is an automated email from the ASF dual-hosted git repository.
harikrishna-patnala pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/main by this push:
new a7f9756d626 Remove realhostip references from the code (#12856)
a7f9756d626 is described below
commit a7f9756d6267869b96a9209af58c0335835a773d
Author: Vishesh <[email protected]>
AuthorDate: Wed Jun 10 11:39:39 2026 +0530
Remove realhostip references from the code (#12856)
* Remove realhostip references from the code
* remove unused code
---
.pre-commit-config.yaml | 2 +-
.../resources/META-INF/db/schema-42210to42300.sql | 6 ++++++
scripts/util/keystore-cert-import | 19 ++++++++++---------
.../com/cloud/server/ConfigurationServerImpl.java | 3 ---
.../cloud/storage/download/DownloadMonitorImpl.java | 5 -----
.../com/cloud/storage/upload/UploadMonitorImpl.java | 13 +++++--------
.../test/java/com/cloud/keystore/KeystoreTest.java | 12 ++++++------
services/console-proxy/server/pom.xml | 2 +-
services/secondary-storage/server/pom.xml | 2 +-
.../agent/certs/{realhostip.crt => systemvm.crt} | 0
.../agent/certs/{realhostip.csr => systemvm.csr} | 0
.../agent/certs/{realhostip.key => systemvm.key} | 0
.../certs/{realhostip.keystore => systemvm.keystore} | Bin
systemvm/agent/scripts/_run.sh | 2 +-
systemvm/agent/scripts/config_ssl.sh | 6 +++---
systemvm/debian/opt/cloud/bin/setup/bootstrap.sh | 2 +-
systemvm/patch-sysvms.sh | 18 +++++++++---------
systemvm/pom.xml | 2 +-
.../utils/imagestore/ImageStoreUtilTest.java | 4 ++--
19 files changed, 47 insertions(+), 51 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 755ae125edf..91537e25267 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -151,7 +151,7 @@ repos:
^server/src/test/resources/certs/rsa_self_signed\.key$|
^services/console-proxy/rdpconsole/src/test/doc/rdp-key\.pem$|
^systemvm/agent/certs/localhost\.key$|
- ^systemvm/agent/certs/realhostip\.key$|
+ ^systemvm/agent/certs/systemvm\.key$|
^test/integration/smoke/test_ssl_offloading\.py$
- id: end-of-file-fixer
exclude: \.vhd$|\.svg$
diff --git
a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index 478125335e7..d999cbcd509 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -150,6 +150,12 @@ FROM `cloud`.`configuration` `cfg`
WHERE NOT EXISTS (SELECT 1 FROM `cloud`.`configuration` WHERE `name` =
'kvm.cpu.dynamic.scaling.capacity')
AND `cfg`.`name` = 'vm.serviceoffering.cpu.cores.max';
+-- Remove stale realhostip.com default values; domain has been dead since
~2015.
+UPDATE `cloud`.`configuration`
+ SET value = NULL
+ WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain')
+ AND value IN ('realhostip.com', '*.realhostip.com');
+
-- Add management_server_details table to allow ManagementServer scope configs
CREATE TABLE IF NOT EXISTS `management_server_details` (
`id` bigint
unsigned NOT NULL AUTO_INCREMENT COMMENT 'id',
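Review bot: The added UPDATE clears only `value` for the two domain settings, so the `secstorage.secure.copy.cert` row that ConfigurationServerImpl used to set to `realhostip` (a write removed in this same commit) keeps its stale value on upgraded installs. A companion statement would cover it: `UPDATE cloud.configuration SET value = NULL WHERE name = 'secstorage.secure.copy.cert' AND value = 'realhostip';`. If the configuration table also stores a per-row default (not visible in this hunk), that column would still read realhostip.com despite the comment's wording. The comment could also say that a NULL `secstorage.ssl.cert.domain` makes SSL copy URLs fall back to the bare IP address, since that is the operator-visible effect of this migration.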
diff --git a/scripts/util/keystore-cert-import
b/scripts/util/keystore-cert-import
index cf355e09845..447dcd71745 100755
--- a/scripts/util/keystore-cert-import
+++ b/scripts/util/keystore-cert-import
@@ -137,18 +137,19 @@ if [ -f "$SYSTEM_FILE" ]; then
chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
update-ca-certificates > /dev/null 2>&1 || true
- # Import CA cert(s) into realhostip.keystore so the SSVM JVM
- # (which overrides the truststore via -Djavax.net.ssl.trustStore in
_run.sh)
- # can trust servers signed by the CloudStack CA
- REALHOSTIP_KS_FILE="$(dirname "$(dirname
"$PROPS_FILE")")/certs/realhostip.keystore"
- REALHOSTIP_PASS="vmops.com"
- if [ -f "$REALHOSTIP_KS_FILE" ]; then
+ # Also import CA cert(s) into systemvm.keystore. KS_FILE (cloud.jks) above
+ # is the agent's mTLS keystore; the SSVM JVM, however, reads its truststore
+ # from systemvm.keystore (see -Djavax.net.ssl.trustStore in _run.sh), so
the
+ # CA must be added here too for the SSVM to trust CloudStack-CA-signed
servers.
+ SYSTEMVM_KS_FILE="$(dirname "$(dirname
"$PROPS_FILE")")/certs/systemvm.keystore"
+ SYSTEMVM_PASS="vmops.com"
+ if [ -f "$SYSTEMVM_KS_FILE" ]; then
awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print >
"cloudca." n }' "$CACERT_FILE"
for caChain in $(ls cloudca.* 2>/dev/null); do
- keytool -delete -noprompt -alias "$caChain" -keystore
"$REALHOSTIP_KS_FILE" \
- -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
+ keytool -delete -noprompt -alias "$caChain" -keystore
"$SYSTEMVM_KS_FILE" \
+ -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true
keytool -import -noprompt -trustcacerts -alias "$caChain" -file
"$caChain" \
- -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS"
> /dev/null 2>&1
+ -keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" >
/dev/null 2>&1
done
rm -f cloudca.*
fi
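Review bot: When the renamed keystore is absent, the `if [ -f "$SYSTEMVM_KS_FILE" ]` guard skips the CA import without any message, and inside the loop `keytool -import` has both its output and its exit status discarded. A system VM that still carries the keystore only under its old name, or one where the import fails, would presumably run with a truststore lacking the CloudStack CA and leave no trace of why TLS later fails. I would add an `else echo "keystore-cert-import: $SYSTEMVM_KS_FILE not found, CA not imported" >&2` branch and append `|| echo "failed to import $caChain into $SYSTEMVM_KS_FILE" >&2` to the import line. The import loop in the systemvm/patch-sysvms.sh hunk drops the exit status the same way. The enclosing `if [ -f "$SYSTEMVM_FILE" ]` block starts outside this hunk.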
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index 8f10dd84b54..def564dfdc6 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
@@ -222,9 +222,6 @@ public class ConfigurationServerImpl extends ManagerBase
implements Configuratio
_configDao.update(Config.SecStorageEncryptCopy.key(),
Config.SecStorageEncryptCopy.getCategory(), "false");
logger.debug("ConfigurationServer made secondary storage copy
encrypt set to false.");
- _configDao.update("secstorage.secure.copy.cert", "realhostip");
- logger.debug("ConfigurationServer made secondary storage copy use
realhostip.");
-
_configDao.update("user.password.encoders.exclude",
"MD5,LDAP,PLAINTEXT");
logger.debug("Configuration server excluded insecure encoders");
diff --git
a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
index 67d5b091a03..5258f433755 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
@@ -87,11 +87,6 @@ public class DownloadMonitorImpl extends ManagerBase
implements DownloadMonitor
final Map<String, String> configs =
_configDao.getConfiguration("management-server", params);
_proxy = configs.get(Config.SecStorageProxy.key());
- String cert = configs.get("secstorage.ssl.cert.domain");
- if (!"realhostip.com".equalsIgnoreCase(cert)) {
- logger.warn("Only realhostip.com ssl cert is supported, ignoring
self-signed and other certs");
- }
-
_copyAuthPasswd = configs.get("secstorage.copy.password");
DownloadListener dl = new DownloadListener(this);
diff --git
a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
index 7962d9dced9..a32790c135d 100644
--- a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
+++ b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
@@ -231,8 +231,8 @@ public class UploadMonitorImpl extends ManagerBase
implements UploadMonitor {
UploadVO upload = extractURLList.get(0);
String uploadUrl = extractURLList.get(0).getUploadUrl();
String[] token = uploadUrl.split("/");
- // example: uploadUrl =
https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
- // then token[2] = 10-11-101-112.realhostip.com, token[4] =
2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // example: uploadUrl =
https://10-11-101-112.example.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // then token[2] = 10-11-101-112.example.com, token[4] =
2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
String hostname = ep.getPublicAddr().replace(".", "-") + ".";
if ((token != null) && (token.length == 5) &&
(token[2].equals(hostname + _ssvmUrlDomain))) // ssvm publicip and domain
suffix not changed
return extractURLList.get(0);
@@ -365,7 +365,9 @@ public class UploadMonitorImpl extends ManagerBase
implements UploadMonitor {
if (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) {
hostname = hostname + "." + _ssvmUrlDomain;
} else {
- hostname = hostname + ".realhostip.com";
+ logger.warn("SSL copy is enabled but
secstorage.ssl.cert.domain is not configured; "
+ + "using IP address directly. Configure a wildcard SSL
certificate domain for proper HTTPS support.");
+ hostname = ipAddress;
}
}
return scheme + "://" + hostname + "/userdata/" + uuid;
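Review bot: The new fallback `hostname = ipAddress;` yields URLs of the form `https://<ip>/userdata/<uuid>`, but the reuse check in the first hunk of this file still compares `token[2]` with `hostname + _ssvmUrlDomain`. With an unset domain that concatenation contains the literal text "null", so a previously generated IP-based URL would never be recognised as still valid. The check could derive the expected host the same way the generator does, e.g. `String expected = (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) ? hostname + _ssvmUrlDomain : ep.getPublicAddr();`. Two smaller points on the fallback: the warning fires on every URL generation rather than once at configure time, and an HTTPS URL on a bare IP only validates if the certificate lists that IP as a subject alternative name, which the log text should say so operators do not respond by disabling verification. Both methods begin and end outside the visible hunks, so the non-SSL path was not checked.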
@@ -376,11 +378,6 @@ public class UploadMonitorImpl extends ManagerBase
implements UploadMonitor {
final Map<String, String> configs =
_configDao.getConfiguration("management-server", params);
_sslCopy =
Boolean.parseBoolean(configs.get("secstorage.encrypt.copy"));
- String cert = configs.get("secstorage.secure.copy.cert");
- if ("realhostip.com".equalsIgnoreCase(cert)) {
- logger.warn("Only realhostip.com ssl cert is supported, ignoring
self-signed and other certs");
- }
-
_ssvmUrlDomain = configs.get("secstorage.ssl.cert.domain");
_agentMgr.registerForHostEvents(new UploadListener(this), true, false,
false);
diff --git a/server/src/test/java/com/cloud/keystore/KeystoreTest.java
b/server/src/test/java/com/cloud/keystore/KeystoreTest.java
index 970892dc325..2b991d4a4f7 100644
--- a/server/src/test/java/com/cloud/keystore/KeystoreTest.java
+++ b/server/src/test/java/com/cloud/keystore/KeystoreTest.java
@@ -75,20 +75,20 @@ public class KeystoreTest extends TestCase {
ComponentLocator locator = ComponentLocator.getCurrentLocator();
KeystoreDao ksDao = locator.getDao(KeystoreDao.class);
- ksDao.save("CPVMCertificate", "CPVMCertificate",
"KeyForCertificate", "realhostip.com");
+ ksDao.save("CPVMCertificate", "CPVMCertificate",
"KeyForCertificate", "example.com");
ksVo = ksDao.findByName("CPVMCertificate");
assertTrue(ksVo != null);
assertTrue(ksVo.getCertificate().equals("CPVMCertificate"));
assertTrue(ksVo.getKey().equals("KeyForCertificate"));
- assertTrue(ksVo.getDomainSuffix().equals("realhostip.com"));
+ assertTrue(ksVo.getDomainSuffix().equals("example.com"));
- ksDao.save("CPVMCertificate", "CPVMCertificate Again",
"KeyForCertificate Again", "again.realhostip.com");
+ ksDao.save("CPVMCertificate", "CPVMCertificate Again",
"KeyForCertificate Again", "again.example.com");
ksVo = ksDao.findByName("CPVMCertificate");
assertTrue(ksVo != null);
assertTrue(ksVo.getCertificate().equals("CPVMCertificate Again"));
assertTrue(ksVo.getKey().equals("KeyForCertificate Again"));
- assertTrue(ksVo.getDomainSuffix().equals("again.realhostip.com"));
+ assertTrue(ksVo.getDomainSuffix().equals("again.example.com"));
ksDao.expunge(ksVo.getId());
}
@@ -112,9 +112,9 @@ public class KeystoreTest extends TestCase {
assertTrue(ksMgr.configure("TaskManager", new HashMap<String,
Object>()));
assertTrue(ksMgr.start());
- ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent,
"realhostip.com");
+ ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent,
"example.com");
- byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate",
"realhostip", "vmops.com");
+ byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate",
"example", "vmops.com");
assertTrue(ksBits != null);
try {
diff --git a/services/console-proxy/server/pom.xml
b/services/console-proxy/server/pom.xml
index 3f5b9db68c2..6e18a13bc57 100644
--- a/services/console-proxy/server/pom.xml
+++ b/services/console-proxy/server/pom.xml
@@ -80,7 +80,7 @@
<resource>
<directory>certs</directory>
<excludes>
- <exclude>realhostip.csr</exclude>
+ <exclude>systemvm.csr</exclude>
</excludes>
</resource>
</resources>
diff --git a/services/secondary-storage/server/pom.xml
b/services/secondary-storage/server/pom.xml
index e6aec8a42f7..ca26bf2bbbe 100644
--- a/services/secondary-storage/server/pom.xml
+++ b/services/secondary-storage/server/pom.xml
@@ -107,7 +107,7 @@
<systemProperties>
<systemProperty>
<key>javax.net.ssl.trustStore</key>
- <value>certs/realhostip.keystore</value>
+ <value>certs/systemvm.keystore</value>
<key>log.home</key>
<value>${PWD}/</value>
</systemProperty>
diff --git a/systemvm/agent/certs/realhostip.crt
b/systemvm/agent/certs/systemvm.crt
similarity index 100%
rename from systemvm/agent/certs/realhostip.crt
rename to systemvm/agent/certs/systemvm.crt
diff --git a/systemvm/agent/certs/realhostip.csr
b/systemvm/agent/certs/systemvm.csr
similarity index 100%
rename from systemvm/agent/certs/realhostip.csr
rename to systemvm/agent/certs/systemvm.csr
diff --git a/systemvm/agent/certs/realhostip.key
b/systemvm/agent/certs/systemvm.key
similarity index 100%
rename from systemvm/agent/certs/realhostip.key
rename to systemvm/agent/certs/systemvm.key
diff --git a/systemvm/agent/certs/realhostip.keystore
b/systemvm/agent/certs/systemvm.keystore
similarity index 100%
rename from systemvm/agent/certs/realhostip.keystore
rename to systemvm/agent/certs/systemvm.keystore
diff --git a/systemvm/agent/scripts/_run.sh b/systemvm/agent/scripts/_run.sh
index 11158ecf5bd..bb024f71c08 100755
--- a/systemvm/agent/scripts/_run.sh
+++ b/systemvm/agent/scripts/_run.sh
@@ -60,4 +60,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then
fi
fi
-java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore
-Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP
com.cloud.agent.AgentShell $keyvalues $@
+java -Djavax.net.ssl.trustStore=./certs/systemvm.keystore
-Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP
com.cloud.agent.AgentShell $keyvalues $@
diff --git a/systemvm/agent/scripts/config_ssl.sh
b/systemvm/agent/scripts/config_ssl.sh
index e9340b099f6..3968b2617f2 100755
--- a/systemvm/agent/scripts/config_ssl.sh
+++ b/systemvm/agent/scripts/config_ssl.sh
@@ -52,13 +52,13 @@ cflag=
cpkflag=
cpcflag=
cccflag=
-customPrivKey=$(dirname $0)/certs/realhostip.key
-customPrivCert=$(dirname $0)/certs/realhostip.crt
+customPrivKey=$(dirname $0)/certs/systemvm.key
+customPrivCert=$(dirname $0)/certs/systemvm.crt
customCertChain=
customCACert=
publicIp=
hostName=
-keyStore=$(dirname $0)/certs/realhostip.keystore
+keyStore=$(dirname $0)/certs/systemvm.keystore
defaultJavaKeyStoreFile=/etc/ssl/certs/java/cacerts
defaultJavaKeyStorePass="changeit"
aliasName="CPVMCertificate"
diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
index f7c071c8cc0..c601f6ad221 100755
--- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
@@ -65,7 +65,7 @@ patch_systemvm() {
fi
rm -fr $backupfolder
# Import global cacerts into 'cloud' service's keystore
- keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts
-destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass
changeit -deststorepass vmops.com -noprompt || true
+ keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts
-destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass
changeit -deststorepass vmops.com -noprompt || true
return 0
}
diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh
index 8d96de9ba3b..e8fa06018ed 100755
--- a/systemvm/patch-sysvms.sh
+++ b/systemvm/patch-sysvms.sh
@@ -126,25 +126,25 @@ patch_systemvm() {
if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then
# Import global cacerts into 'cloud' service's keystore
- REALHOSTIP_KS_FILE="/usr/local/cloud/systemvm/certs/realhostip.keystore"
- REALHOSTIP_PASS="vmops.com"
+ SYSTEMVM_KS_FILE="/usr/local/cloud/systemvm/certs/systemvm.keystore"
+ SYSTEMVM_PASS="vmops.com"
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts \
- -destkeystore "$REALHOSTIP_KS_FILE" -srcstorepass changeit
-deststorepass \
- "$REALHOSTIP_PASS" -noprompt 2>/dev/null || true
+ -destkeystore "$SYSTEMVM_KS_FILE" -srcstorepass changeit
-deststorepass \
+ "$SYSTEMVM_PASS" -noprompt 2>/dev/null || true
- # Import CA cert(s) into realhostip.keystore so the SSVM JVM
+ # Import CA cert(s) into systemvm.keystore so the SSVM JVM
# (which overrides the truststore via -Djavax.net.ssl.trustStore in
_run.sh)
# can trust servers signed by the CloudStack CA
CACERT_FILE="/usr/local/share/ca-certificates/cloudstack/ca.crt"
- if [ -f "$CACERT_FILE" ] && [ -f "$REALHOSTIP_KS_FILE" ]; then
+ if [ -f "$CACERT_FILE" ] && [ -f "$SYSTEMVM_KS_FILE" ]; then
awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print >
"cloudca." n }' "$CACERT_FILE"
for caChain in $(ls cloudca.* 2>/dev/null); do
- keytool -delete -noprompt -alias "$caChain" -keystore
"$REALHOSTIP_KS_FILE" \
- -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
+ keytool -delete -noprompt -alias "$caChain" -keystore
"$SYSTEMVM_KS_FILE" \
+ -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true
keytool -import -noprompt -trustcacerts -alias "$caChain" -file
"$caChain" \
- -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS"
> /dev/null 2>&1
+ -keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" >
/dev/null 2>&1
done
rm -f cloudca.*
fi
diff --git a/systemvm/pom.xml b/systemvm/pom.xml
index 9bffc45cf4e..ca9176ee85f 100644
--- a/systemvm/pom.xml
+++ b/systemvm/pom.xml
@@ -205,7 +205,7 @@
<systemProperties>
<systemProperty>
<key>javax.net.ssl.trustStore</key>
- <value>certs/realhostip.keystore</value>
+ <value>certs/systemvm.keystore</value>
<key>log.home</key>
<value>${PWD}/</value>
</systemProperty>
diff --git
a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
index b7df14dc85d..e50eefd466b 100644
---
a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
+++
b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
@@ -27,7 +27,7 @@ public class ImageStoreUtilTest {
@Test
public void testgenerateHttpsPostUploadUrl() throws MalformedURLException {
- String ssvmdomain = "*.realhostip.com";
+ String ssvmdomain = "*.example.com";
String ipAddress = "10.147.28.14";
String uuid = UUID.randomUUID().toString();
String protocol = "https";
@@ -47,7 +47,7 @@ public class ImageStoreUtilTest {
@Test
public void testgenerateHttpPostUploadUrl() throws MalformedURLException {
- String ssvmdomain = "*.realhostip.com";
+ String ssvmdomain = "*.example.com";
String ipAddress = "10.147.28.14";
String uuid = UUID.randomUUID().toString();
String protocol = "http";