Hi Rohit,

Thanks for your reply.

I do not object to showing these values to users. However, users should not be able to change/remove the settings, at least we can enable/disable it by some settings. If we can fix it in the next minor release, this is not a blocker for me.

-Wei

Rohit Yadav <rohit.ya...@shapeblue.com> wrote on Thu, Nov 22, 2018 at 12:19 PM:

> Hi Wei,
>
> I think the details were available via the list API in past releases
> (certainly 4.11.0, 4.11.1), and update API also existed therefore I think
> it is not a blocker but could be major security issue. As a workaround,
> admins may set the display field of keys in user_vm_details details to 0,
> or hide the tab in UI and even disable access to the update API (I get that
> it may not be ideal).
>
> Let's plan to fix this and other bugs that we'll discover from 4.11.2.0
> towards 4.11.3.0 and we can work on 4.11.3.0's release effort in next 1-2
> months?
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
> ________________________________
> From: Wei ZHOU <ustcweiz...@gmail.com>
> Sent: Thursday, November 22, 2018 4:32:07 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>
> found one blocker issue
>
> users can see the setting tab of vms, and change the value of
> settings......
> for example, memoryOvercommitRatio, cpuOvercommitRatio, SSH.PublicKey
>
> -Wei
>
> Wei ZHOU <ustcweiz...@gmail.com> wrote on Thu, Nov 22, 2018 at 11:46 AM:
>
> > +0
> >
> > tested with 4.11.2.0-rc6
> >
> > the following operations are ok on Ubuntu 16.04
> >
> > (0) build packages with the PR Rohit created
> > https://github.com/apache/cloudstack/pull/3038. (also works on Ubuntu
> > 18.04)
> > (1) installation
> > (2) created advanced zone with security groups by Marvin 4.11.2.0
> > (3) system vms are Up.
> > (4) upload ssl certificate, vm console works
> > (5) install template
> > (6) create vm
> > (7) create vm with rootdisksize and datadisk
> > (8) add domain/user, move vm to new user
> > (9) change ip/mac, add new ip in vm, new ip/mac do not work. that's fine
> >
> > Found some issues below
> > (1) upgrade from 4.7.1 to 4.11.2.0, need to
> > copy /etc/default/cloudstack-management.dpkg-dist to
> > /etc/default/cloudstack-management. otherwise mgt server will not be up
> > (2) create L2 network will get error "Unable to execute API command
> > listnetworkofferings due to invalid value.". zoneid is not passed to UI
> > (3) reset sshkey will reset password. new password not in response, and
> > not shown on UI. cannot find new password anywhere
> > (4) add network to vm, the second nic will not work. vm will be stuck at
> > start up after reboot. We should disable it if it is not supported by
> > cloudstack
> >
> > I will test advanced zone (without security groups) later.
> >
> > Kind regards,
> > Wei
> >
> > Paul Angus <paul.an...@shapeblue.com> wrote on Thu, Nov 22, 2018 at 9:16 AM:
> >
> >> Hi Wido,
> >>
> >> We're in a position to upload the 4.11.2.0 binaries to
> >> download.cloudstack.org could you build the RPMs and DEBs please?
> >> If it helps we can build the RPMs and put them up for you to sign.
> >>
> >> Kind regards,
> >>
> >> Paul Angus
> >>
> >> paul.an...@shapeblue.com
> >> www.shapeblue.com<http://www.shapeblue.com>
> >> Amadeus House, Floral Street, London WC2E 9DPUK
> >> @shapeblue
> >>
> >> -----Original Message-----
> >> From: Rohit Yadav <rohit.ya...@shapeblue.com>
> >> Sent: 21 November 2018 16:26
> >> To: dev@cloudstack.apache.org
> >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >>
> >> Hi Andrija,
> >>
> >> In 4.11.2 VR we've restricted the maximum size of systemd/journald files
> >> so you should not see any significant memory increase than say 25-50MBs.
> >> In my local testing with kvm, xenserver and vmware, I was never able to
> >> reproduce the memory issue on VRs.
> >>
> >> Regards,
> >> Rohit Yadav
> >>
> >> ________________________________
> >> From: Andrija Panic <andrija.pa...@gmail.com>
> >> Sent: Wednesday, November 21, 2018 6:24:30 PM
> >> To: dev
> >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >>
> >> FYI, I also tested this on KVM (ssh into VR many times with while
> >> true..do ...as Rene suggested) and also observed small increase in memory,
> >> after 10min of script running, it went up by 10-20MB...but not sure how
> >> significant this is...
> >>
> >> Andrija
> >>
> >> On Wed, Nov 21, 2018, 13:27 Zehnder, Samuel <zehn...@netcloud.ch> wrote:
> >>
> >> > Hi Rohit
> >> >
> >> > I think I've found something regarding memory issues with vmware:
> >> > Schema-update only updates default system-vm, but not newly registered
> >> > ones:
> >> >
> >> > https://github.com/apache/cloudstack/blob/master/engine/schema/src/main/resources/META-INF/db/schema-41000to41100.sql
> >> > :
> >> > 448: -- Use 'Other Linux 64-bit' as guest os for the default systemvmtemplate for VMware
> >> > 449: -- This fixes a memory allocation issue to systemvms on VMware/ESXi
> >> > 450: UPDATE `cloud`.`vm_template` SET guest_os_id=99 WHERE id=8;
> >> >
> >> > When I registered the new templates I selected Debian something as OS
> >> > type. I now changed this to "Other Linux (64bit)", which is what above
> >> > update is doing, and I can see significantly less memory used by VRs.
> >> > I do not understand the reasons behind this behavior, I tried also
> >> > other settings (Debian 9 64-bit, Other 3.x Linux), neither seem to
> >> > handle memory well...
> >> >
> >> > As for the VPN part, you suggested
> >> > > you can build a custom systemvm.iso file with those settings.
> >> > Is it possible to simply replace the systemvm.iso file on mgmt-server,
> >> > remove it from secondary and restart mgmt-server? Maybe you can point
> >> > me here in the right direction.
> >> >
> >> > Thanks,
> >> > Sam
> >> >
> >> > > -----Original Message-----
> >> > > From: Rohit Yadav <rohit.ya...@shapeblue.com>
> >> > > Sent: Tuesday, 20 November 2018 12:55
> >> > > To: dev@cloudstack.apache.org
> >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >> > >
> >> > > Hi Samuel,
> >> > >
> >> > > Thanks for your email. I've opened this ticket for your first issue:
> >> > > https://github.com/apache/cloudstack/issues/3039
> >> > >
> >> > > Please follow René's advice to (a) try increase the VR memory and
> >> > > see if it helps, (b) have a script for reducing memory over time.
> >> > > We'll also work with the systemd project to see if they can fix and
> >> > > backport this for Debian 9.6+.
> >> > >
> >> > > For your second issue, in 4.9 which used a Debian7 based VR and
> >> > > openswan for VPN, we've moved to strongswan. If your external Cisco
> >> > > endpoint/integration can work with strongswan, please create a VPC
> >> > > VR and manipulate the strongswan configs in that VR and share your
> >> > > results or send a PR, the changes need to be in one of the python
> >> > > files such as configure.py.
> >> > > The #2 issue is very specific to your environment and is not a
> >> > > general error, if you're able to optimize the configuration for a
> >> > > VR, you can build a custom systemvm.iso file with those settings.
> >> > > In addition, you can send a PR or submit a Github issue with
> >> > > details, logs, configurations etc:
> >> > > https://github.com/apache/cloudstack/issues
> >> > >
> >> > > I think both the issues are not general blockers and should not void
> >> > > 4.11.2.0 voting.
> >> > >
> >> > > - Rohit
> >> > >
> >> > > <https://cloudstack.apache.org>
> >> > >
> >> > > ________________________________
> >> > > From: Zehnder, Samuel <zehn...@netcloud.ch>
> >> > > Sent: Monday, November 19, 2018 9:13:04 PM
> >> > > To: dev@cloudstack.apache.org
> >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >> > >
> >> > > Hi Group
> >> > >
> >> > > First, sorry that I wasn't able to use the mailto-link for the
> >> > > reply. It somehow did not work..
> >> > >
> >> > > After Upgrading from 4.9 to 4.11 we are seeing two issues with
> >> > > vRouter systemVMs:
> >> > >
> >> > > 1) Memory Consumption on vSphere
> >> > >
> >> > > vRouter are starting to swap with low memory available, this also
> >> > > starts happening after increasing memory size to 512m.
> >> > > Interestingly, there's no process nor cache using the memory as far
> >> > > as "top", "ps", or other tools report.
> >> > >
> >> > > 2) Site-2-Site VPN
> >> > >
> >> > > a) After a restart of the VPC (vRouter rebuild) VPN Tunnels are not
> >> > > configured on vRouter. This has to be triggered manually with a call
> >> > > to resetVpnConnection API.
> >> > >
> >> > > b) StrongSwan configuration does not work well with Cisco endpoints,
> >> > > I've found following inputs:
> >> > >
> >> > > - multiple "rightsubnet=" entries are not supported with ikev1
> >> > > [1], so multiple conns should be configured instead
> >> > >
> >> > > - multiple subnets are supported with ikev2, but not with Cisco
> >> > > endpoints, use multiple conns as well [2]
> >> > >
> >> > > For me it is unclear, what script should be modified for above
> >> > > issues, one of those look promising:
> >> > >
> >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/ipsectunnel.sh
> >> > >
> >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/configure.py
> >> > >
> >> > > Regards,
> >> > >
> >> > > Sam
> >> > >
> >> > > [1]
> >> > > https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters
> >> > >
> >> > > [2]
> >> > > https://serverfault.com/questions/904028/strongswan-to-cisco-asa-with-multiple-right-subnet
> >> > >
> >> > > rohit.ya...@shapeblue.com
> >> > > www.shapeblue.com<http://www.shapeblue.com>
> >> > > Amadeus House, Floral Street, London WC2E 9DPUK @shapeblue
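
Added example, not part of the thread and not CloudStack's own code: a sketch of the approach from item 2b in Sam's quoted message, rendering one strongSwan conn per subnet pair instead of a comma-separated "rightsubnet=" list. The function name, conn names and the authby/auto choices are assumptions made for illustration, and the addresses are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network
from itertools import product


def render_conns(name, left, right, left_subnets, right_subnets,
                 keyexchange="ikev1"):
    """Return ipsec.conf text with one child conn per subnet pair.

    Hypothetical helper for illustration; not taken from configure.py.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError(f"unsafe conn name: {name!r}")
    if keyexchange not in ("ikev1", "ikev2"):
        raise ValueError(f"unknown keyexchange: {keyexchange!r}")
    # Parsing every address rejects malformed values, including a
    # comma-separated list or embedded newlines that would add config lines.
    left, right = str(ip_address(left)), str(ip_address(right))
    lefts = [str(ip_network(s)) for s in left_subnets]
    rights = [str(ip_network(s)) for s in right_subnets]
    if not lefts or not rights:
        raise ValueError("at least one subnet is required on each side")

    # Shared settings live in a base conn that is never started itself.
    out = [
        f"conn {name}-base",
        f"    keyexchange={keyexchange}",
        f"    left={left}",
        f"    right={right}",
        "    authby=secret",  # assumption: pre-shared key authentication
    ]
    # One conn per (leftsubnet, rightsubnet) pair, inheriting via also=.
    for i, (ls, rs) in enumerate(product(lefts, rights), start=1):
        out += [
            "",
            f"conn {name}-{i}",
            f"    also={name}-base",
            f"    leftsubnet={ls}",
            f"    rightsubnet={rs}",
            "    auto=start",  # assumption: bring the tunnel up on load
        ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample values (documentation and private address ranges).
    print(render_conns("vpn-cisco", "192.0.2.1", "198.51.100.1",
                       ["10.1.0.0/24"], ["10.2.1.0/24", "10.2.2.0/24"]))
```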