Re: [GitHub] cloudstack pull request: Feature cenik123 vpcvrr 1.1.1

[sebgoa]

On Dec 2, 2014, at 8:32 AM, bhaisaab  wrote:

> Github user bhaisaab commented on the pull request:
> 
>https://github.com/apache/cloudstack/pull/33#issuecomment-65192819
> 
>Wrong question, I should asked about veewee vs packer. The current 
> systemvm building scripts uses veewee to build systemvms and to export 
> appliances in various image/file formats (such as vhd, qcow2, raw, ova) we 
> depend on vbox-manage, qemu etc. We further use veewee to build vagrant 
> boxes. I just want to understand how easy it is to build/export appliances 
> using packer as I have never played with it and veewee/vagrant requires ruby 
> and other dependencies that are hard to setup?
> 

veewee is being "abandoned" in favor of packer. so ultimately we should start 
using packer.

> 
> ---
> If your project is set up for it, you can reply to this email and have your
> reply appear on GitHub as well. If your project does not have this feature
> enabled and wishes so, or if the feature is enabled but not working, please
> contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
> with INFRA.
> ---

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Nux!]

As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat 
option, so it's not only 1.7+.
Personally I'm in favour of Will's approach.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Rohit Yadav" 
> To: "Will Stevens" 
> Cc: "Edison Su" , "Wilder Rodrigues" 
> , dev@cloudstack.apache.org,
> "Leo Simons" 
> Sent: Tuesday, 2 December, 2014 07:36:21
> Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

> Hi Will,
> 
> While we can use your first solution that checks exit status ($?) but in
> case some is running the script with a "set -e", the script will simply
> break when $? is not zero. I think if we know above which qemu-img version
> we should we the compat option (1.7?) than that's great we should we that.
> Thanks for looking into this.
> 
> Regards.
> 
> On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens  wrote:
> 
>> Thanks for that. Does that mean that we prefer to do an if else based on
>> version rather than basically doing a try catch?
>>
>> I have not been involved in previous bash scripting for CS, so I am
>> willing to fall in line with the preferred method. What I proposed was
>> based on how similar problems were solved in other code in the same file.
>>
>> If I check for version, do you agree that I should check for 1.7 as the
>> version since that is the version where the compact default changed?
>>
>> I will try to get this resolved tomorrow.
>>
>> Cheers,
>>
>> Will
>> On Dec 1, 2014 9:16 PM, "Edison Su"  wrote:
>>
>>>  qemu-img |head -n 1|awk '{print $3}'
>>>
>>> should show the version of qemu-img
>>>
>>>
>>>
>>> *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On
>>> Behalf Of *Will Stevens
>>> *Sent:* Monday, December 01, 2014 2:17 PM
>>> *To:* dev@cloudstack.apache.org
>>> *Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su
>>> *Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
>>>
>>>
>>>
>>> Alright, so far I have found the following:
>>> https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c
>>>
>>>
>>>
>>> Basically, if the qemu-img version is less than 1.7, we should run the
>>> non 'compat' option version and if the version is 1.7 or greater, we should
>>> run the new command with the 'compat' version.
>>>
>>>
>>>
>>> Unfortunately I am not able to find a way to get the qemu-img version
>>> from the command line.
>>>
>>>
>>>
>>> I am looking to basically add a conditional to try running with the
>>> compat option and if that fails, then run it without the compat option.
>>>
>>>
>>>
>>> Basically, I would be replacing this:
>>>
>>>
>>>
>>> qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
>>> "${appliance_build_name}-kvm.qcow2"
>>>
>>>
>>>
>>> With this:
>>>
>>>
>>>
>>> set +e
>>>
>>> qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
>>> "${appliance_build_name}-kvm.qcow2"
>>>
>>> local qemuresult=$?
>>>
>>> set -e
>>>
>>> if [ ${qemuresult} != 0 ]; then
>>>
>>>   log INFO "qemu-img convert failed, trying without compat option"
>>>
>>>   qemu-img convert -f raw -c -O qcow2 raw.img
>>> "${appliance_build_name}-kvm.qcow2"
>>>
>>> fi
>>>
>>>
>>>
>>> What do you guys think?  Is this a good enough solution?  If you guys
>>> agree I will implement it in master and make sure it works, then we can
>>> merge the change back to 4.5 to fix that branch as well.
>>>
>>>
>>>
>>> Let me know if you have issues with this approach...
>>>
>>>
>>>
>>> Cheers,
>>>
>>>
>>>
>>> Will
>>>
>>>
>>>
>>>
>>> *Will STEVENS*
>>>
>>> Lead Developer
>>>
>>>
>>>
>>> *CloudOps | *Cloud Solutions Experts
>>>
>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>
>>> w cloudops.com *|* tw @CloudOps_
>>>
>>>
>>>
>>> On Mon, Dec 1, 2014 at 4:06 PM, Will Stevens 
>>> wrote:
>>>
>>> Edison,
>>>
>>> According to this page the default compat option is 0.10:
>>> http://manpages.ubuntu.com/manpages/trusty/man1/qemu-img.1.html
>>>
>>>
>>>
>>> Did you find that to not be the case and is that why you had to add the
>>> compat option?
>>>
>>>
>>>
>>> BTW, in an attempt to get the master system vms building again, I
>>> committed a change to master to remove the compat option.  We now have
>>> master system vms building correctly, but Rohit rightly pointed out that I
>>> had basically reverted your change.
>>>
>>>
>>>
>>> I created a Jira ticket for this issue:
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-7959
>>>
>>>
>>>
>>> I have not reverted my change in master at this point, so it is building
>>> right now, but I also did not make the change to 4.5, so that branch is
>>> currently failing to build system vms.
>>>
>>>
>>>
>>> I will see if I can track down in which version of qemu the compat option
>>> was added so we can add some intelligent logic around this command.
>>>
>>>
>>>
>>> Will
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *Will STEVENS*
>>>
>>> Lead Developer
>>>
>>>
>>>
>>> *CloudOps | *Cloud Solutions Experts
>>>
>>> 420 rue Guy *|* Mont

Re: NFS overprovisioning of 0.5 ???

[Nux!]

I think your approaching this from the wrong side. 
Why not just nfs export half of the space instead? (you could use lvm, thin-lvm 
etc)?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Andrija Panic" 
> To: us...@cloudstack.apache.org, dev@cloudstack.apache.org
> Sent: Tuesday, 2 December, 2014 07:53:37
> Subject: NFS overprovisioning of 0.5 ???

> Hi.
> 
> wondering if it is possible to set overprovisioning factor to less than 1 ?
> 
> I have 1 NFS box, 2 x 10GB cards inside, don't want to do bonding, but
> efectively present this single box as 2 boxes via 2 IP adresses - so in
> this scenario I need to set overprovisioning factor to less than 1, to i.e.
> 0.5 - because of disk space etc...
> 
> This is for test purposes, but again...
> 
> --
> 
> Andrija Panić

Re: NFS overprovisioning of 0.5 ???

[Andrija Panic]

true... ZFS pool under NFS...will consider...but I;'m just wondering, since
it is math of available space = overprovisioningFactor x realspace - I
guess this is technicaly possible...

On 2 December 2014 at 09:34, Nux!  wrote:

> I think your approaching this from the wrong side.
> Why not just nfs export half of the space instead? (you could use lvm,
> thin-lvm etc)?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Andrija Panic" 
> > To: us...@cloudstack.apache.org, dev@cloudstack.apache.org
> > Sent: Tuesday, 2 December, 2014 07:53:37
> > Subject: NFS overprovisioning of 0.5 ???
>
> > Hi.
> >
> > wondering if it is possible to set overprovisioning factor to less than
> 1 ?
> >
> > I have 1 NFS box, 2 x 10GB cards inside, don't want to do bonding, but
> > efectively present this single box as 2 boxes via 2 IP adresses - so in
> > this scenario I need to set overprovisioning factor to less than 1, to
> i.e.
> > 0.5 - because of disk space etc...
> >
> > This is for test purposes, but again...
> >
> > --
> >
> > Andrija Panić
>



-- 

Andrija Panić

[GitHub] cloudstack pull request: Feature cenik123 vpcvrr 1.1.1

[lsimons]

Github user lsimons commented on the pull request:

https://github.com/apache/cloudstack/pull/33#issuecomment-65199170
  
Hey folks,

Karl thanks for contributing. Looks like quite a bit of work!

Rohit thanks for CC-ing me in :)

It's a bit hard to read the pull request right now and provide review 
comments:
* Github says there's nearly 7000 changed files so at a guess something 
went wrong there? I had a look, and it looks like 
KarlHarrisSungardAS/cloudstack is quite a ways behind master, which may explain 
that...? It's probably a good idea to make a copy of the feature branch, rebase 
it against current master, squash some of the commits together, and then 
re-send the pull request. Or, start another branch, and cherry-pick over just 
the changes that _should_ be in the change set.
* git hasn't picked up on the relation between veewee and packer, it's 
probably good idea to give it some more hints. For example it would be good to 
see

https://github.com/KarlHarrisSungardAS/cloudstack/commit/892b11ec0230ce87d14370fd1055ac223096cc77#diff-67bdab8b08f1e110ceabe1a23c3d4011R1
compared to the veewee equivalent.
* there's a lot of 'shuffling' and/or adding comments intermixed with 
functional changes. For example 
https://github.com/KarlHarrisSungardAS/cloudstack/commit/7f55a1ef032c29cb955e02c90da43c91739108d7#diff-95748c84d8b6be2da502091e69b748d9L30
 you might think the 'set -x' is getting removed here, but it just moved down a 
bit amidst a few new comments.
* there's a lot of commits that are seemingly unrelated to the actual 
change (probably cherry-picked from master onto the feature branch?), those 
will need to be filtered out I think.
* there's a lot of 'archive' commits which have unfinished 'checkpoint' 
code. I imagine all that work gets finished 'later on' (like renaming 
_gitignore to .gitignore is one that I tracked) but it's not so easy to see. 
It'd be great if those things could be squashed together.

As far as content goes...

1) Like sebastien says, veewee is in maintenance mode and moving to packer 
(replacing veewee) is definitely a good idea. This looks like a straightforward 
port, which if it works ok seems like the way to go. We _should_ make sure to 
do it in a way that's somewhat compatible with the jenkins.buildacloud.org 
setup. I don't think we could sustain maintenance of both packer and veewee 
builds for long, it'll be a pain to keep changes in sync. I'd want to drop 
veewee use completely.

2) Testing the systemvm using vagrant is also obviously a good idea (we're 
doing much the same, over at 
https://github.com/schubergphilis/cloudstack/tree/feature/systemvm-persistent-config/tools/vagrant/systemvm
 see https://github.com/schubergphilis/cloudstack/commits/feature/systemvm-test 
for an abandoned branch having just test-related commits), though I don't 
understand why we'd need to use vagrant templates? The .box file that we get 
out of the veewee-based systemvm build imports 
(https://github.com/apache/cloudstack/blob/master/tools/appliance/build.sh#L466)
 just fine...

3) For the stuff that seems to be planned _beyond_ these changes, it might 
be a good idea to pop by on the development mailing list and discuss plans. A 
few people at Schuberg Philis (my employer, where there's a few people working 
on cloudstack) have been working on redundancy for the virtual router for a few 
months now. We've found that making it work also involves a lot of changes 
outside of the systemvm, too, i.e. changing the orchestration logic in the java 
code to match changed behavior of the vpc router (see 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Refactor+for+Redundant+Virtual+Router+Implementation
 / https://www.slideshare.net/LeoSimons1/toolkit-posterccceu14-v2 ). @spark404 
please do have a look at Karl's approach :)

cheers,

Leo


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

Review Request 28597: CLOUDSTACK-8001: test_add_remove_network.py - Tag invalid test case as invalid

[Gaurav Aradhye]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28597/
---

Review request for cloudstack and SrikanteswaraRao Talluri.


Bugs: CLOUDSTACK-8001
https://issues.apache.org/jira/browse/CLOUDSTACK-8001


Repository: cloudstack-git


Description
---

test_18_add_nic_basic_zone tries to add isolated network to basic zone.
This is invalid test and should be marked as invalid.


Diffs
-

  test/integration/component/test_add_remove_network.py bc9be6f 

Diff: https://reviews.apache.org/r/28597/diff/


Testing
---

N/A


Thanks,

Gaurav Aradhye

Re: Review Request 28597: CLOUDSTACK-8001: test_add_remove_network.py - Tag invalid test case as invalid

[SrikanteswaraRao Talluri]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28597/#review63508
---

Ship it!


2fa1b02e3c6cf31e77ac08fde789006859eb095e master
e6236297a12c07b63309867fcc166d25483aed25 4.5

- SrikanteswaraRao Talluri


On Dec. 2, 2014, 9:13 a.m., Gaurav Aradhye wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28597/
> ---
> 
> (Updated Dec. 2, 2014, 9:13 a.m.)
> 
> 
> Review request for cloudstack and SrikanteswaraRao Talluri.
> 
> 
> Bugs: CLOUDSTACK-8001
> https://issues.apache.org/jira/browse/CLOUDSTACK-8001
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> test_18_add_nic_basic_zone tries to add isolated network to basic zone.
> This is invalid test and should be marked as invalid.
> 
> 
> Diffs
> -
> 
>   test/integration/component/test_add_remove_network.py bc9be6f 
> 
> Diff: https://reviews.apache.org/r/28597/diff/
> 
> 
> Testing
> ---
> 
> N/A
> 
> 
> Thanks,
> 
> Gaurav Aradhye
> 
>

[DOCS]4.4 dos at readthedocs

[Daan Hoogland]

H,

I saw the 4.4 branch at read the docs does not exist. Is this
intentional? I am looking for the update procedure for the 4.4.1
templates in there.

-- 
Daan

Re: [ACS450] remove some upgrade path from Release Notes

[Daan Hoogland]

Wilder (sitting next to me) is testing 4.3.0 to 4.4.2 and is having
some template issues. So I wanted to look up howto in the release
notes but can only find the goto 4.4.0 art of it. you have a link?

On Mon, Dec 1, 2014 at 10:54 PM, Pierre-Luc Dion  wrote:
>  Actually, here is the best thread to ask the question...
>
>
> Does anyone validate upgrade instruction from 2.x, 3.x. 4.0.x, 4.1.x  since
> 4.3.0 ?
>
> Thanks,
>
>
>
> On Mon, Dec 1, 2014 at 4:52 PM, Pierre-Luc Dion  wrote:
>
>> Well, I've never heard some someone tested upgrading a 2.2.x, 3.x.x, 4.0.x
>> or 4.1.x since  4.4 as been released. I know for sure those upgrade path
>> have not been tested.
>>
>> I'll ask for 4.5...
>>
>> Thanks,
>>
>>
>>
>> On Mon, Dec 1, 2014 at 3:07 AM, Leo Simons 
>> wrote:
>>
>>> Hey hey,
>>>
>>> Thinking as an administrator, I definitely don't want release notes (or
>>> upgrade paths themselves, or other documentation that contains procedures
>>> that have huge impact) that have not been tested.
>>>
>>> If I'm running cloudstack 2.2.14, and I want to upgrade to 4.4.2, and I
>>> ask on the users list what to do, what is the answer?
>>>
>>> If it is "just follow the upgrade instructions for all consecutive
>>> releases and it'll be fine", keep it. Otherwise, remove it.
>>>
>>> My two cents :)
>>>
>>>
>>> cheers,
>>>
>>>
>>> Leo
>>>
>>> On Dec 1, 2014, at 12:39 AM, Pierre-Luc Dion  wrote:
>>> > I'm wondering if I should remove the upgrade instructions of 4.1.x,
>>> 4.0.x,
>>> > 3.0.x and 2.2.14 from the 4.5.0 release notes. These upgrade
>>> instructions
>>> > are fairly outdated and has not been tested(at least in 4.4). They also
>>> > contain errors and some inconsistency.
>>> >
>>> > Unless someone is willing to validate them and fix instructions?
>>> >
>>> > any thoughts?
>>> >
>>> > thanks,
>>> >
>>> > PL
>>>
>>>
>>



-- 
Daan

Re: Is issue status can only change by owner on jira system ?

[Daan Hoogland]

On Tue, Dec 2, 2014 at 1:11 AM, ChunFeng  wrote:
> chunfeng


is in

-- 
Daan

Re: Review Request 28523: CLOUDSTACK-7991: test_security_groups.py - Move config data to test_data.py and fix pep8 issues

[Gaurav Aradhye]

> On Nov. 30, 2014, 10:16 p.m., Pierre-Luc Dion wrote:
> > Cannot be merge into 4.5 branch their is conflict in 
> > ``test/integration/component/test_security_groups.py``
> 
> Gaurav Aradhye wrote:
> Thanks Pierre-Luc, I will check, and put rebased patch.

Can you please try now? It wasn't applying cleanly because one of the commits 
was missing in branch 4.5. It applies cleanly now.


- Gaurav


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28523/#review63320
---


On Nov. 28, 2014, 2:25 p.m., Gaurav Aradhye wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28523/
> ---
> 
> (Updated Nov. 28, 2014, 2:25 p.m.)
> 
> 
> Review request for cloudstack and SrikanteswaraRao Talluri.
> 
> 
> Bugs: CLOUDSTACK-7991
> https://issues.apache.org/jira/browse/CLOUDSTACK-7991
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Moving the config data in the test case to test_data.py
> Keeping host credentails in configurableData section.
> Fixing pep8 issues.
> 
> 
> Diffs
> -
> 
>   test/integration/component/test_security_groups.py eb242c7 
>   tools/marvin/marvin/config/test_data.py f0802a5 
> 
> Diff: https://reviews.apache.org/r/28523/diff/
> 
> 
> Testing
> ---
> 
> Yes. Two test cases failing for different reason.
> 
> Log:
> Test authorize ingress rule ... === TestName: test_01_authorizeIngressRule | 
> Status : SUCCESS ===
> ok
> Test deploy VM in default security group ... === TestName: 
> test_01_deployVM_InDefaultSecurityGroup | Status : SUCCESS ===
> ok
> Test list security groups for admin account ... === TestName: 
> test_02_listSecurityGroups | Status : SUCCESS ===
> ok
> Test access in default security group ... === TestName: 
> test_03_accessInDefaultSecurityGroup | Status : SUCCESS ===
> ok
> Test delete security group with running VM ... === TestName: 
> test_01_delete_security_grp_running_vm | Status : SUCCESS ===
> ok
> Test delete security group without running VM ... === TestName: 
> test_02_delete_security_grp_withoout_running_vm | Status : SUCCESS ===
> ok
> Test router services for user account ... === TestName: 
> test_01_dhcpOnlyRouter | Status : SUCCESS ===
> ok
> Test delete security group with running VM ... === TestName: 
> test_01_authorizeIngressRule_AfterDeployVM | Status : SUCCESS ===
> ok
> Test Revoke ingress rule after deploy VM ... === TestName: 
> test_02_revokeIngressRule_AfterDeployVM | Status : FAILED ===
> FAIL
> Test Start/Stop VM and Verify ingress rule ... === TestName: 
> test_03_stopStartVM_verifyIngressAccess | Status : SUCCESS ===
> ok
> Test revoke ingress rule ... === TestName: test_01_revokeIngressRule | Status 
> : FAILED ===
> FAIL
> Test Deploy VM with User data ... === TestName: test_01_deployVMWithUserData 
> | Status : SUCCESS ===
> ok
> 
> 
> Thanks,
> 
> Gaurav Aradhye
> 
>

Re: WTF: Difference between schemas across branches?

[Daan Hoogland]

Nitin,

On Tue, Dec 2, 2014 at 6:38 AM, Nitin Mehta  wrote:
> The changes from the commit 0e2e6995 are right, but this is not exactly
> schema change but view definition changes.
> This has been fixed in 4.5 through acc9c79 so that any one upgrading to
> 4.5 do not miss these changes. Do note that this change is idempotent so
> even if you do or do not make this change, anyone upgrading to 4.5
> shouldn¹t have an issue, but yes 4.3 do not have these changes.

This is not just a matter of working functionality. It concerns
maintainability of the code base as well. It is assumed in the project
that schema and upgrade files do not change and only forward changes
are added to newer schema- and Upgrade-files. different fies in
different branches mean we are painting ourselves in a corner,
especially if we want to do any sustainable LTS.

>
> Thanks,
> -Nitin
>
> On 01/12/14 1:47 PM, "Rohit Yadav"  wrote:
>
>>Hi,
>>
>>While I¹m working to backport changes on 4.3 branch, I discovered some
>>changes between 4.3 branch¹s schema-421to431.sql and master branch¹s
>>421to431.sql files. While most changes are inserts/update related which
>>may not severely harm a user upgrading from a previous version of
>>CloudStack, but I found there were changes in the schema itself; in this
>>case the `cloud`.`template_view`:
>>
>>0e2e6995 setup/db/db/schema-421to430.sql (Nitin Mehta 2014-01-30
>>17:59:55 -0800  306) `cloud`.`template_store_ref` ON
>>template_store_ref.template_id = vm_template.id and
>>template_store_ref.store_role = 'Image' and template_store_ref.destroyed=0
>>
>>While on 4.3 branch:
>>abbae2aa setup/db/db/schema-420to430.sql (Alex Huang  2013-08-26
>>17:30:58 -0700  306) `cloud`.`template_store_ref` ON
>>template_store_ref.template_id = vm_template.id and
>>template_store_ref.store_role = ŒImage¹
>>
>>
>>Which version should we keep? Here¹s the complete diff:
>>http://pastebin.com/PB6N7aCt
>>
>>You may do it locally against 4.3 (4.4/4.5 etc.) and master as well:
>>git diff master 4.3 -- setup/db/db/schema-421to430.sql
>>
>>I think such issues are seen time and time again due to the way paid
>>contributors work on private forks and upstream ACS. We simply don¹t want
>>to use code thrown over corporate fences to ACS branches.
>>
>>While who am I to tell you how to do your job - I simply request that all
>>of the committers are expected to have some level of commitment to the
>>project and ethics of their contributions. The best way to work together
>>is to work in the upstream first and then work on your forks that is
>>based on the upstream. Hope this will improve with time.
>>
>>Regards,
>>Rohit Yadav
>>Software Architect, ShapeBlue
>>M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>>Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>Find out more about ShapeBlue and our range of CloudStack related services
>>
>>IaaS Cloud Design &
>>Build
>>CSForge ­ rapid IaaS deployment framework
>>CloudStack Consulting
>>CloudStack Software
>>Engineering
>>CloudStack Infrastructure
>>Support
>>CloudStack Bootcamp Training
>>Courses
>>
>>This email and any attachments to it may be confidential and are intended
>>solely for the use of the individual to whom it is addressed. Any views
>>or opinions expressed are solely those of the author and do not
>>necessarily represent those of Shape Blue Ltd or related companies. If
>>you are not the intended recipient of this email, you must neither take
>>any action based upon its contents, nor copy or show it to anyone. Please
>>contact the sender if you believe you have received this email in error.
>>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>>Services India LLP is a company incorporated in India and is operated
>>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>>a company incorporated in Brasil and is operated under license from Shape
>>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>>is a registered trademark.
>



-- 
Daan

Re: Review Request 28549: CLOUDSTACK-7993: Code enhancement - test_egress_fw_rules.py - Removing unncessary waits

[SrikanteswaraRao Talluri]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28549/#review63517
---

Ship it!


6a2c18a989a081cdf79dc8453b488b14a72cdd01 master
3d279bbb190f9907a80cc5d3f8142b3f9eb90f01 4.5

- SrikanteswaraRao Talluri


On Dec. 1, 2014, 11:14 a.m., Gaurav Aradhye wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28549/
> ---
> 
> (Updated Dec. 1, 2014, 11:14 a.m.)
> 
> 
> Review request for cloudstack and SrikanteswaraRao Talluri.
> 
> 
> Bugs: CLOUDSTACK-7993
> https://issues.apache.org/jira/browse/CLOUDSTACK-7993
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> All test cases in this test suite wait for vm expungement time period after 
> destroying VMs. It is not necessary as now th VM is destroyed by default from 
> Marvin with expunge parameter as True, hence it will be immediately destroyed 
> and expunged.
> 
> 
> Diffs
> -
> 
>   test/integration/component/test_egress_fw_rules.py 0122e4f 
> 
> Diff: https://reviews.apache.org/r/28549/diff/
> 
> 
> Testing
> ---
> 
> Yes.
> 
> 
> Thanks,
> 
> Gaurav Aradhye
> 
>

Review Request 28598: CLOUDSTACK-8002: test_high_availability.py - Skip test cases if enough hosts are not available

[Gaurav Aradhye]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28598/
---

Review request for cloudstack and SrikanteswaraRao Talluri.


Bugs: CLOUDSTACK-8002
https://issues.apache.org/jira/browse/CLOUDSTACK-8002


Repository: cloudstack-git


Description
---

The test cases in this test suite raise an exception if enough hosts are not 
present n the cluster.
Instead the test cases should be skipped in such situation.

Also fixed imports and pep8 issues.


Diffs
-

  test/integration/component/maint/test_high_availability.py 3e69fd5 

Diff: https://reviews.apache.org/r/28598/diff/


Testing
---

yes.


Thanks,

Gaurav Aradhye

SSH Keypairs listing is missing under the account tab

[Ilia Shakitko]

Hi,

Didn't get any reaction on this. In 4.4.2 RC the account tab doesn't have the 
dropdown box to find SSH Keypairs. Is that expected?

Earlier versions of ACS had that option, was it moved somewhere or that's a bug?


Kind regards,

Ilia Shakitko
Innovation Engineer
LeaseWeb Technologies B.V.

T: +31 20 316 0235
M:
E: i.shaki...@tech.leaseweb.com
W: http://www.leaseweb.com

Luttenbergweg 8, 1101 EC Amsterdam, Netherlands


-Original Message-
From: Ilia Shakitko [mailto:i.shaki...@tech.leaseweb.com]
Sent: maandag, 01 december, 2014 11:01
To: dev@cloudstack.apache.org
Subject: RE: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under 
the account tab

Sorry for long reply. I am looking at release. And latest branch 4.4 - same 
bug. No SSH Keypairs selector.


Kind regards,

Ilia Shakitko
Innovation Engineer
LeaseWeb Technologies B.V.

T: +31 20 316 0235
M:
E: i.shaki...@tech.leaseweb.com
W: http://www.leaseweb.com

Luttenbergweg 8, 1101 EC Amsterdam, Netherlands


-Original Message-
From: Daan Hoogland [mailto:daan.hoogl...@gmail.com]
Sent: maandag, 24 november, 2014 15:29
To: dev
Subject: Re: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under 
the account tab

Ilia,

were you testing the release candidate or a release?

On Mon, Nov 24, 2014 at 3:16 PM, Ilia Shakitko  
wrote:
> Hi everybody,
>
> Today I found (or actually not found) an option to list/manage SSH
> Keypairs under the Account tab which was here:
> http://clip2net.com/s/jlj2EP
>
> Is that a bug or it has been moved somewhere explicitly?
>
> Kind regards,
>
> Ilia Shakitko
> Innovation Engineer
> LeaseWeb Technologies B.V.
>
> T: +31 20 316 0235
>
> E: i.shaki...@tech.leaseweb.com
> W: www.leaseweb.com
>
> Luttenbergweg 8,1101 EC Amsterdam,  Netherlands
>
>
>



--
Daan

Re: SSH Keypairs listing is missing under the account tab

[Nux!]

It's probably a bug, the UI has been a bit messed up, the additional IP info 
was also removed and added back in when I reported it.

You should open a issue in jira.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Ilia Shakitko" 
> To: dev@cloudstack.apache.org
> Sent: Tuesday, 2 December, 2014 11:24:15
> Subject: SSH Keypairs listing is missing under the account tab

> Hi,
> 
> Didn't get any reaction on this. In 4.4.2 RC the account tab doesn't have the
> dropdown box to find SSH Keypairs. Is that expected?
> 
> Earlier versions of ACS had that option, was it moved somewhere or that's a 
> bug?
> 
> 
> Kind regards,
> 
> Ilia Shakitko
> Innovation Engineer
> LeaseWeb Technologies B.V.
> 
> T: +31 20 316 0235
> M:
> E: i.shaki...@tech.leaseweb.com
> W: http://www.leaseweb.com
> 
> Luttenbergweg 8, 1101 EC Amsterdam, Netherlands
> 
> 
> -Original Message-
> From: Ilia Shakitko [mailto:i.shaki...@tech.leaseweb.com]
> Sent: maandag, 01 december, 2014 11:01
> To: dev@cloudstack.apache.org
> Subject: RE: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under 
> the
> account tab
> 
> Sorry for long reply. I am looking at release. And latest branch 4.4 - same 
> bug.
> No SSH Keypairs selector.
> 
> 
> Kind regards,
> 
> Ilia Shakitko
> Innovation Engineer
> LeaseWeb Technologies B.V.
> 
> T: +31 20 316 0235
> M:
> E: i.shaki...@tech.leaseweb.com
> W: http://www.leaseweb.com
> 
> Luttenbergweg 8, 1101 EC Amsterdam, Netherlands
> 
> 
> -Original Message-
> From: Daan Hoogland [mailto:daan.hoogl...@gmail.com]
> Sent: maandag, 24 november, 2014 15:29
> To: dev
> Subject: Re: [4.4][CLOUDSTACK][BUG?] - SSH Keypairs listing is missing under 
> the
> account tab
> 
> Ilia,
> 
> were you testing the release candidate or a release?
> 
> On Mon, Nov 24, 2014 at 3:16 PM, Ilia Shakitko 
> wrote:
>> Hi everybody,
>>
>> Today I found (or actually not found) an option to list/manage SSH
>> Keypairs under the Account tab which was here:
>> http://clip2net.com/s/jlj2EP
>>
>> Is that a bug or it has been moved somewhere explicitly?
>>
>> Kind regards,
>>
>> Ilia Shakitko
>> Innovation Engineer
>> LeaseWeb Technologies B.V.
>>
>> T: +31 20 316 0235
>>
>> E: i.shaki...@tech.leaseweb.com
>> W: www.leaseweb.com
>>
>> Luttenbergweg 8,1101 EC Amsterdam,  Netherlands
>>
>>
>>
> 
> 
> 
> --
> Daan

Re: WTF: Difference between schemas across branches?

[Rohit Yadav]

Thanks for replying Nitin. I've picked the latest fix, both schema files
are semantically same now.

If we're fixing/back-porting bug-fixes to all branches where a bug
exists and making sure we're not introducing differences in schema, by
doing that in a way we're helping the overall community (and not just
coding) and living the Apache way of community over code.

I think if our day-job allow us to fix then it should *ideally* allow us
to fix a bug on all the affected branches. I noticed recently within the
community that a lot of companies who may provide such ideal
environments are looking for good developers.

Some folks expressed concerns over the email subject. They were all
right, the subject contains a typo that I forgot to remove.

On Tuesday 02 December 2014 11:08 AM, Nitin Mehta wrote:

The changes from the commit 0e2e6995 are right, but this is not exactly
schema change but view definition changes.
This has been fixed in 4.5 through acc9c79 so that any one upgrading to
4.5 do not miss these changes. Do note that this change is idempotent so
even if you do or do not make this change, anyone upgrading to 4.5
shouldn¹t have an issue, but yes 4.3 do not have these changes.

Thanks,
-Nitin

On 01/12/14 1:47 PM, "Rohit Yadav"  wrote:


Hi,

While I¹m working to backport changes on 4.3 branch, I discovered some
changes between 4.3 branch¹s schema-421to431.sql and master branch¹s
421to431.sql files. While most changes are inserts/update related which
may not severely harm a user upgrading from a previous version of
CloudStack, but I found there were changes in the schema itself; in this
case the `cloud`.`template_view`:

0e2e6995 setup/db/db/schema-421to430.sql (Nitin Mehta 2014-01-30
17:59:55 -0800  306) `cloud`.`template_store_ref` ON
template_store_ref.template_id = vm_template.id and
template_store_ref.store_role = 'Image' and template_store_ref.destroyed=0

While on 4.3 branch:
abbae2aa setup/db/db/schema-420to430.sql (Alex Huang  2013-08-26
17:30:58 -0700  306) `cloud`.`template_store_ref` ON
template_store_ref.template_id = vm_template.id and
template_store_ref.store_role = ŒImage¹


Which version should we keep? Here¹s the complete diff:
http://pastebin.com/PB6N7aCt

You may do it locally against 4.3 (4.4/4.5 etc.) and master as well:
git diff master 4.3 -- setup/db/db/schema-421to430.sql

I think such issues are seen time and time again due to the way paid
contributors work on private forks and upstream ACS. We simply don¹t want
to use code thrown over corporate fences to ACS branches.

While who am I to tell you how to do your job - I simply request that all
of the committers are expected to have some level of commitment to the
project and ethics of their contributions. The best way to work together
is to work in the upstream first and then work on your forks that is
based on the upstream. Hope this will improve with time.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab


--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment framework
CloudStack Consulting
CloudStack Software 
Engineering
CloudStack Infrastructure 
Support
CloudStack Bootcamp Training Courses

This email and any attachments to it may be confidential and are intended solely 
for the use of the individual to whom it is addressed. Any views or opinions 
expressed are solely those of the author and do not necessarily represent those of 
Shape Blue Ltd or related companies. If you are not the intended recipient of this 
email, you must neither take any action based upon its contents, nor copy or show 
it to anyone. Please contact the sender if you believe you have received this email 
in error. Shape Blue Ltd is a company incorporated in England & Wales. 
ShapeBlue Services India LLP is a company incorporated in India and is operated 
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company 
incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue 
SA Pty Ltd is a company registered by The Republic of South Africa and is traded 
under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

time zones

[Alireza Eskandari]

Hi,Does CloudStack accepted time zones limited to list 
below?http://docs.cloudstack.apache.org/en/latest/dev.html?highlight=time%20zones#time-zones
Is it possible to use different time zone outside of the above list?Thanks

Re: time zones

[Francois Gaudreault]

Hmm... AFAIK this list covers all timezones available. Pick the one that
match your timezone? Even if its not Your city thata written. I dont think
any is missing. (?)

FG
On Dec 2, 2014 7:41 AM, "Alireza Eskandari" 
wrote:

> Hi,Does CloudStack accepted time zones limited to list below?
> http://docs.cloudstack.apache.org/en/latest/dev.html?highlight=time%20zones#time-zones
> Is it possible to use different time zone outside of the above list?Thanks
>

Re: time zones

[Alireza Eskandari]

Francois, you are right but unfortunately our time zone isn't standard. We use 
+3.5 (+4.5 with DST)Thanks

   

Re: time zones

[Francois Gaudreault]

Interesting. I guess you should do a JIRA ticket to track it. Most of these
timezone probably comes from Java tho.

FG
On Dec 2, 2014 7:56 AM, "Alireza Eskandari" 
wrote:

> Francois, you are right but unfortunately our time zone isn't standard. We
> use +3.5 (+4.5 with DST)Thanks
>
>

Jenkins 4.4.2 release?

[Matthew Midgett]

In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I 
can test it?


Matthew Midgett

Re: Jenkins 4.4.2 release?

[Daan Hoogland]

the source tarball is in
https://dist.apache.org/repos/dist/release/cloudstack/releases/4.4.2/

On Tue, Dec 2, 2014 at 3:33 PM, Matthew Midgett
 wrote:
> In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I 
> can test it?
>
>
> Matthew Midgett
>



-- 
Daan

Re: Review Request 28523: CLOUDSTACK-7991: test_security_groups.py - Move config data to test_data.py and fix pep8 issues

[Pierre-Luc Dion]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28523/#review63535
---


Pushed into master and 4.5 branches.

- Pierre-Luc Dion


On Nov. 28, 2014, 8:55 a.m., Gaurav Aradhye wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28523/
> ---
> 
> (Updated Nov. 28, 2014, 8:55 a.m.)
> 
> 
> Review request for cloudstack and SrikanteswaraRao Talluri.
> 
> 
> Bugs: CLOUDSTACK-7991
> https://issues.apache.org/jira/browse/CLOUDSTACK-7991
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Moving the config data in the test case to test_data.py
> Keeping host credentails in configurableData section.
> Fixing pep8 issues.
> 
> 
> Diffs
> -
> 
>   test/integration/component/test_security_groups.py eb242c7 
>   tools/marvin/marvin/config/test_data.py f0802a5 
> 
> Diff: https://reviews.apache.org/r/28523/diff/
> 
> 
> Testing
> ---
> 
> Yes. Two test cases failing for different reason.
> 
> Log:
> Test authorize ingress rule ... === TestName: test_01_authorizeIngressRule | 
> Status : SUCCESS ===
> ok
> Test deploy VM in default security group ... === TestName: 
> test_01_deployVM_InDefaultSecurityGroup | Status : SUCCESS ===
> ok
> Test list security groups for admin account ... === TestName: 
> test_02_listSecurityGroups | Status : SUCCESS ===
> ok
> Test access in default security group ... === TestName: 
> test_03_accessInDefaultSecurityGroup | Status : SUCCESS ===
> ok
> Test delete security group with running VM ... === TestName: 
> test_01_delete_security_grp_running_vm | Status : SUCCESS ===
> ok
> Test delete security group without running VM ... === TestName: 
> test_02_delete_security_grp_withoout_running_vm | Status : SUCCESS ===
> ok
> Test router services for user account ... === TestName: 
> test_01_dhcpOnlyRouter | Status : SUCCESS ===
> ok
> Test delete security group with running VM ... === TestName: 
> test_01_authorizeIngressRule_AfterDeployVM | Status : SUCCESS ===
> ok
> Test Revoke ingress rule after deploy VM ... === TestName: 
> test_02_revokeIngressRule_AfterDeployVM | Status : FAILED ===
> FAIL
> Test Start/Stop VM and Verify ingress rule ... === TestName: 
> test_03_stopStartVM_verifyIngressAccess | Status : SUCCESS ===
> ok
> Test revoke ingress rule ... === TestName: test_01_revokeIngressRule | Status 
> : FAILED ===
> FAIL
> Test Deploy VM with User data ... === TestName: test_01_deployVMWithUserData 
> | Status : SUCCESS ===
> ok
> 
> 
> Thanks,
> 
> Gaurav Aradhye
> 
>

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Will Stevens]

@Rohit:  If the script is run with 'set -e' it should not be a problem
because I was planning to do an explicit 'set +e' before the call and then
a 'set -e' after the call.  This should handle this case, no?

@Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
compat option", what do you mean by that?  Are you saying that if you run
the build system vms job on EL7, that you have to specify the compat option
even though it comes with qemu-img 1.5.3?  That should not be the case
because the default compat flag should not have been changed till 1.7.  If
you are talking about having a KVM host which runs EL7 and has a qemu-img
version of 1.5.3, then that is not really relevant for this bash script.
The version of qemu-img which this script  checking is the version on the
build system, not on the KVM host.  It is validating if the compat option
needs to be passed to the 'qemu-img convert' command in order for the image
to have the 'compat=0.10' option set.  We are not debating that the
'compat=0.10' option needs to be set, that is for sure.  We are determining
when it needs to be explicitly set on the build systems.

In short...
Jenkins kicks off a job to build the system vms.  This build system could
have one of many different qemu-img versions.  When this script runs on the
build system, we need to determine which command needs to be run in order
to output a 'compat=0.10' compatible image.

I will do some testing with Edison's suggestion and see if I can come up
with a solution that way as well and then we can pick which we want to
implement.

Cheers,

Will


*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:

> As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat
> option, so it's not only 1.7+.
> Personally I'm in favour of Will's approach.
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Rohit Yadav" 
> > To: "Will Stevens" 
> > Cc: "Edison Su" , "Wilder Rodrigues" <
> wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,
> > "Leo Simons" 
> > Sent: Tuesday, 2 December, 2014 07:36:21
> > Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
>
> > Hi Will,
> >
> > While we can use your first solution that checks exit status ($?) but in
> > case some is running the script with a "set -e", the script will simply
> > break when $? is not zero. I think if we know above which qemu-img
> version
> > we should we the compat option (1.7?) than that's great we should we
> that.
> > Thanks for looking into this.
> >
> > Regards.
> >
> > On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens 
> wrote:
> >
> >> Thanks for that. Does that mean that we prefer to do an if else based on
> >> version rather than basically doing a try catch?
> >>
> >> I have not been involved in previous bash scripting for CS, so I am
> >> willing to fall in line with the preferred method. What I proposed was
> >> based on how similar problems were solved in other code in the same
> file.
> >>
> >> If I check for version, do you agree that I should check for 1.7 as the
> >> version since that is the version where the compact default changed?
> >>
> >> I will try to get this resolved tomorrow.
> >>
> >> Cheers,
> >>
> >> Will
> >> On Dec 1, 2014 9:16 PM, "Edison Su"  wrote:
> >>
> >>>  qemu-img |head -n 1|awk '{print $3}'
> >>>
> >>> should show the version of qemu-img
> >>>
> >>>
> >>>
> >>> *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On
> >>> Behalf Of *Will Stevens
> >>> *Sent:* Monday, December 01, 2014 2:17 PM
> >>> *To:* dev@cloudstack.apache.org
> >>> *Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su
> >>> *Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
> >>>
> >>>
> >>>
> >>> Alright, so far I have found the following:
> >>>
> https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c
> >>>
> >>>
> >>>
> >>> Basically, if the qemu-img version is less than 1.7, we should run the
> >>> non 'compat' option version and if the version is 1.7 or greater, we
> should
> >>> run the new command with the 'compat' version.
> >>>
> >>>
> >>>
> >>> Unfortunately I am not able to find a way to get the qemu-img version
> >>> from the command line.
> >>>
> >>>
> >>>
> >>> I am looking to basically add a conditional to try running with the
> >>> compat option and if that fails, then run it without the compat option.
> >>>
> >>>
> >>>
> >>> Basically, I would be replacing this:
> >>>
> >>>
> >>>
> >>> qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
> >>> "${appliance_build_name}-kvm.qcow2"
> >>>
> >>>
> >>>
> >>> With this:
> >>>
> >>>
> >>>
> >>> set +e
> >>>
> >>> qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
> >>> "${appliance_build_name}-kvm.qcow2"
> >>>
> >>> local qemuresult=$?
> >>>

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Nux!]

Will, I might have gotten lost in the details, apologies if it's the case.

What I wanted to point out is that the qemu-img in EL7 (v1.5.3 which is _lower_ 
than 1.7) will by default produce an image with compat = 1.1 which older 
qemu-kvm will not be able to use, such as the one in CentOS 6.
So if you are running a systemvm build job on EL7 you should be aware of this. 
That's why I preferred your script, because it doesn't just rely on version 
numbers.
I myself am not running any systemvm build jobs.

qemu-img create -f raw test.raw 1G
qemu-img convert -f raw test.raw -O qcow2 test.qcow2
qemu-img info test.qcow2 
image: test.qcow2
file format: qcow2
virtual size: 1.0G (1073741824 bytes)
disk size: 196K
cluster_size: 65536
Format specific information:
compat: 1.1
lazy refcounts: false



--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Will Stevens" 
> To: "Nux!" 
> Cc: dev@cloudstack.apache.org, "Edison Su" , "Wilder 
> Rodrigues" ,
> "Leo Simons" 
> Sent: Tuesday, 2 December, 2014 15:11:40
> Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

> @Rohit:  If the script is run with 'set -e' it should not be a problem
> because I was planning to do an explicit 'set +e' before the call and then
> a 'set -e' after the call.  This should handle this case, no?
> 
> @Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
> compat option", what do you mean by that?  Are you saying that if you run
> the build system vms job on EL7, that you have to specify the compat option
> even though it comes with qemu-img 1.5.3?  That should not be the case
> because the default compat flag should not have been changed till 1.7.  If
> you are talking about having a KVM host which runs EL7 and has a qemu-img
> version of 1.5.3, then that is not really relevant for this bash script.
> The version of qemu-img which this script  checking is the version on the
> build system, not on the KVM host.  It is validating if the compat option
> needs to be passed to the 'qemu-img convert' command in order for the image
> to have the 'compat=0.10' option set.  We are not debating that the
> 'compat=0.10' option needs to be set, that is for sure.  We are determining
> when it needs to be explicitly set on the build systems.
> 
> In short...
> Jenkins kicks off a job to build the system vms.  This build system could
> have one of many different qemu-img versions.  When this script runs on the
> build system, we need to determine which command needs to be run in order
> to output a 'compat=0.10' compatible image.
> 
> I will do some testing with Edison's suggestion and see if I can come up
> with a solution that way as well and then we can pick which we want to
> implement.
> 
> Cheers,
> 
> Will
> 
> 
> *Will STEVENS*
> Lead Developer
> 
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
> 
> On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:
> 
>> As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat
>> option, so it's not only 1.7+.
>> Personally I'm in favour of Will's approach.
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>> - Original Message -
>> > From: "Rohit Yadav" 
>> > To: "Will Stevens" 
>> > Cc: "Edison Su" , "Wilder Rodrigues" <
>> wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,
>> > "Leo Simons" 
>> > Sent: Tuesday, 2 December, 2014 07:36:21
>> > Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
>>
>> > Hi Will,
>> >
>> > While we can use your first solution that checks exit status ($?) but in
>> > case some is running the script with a "set -e", the script will simply
>> > break when $? is not zero. I think if we know above which qemu-img
>> version
>> > we should we the compat option (1.7?) than that's great we should we
>> that.
>> > Thanks for looking into this.
>> >
>> > Regards.
>> >
>> > On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens 
>> wrote:
>> >
>> >> Thanks for that. Does that mean that we prefer to do an if else based on
>> >> version rather than basically doing a try catch?
>> >>
>> >> I have not been involved in previous bash scripting for CS, so I am
>> >> willing to fall in line with the preferred method. What I proposed was
>> >> based on how similar problems were solved in other code in the same
>> file.
>> >>
>> >> If I check for version, do you agree that I should check for 1.7 as the
>> >> version since that is the version where the compact default changed?
>> >>
>> >> I will try to get this resolved tomorrow.
>> >>
>> >> Cheers,
>> >>
>> >> Will
>> >> On Dec 1, 2014 9:16 PM, "Edison Su"  wrote:
>> >>
>> >>>  qemu-img |head -n 1|awk '{print $3}'
>> >>>
>> >>> should show the version of qemu-img
>> >>>
>> >>>
>> >>>
>> >>> *From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On
>> >>> Behalf Of *Will Stevens
>> >>> *Sent:

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Will Stevens]

Interesting.  Thanks for that...

So it seems that if you run the build system on a EL7 the version check
approach won't even help us because they have changed the default behavior
of the installed qemu-img version to make it default to '1.1'.

In light of this and considering what a PITA it is to compare version
numbers in bash, I will solve the problem with my original code.  I will do
some testing on a local system to work out the kinks and try to validate
that Rohit's concerns are addressed.

I will report back later today.

Thanks for the help on this Nux...  :)

Cheers,

Will


*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Dec 2, 2014 at 10:27 AM, Nux!  wrote:

> Will, I might have gotten lost in the details, apologies if it's the case.
>
> What I wanted to point out is that the qemu-img in EL7 (v1.5.3 which is
> _lower_ than 1.7) will by default produce an image with compat = 1.1 which
> older qemu-kvm will not be able to use, such as the one in CentOS 6.
> So if you are running a systemvm build job on EL7 you should be aware of
> this. That's why I preferred your script, because it doesn't just rely on
> version numbers.
> I myself am not running any systemvm build jobs.
>
> qemu-img create -f raw test.raw 1G
> qemu-img convert -f raw test.raw -O qcow2 test.qcow2
> qemu-img info test.qcow2
> image: test.qcow2
> file format: qcow2
> virtual size: 1.0G (1073741824 bytes)
> disk size: 196K
> cluster_size: 65536
> Format specific information:
> compat: 1.1
> lazy refcounts: false
>
>
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
> > From: "Will Stevens" 
> > To: "Nux!" 
> > Cc: dev@cloudstack.apache.org, "Edison Su" ,
> "Wilder Rodrigues" ,
> > "Leo Simons" 
> > Sent: Tuesday, 2 December, 2014 15:11:40
> > Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
>
> > @Rohit:  If the script is run with 'set -e' it should not be a problem
> > because I was planning to do an explicit 'set +e' before the call and
> then
> > a 'set -e' after the call.  This should handle this case, no?
> >
> > @Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
> > compat option", what do you mean by that?  Are you saying that if you run
> > the build system vms job on EL7, that you have to specify the compat
> option
> > even though it comes with qemu-img 1.5.3?  That should not be the case
> > because the default compat flag should not have been changed till 1.7.
> If
> > you are talking about having a KVM host which runs EL7 and has a qemu-img
> > version of 1.5.3, then that is not really relevant for this bash script.
> > The version of qemu-img which this script  checking is the version on the
> > build system, not on the KVM host.  It is validating if the compat option
> > needs to be passed to the 'qemu-img convert' command in order for the
> image
> > to have the 'compat=0.10' option set.  We are not debating that the
> > 'compat=0.10' option needs to be set, that is for sure.  We are
> determining
> > when it needs to be explicitly set on the build systems.
> >
> > In short...
> > Jenkins kicks off a job to build the system vms.  This build system could
> > have one of many different qemu-img versions.  When this script runs on
> the
> > build system, we need to determine which command needs to be run in order
> > to output a 'compat=0.10' compatible image.
> >
> > I will do some testing with Edison's suggestion and see if I can come up
> > with a solution that way as well and then we can pick which we want to
> > implement.
> >
> > Cheers,
> >
> > Will
> >
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> > w cloudops.com *|* tw @CloudOps_
> >
> > On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:
> >
> >> As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat
> >> option, so it's not only 1.7+.
> >> Personally I'm in favour of Will's approach.
> >>
> >> Lucian
> >>
> >> --
> >> Sent from the Delta quadrant using Borg technology!
> >>
> >> Nux!
> >> www.nux.ro
> >>
> >> - Original Message -
> >> > From: "Rohit Yadav" 
> >> > To: "Will Stevens" 
> >> > Cc: "Edison Su" , "Wilder Rodrigues" <
> >> wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,
> >> > "Leo Simons" 
> >> > Sent: Tuesday, 2 December, 2014 07:36:21
> >> > Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
> >>
> >> > Hi Will,
> >> >
> >> > While we can use your first solution that checks exit status ($?) but
> in
> >> > case some is running the script with a "set -e", the script will
> simply
> >> > break when $? is not zero. I think if we know above which qemu-img
> >> version
> >> > we should we the compat option (1.7?) than that's great we should we
> >> that.
> >> > Thanks for looking into this.
> >> >

RE: Jenkins 4.4.2 release?

[Matthew Midgett]

Thanks Daan, Going to get coffee as this build might take a while on the small 
VM that its running on.  Awesome!

I'm super stoked that now I have created my own repo. :)

BTW thanks for good documnetion 
http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/latest/building_from_source.html

I did upgrade to the latest version of maven.



-Original Message-
From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] 
Sent: Tuesday, December 02, 2014 9:36 AM
To: dev
Subject: Re: Jenkins 4.4.2 release?

the source tarball is in
https://dist.apache.org/repos/dist/release/cloudstack/releases/4.4.2/

On Tue, Dec 2, 2014 at 3:33 PM, Matthew Midgett 
 wrote:
> In Jenkins I can find the 4.4.3 snapshots but where can I find the 4.4.2 so I 
> can test it?
>
>
> Matthew Midgett
>



--
Daan

Re: git commit: updated refs/heads/master to 6dd30ea

[Rohit Yadav]

Hi Daan/Wilder,

Quick question about fixing the following coverity issue (in-line);

On Tue, Dec 2, 2014 at 8:45 PM,  wrote:

> Repository: cloudstack
> Updated Branches:
>   refs/heads/master 818957de0 -> 6dd30eaf1
>
>
> CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch
> statement warning
>
> reviewed by Wilder Rodrigues
>
> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
> Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf
> Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf
> Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf
>
> Branch: refs/heads/master
> Commit: 6dd30eaf14f323cd84252647c490e84982b0a853
> Parents: 818957d
> Author: Daan Hoogland 
> Authored: Tue Dec 2 16:14:34 2014 +0100
> Committer: Daan Hoogland 
> Committed: Tue Dec 2 16:14:34 2014 +0100
>
> --
>  .../com/cloud/upgrade/dao/Upgrade442to450.java  | 28 ++--
>  1 file changed, 8 insertions(+), 20 deletions(-)
> --
>
>
>
> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
> --
> diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
> b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
> index aeb44a1..9fe1319 100644
> --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
> +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
> @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade {
>  }
>
>  private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection
> conn) {
> -PreparedStatement updatePstmt = null;
> -PreparedStatement selectPstmt = null;
> -ResultSet selectResultSet = null;
>  int newRamSize = 256; //256MB
>  long serviceOfferingId = 0;
>
> @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade {
>   * We should not update/modify any user-defined offering.
>   */
>
> -try {
> -selectPstmt = conn.prepareStatement("SELECT id FROM
> `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'");
> -updatePstmt = conn.prepareStatement("UPDATE
> `cloud`.`service_offering` SET ram_size=? WHERE id=?");
> -selectResultSet = selectPstmt.executeQuery();
> +try (PreparedStatement selectPstmt =
> conn.prepareStatement("SELECT id FROM `cloud`.`service_offering` WHERE
> vm_type='internalloadbalancervm'");
> + PreparedStatement updatePstmt =
> conn.prepareStatement("UPDATE `cloud`.`service_offering` SET ram_size=?
> WHERE id=?");
> + ResultSet selectResultSet = selectPstmt.executeQuery()){
>  if(selectResultSet.next()) {
>  serviceOfferingId = selectResultSet.getLong("id");
>  }
> @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade {
>  updatePstmt.executeUpdate();
>  } catch (SQLException e) {
>  throw new CloudRuntimeException("Unable to upgrade ram_size
> of service offering for internal loadbalancer vm. ", e);
> -} finally {
> -try {
> -if (selectPstmt != null) {
> -selectPstmt.close();
> -}
> -if (selectResultSet != null) {
> -selectResultSet.close();
> -}
> -if (updatePstmt != null) {
> -updatePstmt.close();
> -}
> -} catch (SQLException e) {
> -}
>

Why are we removing closing statements and resultsets here?


>  }
>  s_logger.debug("Done upgrading RAM for service offering of
> internal loadbalancer vm to " + newRamSize);
>  }
> @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade {
>  break;
>  case LXC:
>  hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC);
>  break;
> +default:  // no action on cases Any, BareMetal,
> None, Ovm, Parralels, Simulator and VirtualBox:
> +break;
>  }
>  }
>  } catch (SQLException e) {
> @@ -258,6 +243,8 @@ public class Upgrade442to450 implements DbUpgrade {
>  pstmt.executeUpdate();
>  pstmt.close();
>  } else {
> +rs.close();
> +pstmt.close();
>  if
> (hypervisorsListInUse.contains(hypervisorAndTemplateName.getKey())){
>  throw new CloudRuntimeException("4.5.0 " +
> hypervisorAndTemplateName.getKey() + " SystemVm templa

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Rohit Yadav]

Hi Will,

Reply in-line;

On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote:

@Rohit:  If the script is run with 'set -e' it should not be a problem
because I was planning to do an explicit 'set +e' before the call and then
a 'set -e' after the call.  This should handle this case, no?


Yes, I think that will work as well. If we are not sure about qemu
version, it should be alright to try once without compat and check $?
and retry again with compat option. The only corner case I can think of
is when qemu-img genuinely exits with a non-zero exit code during image
conversion.



@Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
compat option", what do you mean by that?  Are you saying that if you run
the build system vms job on EL7, that you have to specify the compat option
even though it comes with qemu-img 1.5.3?  That should not be the case
because the default compat flag should not have been changed till 1.7.  If
you are talking about having a KVM host which runs EL7 and has a qemu-img
version of 1.5.3, then that is not really relevant for this bash script.
The version of qemu-img which this script  checking is the version on the
build system, not on the KVM host.  It is validating if the compat option
needs to be passed to the 'qemu-img convert' command in order for the image
to have the 'compat=0.10' option set.  We are not debating that the
'compat=0.10' option needs to be set, that is for sure.  We are determining
when it needs to be explicitly set on the build systems.

In short...
Jenkins kicks off a job to build the system vms.  This build system could
have one of many different qemu-img versions.  When this script runs on the
build system, we need to determine which command needs to be run in order
to output a 'compat=0.10' compatible image.

I will do some testing with Edison's suggestion and see if I can come up
with a solution that way as well and then we can pick which we want to
implement.

Cheers,

Will


*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:


As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat
option, so it's not only 1.7+.
Personally I'm in favour of Will's approach.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -

From: "Rohit Yadav" 
To: "Will Stevens" 
Cc: "Edison Su" , "Wilder Rodrigues" <

wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,

"Leo Simons" 
Sent: Tuesday, 2 December, 2014 07:36:21
Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat



Hi Will,

While we can use your first solution that checks exit status ($?) but in
case some is running the script with a "set -e", the script will simply
break when $? is not zero. I think if we know above which qemu-img

version

we should we the compat option (1.7?) than that's great we should we

that.

Thanks for looking into this.

Regards.

On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens 

wrote:



Thanks for that. Does that mean that we prefer to do an if else based on
version rather than basically doing a try catch?

I have not been involved in previous bash scripting for CS, so I am
willing to fall in line with the preferred method. What I proposed was
based on how similar problems were solved in other code in the same

file.


If I check for version, do you agree that I should check for 1.7 as the
version since that is the version where the compact default changed?

I will try to get this resolved tomorrow.

Cheers,

Will
On Dec 1, 2014 9:16 PM, "Edison Su"  wrote:


  qemu-img |head -n 1|awk '{print $3}'

should show the version of qemu-img



*From:* williamstev...@gmail.com [mailto:williamstev...@gmail.com] *On
Behalf Of *Will Stevens
*Sent:* Monday, December 01, 2014 2:17 PM
*To:* dev@cloudstack.apache.org
*Cc:* Leo Simons; Wilder Rodrigues; Rohit Yadav; Edison Su
*Subject:* Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat



Alright, so far I have found the following:


https://github.com/qemu/qemu/commit/9117b47717ad208b12786ce88eacb013f9b3dd1c




Basically, if the qemu-img version is less than 1.7, we should run the
non 'compat' option version and if the version is 1.7 or greater, we

should

run the new command with the 'compat' version.



Unfortunately I am not able to find a way to get the qemu-img version
from the command line.



I am looking to basically add a conditional to try running with the
compat option and if that fails, then run it without the compat option.



Basically, I would be replacing this:



qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
"${appliance_build_name}-kvm.qcow2"



With this:



set +e

qemu-img convert -o compat=0.10 -f raw -c -O qcow2 raw.img
"${appliance_build_name}-kvm.qcow2"

local qemuresult=$?

set -e

if [ ${qemuresult} != 0 ]; then

   log INFO "qemu-img convert failed, tryin

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Will Stevens]

I will do some testing and see what I can come up with.

BTW, I would be doing it the reverse of what you said.  I would try to
specify the 'compat=0.10' option initially and if that is OK, then we are
good.  If it fails (it is currently failing on the 4.5 branch) this is most
likely because the version of qemu-img does not support the 'compat' option
being passed to the convert call (which is what is happening right now on
our build systems).  In that case, we will want to run the command without
the compat option because if it is too old to support the 'compat' option
then it will have the compat=0.10 default.

Basically, I will try it the new way that Edison introduced.  If that
fails, I will fall back to the way it was being done before Edison's
change...

Will


*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav 
wrote:

> Hi Will,
>
> Reply in-line;
>
> On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote:
>
>> @Rohit:  If the script is run with 'set -e' it should not be a problem
>> because I was planning to do an explicit 'set +e' before the call and then
>> a 'set -e' after the call.  This should handle this case, no?
>>
>
> Yes, I think that will work as well. If we are not sure about qemu
> version, it should be alright to try once without compat and check $?
> and retry again with compat option. The only corner case I can think of
> is when qemu-img genuinely exits with a non-zero exit code during image
> conversion.
>
>
>> @Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
>> compat option", what do you mean by that?  Are you saying that if you run
>> the build system vms job on EL7, that you have to specify the compat
>> option
>> even though it comes with qemu-img 1.5.3?  That should not be the case
>> because the default compat flag should not have been changed till 1.7.  If
>> you are talking about having a KVM host which runs EL7 and has a qemu-img
>> version of 1.5.3, then that is not really relevant for this bash script.
>> The version of qemu-img which this script  checking is the version on the
>> build system, not on the KVM host.  It is validating if the compat option
>> needs to be passed to the 'qemu-img convert' command in order for the
>> image
>> to have the 'compat=0.10' option set.  We are not debating that the
>> 'compat=0.10' option needs to be set, that is for sure.  We are
>> determining
>> when it needs to be explicitly set on the build systems.
>>
>> In short...
>> Jenkins kicks off a job to build the system vms.  This build system could
>> have one of many different qemu-img versions.  When this script runs on
>> the
>> build system, we need to determine which command needs to be run in order
>> to output a 'compat=0.10' compatible image.
>>
>> I will do some testing with Edison's suggestion and see if I can come up
>> with a solution that way as well and then we can pick which we want to
>> implement.
>>
>> Cheers,
>>
>> Will
>>
>>
>> *Will STEVENS*
>> Lead Developer
>>
>> *CloudOps* *| *Cloud Solutions Experts
>>
>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>> w cloudops.com *|* tw @CloudOps_
>>
>> On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:
>>
>>  As I said above EL7 comes with qemu-img 1.5.3 and it requires the compat
>>> option, so it's not only 1.7+.
>>> Personally I'm in favour of Will's approach.
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
>>>
>>> - Original Message -
>>>
 From: "Rohit Yadav" 
 To: "Will Stevens" 
 Cc: "Edison Su" , "Wilder Rodrigues" <

>>> wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,
>>>
 "Leo Simons" 
 Sent: Tuesday, 2 December, 2014 07:36:21
 Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

>>>
>>>  Hi Will,

 While we can use your first solution that checks exit status ($?) but in
 case some is running the script with a "set -e", the script will simply
 break when $? is not zero. I think if we know above which qemu-img

>>> version
>>>
 we should we the compat option (1.7?) than that's great we should we

>>> that.
>>>
 Thanks for looking into this.

 Regards.

 On Tue, Dec 2, 2014 at 8:01 AM, Will Stevens 

>>> wrote:
>>>

  Thanks for that. Does that mean that we prefer to do an if else based
> on
> version rather than basically doing a try catch?
>
> I have not been involved in previous bash scripting for CS, so I am
> willing to fall in line with the preferred method. What I proposed was
> based on how similar problems were solved in other code in the same
>
 file.
>>>

> If I check for version, do you agree that I should check for 1.7 as the
> version since that is the version where the compact default changed?
>
> I wi

Re: Review Request 24991: CLOUDSTACK-6697: BigSwitchVns plugin update

[Hugo Trippaers]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/24991/#review63543
---


Hey KC,

I had some trouble applying the latest patch too, it appears a couple of other 
commits got into your patch as well. I've applied the patch as i think it 
should be, but could you check the cloudstack branch reviews/24991 to see if 
everything is in order?

Cheers,

Hugo

- Hugo Trippaers


On Nov. 30, 2014, 2:49 a.m., Kuang-Ching Wang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/24991/
> ---
> 
> (Updated Nov. 30, 2014, 2:49 a.m.)
> 
> 
> Review request for cloudstack, Chiradeep Vittal, David Nalley, Sebastien 
> Goasguen, and Hugo Trippaers.
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> CLOUDSTACK-6697: Big Switch network plugin update
> 1. provide compatibility with the Big Cloud Fabric (BCF) controller
>L2 Connectivity Service in both VPC and non-VPC modes
> 2. virtual network terminology updates: VNS --> BCF_SEGMENT
> 3. uses HTTPS with trust-always certificate handling
> 4. topology sync support with BCF controller
> 5. support multiple (two) BCF controllers with HA
> 6. support VM migration
> 
> 
> Diffs
> -
> 
>   .travis.yml cb07a68cb3e7decf7cdb593172d8c9011c418e36 
>   api/src/com/cloud/network/Network.java 
> c5a9bf286df8d502a6ca33661fb52ee717643566 
>   api/src/com/cloud/network/PhysicalNetwork.java 
> 7c9349d932771fdbecc4a0b1ae4cad28b3d67857 
>   api/src/org/apache/cloudstack/api/response/UserVmResponse.java 
> 9fe3475f57afebbd976294e4fd5231cdf77612c2 
>   client/WEB-INF/classes/resources/messages.properties 
> 3228578ce81a826f49166a72a6c67143fb12c95d 
>   client/WEB-INF/classes/resources/messages_fr_FR.properties 
> 54dc6215a8339b9f8c2bad9fe4c3ed18b4a702e7 
>   client/WEB-INF/classes/resources/messages_ja_JP.properties 
> 1962e92a4cf47978dae35a3d2b090b4c1765fecb 
>   client/WEB-INF/classes/resources/messages_ko_KR.properties 
> ced576cb23598e7d3e5005bc24c2adf20b66a826 
>   client/WEB-INF/classes/resources/messages_nl_NL.properties 
> 86653a5f5144c75e67b5a6f02c47d37bd5a71ef0 
>   client/WEB-INF/classes/resources/messages_pt_BR.properties 
> fa77633a650f1b37d8398a8936bbf84f5b4a40e3 
>   client/WEB-INF/classes/resources/messages_ru_RU.properties 
> 7f57daa58bef379ddb47acb88965d0defe32ad73 
>   client/WEB-INF/classes/resources/messages_zh_CN.properties 
> 217849582b41cb2c63a0e305e5613af6f659d11d 
>   client/pom.xml 6803f9a11fd2c80523ea16bdd35f2a4d163f953c 
>   client/tomcatconf/commands.properties.in 
> a87d1677f24657299ec24d4ce9df9a180a62bd0c 
>   engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java 
> dc1057f9033fd783900e6c3b623d3b28fb7d6836 
>   engine/schema/src/com/cloud/user/dao/VmDiskStatisticsDaoImpl.java 
> e1136d3cf567b73fd1198181aea4d6995df6b78a 
>   
> engine/storage/datamotion/src/org/apache/cloudstack/storage/motion/AncientDataMotionStrategy.java
>  5b01f95eef164e725001f34528e46dde0eb15f99 
>   packaging/centos63/cloud.spec 072a0b94884c5f32176df3ac0083249a52a1f9ed 
>   packaging/centos63/default/macros.spec 
> f3c937cac37afb39c1d95d223a0debd42c19a505 
>   packaging/centos63/default/tomcat.sh 
> 0908da4696e300d0b26a1aef18ce08b1816e9af9 
>   packaging/centos63/package.sh 00c19478ea0125fbf1ec5902cc7da11d7bbdc5de 
>   packaging/centos63/rhel7/cloud-management.service 
> 5d69885640416bbf1760eb644a062a1f79b5022a 
>   packaging/centos63/rhel7/macros.spec 
> 4b7109280abcb22b3f846edd81147391477289e9 
>   packaging/centos63/rhel7/tomcat.sh 03c6e7b97848a923bf69b57abd2970aeb883c4c7 
>   packaging/centos63/tomcat.sh PRE-CREATION 
>   packaging/centos7/cloud-agent.rc PRE-CREATION 
>   packaging/centos7/cloud-ipallocator.rc PRE-CREATION 
>   packaging/centos7/cloud-management.service PRE-CREATION 
>   packaging/centos7/cloud-management.sudoers PRE-CREATION 
>   packaging/centos7/cloud-management.sysconfig PRE-CREATION 
>   packaging/centos7/cloud-usage-sysd PRE-CREATION 
>   packaging/centos7/cloud-usage.service PRE-CREATION 
>   packaging/centos7/cloud-usage.sysconfig PRE-CREATION 
>   packaging/centos7/cloud.limits PRE-CREATION 
>   packaging/centos7/cloud.spec PRE-CREATION 
>   packaging/centos7/cloudstack-agent.te PRE-CREATION 
>   packaging/centos7/cloudstack-sccs PRE-CREATION 
>   packaging/centos7/replace.properties PRE-CREATION 
>   packaging/centos7/tomcat7/catalina.properties PRE-CREATION 
>   packaging/centos7/tomcat7/cloud-bridge.properties PRE-CREATION 
>   packaging/centos7/tomcat7/commons-logging.properties PRE-CREATION 
>   packaging/centos7/tomcat7/db.properties PRE-CREATION 
>   packaging/centos7/tomcat7/ec2-service.properties PRE-CREATION 
>   packaging/centos7/tomcat7/environment.properties PRE-CREATION 
>   packaging/centos7/tomc

Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though

[papu bhattcharaya]

Hi ,
I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 
4 vlans 
public(CIDR:-192.168.1.0/24)
guest vlan (CIDR:-10.0.0.0/24)
management vlan (CIDR:-10.0.1.0/24)
storage vlan (CIDR:-10.0.2.0/24)

I have a kvm host with four physical NICS that a connected in switch and each 
NIC is connected in each different vlan.
I have created bridge over each physical nics:-
Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to 
guest vlan)
Cloudbr1:-ip address:-10.0.1.24  (connected on the port of the switch belongs 
to management vlan)
Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to 
storage vlan)
Cloudbr3:-ip address:-192.168.1.24  (connected on the port of the switch 
belongs to public vlan)

I have a physical machine with four NICS and CloudStack management is installed 
on it and four NICS are connected in four vlans with ip.
=>I have created a zone with advanced networking and everything been success so 
far.

when I created two instances(guests) on kvm host,  I can ping this instances 
with each other.( guest1/ guest2)
i.e
Instance1:-ip address:-10.0.0.90
Instance2:-ip address:-10.0.0.91
Virtual router:-ip address:-10.0.0.4
Now when I tried to ping /ssh the guest from a laptop attached in same vlan 
(guest vlan) , I can’t ping guests.
>From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) 
>, but cant ping/ssh any guest.
There is no firewall issues - i checked.

I have attached a network diagram also for better understanding of issues.

Could you please help me so that I can ping /ssh to any guest from any machine 
in guest vlan.
Thanks in advance

Best Regards 
Papu Bhattacharya 
CEO- PTR Technologies 
http://www.ptrsoft.com 
91-9963111687 

Re: git commit: updated refs/heads/master to 6dd30ea

[Daan Hoogland]

On Tue, Dec 2, 2014 at 4:50 PM, Rohit Yadav  wrote:
> Hi Daan/Wilder,
>
> Quick question about fixing the following coverity issue (in-line);
>
> On Tue, Dec 2, 2014 at 8:45 PM,  wrote:
>
>> Repository: cloudstack
>> Updated Branches:
>>   refs/heads/master 818957de0 -> 6dd30eaf1
>>
>>
>> CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch
>> statement warning
>>
>> reviewed by Wilder Rodrigues
>>
>> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
>> Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf
>> Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf
>> Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf
>>
>> Branch: refs/heads/master
>> Commit: 6dd30eaf14f323cd84252647c490e84982b0a853
>> Parents: 818957d
>> Author: Daan Hoogland 
>> Authored: Tue Dec 2 16:14:34 2014 +0100
>> Committer: Daan Hoogland 
>> Committed: Tue Dec 2 16:14:34 2014 +0100
>>
>> --
>>  .../com/cloud/upgrade/dao/Upgrade442to450.java  | 28 ++--
>>  1 file changed, 8 insertions(+), 20 deletions(-)
>> --
>>
>>
>>
>> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>> --
>> diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>> b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>> index aeb44a1..9fe1319 100644
>> --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>> +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>> @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade {
>>  }
>>
>>  private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection
>> conn) {
>> -PreparedStatement updatePstmt = null;
>> -PreparedStatement selectPstmt = null;
>> -ResultSet selectResultSet = null;
>>  int newRamSize = 256; //256MB
>>  long serviceOfferingId = 0;
>>
>> @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade {
>>   * We should not update/modify any user-defined offering.
>>   */
>>
>> -try {
>> -selectPstmt = conn.prepareStatement("SELECT id FROM
>> `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'");
>> -updatePstmt = conn.prepareStatement("UPDATE
>> `cloud`.`service_offering` SET ram_size=? WHERE id=?");
>> -selectResultSet = selectPstmt.executeQuery();
>> +try (PreparedStatement selectPstmt =
>> conn.prepareStatement("SELECT id FROM `cloud`.`service_offering` WHERE
>> vm_type='internalloadbalancervm'");
>> + PreparedStatement updatePstmt =
>> conn.prepareStatement("UPDATE `cloud`.`service_offering` SET ram_size=?
>> WHERE id=?");
>> + ResultSet selectResultSet = selectPstmt.executeQuery()){
>>  if(selectResultSet.next()) {
>>  serviceOfferingId = selectResultSet.getLong("id");
>>  }
>> @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade {
>>  updatePstmt.executeUpdate();
>>  } catch (SQLException e) {
>>  throw new CloudRuntimeException("Unable to upgrade ram_size
>> of service offering for internal loadbalancer vm. ", e);
>> -} finally {
>> -try {
>> -if (selectPstmt != null) {
>> -selectPstmt.close();
>> -}
>> -if (selectResultSet != null) {
>> -selectResultSet.close();
>> -}
>> -if (updatePstmt != null) {
>> -updatePstmt.close();
>> -}
>> -} catch (SQLException e) {
>> -}
>>
>
> Why are we removing closing statements and resultsets here?

because of the try-with-resource (automatic closing of resources)

>
>
>>  }
>>  s_logger.debug("Done upgrading RAM for service offering of
>> internal loadbalancer vm to " + newRamSize);
>>  }
>> @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade {
>>  break;
>>  case LXC:
>>  hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC);
>>  break;
>> +default:  // no action on cases Any, BareMetal,
>> None, Ovm, Parralels, Simulator and VirtualBox:
>> +break;
>>  }
>>  }
>>  } catch (SQLException e) {
>> @@ -258,6 +243,8 @@ public class Upgrade442to450 implements DbUpgrade {
>>  pstmt.executeUpdate();
>>  pstmt.close();
>>  } else {
>> +rs.close();
>> +pstm

Re: Can't ping/ssh any guest from a laptop attached in same vlan - guests can talk wth each other though

[papu bhattcharaya]

Hi, ( sending same mail with attachments image- seems early mail image was not 
attached),
I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 
4 vlans 
public(CIDR:-192.168.1.0/24)
guest vlan (CIDR:-10.0.0.0/24)
management vlan (CIDR:-10.0.1.0/24)
storage vlan (CIDR:-10.0.2.0/24)

I have a kvm host with four physical NICS that a connected in switch and each 
NIC is connected in each different vlan.
I have created bridge over each physical nics:-
Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to 
guest vlan)
Cloudbr1:-ip address:-10.0.1.24  (connected on the port of the switch belongs 
to management vlan)
Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to 
storage vlan)
Cloudbr3:-ip address:-192.168.1.24  (connected on the port of the switch 
belongs to public vlan)

I have a physical machine with four NICS and CloudStack management is installed 
on it and four NICS are connected in four vlans with ip.
=>I have created a zone with advanced networking and everything been success so 
far.

when I created two instances(guests) on kvm host,  I can ping this instances 
with each other.( guest1/ guest2)
i.e
Instance1:-ip address:-10.0.0.90
Instance2:-ip address:-10.0.0.91
Virtual router:-ip address:-10.0.0.4
Now when I tried to ping /ssh the guest from a laptop attached in same vlan 
(guest vlan) , I can’t ping guests.
>From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) 
>, but cant ping/ssh any guest.
There is no firewall issues - i checked.

I have attached a network diagram also for better understanding of issues.

Could you please help me so that I can ping /ssh to any guest from any machine 
in guest vlan.
Thanks in advance


Best Regards 
Papu Bhattacharya 
CEO- PTR Technologies 
http://www.ptrsoft.com 
91-9963111687 

- Original Message -
From: "papu bhattcharaya" 
To: papub...@gmail.com
Sent: Tuesday, December 2, 2014 10:15:30 PM
Subject: Fwd: Can't ping/ssh  any guest from a laptop attached in same vlan -  
guests can talk wth each other though



Best Regards 
Papu Bhattacharya 
CEO- PTR Technologies 
http://www.ptrsoft.com 
91-9963111687 

- Forwarded Message -
From: "papu bhattcharaya" 
To: dev@cloudstack.apache.org
Sent: Tuesday, December 2, 2014 10:05:11 PM
Subject: Can't ping/ssh  any guest from a laptop attached in same vlan -  
guests can talk wth each other though

Hi ,
I am using cloudstack(4.4.1) with KVM host. I have a L3 switch - partitioned to 
4 vlans 
public(CIDR:-192.168.1.0/24)
guest vlan (CIDR:-10.0.0.0/24)
management vlan (CIDR:-10.0.1.0/24)
storage vlan (CIDR:-10.0.2.0/24)

I have a kvm host with four physical NICS that a connected in switch and each 
NIC is connected in each different vlan.
I have created bridge over each physical nics:-
Cloudrbr0:-ip address:-10.0.0.24 connected on the port of the switch belongs to 
guest vlan)
Cloudbr1:-ip address:-10.0.1.24  (connected on the port of the switch belongs 
to management vlan)
Cloudbr2:-ip address:-10.0.2.24 (connected on the port of the switch belongs to 
storage vlan)
Cloudbr3:-ip address:-192.168.1.24  (connected on the port of the switch 
belongs to public vlan)

I have a physical machine with four NICS and CloudStack management is installed 
on it and four NICS are connected in four vlans with ip.
=>I have created a zone with advanced networking and everything been success so 
far.

when I created two instances(guests) on kvm host,  I can ping this instances 
with each other.( guest1/ guest2)
i.e
Instance1:-ip address:-10.0.0.90
Instance2:-ip address:-10.0.0.91
Virtual router:-ip address:-10.0.0.4
Now when I tried to ping /ssh the guest from a laptop attached in same vlan 
(guest vlan) , I can’t ping guests.
>From the laptop , I can ping 10.0.0.24 ( my cloudbr0 ip – in KVM host machine) 
>, but cant ping/ssh any guest.
There is no firewall issues - i checked.

I have attached a network diagram also for better understanding of issues.

Could you please help me so that I can ping /ssh to any guest from any machine 
in guest vlan.
Thanks in advance

Best Regards 
Papu Bhattacharya 
CEO- PTR Technologies 
http://www.ptrsoft.com 
91-9963111687 

RE: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Edison Su]

> -Original Message-
> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> Behalf Of Will Stevens
> Sent: Tuesday, December 02, 2014 8:06 AM
> To: dev@cloudstack.apache.org
> Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
> 
> I will do some testing and see what I can come up with.
> 
> BTW, I would be doing it the reverse of what you said.  I would try to specify
> the 'compat=0.10' option initially and if that is OK, then we are good.  If 
> it fails
> (it is currently failing on the 4.5 branch) this is most likely because the 
> version
> of qemu-img does not support the 'compat' option being passed to the
> convert call (which is what is happening right now on our build systems).  In
> that case, we will want to run the command without the compat option
> because if it is too old to support the 'compat' option then it will have the
> compat=0.10 default.
Seems the qemu version is a little bit of mess, I think above method is good 
enough.
BTW, thanks to look into the issue...

> 
> Basically, I will try it the new way that Edison introduced.  If that fails, 
> I will fall
> back to the way it was being done before Edison's change...
> 
> Will
> 
> 
> *Will STEVENS*
> Lead Developer
> 
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
> @CloudOps_
> 
> On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav 
> wrote:
> 
> > Hi Will,
> >
> > Reply in-line;
> >
> > On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote:
> >
> >> @Rohit:  If the script is run with 'set -e' it should not be a
> >> problem because I was planning to do an explicit 'set +e' before the
> >> call and then a 'set -e' after the call.  This should handle this case, no?
> >>
> >
> > Yes, I think that will work as well. If we are not sure about qemu
> > version, it should be alright to try once without compat and check $?
> > and retry again with compat option. The only corner case I can think
> > of is when qemu-img genuinely exits with a non-zero exit code during
> > image conversion.
> >
> >
> >> @Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
> >> compat option", what do you mean by that?  Are you saying that if you
> >> run the build system vms job on EL7, that you have to specify the
> >> compat option even though it comes with qemu-img 1.5.3?  That should
> >> not be the case because the default compat flag should not have been
> >> changed till 1.7.  If you are talking about having a KVM host which
> >> runs EL7 and has a qemu-img version of 1.5.3, then that is not really
> >> relevant for this bash script.
> >> The version of qemu-img which this script  checking is the version on
> >> the build system, not on the KVM host.  It is validating if the
> >> compat option needs to be passed to the 'qemu-img convert' command in
> >> order for the image to have the 'compat=0.10' option set.  We are not
> >> debating that the 'compat=0.10' option needs to be set, that is for
> >> sure.  We are determining when it needs to be explicitly set on the
> >> build systems.
> >>
> >> In short...
> >> Jenkins kicks off a job to build the system vms.  This build system
> >> could have one of many different qemu-img versions.  When this script
> >> runs on the build system, we need to determine which command needs
> to
> >> be run in order to output a 'compat=0.10' compatible image.
> >>
> >> I will do some testing with Edison's suggestion and see if I can come
> >> up with a solution that way as well and then we can pick which we
> >> want to implement.
> >>
> >> Cheers,
> >>
> >> Will
> >>
> >>
> >> *Will STEVENS*
> >> Lead Developer
> >>
> >> *CloudOps* *| *Cloud Solutions Experts
> >>
> >> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
> tw
> >> @CloudOps_
> >>
> >> On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:
> >>
> >>  As I said above EL7 comes with qemu-img 1.5.3 and it requires the
> >> compat
> >>> option, so it's not only 1.7+.
> >>> Personally I'm in favour of Will's approach.
> >>>
> >>> Lucian
> >>>
> >>> --
> >>> Sent from the Delta quadrant using Borg technology!
> >>>
> >>> Nux!
> >>> www.nux.ro
> >>>
> >>> - Original Message -
> >>>
>  From: "Rohit Yadav" 
>  To: "Will Stevens" 
>  Cc: "Edison Su" , "Wilder Rodrigues" <
> 
> >>> wrodrig...@schubergphilis.com>, dev@cloudstack.apache.org,
> >>>
>  "Leo Simons" 
>  Sent: Tuesday, 2 December, 2014 07:36:21
>  Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
> 
> >>>
> >>>  Hi Will,
> 
>  While we can use your first solution that checks exit status ($?)
>  but in case some is running the script with a "set -e", the script
>  will simply break when $? is not zero. I think if we know above
>  which qemu-img
> 
> >>> version
> >>>
>  we should we the compat option (1.7?) than that's great we should
>  we
> 
> >>> that.
> >>>
>  Thanks for looking into this

Re: git commit: updated refs/heads/master to 6dd30ea

[Rohit Yadav]

Hi Daan,

Thanks for confirming, I’ll use this pattern in future.


> On 02-Dec-2014, at 10:05 pm, Daan Hoogland  wrote:
>
> On Tue, Dec 2, 2014 at 4:50 PM, Rohit Yadav  wrote:
>> Hi Daan/Wilder,
>>
>> Quick question about fixing the following coverity issue (in-line);
>>
>> On Tue, Dec 2, 2014 at 8:45 PM,  wrote:
>>
>>> Repository: cloudstack
>>> Updated Branches:
>>>  refs/heads/master 818957de0 -> 6dd30eaf1
>>>
>>>
>>> CID-1256273/CID-1256274/CID-1256275 leaky resources plus switch
>>> statement warning
>>>
>>> reviewed by Wilder Rodrigues
>>>
>>> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
>>> Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd30eaf
>>> Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd30eaf
>>> Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd30eaf
>>>
>>> Branch: refs/heads/master
>>> Commit: 6dd30eaf14f323cd84252647c490e84982b0a853
>>> Parents: 818957d
>>> Author: Daan Hoogland 
>>> Authored: Tue Dec 2 16:14:34 2014 +0100
>>> Committer: Daan Hoogland 
>>> Committed: Tue Dec 2 16:14:34 2014 +0100
>>>
>>> --
>>> .../com/cloud/upgrade/dao/Upgrade442to450.java  | 28 ++--
>>> 1 file changed, 8 insertions(+), 20 deletions(-)
>>> --
>>>
>>>
>>>
>>> http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd30eaf/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>>> --
>>> diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>>> b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>>> index aeb44a1..9fe1319 100644
>>> --- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>>> +++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade442to450.java
>>> @@ -115,9 +115,6 @@ public class Upgrade442to450 implements DbUpgrade {
>>> }
>>>
>>> private void upgradeMemoryOfInternalLoadBalancervmOffering(Connection
>>> conn) {
>>> -PreparedStatement updatePstmt = null;
>>> -PreparedStatement selectPstmt = null;
>>> -ResultSet selectResultSet = null;
>>> int newRamSize = 256; //256MB
>>> long serviceOfferingId = 0;
>>>
>>> @@ -126,10 +123,9 @@ public class Upgrade442to450 implements DbUpgrade {
>>>  * We should not update/modify any user-defined offering.
>>>  */
>>>
>>> -try {
>>> -selectPstmt = conn.prepareStatement("SELECT id FROM
>>> `cloud`.`service_offering` WHERE vm_type='internalloadbalancervm'");
>>> -updatePstmt = conn.prepareStatement("UPDATE
>>> `cloud`.`service_offering` SET ram_size=? WHERE id=?");
>>> -selectResultSet = selectPstmt.executeQuery();
>>> +try (PreparedStatement selectPstmt =
>>> conn.prepareStatement("SELECT id FROM `cloud`.`service_offering` WHERE
>>> vm_type='internalloadbalancervm'");
>>> + PreparedStatement updatePstmt =
>>> conn.prepareStatement("UPDATE `cloud`.`service_offering` SET ram_size=?
>>> WHERE id=?");
>>> + ResultSet selectResultSet = selectPstmt.executeQuery()){
>>> if(selectResultSet.next()) {
>>> serviceOfferingId = selectResultSet.getLong("id");
>>> }
>>> @@ -139,19 +135,6 @@ public class Upgrade442to450 implements DbUpgrade {
>>> updatePstmt.executeUpdate();
>>> } catch (SQLException e) {
>>> throw new CloudRuntimeException("Unable to upgrade ram_size
>>> of service offering for internal loadbalancer vm. ", e);
>>> -} finally {
>>> -try {
>>> -if (selectPstmt != null) {
>>> -selectPstmt.close();
>>> -}
>>> -if (selectResultSet != null) {
>>> -selectResultSet.close();
>>> -}
>>> -if (updatePstmt != null) {
>>> -updatePstmt.close();
>>> -}
>>> -} catch (SQLException e) {
>>> -}
>>>
>>
>> Why are we removing closing statements and resultsets here?
>
> because of the try-with-resource (automatic closing of resources)
>
>>
>>
>>> }
>>> s_logger.debug("Done upgrading RAM for service offering of
>>> internal loadbalancer vm to " + newRamSize);
>>> }
>>> @@ -188,6 +171,8 @@ public class Upgrade442to450 implements DbUpgrade {
>>> break;
>>> case LXC:
>>> hypervisorsListInUse.add(Hypervisor.HypervisorType.LXC);
>>> break;
>>> +default:  // no action on cases Any, BareMetal,
>>> None, Ovm, Parralels, Simulator and VirtualBox:
>>> +break;
>>> }
>>> }
>>> } catch (SQLException e) {
>>> @@ -258,6 +243,8 @@ public class Upgrade442to450 imple

RE: Re:CloudStack Quality Process

[Paul Angus]

I'll throw my hat in the ring and do whatever my skillset allows.



Regards,

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: ChunFeng [mailto:chunf...@domolo.com]
Sent: 02 December 2014 00:31
To: dev
Subject: Re:CloudStack Quality Process

Hi Steve,


I am now focus on test automation , and I willing to be one of this team.

--
Regards,
ChunFeng


@accesine







-- Original --
From:  "Steve Wilson";
Date:  Tue, Dec 2, 2014 03:12 AM
To:  "dev@cloudstack.apache.org";

Subject:  CloudStack Quality Process


Hi Everyone,

It was great to get to see a number of you at the recent CCC in Budapest.  
While I was there, I got to meet face to face with individuals working for 
several companies that have a real stake in the commercial success of the 
CloudStack project.

After joining Citrix (and becoming involved in CloudStack) about a year ago, 
I’ve come to believe that we need to do more to mature our quality practices 
around this codebase.  We all like to say #cloudstackworks (and it’s true), but 
this is a massive codebase that’s used in the most demanding situations.  We 
have large telecommunications companies and enterprises who are betting their 
businesses on this software.  It has to be great!

There has been quite a bit of discussion on the mailing list in recent months 
about how we improve in this area.  There is plenty of passion, but we haven’t 
made enough concrete progress as a community.  In my discussions with key 
contributors as CCC, there was general agreement that the DEV list isn’t a good 
forum for hashing out these kinds of things.  Email is too low-bandwidth and 
too impersonal.

At CCC, I discussed with several people the idea that we commission a small sub 
team to go hash out a proposal for how we handle the following topics within 
the ACS community (which can then be brought back to the larger community for 
ratification):

  *   Continuous integration and test automation
  *   Gating of commits
  *   Overall commit workflow

We are looking for volunteers to commit to being part of this team.  This would 
imply a serious commitment.  We don’t want hangers on or observers. This will 
entail real work and late night meetings.  We’re looking for people who are 
serious contributors to the codebase.

From Citrix, David Nalley and Animesh Chaturvedi have booth told me they’re 
willing to commit to this project.  They’ve both managed ACS releases and have 
a really good view into the current process — and I know both are passionate 
about improving our process.  From my CCC discussions, I believe there are 
individuals from Schuberg Philis, Shape Blue and Cloud Ops who are willing to 
commit to this process.

If you are willing to be part of this team to drive forward our community, 
please reply here.

Thanks,

-Steve

Steve Wilson
VP & Product Unit Manager
Cloud Software
Citrix
@virtualsteve
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment framework
CloudStack Consulting
CloudStack Software 
Engineering
CloudStack Infrastructure 
Support
CloudStack Bootcamp Training Courses

This email and any attachments to it may be confidential and are intended 
solely for the use of the individual to whom it is addressed. Any views or 
opinions expressed are solely those of the author and do not necessarily 
represent those of Shape Blue Ltd or related companies. If you are not the 
intended recipient of this email, you must neither take any action based upon 
its contents, nor copy or show it to anyone. Please contact the sender if you 
believe you have received this email in error. Shape Blue Ltd is a company 
incorporated in England & Wales. ShapeBlue Services India LLP is a company 
incorporated in India and is operated under license from Shape Blue Ltd. Shape 
Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is 
operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company 
registered by The Republic of South Africa and is traded under license from 
Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: CloudStack Quality Process

[Rohit Yadav]

I'll be happy to participate and contribute to this effort.

On Wednesday 03 December 2014 02:04 AM, Paul Angus wrote:

I'll throw my hat in the ring and do whatever my skillset allows.



Regards,

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: ChunFeng [mailto:chunf...@domolo.com]
Sent: 02 December 2014 00:31
To: dev
Subject: Re:CloudStack Quality Process

Hi Steve,


I am now focus on test automation , and I willing to be one of this team.

--
Regards,
ChunFeng


@accesine







-- Original --
From:  "Steve Wilson";
Date:  Tue, Dec 2, 2014 03:12 AM
To:  "dev@cloudstack.apache.org";

Subject:  CloudStack Quality Process


Hi Everyone,

It was great to get to see a number of you at the recent CCC in Budapest.  
While I was there, I got to meet face to face with individuals working for 
several companies that have a real stake in the commercial success of the 
CloudStack project.

After joining Citrix (and becoming involved in CloudStack) about a year ago, 
I’ve come to believe that we need to do more to mature our quality practices 
around this codebase.  We all like to say #cloudstackworks (and it’s true), but 
this is a massive codebase that’s used in the most demanding situations.  We 
have large telecommunications companies and enterprises who are betting their 
businesses on this software.  It has to be great!

There has been quite a bit of discussion on the mailing list in recent months 
about how we improve in this area.  There is plenty of passion, but we haven’t 
made enough concrete progress as a community.  In my discussions with key 
contributors as CCC, there was general agreement that the DEV list isn’t a good 
forum for hashing out these kinds of things.  Email is too low-bandwidth and 
too impersonal.

At CCC, I discussed with several people the idea that we commission a small sub 
team to go hash out a proposal for how we handle the following topics within 
the ACS community (which can then be brought back to the larger community for 
ratification):

   *   Continuous integration and test automation
   *   Gating of commits
   *   Overall commit workflow

We are looking for volunteers to commit to being part of this team.  This would 
imply a serious commitment.  We don’t want hangers on or observers. This will 
entail real work and late night meetings.  We’re looking for people who are 
serious contributors to the codebase.

 From Citrix, David Nalley and Animesh Chaturvedi have booth told me they’re 
willing to commit to this project.  They’ve both managed ACS releases and have 
a really good view into the current process — and I know both are passionate 
about improving our process.  From my CCC discussions, I believe there are 
individuals from Schuberg Philis, Shape Blue and Cloud Ops who are willing to 
commit to this process.

If you are willing to be part of this team to drive forward our community, 
please reply here.

Thanks,

-Steve

Steve Wilson
VP & Product Unit Manager
Cloud Software
Citrix
@virtualsteve
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment framework
CloudStack Consulting
CloudStack Software 
Engineering
CloudStack Infrastructure 
Support
CloudStack Bootcamp Training Courses

This email and any attachments to it may be confidential and are intended solely 
for the use of the individual to whom it is addressed. Any views or opinions 
expressed are solely those of the author and do not necessarily represent those of 
Shape Blue Ltd or related companies. If you are not the intended recipient of this 
email, you must neither take any action based upon its contents, nor copy or show 
it to anyone. Please contact the sender if you believe you have received this email 
in error. Shape Blue Ltd is a company incorporated in England & Wales. 
ShapeBlue Services India LLP is a company incorporated in India and is operated 
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company 
incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue 
SA Pty Ltd is a company registered by The Republic of South Africa and is traded 
under license from Shape Blue Ltd. ShapeBlue is a registered trademark.



--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab

Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment frame

Re: A secure way to reset VMs password

[John Kinsella]

That password reset infrastructure has bigger issues than just SSL. The server 
side works, but that’s about all I can say for it. This topic comes up every 
6-12 months. :)

I thought there was a Jira entry but I can’t find it…personally I’d love to see 
the client and server sides both rewritten from scratch.

John

> On Nov 28, 2014, at 11:33 AM, Nux!  wrote:
> 
> Jayapal,
> 
> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
> port (8443?), this way SSL and non-SSL connections will still work and give 
> you plenty of time to update your templates, if you so wish.
> 
> Am I missing any important bits here?
> 
> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> - Original Message -
>> From: "Jayapal Reddy Uradi" 
>> To: "" 
>> Cc: "Alireza Eskandari" 
>> Sent: Friday, 28 November, 2014 09:34:02
>> Subject: Re: A secure way to reset VMs password
> 
>> Another point to note is all the vms in production has to update
>> with the new cloud-set-guest-password scripts because of the new password 
>> reset
>> method.
>> 
>> Thanks,
>> Jayapal
>> 
>> 
>> 
>> On 28-Nov-2014, at 2:28 PM, Erik Weber 
>> wrote:
>> 
>>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>>> astro.alir...@yahoo.com.invalid> wrote:
>>> 
 HiI viewed the bash script that resets Linux password (
 http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
 seems that it doesn't use a secure way for transferring password string to
 instance.Instances on a shared network can sniff password requests and
 export requested password of other instances.I suggest to use SSL (https)
 instead of plan text.Regards
 
 
>>> I like the idea, but there's a couple of obstacles to overcome, namely
>>> which SSL certificates to use.
>>> - certificates need a subject name, ie. IP or hostname for web pages, you
>>> could solve this by making the mgmt server a CA and have each VR get a
>>> signed certificate by it, but it's complicated
>>> - if the community bundle a pre generated certificate it is commonly known
>>> and not to be trusted, also not sure how to handle subject name
>>> - assuming everyone to supply a valid certificate is quite complicated (CA
>>> must be on VR etc), and makes it considerably harder to get a working setup
>>> - using self signed causes issues with validation
>>> 
>>> 
>>> Don't get me wrong, I love the idea, but it's not just to flip a switch and
>>> have (proper) SSL in place.
>>> 
>>> --
>>> Erik

Re: Review Request 28579: CLOUDSTACK-7996: Fixed the script "test_tags.py" - Tags and Template should belong to the User Account to test the case

[sangeetha hariharan]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28579/#review63580
---

Ship it!


Ship It!

- sangeetha hariharan


On Dec. 1, 2014, 10:35 p.m., Chandan Purushothama wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28579/
> ---
> 
> (Updated Dec. 1, 2014, 10:35 p.m.)
> 
> 
> Review request for cloudstack and sangeetha hariharan.
> 
> 
> Bugs: CLOUDSTACK-7996
> https://issues.apache.org/jira/browse/CLOUDSTACK-7996
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Currently the tags and template belong to the Admin Account and not the User 
> Account. Listing tags is being done as the regular User Account. This results 
> in test case failure as no tags are returned to the regular User. Hence the 
> inconsistency in creation of template, tags and listing them needs to be 
> corrected for the test case to work. 
> 
> 
> Diffs
> -
> 
>   test/integration/component/test_tags.py c5a8ced 
> 
> Diff: https://reviews.apache.org/r/28579/diff/
> 
> 
> Testing
> ---
> 
> Test creation, listing and deletion tag on templates ... === TestName: 
> test_06_template_tag | Status : SUCCESS ===
> ok
> 
> --
> Ran 1 test in 441.116s
> 
> OK
> 
> 
> Thanks,
> 
> Chandan Purushothama
> 
>

Re: A secure way to reset VMs password

[Chiradeep Vittal]

You would need client-side certs as well since the password server needs to be 
able to validate WHO is asking for the password. Currently it is based on the 
client's IP address.
Also the current scheme is a single-use password — as soon as the password is 
retrieved, it is not available to anybody else (of course a MITM could sniff 
the first exchange).

You could eliminate a lot of MITM-style attacks by running the password server 
locally on each hypervisor (hard for VMW), or by attaching an ISO (containing 
the password) to the VM.

From: John Kinsella mailto:j...@stratosec.co>>
Reply-To: "dev@cloudstack.apache.org" 
mailto:dev@cloudstack.apache.org>>
Date: Tuesday, December 2, 2014 at 1:32 PM
To: "dev@cloudstack.apache.org" 
mailto:dev@cloudstack.apache.org>>
Subject: Re: A secure way to reset VMs password

That password reset infrastructure has bigger issues than just SSL. The server 
side works, but that’s about all I can say for it. This topic comes up every 
6-12 months. :)

I thought there was a Jira entry but I can’t find it…personally I’d love to see 
the client and server sides both rewritten from scratch.

John

On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
wrote:
Jayapal,
Not necesarily, one could run stunnel or nginx as SSL proxy on some other port 
(8443?), this way SSL and non-SSL connections will still work and give you 
plenty of time to update your templates, if you so wish.
Am I missing any important bits here?
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
- Original Message -
From: "Jayapal Reddy Uradi" 
mailto:jayapalreddy.ur...@citrix.com>>
To: "mailto:dev@cloudstack.apache.org>>" 
mailto:dev@cloudstack.apache.org>>
Cc: "Alireza Eskandari" 
mailto:astro.alir...@yahoo.com>>
Sent: Friday, 28 November, 2014 09:34:02
Subject: Re: A secure way to reset VMs password
Another point to note is all the vms in production has to update
with the new cloud-set-guest-password scripts because of the new password reset
method.
Thanks,
Jayapal
On 28-Nov-2014, at 2:28 PM, Erik Weber 
mailto:terbol...@gmail.com>>
wrote:
On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
astro.alir...@yahoo.com.invalid> wrote:
HiI viewed the bash script that resets Linux password (
http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
seems that it doesn't use a secure way for transferring password string to
instance.Instances on a shared network can sniff password requests and
export requested password of other instances.I suggest to use SSL (https)
instead of plan text.Regards
I like the idea, but there's a couple of obstacles to overcome, namely
which SSL certificates to use.
- certificates need a subject name, ie. IP or hostname for web pages, you
could solve this by making the mgmt server a CA and have each VR get a
signed certificate by it, but it's complicated
- if the community bundle a pre generated certificate it is commonly known
and not to be trusted, also not sure how to handle subject name
- assuming everyone to supply a valid certificate is quite complicated (CA
must be on VR etc), and makes it considerably harder to get a working setup
- using self signed causes issues with validation
Don't get me wrong, I love the idea, but it's not just to flip a switch and
have (proper) SSL in place.
--
Erik

RE: review board cleanup

[Animesh Chaturvedi]

> -Original Message-
> From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com]
> Sent: Friday, November 28, 2014 1:44 AM
> To: dev@cloudstack.apache.org
> Subject: Re: review board cleanup
> 
> 
> > On 28-Nov-2014, at 2:43 pm, Rajani Karuturi  wrote:
> >
> > Is there a way to 'force' close a review if its already submitted?
> 
> Some of us can do it. I went through some of them yesterday and closed a few.
> There are many review requests on it which are too old and lack information.
> I’m not sure what to do with them.
[Animesh] Call the list out here for things older than 6 months and  provide a 
week to respond failing which we can close them out.
> 
> I’ll try to close a few more today.
> 
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> 
> 
> 
> Find out more about ShapeBlue and our range of CloudStack related services
> 
> IaaS Cloud Design & Build
> CSForge – rapid IaaS deployment framework
> CloudStack Consulting
> CloudStack Software Engineering engineering/>
> CloudStack Infrastructure Support infrastructure-support/>
> CloudStack Bootcamp Training Courses training/>
> 
> This email and any attachments to it may be confidential and are intended 
> solely
> for the use of the individual to whom it is addressed. Any views or opinions
> expressed are solely those of the author and do not necessarily represent 
> those
> of Shape Blue Ltd or related companies. If you are not the intended recipient 
> of
> this email, you must neither take any action based upon its contents, nor 
> copy or
> show it to anyone. Please contact the sender if you believe you have received
> this email in error. Shape Blue Ltd is a company incorporated in England & 
> Wales.
> ShapeBlue Services India LLP is a company incorporated in India and is 
> operated
> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape Blue
> Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South
> Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a 
> registered
> trademark.

Review Request 28611: CLOUDSTACK-8007: Fixed the script 'test_vm_passwdenabled.py' - Template created by Admin should have public access to be used for regular User VM Deployment

[Chandan Purushothama]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28611/
---

Review request for cloudstack and sangeetha hariharan.


Bugs: CLOUDSTACK-8007
https://issues.apache.org/jira/browse/CLOUDSTACK-8007


Repository: cloudstack-git


Description
---

Based on Fix for CLOUDSTACK-7394, Caller should be owner after creating 
template from snapshot/volume. Since the Admin created the template from the 
Volume, the Admin is the owner of the private template. In order to deploy a VM 
for the Regular Account the template created by Admin should have public Access.


Diffs
-

  test/integration/component/test_vm_passwdenabled.py 1b556da 

Diff: https://reviews.apache.org/r/28611/diff/


Testing
---

Test get VM password for password enabled template ... === TestName: 
test_11_get_vm_password | Status : SUCCESS ===
ok

--
Ran 1 test in 706.715s

OK


Thanks,

Chandan Purushothama

Re: [ACS44] release 4.4.2 imminent

[Rohit Yadav]

CloudStack 4.4.2 deb/rpm repository is available now, for more information and 
release notes, checkout:
http://shapeblue.com/packages

> On 18-Nov-2014, at 1:20 am, Andrija Panic  wrote:
>
> Upgrade fine for me - no issues at all... - from the RPMs snapshots
>
> On 17 November 2014 14:36, Daan Hoogland  wrote:
>
>> On Mon, Nov 17, 2014 at 2:12 PM, Pierre-Luc Dion 
>> wrote:
>>> Trying devcloud4 with 4.4 branch  and I'm having this issue:
>>
>>> I don't see the schema-441to442.sql files in the db folder too.
>>>
>>> does 442 is on a different branch?
>>
>> no, I added the file locallly and forgot to commit. it is pushed now, sorry
>>
>>
>> --
>> Daan
>>
>
>
>
> --
>
> Andrija Panić
> --
>  http://admintweets.com
> --

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment framework
CloudStack Consulting
CloudStack Software 
Engineering
CloudStack Infrastructure 
Support
CloudStack Bootcamp Training Courses

This email and any attachments to it may be confidential and are intended 
solely for the use of the individual to whom it is addressed. Any views or 
opinions expressed are solely those of the author and do not necessarily 
represent those of Shape Blue Ltd or related companies. If you are not the 
intended recipient of this email, you must neither take any action based upon 
its contents, nor copy or show it to anyone. Please contact the sender if you 
believe you have received this email in error. Shape Blue Ltd is a company 
incorporated in England & Wales. ShapeBlue Services India LLP is a company 
incorporated in India and is operated under license from Shape Blue Ltd. Shape 
Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is 
operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company 
registered by The Republic of South Africa and is traded under license from 
Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat

[Will Stevens]

I have gotten a bit side tracked with other work today.  I have pushed this
change to master and I have verified that everything is working correctly.

I will be pushing a MERGE REQUEST for the same (ish) change to the 4.5
branch.  Once it is committed I will validate that everything works as
expected since I have to kick off a build of the system vms to be positive
that everything works as expected.

Cheers,

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Tue, Dec 2, 2014 at 11:34 AM, Edison Su  wrote:

>
>
> > -Original Message-
> > From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On
> > Behalf Of Will Stevens
> > Sent: Tuesday, December 02, 2014 8:06 AM
> > To: dev@cloudstack.apache.org
> > Subject: Re: 05bec59c - kvm, qcow, systemvm qemu-img -o compat
> >
> > I will do some testing and see what I can come up with.
> >
> > BTW, I would be doing it the reverse of what you said.  I would try to
> specify
> > the 'compat=0.10' option initially and if that is OK, then we are good.
> If it fails
> > (it is currently failing on the 4.5 branch) this is most likely because
> the version
> > of qemu-img does not support the 'compat' option being passed to the
> > convert call (which is what is happening right now on our build
> systems).  In
> > that case, we will want to run the command without the compat option
> > because if it is too old to support the 'compat' option then it will
> have the
> > compat=0.10 default.
> Seems the qemu version is a little bit of mess, I think above method is
> good enough.
> BTW, thanks to look into the issue...
>
> >
> > Basically, I will try it the new way that Edison introduced.  If that
> fails, I will fall
> > back to the way it was being done before Edison's change...
> >
> > Will
> >
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw
> > @CloudOps_
> >
> > On Tue, Dec 2, 2014 at 10:53 AM, Rohit Yadav 
> > wrote:
> >
> > > Hi Will,
> > >
> > > Reply in-line;
> > >
> > > On Tuesday 02 December 2014 08:41 PM, Will Stevens wrote:
> > >
> > >> @Rohit:  If the script is run with 'set -e' it should not be a
> > >> problem because I was planning to do an explicit 'set +e' before the
> > >> call and then a 'set -e' after the call.  This should handle this
> case, no?
> > >>
> > >
> > > Yes, I think that will work as well. If we are not sure about qemu
> > > version, it should be alright to try once without compat and check $?
> > > and retry again with compat option. The only corner case I can think
> > > of is when qemu-img genuinely exits with a non-zero exit code during
> > > image conversion.
> > >
> > >
> > >> @Nux: When you say "EL7 comes with qemu-img 1.5.3 and it requires the
> > >> compat option", what do you mean by that?  Are you saying that if you
> > >> run the build system vms job on EL7, that you have to specify the
> > >> compat option even though it comes with qemu-img 1.5.3?  That should
> > >> not be the case because the default compat flag should not have been
> > >> changed till 1.7.  If you are talking about having a KVM host which
> > >> runs EL7 and has a qemu-img version of 1.5.3, then that is not really
> > >> relevant for this bash script.
> > >> The version of qemu-img which this script  checking is the version on
> > >> the build system, not on the KVM host.  It is validating if the
> > >> compat option needs to be passed to the 'qemu-img convert' command in
> > >> order for the image to have the 'compat=0.10' option set.  We are not
> > >> debating that the 'compat=0.10' option needs to be set, that is for
> > >> sure.  We are determining when it needs to be explicitly set on the
> > >> build systems.
> > >>
> > >> In short...
> > >> Jenkins kicks off a job to build the system vms.  This build system
> > >> could have one of many different qemu-img versions.  When this script
> > >> runs on the build system, we need to determine which command needs
> > to
> > >> be run in order to output a 'compat=0.10' compatible image.
> > >>
> > >> I will do some testing with Edison's suggestion and see if I can come
> > >> up with a solution that way as well and then we can pick which we
> > >> want to implement.
> > >>
> > >> Cheers,
> > >>
> > >> Will
> > >>
> > >>
> > >> *Will STEVENS*
> > >> Lead Developer
> > >>
> > >> *CloudOps* *| *Cloud Solutions Experts
> > >>
> > >> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|*
> > tw
> > >> @CloudOps_
> > >>
> > >> On Tue, Dec 2, 2014 at 3:32 AM, Nux!  wrote:
> > >>
> > >>  As I said above EL7 comes with qemu-img 1.5.3 and it requires the
> > >> compat
> > >>> option, so it's not only 1.7+.
> > >>> Personally I'm in favour of Will's approach.
> > >>>
> > >>> Lucian
> > >>>
> > >>> --
> > >>> Sent from the Delta quadrant using Borg technology!
> > >>>
> > >>> 

[MERGE REQUEST] hotfix/4.5-7959

[Will Stevens]

I have tested the equivalent fix in master and it is working perfectly.
The code in 4.5 is a bit different, but this should fix it in 4.5.  I have
tested the basic logic on my system, but once this gets merged I will kick
off a 4.5 build of the system vms to verify that it fixes the build systems
(they are currently broken).

This fix is related to this issue:
https://issues.apache.org/jira/browse/CLOUDSTACK-7959

---

I have created a separate topic in the dev list to discuss the workflow I
am using here...

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

[DISCUSS] "MERGE REQUEST"

[Will Stevens]

I just posted a topic called: [MERGE REQUEST] hotfix/4.5-7959

This is a workflow that I am going to adopt and test out for a little while
to see if it has real benefits.  I have added some notes below as to why I
decided to start doing this.  This came out of a lot of conversations at
CCCEU.

I am going to adopt this approach for getting fixes merged into release
branches.  The 'hotfix' branch method that we adopted for 4.4 seems to work
very well, so I want to continue to use a similar technique.

In addition to the benefits that we got from the hotfix branches,
requesting a MERGE REQUEST also gives us the following benefits:
- If the branch's release manager wants to manage all of the commits they
can, but not every release manager wants to have to do every merge.  This
way a release manager can delegate some helpers who they trust to help them
merge in hotfixes.
- This seems to me like the cheapest (least overhead) way to implement some
basic peer review of commits.  Yes, I have access to commit directly to the
4.5 branch, but that does not mean that I should.  This way we at least get
another committers approval before changes get merged.
- As a committer, it is my responsibility for creating a hotfix branch for
each of the releases my change fixes and test them.  This way me as the
developer who made the initial changes can make sure there will not be
merge conflicts in the other branches when I create my hotfix branches.
This will simplify the job for the release managers and will reduce the
need for cherry picking.  If I am asking for multiple hotfixes for the same
issue I could do the following; [MERGE REQUEST] hotfix/4.4-1234,
hotfix/4.5-1234  then the respective release managers or delegates can
merge the hotfixes and post back MERGED so there is a bit of a feedback
loop.

Anyway, this is a workflow I am going to adopt for changes to the release
branches and we will see if there are any issues with it.  If you have
ideas to improve this, please join the conversation...

Cheers,

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

Re: A secure way to reset VMs password

[Alireza Eskandari]

A stupid question!
I can't find the source of windows version of password manager! Where is it?

Sent from Samsung Mobile.

 Original message From: Chiradeep Vittal 
 Date:03/12/2014  02:05  (GMT+03:30) 
To: dev@cloudstack.apache.org Subject: Re: A secure way 
to reset VMs password 
You would need client-side certs as well since the password server needs 
to be able to validate WHO is asking for the password. Currently it is based on 
the client's IP address.
Also the current scheme is a single-use password — as soon as the password is 
retrieved, it is not available to anybody else (of course a MITM could sniff 
the first exchange).

You could eliminate a lot of MITM-style attacks by running the password server 
locally on each hypervisor (hard for VMW), or by attaching an ISO (containing 
the password) to the VM.

From: John Kinsella mailto:j...@stratosec.co>>
Reply-To: "dev@cloudstack.apache.org" 
mailto:dev@cloudstack.apache.org>>
Date: Tuesday, December 2, 2014 at 1:32 PM
To: "dev@cloudstack.apache.org" 
mailto:dev@cloudstack.apache.org>>
Subject: Re: A secure way to reset VMs password

That password reset infrastructure has bigger issues than just SSL. The server 
side works, but that’s about all I can say for it. This topic comes up every 
6-12 months. :)

I thought there was a Jira entry but I can’t find it…personally I’d love to see 
the client and server sides both rewritten from scratch.

John

On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
wrote:
Jayapal,
Not necesarily, one could run stunnel or nginx as SSL proxy on some other port 
(8443?), this way SSL and non-SSL connections will still work and give you 
plenty of time to update your templates, if you so wish.
Am I missing any important bits here?
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
- Original Message -
From: "Jayapal Reddy Uradi" 
mailto:jayapalreddy.ur...@citrix.com>>
To: "mailto:dev@cloudstack.apache.org>>" 
mailto:dev@cloudstack.apache.org>>
Cc: "Alireza Eskandari" 
mailto:astro.alir...@yahoo.com>>
Sent: Friday, 28 November, 2014 09:34:02
Subject: Re: A secure way to reset VMs password
Another point to note is all the vms in production has to update
with the new cloud-set-guest-password scripts because of the new password reset
method.
Thanks,
Jayapal
On 28-Nov-2014, at 2:28 PM, Erik Weber 
mailto:terbol...@gmail.com>>
wrote:
On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
astro.alir...@yahoo.com.invalid> wrote:
HiI viewed the bash script that resets Linux password (
http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
seems that it doesn't use a secure way for transferring password string to
instance.Instances on a shared network can sniff password requests and
export requested password of other instances.I suggest to use SSL (https)
instead of plan text.Regards
I like the idea, but there's a couple of obstacles to overcome, namely
which SSL certificates to use.
- certificates need a subject name, ie. IP or hostname for web pages, you
could solve this by making the mgmt server a CA and have each VR get a
signed certificate by it, but it's complicated
- if the community bundle a pre generated certificate it is commonly known
and not to be trusted, also not sure how to handle subject name
- assuming everyone to supply a valid certificate is quite complicated (CA
must be on VR etc), and makes it considerably harder to get a working setup
- using self signed causes issues with validation
Don't get me wrong, I love the idea, but it's not just to flip a switch and
have (proper) SSL in place.
--
Erik

Re: A secure way to reset VMs password

[Carlos Reategui]

Why do passwords at all?  Why not just use ssh keys like AWS does. The 
functionality is already there just not in the ACS UI. Cloud-init already 
supports it which is available in most distros and therefore would not require 
CS specific scripts. At least not for linux. On windows I'm not exactly sure 
how AWS does it but I think it is also some kind of terminal services 
certificates so I think it could be made to work too. 

-Carlos



> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
> wrote:
> 
> You would need client-side certs as well since the password server needs to 
> be able to validate WHO is asking for the password. Currently it is based on 
> the client's IP address.
> Also the current scheme is a single-use password — as soon as the password is 
> retrieved, it is not available to anybody else (of course a MITM could sniff 
> the first exchange).
> 
> You could eliminate a lot of MITM-style attacks by running the password 
> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
> (containing the password) to the VM.
> 
> From: John Kinsella mailto:j...@stratosec.co>>
> Reply-To: "dev@cloudstack.apache.org" 
> mailto:dev@cloudstack.apache.org>>
> Date: Tuesday, December 2, 2014 at 1:32 PM
> To: "dev@cloudstack.apache.org" 
> mailto:dev@cloudstack.apache.org>>
> Subject: Re: A secure way to reset VMs password
> 
> That password reset infrastructure has bigger issues than just SSL. The 
> server side works, but that’s about all I can say for it. This topic comes up 
> every 6-12 months. :)
> 
> I thought there was a Jira entry but I can’t find it…personally I’d love to 
> see the client and server sides both rewritten from scratch.
> 
> John
> 
> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
> wrote:
> Jayapal,
> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
> port (8443?), this way SSL and non-SSL connections will still work and give 
> you plenty of time to update your templates, if you so wish.
> Am I missing any important bits here?
> Lucian
> --
> Sent from the Delta quadrant using Borg technology!
> Nux!
> www.nux.ro
> - Original Message -
> From: "Jayapal Reddy Uradi" 
> mailto:jayapalreddy.ur...@citrix.com>>
> To: "mailto:dev@cloudstack.apache.org>>" 
> mailto:dev@cloudstack.apache.org>>
> Cc: "Alireza Eskandari" 
> mailto:astro.alir...@yahoo.com>>
> Sent: Friday, 28 November, 2014 09:34:02
> Subject: Re: A secure way to reset VMs password
> Another point to note is all the vms in production has to update
> with the new cloud-set-guest-password scripts because of the new password 
> reset
> method.
> Thanks,
> Jayapal
> On 28-Nov-2014, at 2:28 PM, Erik Weber 
> mailto:terbol...@gmail.com>>
> wrote:
> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
> astro.alir...@yahoo.com.invalid> 
> wrote:
> HiI viewed the bash script that resets Linux password (
> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
> seems that it doesn't use a secure way for transferring password string to
> instance.Instances on a shared network can sniff password requests and
> export requested password of other instances.I suggest to use SSL (https)
> instead of plan text.Regards
> I like the idea, but there's a couple of obstacles to overcome, namely
> which SSL certificates to use.
> - certificates need a subject name, ie. IP or hostname for web pages, you
> could solve this by making the mgmt server a CA and have each VR get a
> signed certificate by it, but it's complicated
> - if the community bundle a pre generated certificate it is commonly known
> and not to be trusted, also not sure how to handle subject name
> - assuming everyone to supply a valid certificate is quite complicated (CA
> must be on VR etc), and makes it considerably harder to get a working setup
> - using self signed causes issues with validation
> Don't get me wrong, I love the idea, but it's not just to flip a switch and
> have (proper) SSL in place.
> --
> Erik
> 
> 

Re: A secure way to reset VMs password

[John Kinsella]

Correct...I've chatted with Folks in the past, it wasnt open-sourced.

Excuse any typos - sent from mobile device

> On Dec 2, 2014, at 20:50, Alireza Eskandari  
> wrote:
> 
> A stupid question!
> I can't find the source of windows version of password manager! Where is it?
> 
> Sent from Samsung Mobile.
> 
>  Original message From: Chiradeep Vittal 
>  Date:03/12/2014  02:05  (GMT+03:30) 
> To: dev@cloudstack.apache.org Subject: Re: A secure way 
> to reset VMs password 
> You would need client-side certs as well since the password server 
> needs to be able to validate WHO is asking for the password. Currently it is 
> based on the client's IP address.
> Also the current scheme is a single-use password — as soon as the password is 
> retrieved, it is not available to anybody else (of course a MITM could sniff 
> the first exchange).
> 
> You could eliminate a lot of MITM-style attacks by running the password 
> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
> (containing the password) to the VM.
> 
> From: John Kinsella mailto:j...@stratosec.co>>
> Reply-To: "dev@cloudstack.apache.org" 
> mailto:dev@cloudstack.apache.org>>
> Date: Tuesday, December 2, 2014 at 1:32 PM
> To: "dev@cloudstack.apache.org" 
> mailto:dev@cloudstack.apache.org>>
> Subject: Re: A secure way to reset VMs password
> 
> That password reset infrastructure has bigger issues than just SSL. The 
> server side works, but that’s about all I can say for it. This topic comes up 
> every 6-12 months. :)
> 
> I thought there was a Jira entry but I can’t find it…personally I’d love to 
> see the client and server sides both rewritten from scratch.
> 
> John
> 
> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
> wrote:
> Jayapal,
> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
> port (8443?), this way SSL and non-SSL connections will still work and give 
> you plenty of time to update your templates, if you so wish.
> Am I missing any important bits here?
> Lucian
> --
> Sent from the Delta quadrant using Borg technology!
> Nux!
> www.nux.ro
> - Original Message -
> From: "Jayapal Reddy Uradi" 
> mailto:jayapalreddy.ur...@citrix.com>>
> To: "mailto:dev@cloudstack.apache.org>>" 
> mailto:dev@cloudstack.apache.org>>
> Cc: "Alireza Eskandari" 
> mailto:astro.alir...@yahoo.com>>
> Sent: Friday, 28 November, 2014 09:34:02
> Subject: Re: A secure way to reset VMs password
> Another point to note is all the vms in production has to update
> with the new cloud-set-guest-password scripts because of the new password 
> reset
> method.
> Thanks,
> Jayapal
> On 28-Nov-2014, at 2:28 PM, Erik Weber 
> mailto:terbol...@gmail.com>>
> wrote:
> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
> astro.alir...@yahoo.com.invalid> 
> wrote:
> HiI viewed the bash script that resets Linux password (
> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
> seems that it doesn't use a secure way for transferring password string to
> instance.Instances on a shared network can sniff password requests and
> export requested password of other instances.I suggest to use SSL (https)
> instead of plan text.Regards
> I like the idea, but there's a couple of obstacles to overcome, namely
> which SSL certificates to use.
> - certificates need a subject name, ie. IP or hostname for web pages, you
> could solve this by making the mgmt server a CA and have each VR get a
> signed certificate by it, but it's complicated
> - if the community bundle a pre generated certificate it is commonly known
> and not to be trusted, also not sure how to handle subject name
> - assuming everyone to supply a valid certificate is quite complicated (CA
> must be on VR etc), and makes it considerably harder to get a working setup
> - using self signed causes issues with validation
> Don't get me wrong, I love the idea, but it's not just to flip a switch and
> have (proper) SSL in place.
> --
> Erik
> 
> 

Re: A secure way to reset VMs password

[John Kinsella]

It's not our place to enforce how users authenticate to their VMs. We provide 
flexible options, suggest best practices, and let them use the tool as best 
suits their needs.

Excuse any typos - sent from mobile device

> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
> 
> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
> functionality is already there just not in the ACS UI. Cloud-init already 
> supports it which is available in most distros and therefore would not 
> require CS specific scripts. At least not for linux. On windows I'm not 
> exactly sure how AWS does it but I think it is also some kind of terminal 
> services certificates so I think it could be made to work too. 
> 
> -Carlos
> 
> 
> 
>> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
>> wrote:
>> 
>> You would need client-side certs as well since the password server needs to 
>> be able to validate WHO is asking for the password. Currently it is based on 
>> the client's IP address.
>> Also the current scheme is a single-use password — as soon as the password 
>> is retrieved, it is not available to anybody else (of course a MITM could 
>> sniff the first exchange).
>> 
>> You could eliminate a lot of MITM-style attacks by running the password 
>> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
>> (containing the password) to the VM.
>> 
>> From: John Kinsella mailto:j...@stratosec.co>>
>> Reply-To: "dev@cloudstack.apache.org" 
>> mailto:dev@cloudstack.apache.org>>
>> Date: Tuesday, December 2, 2014 at 1:32 PM
>> To: "dev@cloudstack.apache.org" 
>> mailto:dev@cloudstack.apache.org>>
>> Subject: Re: A secure way to reset VMs password
>> 
>> That password reset infrastructure has bigger issues than just SSL. The 
>> server side works, but that’s about all I can say for it. This topic comes 
>> up every 6-12 months. :)
>> 
>> I thought there was a Jira entry but I can’t find it…personally I’d love to 
>> see the client and server sides both rewritten from scratch.
>> 
>> John
>> 
>> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
>> wrote:
>> Jayapal,
>> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
>> port (8443?), this way SSL and non-SSL connections will still work and give 
>> you plenty of time to update your templates, if you so wish.
>> Am I missing any important bits here?
>> Lucian
>> --
>> Sent from the Delta quadrant using Borg technology!
>> Nux!
>> www.nux.ro
>> - Original Message -
>> From: "Jayapal Reddy Uradi" 
>> mailto:jayapalreddy.ur...@citrix.com>>
>> To: "mailto:dev@cloudstack.apache.org>>" 
>> mailto:dev@cloudstack.apache.org>>
>> Cc: "Alireza Eskandari" 
>> mailto:astro.alir...@yahoo.com>>
>> Sent: Friday, 28 November, 2014 09:34:02
>> Subject: Re: A secure way to reset VMs password
>> Another point to note is all the vms in production has to update
>> with the new cloud-set-guest-password scripts because of the new password 
>> reset
>> method.
>> Thanks,
>> Jayapal
>> On 28-Nov-2014, at 2:28 PM, Erik Weber 
>> mailto:terbol...@gmail.com>>
>> wrote:
>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>> astro.alir...@yahoo.com.invalid> 
>> wrote:
>> HiI viewed the bash script that resets Linux password (
>> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
>> seems that it doesn't use a secure way for transferring password string to
>> instance.Instances on a shared network can sniff password requests and
>> export requested password of other instances.I suggest to use SSL (https)
>> instead of plan text.Regards
>> I like the idea, but there's a couple of obstacles to overcome, namely
>> which SSL certificates to use.
>> - certificates need a subject name, ie. IP or hostname for web pages, you
>> could solve this by making the mgmt server a CA and have each VR get a
>> signed certificate by it, but it's complicated
>> - if the community bundle a pre generated certificate it is commonly known
>> and not to be trusted, also not sure how to handle subject name
>> - assuming everyone to supply a valid certificate is quite complicated (CA
>> must be on VR etc), and makes it considerably harder to get a working setup
>> - using self signed causes issues with validation
>> Don't get me wrong, I love the idea, but it's not just to flip a switch and
>> have (proper) SSL in place.
>> --
>> Erik
>> 
>> 

Re: CI improvment part 1

[Rohit Yadav]

Hi Edison,

Just curious, any update on the pytest effort? Thanks.

On Friday 26 September 2014 10:13 AM, Edison Su wrote:

Highlights the improvements on marvin I made in these days on pytest branch:
1. Switch test framework from nose to pytest, while also maintain the 
back-compatibility for existing test cases.
 pytest is more flexible than nose, more enjoyable to work with.
2. Speed up test speed a LOT: It only takes 250-300 seconds for a single run 
for all the test cases under test/integration/smoke folder, while it usually 
takes 40 minutes to run before.
The speed up is coming from running test cases in parallel. pytest-xdist is 
modified to fix the issue: 
https://bitbucket.org/hpk42/pytest/issue/175/way-to-control-how-pytest-xdist-runs-tests.
 we have a lot of existing test cases have to run in sequence per test class.
3. Add a new Jenkins job at http://jenkins.buildacloud.org/job/fastsimulatorbuild/, 
which only takes 22 minutes for a full cycle build&test.
 A new VM is created on digitalocean: 4G memory, 40G SSD, and added into 
Jenkins.buildacloud.org. SSD is life saver, it really makes big difference 
during build/test.
 A new docker image is created, which has all the tools installed in order 
to build and test: e.g. java/mysql/python/git/ installed.
 A new Jenkins job is created to build and test periodically in every 20 
minutes.

So far, the Jenkins job works very well, if everybody ok with what I am doing, 
I want to merge pytest branch into master later. With a quick CI in hand, we 
then can start to think about how to add gerrit into our system.


--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.ya...@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services

IaaS Cloud Design & Build
CSForge – rapid IaaS deployment framework
CloudStack Consulting
CloudStack Software 
Engineering
CloudStack Infrastructure 
Support
CloudStack Bootcamp Training Courses

This email and any attachments to it may be confidential and are intended solely 
for the use of the individual to whom it is addressed. Any views or opinions 
expressed are solely those of the author and do not necessarily represent those of 
Shape Blue Ltd or related companies. If you are not the intended recipient of this 
email, you must neither take any action based upon its contents, nor copy or show 
it to anyone. Please contact the sender if you believe you have received this email 
in error. Shape Blue Ltd is a company incorporated in England & Wales. 
ShapeBlue Services India LLP is a company incorporated in India and is operated 
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company 
incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue 
SA Pty Ltd is a company registered by The Republic of South Africa and is traded 
under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

Re: A secure way to reset VMs password

[Alireza Eskandari]

John, +1If we provide password reset capability it should be secure, if not it 
is better to make it disable at all.About source of windows version, so what 
did we do? Should we write it from scratch? Why it isn't open?I open a jira 
ticket, if you have any comment or suggestion please write 
there.https://issues.apache.org/jira/browse/CLOUDSTACK-8009
Thanks
  From: John Kinsella 
 To: ""  
 Sent: Wednesday, December 3, 2014 9:18 AM
 Subject: Re: A secure way to reset VMs password
   
It's not our place to enforce how users authenticate to their VMs. We provide 
flexible options, suggest best practices, and let them use the tool as best 
suits their needs.

Excuse any typos - sent from mobile device



> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
> 
> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
> functionality is already there just not in the ACS UI. Cloud-init already 
> supports it which is available in most distros and therefore would not 
> require CS specific scripts. At least not for linux. On windows I'm not 
> exactly sure how AWS does it but I think it is also some kind of terminal 
> services certificates so I think it could be made to work too. 
> 
> -Carlos
> 
> 
> 
>> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
>> wrote:
>> 
>> You would need client-side certs as well since the password server needs to 
>> be able to validate WHO is asking for the password. Currently it is based on 
>> the client's IP address.
>> Also the current scheme is a single-use password — as soon as the password 
>> is retrieved, it is not available to anybody else (of course a MITM could 
>> sniff the first exchange).
>> 
>> You could eliminate a lot of MITM-style attacks by running the password 
>> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
>> (containing the password) to the VM.
>> 
>> From: John Kinsella mailto:j...@stratosec.co>>
>> Reply-To: "dev@cloudstack.apache.org" 
>> mailto:dev@cloudstack.apache.org>>
>> Date: Tuesday, December 2, 2014 at 1:32 PM
>> To: "dev@cloudstack.apache.org" 
>> mailto:dev@cloudstack.apache.org>>
>> Subject: Re: A secure way to reset VMs password
>> 
>> That password reset infrastructure has bigger issues than just SSL. The 
>> server side works, but that’s about all I can say for it. This topic comes 
>> up every 6-12 months. :)
>> 
>> I thought there was a Jira entry but I can’t find it…personally I’d love to 
>> see the client and server sides both rewritten from scratch.
>> 
>> John
>> 
>> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
>> wrote:
>> Jayapal,
>> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
>> port (8443?), this way SSL and non-SSL connections will still work and give 
>> you plenty of time to update your templates, if you so wish.
>> Am I missing any important bits here?
>> Lucian
>> --
>> Sent from the Delta quadrant using Borg technology!
>> Nux!
>> www.nux.ro
>> - Original Message -
>> From: "Jayapal Reddy Uradi" 
>> mailto:jayapalreddy.ur...@citrix.com>>
>> To: "mailto:dev@cloudstack.apache.org>>" 
>> mailto:dev@cloudstack.apache.org>>
>> Cc: "Alireza Eskandari" 
>> mailto:astro.alir...@yahoo.com>>
>> Sent: Friday, 28 November, 2014 09:34:02
>> Subject: Re: A secure way to reset VMs password
>> Another point to note is all the vms in production has to update
>> with the new cloud-set-guest-password scripts because of the new password 
>> reset
>> method.
>> Thanks,
>> Jayapal
>> On 28-Nov-2014, at 2:28 PM, Erik Weber 
>> mailto:terbol...@gmail.com>>
>> wrote:
>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>> astro.alir...@yahoo.com.invalid> 
>> wrote:
>> HiI viewed the bash script that resets Linux password (
>> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
>> seems that it doesn't use a secure way for transferring password string to
>> instance.Instances on a shared network can sniff password requests and
>> export requested password of other instances.I suggest to use SSL (https)
>> instead of plan text.Regards
>> I like the idea, but there's a couple of obstacles to overcome, namely
>> which SSL certificates to use.
>> - certificates need a subject name, ie. IP or hostname for web pages, you
>> could solve this by making the mgmt server a CA and have each VR get a
>> signed certificate by it, but it's complicated
>> - if the community bundle a pre generated certificate it is commonly known
>> and not to be trusted, also not sure how to handle subject name
>> - assuming everyone to supply a valid certificate is quite complicated (CA
>> must be on VR etc), and makes it considerably harder to get a working setup
>> - using self signed causes issues with validation
>> Don't get me wrong, I love the idea, but it's not just to flip a switch and
>> have (proper) SSL in place.
>> --
>> Erik
>> 
>> 

Re: A secure way to reset VMs password

[Carlos Reátegui]

I’m all for providing choice, but not when one of them is not a good/secure one.


> On Dec 2, 2014, at 9:48 PM, John Kinsella  wrote:
> 
> It's not our place to enforce how users authenticate to their VMs. We provide 
> flexible options, suggest best practices, and let them use the tool as best 
> suits their needs.
> 
> Excuse any typos - sent from mobile device
> 
>> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
>> 
>> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
>> functionality is already there just not in the ACS UI. Cloud-init already 
>> supports it which is available in most distros and therefore would not 
>> require CS specific scripts. At least not for linux. On windows I'm not 
>> exactly sure how AWS does it but I think it is also some kind of terminal 
>> services certificates so I think it could be made to work too. 
>> 
>> -Carlos
>> 
>> 
>> 
>>> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
>>> wrote:
>>> 
>>> You would need client-side certs as well since the password server needs to 
>>> be able to validate WHO is asking for the password. Currently it is based 
>>> on the client's IP address.
>>> Also the current scheme is a single-use password — as soon as the password 
>>> is retrieved, it is not available to anybody else (of course a MITM could 
>>> sniff the first exchange).
>>> 
>>> You could eliminate a lot of MITM-style attacks by running the password 
>>> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
>>> (containing the password) to the VM.
>>> 
>>> From: John Kinsella mailto:j...@stratosec.co>>
>>> Reply-To: "dev@cloudstack.apache.org" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Date: Tuesday, December 2, 2014 at 1:32 PM
>>> To: "dev@cloudstack.apache.org" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Subject: Re: A secure way to reset VMs password
>>> 
>>> That password reset infrastructure has bigger issues than just SSL. The 
>>> server side works, but that’s about all I can say for it. This topic comes 
>>> up every 6-12 months. :)
>>> 
>>> I thought there was a Jira entry but I can’t find it…personally I’d love to 
>>> see the client and server sides both rewritten from scratch.
>>> 
>>> John
>>> 
>>> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
>>> wrote:
>>> Jayapal,
>>> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
>>> port (8443?), this way SSL and non-SSL connections will still work and give 
>>> you plenty of time to update your templates, if you so wish.
>>> Am I missing any important bits here?
>>> Lucian
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> Nux!
>>> www.nux.ro
>>> - Original Message -
>>> From: "Jayapal Reddy Uradi" 
>>> mailto:jayapalreddy.ur...@citrix.com>>
>>> To: "mailto:dev@cloudstack.apache.org>>" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Cc: "Alireza Eskandari" 
>>> mailto:astro.alir...@yahoo.com>>
>>> Sent: Friday, 28 November, 2014 09:34:02
>>> Subject: Re: A secure way to reset VMs password
>>> Another point to note is all the vms in production has to update
>>> with the new cloud-set-guest-password scripts because of the new password 
>>> reset
>>> method.
>>> Thanks,
>>> Jayapal
>>> On 28-Nov-2014, at 2:28 PM, Erik Weber 
>>> mailto:terbol...@gmail.com>>
>>> wrote:
>>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>>> astro.alir...@yahoo.com.invalid> 
>>> wrote:
>>> HiI viewed the bash script that resets Linux password (
>>> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
>>> seems that it doesn't use a secure way for transferring password string to
>>> instance.Instances on a shared network can sniff password requests and
>>> export requested password of other instances.I suggest to use SSL (https)
>>> instead of plan text.Regards
>>> I like the idea, but there's a couple of obstacles to overcome, namely
>>> which SSL certificates to use.
>>> - certificates need a subject name, ie. IP or hostname for web pages, you
>>> could solve this by making the mgmt server a CA and have each VR get a
>>> signed certificate by it, but it's complicated
>>> - if the community bundle a pre generated certificate it is commonly known
>>> and not to be trusted, also not sure how to handle subject name
>>> - assuming everyone to supply a valid certificate is quite complicated (CA
>>> must be on VR etc), and makes it considerably harder to get a working setup
>>> - using self signed causes issues with validation
>>> Don't get me wrong, I love the idea, but it's not just to flip a switch and
>>> have (proper) SSL in place.
>>> --
>>> Erik
>>> 
>>> 

Review Request 28635: CLOUDSTACK-8003: test_egress_fw_rules.py - Remove test case dependency on each other and improve cleanup code

[Gaurav Aradhye]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28635/
---

Review request for cloudstack and SrikanteswaraRao Talluri.


Bugs: CLOUDSTACK-8003
https://issues.apache.org/jira/browse/CLOUDSTACK-8003


Repository: cloudstack-git


Description
---

Test cases in this test suite use a common account and hence in cleanup 
operations, we explicitly delete all the resources created in a test case.

This adds to the running time of the test cases.
Also in case, there is any issue in cleanup operation, all other test cases 
will get affected.

Hence, it is wise to create a new account for each test cases and delete the 
account in cleanup.


Diffs
-

  test/integration/component/test_egress_fw_rules.py 4f95925 

Diff: https://reviews.apache.org/r/28635/diff/


Testing
---

Yes.

2 test cases failed because db info in my config was wrong.

Test By-default the communication from guest n/w to public n/w is NOT allowed. 
... === TestName: test_01_1_egress_fr1 | Status : SUCCESS ===
ok
Test By-default the communication from guest n/w to public n/w is allowed. ... 
=== TestName: test_01_egress_fr1 | Status : SUCCESS ===
ok
Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. 
... === TestName: test_02_1_egress_fr2 | Status : SUCCESS ===
ok
Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. 
... === TestName: test_02_egress_fr2 | Status : SUCCESS ===
ok
Test Communication blocked with network that is other than specified ... === 
TestName: test_03_1_egress_fr3 | Status : EXCEPTION ===
ERROR
Test Communication blocked with network that is other than specified ... === 
TestName: test_03_egress_fr3 | Status : SUCCESS ===
ok
Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: 
test_04_1_egress_fr4 | Status : FAILED ===
FAIL
Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: 
test_04_egress_fr4 | Status : FAILED ===
FAIL
Test Create Egress rule and check the IP tables ... SKIP: Skip
Test Create Egress rule and check the IP tables ... SKIP: Skip
Test Create Egress rule without CIDR ... === TestName: test_06_1_egress_fr6 | 
Status : SUCCESS ===
ok
Test Create Egress rule without CIDR ... === TestName: test_06_egress_fr6 | 
Status : SUCCESS ===
ok
Test Create Egress rule without End Port ... === TestName: test_07_1_egress_fr7 
| Status : SUCCESS ===
ok
Test Create Egress rule without End Port ... === TestName: test_07_egress_fr7 | 
Status : SUCCESS ===
ok
Test Port Forwarding and Egress Conflict ... SKIP: Skip
Test Port Forwarding and Egress Conflict ... SKIP: Skip
Test Delete Egress rule ... === TestName: test_09_1_egress_fr9 | Status : 
SUCCESS ===
ok
Test Delete Egress rule ... === TestName: test_09_egress_fr9 | Status : SUCCESS 
===
ok
Test Invalid CIDR and Invalid Port ranges ... === TestName: 
test_10_1_egress_fr10 | Status : SUCCESS ===
ok
Test Invalid CIDR and Invalid Port ranges ... === TestName: test_10_egress_fr10 
| Status : SUCCESS ===
ok
Test Regression on Firewall + PF + LB + SNAT ... === TestName: 
test_11_1_egress_fr11 | Status : EXCEPTION ===
ERROR
Test Regression on Firewall + PF + LB + SNAT ... === TestName: 
test_11_egress_fr11 | Status : SUCCESS ===
ok
Test Reboot Router ... === TestName: test_12_1_egress_fr12 | Status : SUCCESS 
===
ok
Test Reboot Router ... === TestName: test_12_egress_fr12 | Status : SUCCESS ===
ok
Test Redundant Router : Master failover ... === TestName: test_13_1_egress_fr13 
| Status : SUCCESS ===
ok
Test Redundant Router : Master failover ... === TestName: test_13_egress_fr13 | 
Status : SUCCESS ===
ok


Thanks,

Gaurav Aradhye

Re: A secure way to reset VMs password

[John Kinsella]

While they might be better than weak passwords, ssh keys are not a silver 
bullet - they're harder to use and a case can be made that they're no more 
secure (think: attacker compromises desktop, accesses ssh key file)

And no, from my previous research, you can't enforce that an ssh key has a 
passphrase...

Excuse any typos - sent from mobile device

> On Dec 2, 2014, at 22:01, Carlos Reátegui  wrote:
> 
> I’m all for providing choice, but not when one of them is not a good/secure 
> one.
> 
> 
>> On Dec 2, 2014, at 9:48 PM, John Kinsella  wrote:
>> 
>> It's not our place to enforce how users authenticate to their VMs. We 
>> provide flexible options, suggest best practices, and let them use the tool 
>> as best suits their needs.
>> 
>> Excuse any typos - sent from mobile device
>> 
>>> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
>>> 
>>> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
>>> functionality is already there just not in the ACS UI. Cloud-init already 
>>> supports it which is available in most distros and therefore would not 
>>> require CS specific scripts. At least not for linux. On windows I'm not 
>>> exactly sure how AWS does it but I think it is also some kind of terminal 
>>> services certificates so I think it could be made to work too. 
>>> 
>>> -Carlos
>>> 
>>> 
>>> 
 On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
 wrote:
 
 You would need client-side certs as well since the password server needs 
 to be able to validate WHO is asking for the password. Currently it is 
 based on the client's IP address.
 Also the current scheme is a single-use password — as soon as the password 
 is retrieved, it is not available to anybody else (of course a MITM could 
 sniff the first exchange).
 
 You could eliminate a lot of MITM-style attacks by running the password 
 server locally on each hypervisor (hard for VMW), or by attaching an ISO 
 (containing the password) to the VM.
 
 From: John Kinsella mailto:j...@stratosec.co>>
 Reply-To: "dev@cloudstack.apache.org" 
 mailto:dev@cloudstack.apache.org>>
 Date: Tuesday, December 2, 2014 at 1:32 PM
 To: "dev@cloudstack.apache.org" 
 mailto:dev@cloudstack.apache.org>>
 Subject: Re: A secure way to reset VMs password
 
 That password reset infrastructure has bigger issues than just SSL. The 
 server side works, but that’s about all I can say for it. This topic comes 
 up every 6-12 months. :)
 
 I thought there was a Jira entry but I can’t find it…personally I’d love 
 to see the client and server sides both rewritten from scratch.
 
 John
 
 On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
 wrote:
 Jayapal,
 Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
 port (8443?), this way SSL and non-SSL connections will still work and 
 give you plenty of time to update your templates, if you so wish.
 Am I missing any important bits here?
 Lucian
 --
 Sent from the Delta quadrant using Borg technology!
 Nux!
 www.nux.ro
 - Original Message -
 From: "Jayapal Reddy Uradi" 
 mailto:jayapalreddy.ur...@citrix.com>>
 To: "mailto:dev@cloudstack.apache.org>>" 
 mailto:dev@cloudstack.apache.org>>
 Cc: "Alireza Eskandari" 
 mailto:astro.alir...@yahoo.com>>
 Sent: Friday, 28 November, 2014 09:34:02
 Subject: Re: A secure way to reset VMs password
 Another point to note is all the vms in production has to update
 with the new cloud-set-guest-password scripts because of the new password 
 reset
 method.
 Thanks,
 Jayapal
 On 28-Nov-2014, at 2:28 PM, Erik Weber 
 mailto:terbol...@gmail.com>>
 wrote:
 On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
 astro.alir...@yahoo.com.invalid> 
 wrote:
 HiI viewed the bash script that resets Linux password (
 http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
 seems that it doesn't use a secure way for transferring password string to
 instance.Instances on a shared network can sniff password requests and
 export requested password of other instances.I suggest to use SSL (https)
 instead of plan text.Regards
 I like the idea, but there's a couple of obstacles to overcome, namely
 which SSL certificates to use.
 - certificates need a subject name, ie. IP or hostname for web pages, you
 could solve this by making the mgmt server a CA and have each VR get a
 signed certificate by it, but it's complicated
 - if the community bundle a pre generated certificate it is commonly known
 and not to be trusted, also not sure how to handle subject name
 - assuming everyone to supply a valid certificate is quite complicated (CA
>

Re: A secure way to reset VMs password

[Carlos Reátegui]

BTW If anyone wants to upvote the the key management GUI Jira here it is: 
https://issues.apache.org/jira/browse/CLOUDSTACK-1230

> On Dec 2, 2014, at 9:59 PM, Carlos Reátegui  wrote:
> 
> I’m all for providing choice, but not when one of them is not a good/secure 
> one.
> 
> 
>> On Dec 2, 2014, at 9:48 PM, John Kinsella  wrote:
>> 
>> It's not our place to enforce how users authenticate to their VMs. We 
>> provide flexible options, suggest best practices, and let them use the tool 
>> as best suits their needs.
>> 
>> Excuse any typos - sent from mobile device
>> 
>>> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
>>> 
>>> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
>>> functionality is already there just not in the ACS UI. Cloud-init already 
>>> supports it which is available in most distros and therefore would not 
>>> require CS specific scripts. At least not for linux. On windows I'm not 
>>> exactly sure how AWS does it but I think it is also some kind of terminal 
>>> services certificates so I think it could be made to work too. 
>>> 
>>> -Carlos
>>> 
>>> 
>>> 
 On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
 wrote:
 
 You would need client-side certs as well since the password server needs 
 to be able to validate WHO is asking for the password. Currently it is 
 based on the client's IP address.
 Also the current scheme is a single-use password — as soon as the password 
 is retrieved, it is not available to anybody else (of course a MITM could 
 sniff the first exchange).
 
 You could eliminate a lot of MITM-style attacks by running the password 
 server locally on each hypervisor (hard for VMW), or by attaching an ISO 
 (containing the password) to the VM.
 
 From: John Kinsella mailto:j...@stratosec.co>>
 Reply-To: "dev@cloudstack.apache.org" 
 mailto:dev@cloudstack.apache.org>>
 Date: Tuesday, December 2, 2014 at 1:32 PM
 To: "dev@cloudstack.apache.org" 
 mailto:dev@cloudstack.apache.org>>
 Subject: Re: A secure way to reset VMs password
 
 That password reset infrastructure has bigger issues than just SSL. The 
 server side works, but that’s about all I can say for it. This topic comes 
 up every 6-12 months. :)
 
 I thought there was a Jira entry but I can’t find it…personally I’d love 
 to see the client and server sides both rewritten from scratch.
 
 John
 
 On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
 wrote:
 Jayapal,
 Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
 port (8443?), this way SSL and non-SSL connections will still work and 
 give you plenty of time to update your templates, if you so wish.
 Am I missing any important bits here?
 Lucian
 --
 Sent from the Delta quadrant using Borg technology!
 Nux!
 www.nux.ro
 - Original Message -
 From: "Jayapal Reddy Uradi" 
 mailto:jayapalreddy.ur...@citrix.com>>
 To: "mailto:dev@cloudstack.apache.org>>" 
 mailto:dev@cloudstack.apache.org>>
 Cc: "Alireza Eskandari" 
 mailto:astro.alir...@yahoo.com>>
 Sent: Friday, 28 November, 2014 09:34:02
 Subject: Re: A secure way to reset VMs password
 Another point to note is all the vms in production has to update
 with the new cloud-set-guest-password scripts because of the new password 
 reset
 method.
 Thanks,
 Jayapal
 On 28-Nov-2014, at 2:28 PM, Erik Weber 
 mailto:terbol...@gmail.com>>
 wrote:
 On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
 astro.alir...@yahoo.com.invalid> 
 wrote:
 HiI viewed the bash script that resets Linux password (
 http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
 seems that it doesn't use a secure way for transferring password string to
 instance.Instances on a shared network can sniff password requests and
 export requested password of other instances.I suggest to use SSL (https)
 instead of plan text.Regards
 I like the idea, but there's a couple of obstacles to overcome, namely
 which SSL certificates to use.
 - certificates need a subject name, ie. IP or hostname for web pages, you
 could solve this by making the mgmt server a CA and have each VR get a
 signed certificate by it, but it's complicated
 - if the community bundle a pre generated certificate it is commonly known
 and not to be trusted, also not sure how to handle subject name
 - assuming everyone to supply a valid certificate is quite complicated (CA
 must be on VR etc), and makes it considerably harder to get a working setup
 - using self signed causes issues with validation
 Don't get me wrong, I love the idea, but it's not just to flip a switch and
 ha

Re: A secure way to reset VMs password

[John Kinsella]

Probably should be re-written. 

Excuse any typos - sent from mobile device

> On Dec 2, 2014, at 21:58, Alireza Eskandari  
> wrote:
> 
> John, +1If we provide password reset capability it should be secure, if not 
> it is better to make it disable at all.About source of windows version, so 
> what did we do? Should we write it from scratch? Why it isn't open?I open a 
> jira ticket, if you have any comment or suggestion please write 
> there.https://issues.apache.org/jira/browse/CLOUDSTACK-8009
> Thanks
>  From: John Kinsella 
> To: ""  
> Sent: Wednesday, December 3, 2014 9:18 AM
> Subject: Re: A secure way to reset VMs password
> 
> It's not our place to enforce how users authenticate to their VMs. We provide 
> flexible options, suggest best practices, and let them use the tool as best 
> suits their needs.
> 
> Excuse any typos - sent from mobile device
> 
> 
> 
>> On Dec 2, 2014, at 21:22, Carlos Reategui  wrote:
>> 
>> Why do passwords at all?  Why not just use ssh keys like AWS does. The 
>> functionality is already there just not in the ACS UI. Cloud-init already 
>> supports it which is available in most distros and therefore would not 
>> require CS specific scripts. At least not for linux. On windows I'm not 
>> exactly sure how AWS does it but I think it is also some kind of terminal 
>> services certificates so I think it could be made to work too. 
>> 
>> -Carlos
>> 
>> 
>> 
>>> On Dec 2, 2014, at 2:35 PM, Chiradeep Vittal  
>>> wrote:
>>> 
>>> You would need client-side certs as well since the password server needs to 
>>> be able to validate WHO is asking for the password. Currently it is based 
>>> on the client's IP address.
>>> Also the current scheme is a single-use password — as soon as the password 
>>> is retrieved, it is not available to anybody else (of course a MITM could 
>>> sniff the first exchange).
>>> 
>>> You could eliminate a lot of MITM-style attacks by running the password 
>>> server locally on each hypervisor (hard for VMW), or by attaching an ISO 
>>> (containing the password) to the VM.
>>> 
>>> From: John Kinsella mailto:j...@stratosec.co>>
>>> Reply-To: "dev@cloudstack.apache.org" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Date: Tuesday, December 2, 2014 at 1:32 PM
>>> To: "dev@cloudstack.apache.org" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Subject: Re: A secure way to reset VMs password
>>> 
>>> That password reset infrastructure has bigger issues than just SSL. The 
>>> server side works, but that’s about all I can say for it. This topic comes 
>>> up every 6-12 months. :)
>>> 
>>> I thought there was a Jira entry but I can’t find it…personally I’d love to 
>>> see the client and server sides both rewritten from scratch.
>>> 
>>> John
>>> 
>>> On Nov 28, 2014, at 11:33 AM, Nux! mailto:n...@li.nux.ro>> 
>>> wrote:
>>> Jayapal,
>>> Not necesarily, one could run stunnel or nginx as SSL proxy on some other 
>>> port (8443?), this way SSL and non-SSL connections will still work and give 
>>> you plenty of time to update your templates, if you so wish.
>>> Am I missing any important bits here?
>>> Lucian
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> Nux!
>>> www.nux.ro
>>> - Original Message -
>>> From: "Jayapal Reddy Uradi" 
>>> mailto:jayapalreddy.ur...@citrix.com>>
>>> To: "mailto:dev@cloudstack.apache.org>>" 
>>> mailto:dev@cloudstack.apache.org>>
>>> Cc: "Alireza Eskandari" 
>>> mailto:astro.alir...@yahoo.com>>
>>> Sent: Friday, 28 November, 2014 09:34:02
>>> Subject: Re: A secure way to reset VMs password
>>> Another point to note is all the vms in production has to update
>>> with the new cloud-set-guest-password scripts because of the new password 
>>> reset
>>> method.
>>> Thanks,
>>> Jayapal
>>> On 28-Nov-2014, at 2:28 PM, Erik Weber 
>>> mailto:terbol...@gmail.com>>
>>> wrote:
>>> On Thu, Nov 27, 2014 at 3:54 PM, Alireza Eskandari <
>>> astro.alir...@yahoo.com.invalid> 
>>> wrote:
>>> HiI viewed the bash script that resets Linux password (
>>> http://download.cloud.com/templates/4.2/bindir/cloud-set-guest-password.in)It
>>> seems that it doesn't use a secure way for transferring password string to
>>> instance.Instances on a shared network can sniff password requests and
>>> export requested password of other instances.I suggest to use SSL (https)
>>> instead of plan text.Regards
>>> I like the idea, but there's a couple of obstacles to overcome, namely
>>> which SSL certificates to use.
>>> - certificates need a subject name, ie. IP or hostname for web pages, you
>>> could solve this by making the mgmt server a CA and have each VR get a
>>> signed certificate by it, but it's complicated
>>> - if the community bundle a pre generated certificate it is commonly known
>>> and not to be trusted, also not sure how to handle subject name
>>> - assuming everyone to supply a valid certificate is quite complicated (CA
>>> 

broken schema450to460.sql in cloudstack master?

[Kuang-Ching Wang]

Hi,

Pardon me if this is already a known issue - wonder if anyone noticed the 
schema450to460.sql file in master now is actually broken?  It has a truncated 
line, and a line ending with ‘,’.  

KC