Review Request: modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/
---

Review request for cloudstack.

Description
---

With SELinux enabled on a CentOS VM template the automatic creation process of ~/.ssh and ~/.ssh/authorized_keys doesn't contain the metadata required for those files to be used for public key authentication. Running "restorecon -R -v ~/.ssh" restores the configuration and allows public key authentication to function with SELinux in the enforcing state.

This patch checks for the existence of /sbin/restorecon when /etc/init.d/cloud-set-guest-sshkey.in is run, after it would have updated the .ssh directory and if it exists it restores the configuration.

Diffs
-

setup/bindir/cloud-set-guest-sshkey.in 15008b8

Diff: https://reviews.apache.org/r/11934/diff/

Testing
---

Tested on latest CentOS 6.4 template. Without this modification, machines generated with Cloudstack API's deployVirtualMachine and the keypair parameter which have SELinux enabled still prompt for password even if the correct private key is supplied to SSH. Once this patch is applied those same VMs will allow login via public key.

Thanks,

Ian Service
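The check described in the review request, sketched as an added example (this is not the patch under review or CloudStack's own code). The function name `install_guest_sshkey` and its optional third argument, which overrides the `/sbin/restorecon` path so the logic can be exercised on a system without SELinux, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a public key for a guest user, then restore the
# SELinux metadata on the .ssh tree when restorecon is available.
#
# Usage: install_guest_sshkey HOME_DIR PUBLIC_KEY [RESTORECON_PATH]
# RESTORECON_PATH is a hypothetical override; it defaults to /sbin/restorecon,
# the path named in the review request.
install_guest_sshkey() {
    home_dir=$1
    public_key=$2
    restorecon_bin=${3:-/sbin/restorecon}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -d "$home_dir" ] || { echo "no such home directory: $home_dir" >&2; return 1; }
    [ -n "$public_key" ] || { echo "empty public key" >&2; return 1; }

    # sshd rejects keys kept in a group- or world-accessible directory or file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Append only when this exact line is absent, so repeated runs of the
    # init script do not duplicate the key.
    if ! grep -qxF -- "$public_key" "$auth_keys"; then
        printf '%s\n' "$public_key" >> "$auth_keys" || return 1
    fi

    # Files created by the init script lack the SELinux metadata sshd needs
    # in enforcing mode. Restore it if the tool exists; on systems without
    # restorecon this step is skipped and the function still succeeds.
    if [ -x "$restorecon_bin" ]; then
        "$restorecon_bin" -R -v "$ssh_dir" || return 1
    fi
    return 0
}
```

On a guest where public key login still falls back to a password prompt, `ls -Z ~/.ssh` shows the labels currently applied to the directory and its files.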
Re: Review Request: modify cloud-set-guest-sshkey.in initscript to handle SELinux configuration
> On June 18, 2013, 1:58 p.m., David Nalley wrote:
> > Would you mind creating a bug for this??
> >
> > --David

Not at all, not sure what detail was required, let me know if I need to update it.

https://issues.apache.org/jira/browse/CLOUDSTACK-3054

- Ian

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11934/#review22060
---

On June 18, 2013, 1:53 p.m., Ian Service wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/11934/
> ---
>
> (Updated June 18, 2013, 1:53 p.m.)
>
> Review request for cloudstack.
>
> Description
> ---
>
> With SELinux enabled on a CentOS VM template the automatic creation process
> of ~/.ssh and ~/.ssh/authorized_keys doesn't contain the metadata required
> for those files to be used for public key authentication. Running
> "restorecon -R -v ~/.ssh" restores the configuration and allows public key
> authentication to function with SELinux in the enforcing state.
>
> This patch checks for the existence of /sbin/restorecon when
> /etc/init.d/cloud-set-guest-sshkey.in is run, after it would have updated the
> .ssh directory and if it exists it restores the configuration.
>
> Diffs
> -
>
> setup/bindir/cloud-set-guest-sshkey.in 15008b8
>
> Diff: https://reviews.apache.org/r/11934/diff/
>
> Testing
> ---
>
> Tested on latest CentOS 6.4 template. Without this modification, machines
> generated with Cloudstack API's deployVirtualMachine and the keypair
> parameter which have SELinux enabled still prompt for password even if the
> correct private key is supplied to SSH. Once this patch is applied those
> same VMs will allow login via public key.
>
> Thanks,
>
> Ian Service
Modify Site-to-Site VPN interface to include ID/FQQN capabilities
After working with a few different hardware VPN gateways in a few different configurations I've found there's a relatively simple component missing to allow us to easily support those other configurations. I've been able to get the networks to connect with some modifications in the VPC router VM, but it would be great if they would work within CloudStack's interface so that

The current /opt/cloud/bin/ipsectunnel.sh script includes the following options:

Usage: ipsectunnel.sh: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d

I can modify it to include -L and -R which would add

leftid=@ and rightid=@ to /etc/ipsec.d/ipsec.vpn-.conf

and

@ @: PSK "" to /etc/ipsec.d/ipsec.vpn-.secrets

But, I'm not a Java dev so I'd need someone to help add the fields to the web interface and I'd need someone with experience to properly update the schema to add the new fields to the database.

Any interest?

Thanks,

- Ian
Re: Trigger System VM Upgrade - without destroy and deploy
Yes! Shut them down and then *very quickly* (before they're automatically restarted) you can issue the changeServiceForSystemVm API call to change their Service Offering.

- Ian

On Fri, Jul 19, 2013 at 4:48 PM, Musayev, Ilya wrote:
> Is there a way to trigger system VM upgrade without destroying and
> recreating?
>
> Reason behind this question, I don't want to mess up current system VMs as
> they have firewall rules bound to them and recreating them would mean new
> IP set and new firewall requests.
>
> Thanks
> ilya
Upgrade System VM Template
I'm having no end of NAT issues with the System VM template I installed with 4.1 and I noticed there's a newer one available. Is there a documented upgrade procedure somewhere or is it as simple as install the new one and update a mysql table to point to the new template?

Thanks,

- Ian