Re: [VOTE] Accept the donation of RDP client code into Apache CloudStack

2013-10-23 Thread John Kinsella
+1

On Oct 21, 2013, at 11:11 AM, Donal Lafferty  wrote:

> As stated in a previous thread [1], Citrix is proposing the donation of 
> source for an RDP client.  After donation, the client would be integrated 
> with the console system VM in order to provide access to Hyper-V based VMs.
> 
> The client's source is in the diff attached to the Review Board submission 
> https://reviews.apache.org/r/14701/
> 
> [1] http://markmail.org/thread/q6sfqrhosmirm3bg
> 
> I would like to call a vote here, so that we have a formal consensus on 
> accepting the code into the project.  I suggest that it be accepted into a 
> branch, and then we work through any technical concerns / reviews / changes 
> prior to a master branch merge.
> 
> VOTING will be left open for 72 hours.
> 
> This is a technical decision, which means committer and PMC votes are binding.
> 
> 
> DL
> 





Re: how to use hashes on c.a.o?

2013-10-23 Thread John Kinsella
This is the output of gpg -v --print-md SHA512, generated as part of the 
release procedure [1] by tools/build/build_asf.sh

1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure


On Oct 17, 2013, at 7:56 PM, Darren Shepherd  
wrote:

> The hashes that are on c.a.o for the releases have a format like
> 
> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
> 
> apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
> 684E0094 F1666F57 5D694916 CF74ED98
> 9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
> EA82D42C 78880EDB 04F2532A 61376537
> 
> I've never seen this.  Is this some hip new format I'm not aware of,
> and I'm the uncool kid still using GNU coreutils?
> 
> Darren





Re: how to use hashes on c.a.o?

2013-10-24 Thread John Kinsella
Instructions for testing the hash are in the release test page [1]. It is also 
documented in the install guide.

It is the way it is I believe because Chip took the release build script from 
CouchDB, as mentioned in the release build page.

1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure

On Oct 24, 2013, at 12:53 AM, Darren Shepherd <darren.s.sheph...@gmail.com> wrote:

But how does one validate it?  I just wrote a dumb script to
concatenate, remove whitespace, lowercase and then pass to
"sha512sum -c."  I've never seen anyone provide SHAs in that format.
I wouldn't expect many people to know how to use them.  Why can't we
use the good old GNU coreutils style?

Darren

On Wed, Oct 23, 2013 at 7:14 PM, John Kinsella <j...@stratosec.co> wrote:
This is the output of gpg -v --print-md SHA512, generated as part of the 
release procedure [1] by tools/build/build_asf.sh

1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure


On Oct 17, 2013, at 7:56 PM, Darren Shepherd <darren.s.sheph...@gmail.com> wrote:

The hashes that are on c.a.o for the releases have a format like

http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha

apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
   684E0094 F1666F57 5D694916 CF74ED98
   9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
   EA82D42C 78880EDB 04F2532A 61376537

I've never seen this.  Is this some hip new format I'm not aware of,
and I'm the uncool kid still using GNU coreutils?

Darren




Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>
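
An added example, not part of the original thread or of CloudStack's release tooling: a POSIX shell helper that performs the conversion Darren describes (join the groups, strip whitespace, lowercase) on a `gpg --print-md SHA512` file and hands the result to `sha512sum -c`. The function names are hypothetical; the sample digest is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not CloudStack tooling).

# write_sample_sha PATH: writes the .sha content quoted in the thread.
write_sample_sha() {
    cat > "$1" <<'EOF'
apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
   684E0094 F1666F57 5D694916 CF74ED98
   9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
   EA82D42C 78880EDB 04F2532A 61376537
EOF
}

# gpg_md_to_coreutils FILE.sha
# Prints "<lowercase hex>  <filename>", the line format `sha512sum -c` reads.
# Returns 1 when the file has no "name:" prefix or the digest is not exactly
# 128 hex characters (a truncated or damaged .sha file must not verify).
gpg_md_to_coreutils() {
    sha_file=$1
    # File name: everything before the first ':' on the first line.
    name=$(sed -n '1s/:.*//p' "$sha_file")
    [ -n "$name" ] || return 1
    # Digest: drop the "name:" prefix, delete all whitespace, lowercase.
    hex=$(sed '1s/^[^:]*://' "$sha_file" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $hex in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 128 ] || return 1
    printf '%s  %s\n' "$hex" "$name"
}

# verify_gpg_md FILE.sha
# Checks the artifact that sits next to FILE.sha; exit status 0 means the
# SHA-512 digest matches.
verify_gpg_md() {
    line=$(gpg_md_to_coreutils "$1") || return 1
    ( cd "$(dirname "$1")" && printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1 )
}

# Show the conversion on the thread's sample.
demo=$(mktemp)
write_sample_sha "$demo"
gpg_md_to_coreutils "$demo"
rm -f "$demo"
```

A matching digest only shows the download is intact; the release's .asc signature is what ties it to the release manager's key.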



parallel mvn builds

2013-10-31 Thread John Kinsella
I've been tinkering with adding -T to builds on my laptop - e.g. "mvn -T 2C 
install" (Means run two build threads on each CPU core the system has)

I'm seeing a 20-30% improvement in build time vs a single-thread build, and 
things seem to work so far, but I do get this warning a few times during the 
build:

[WARNING] *
[WARNING] * Your build is requesting parallel execution, but project  *
[WARNING] * contains the following plugin(s) that are not marked as   *
[WARNING] * @threadSafe to support parallel building. *
[WARNING] * While this /may/ work fine, please look for plugin updates*
[WARNING] * and/or request plugins be made thread-safe.   *
[WARNING] * If reporting an issue, report it against the plugin in*
[WARNING] * question, not against maven-core  *
[WARNING] *
[WARNING] The following plugins are not marked @threadSafe in Apache CloudStack:
[WARNING] org.apache.maven.plugins:maven-site-plugin:3.1
[WARNING] *

Curious if anybody else has tried this or if we should recommend it to folks?



Re: parallel mvn builds

2013-10-31 Thread John Kinsella
Makes sense, and now documented in the mailing list. :)

On Oct 31, 2013, at 5:00 PM, Darren Shepherd <darren.s.sheph...@gmail.com> wrote:

I use it all the time with -T 1.5C and it makes my build twice as fast.
But I do it with the assumption that "it may void your warranty."
Sometimes things blow up, and then I go back to single threaded.  So it
kinda works, but it does blow up.

I wouldn't recommend most people use it.  For people who are closer to full
time ACS developers it can be helpful.  For people that don't use ACS much,
it's not worth the hassle because it's not guaranteed to work and I have seen
it fail.

Darren


On Thu, Oct 31, 2013 at 3:36 PM, John Kinsella <j...@stratosec.co> wrote:

I've been tinkering with adding -T to builds on my laptop - e.g. "mvn -T
2C install" (Means run two build threads on each CPU core the system has)

I'm seeing a 20-30% improvement in build time vs a single-thread build,
and things seem to work so far, but I do get this warning a few times
during the build:

[WARNING] *
[WARNING] * Your build is requesting parallel execution, but project  *
[WARNING] * contains the following plugin(s) that are not marked as   *
[WARNING] * @threadSafe to support parallel building. *
[WARNING] * While this /may/ work fine, please look for plugin updates*
[WARNING] * and/or request plugins be made thread-safe.   *
[WARNING] * If reporting an issue, report it against the plugin in*
[WARNING] * question, not against maven-core  *
[WARNING] *
[WARNING] The following plugins are not marked @threadSafe in Apache
CloudStack:
[WARNING] org.apache.maven.plugins:maven-site-plugin:3.1
[WARNING] *

Curious if anybody else has tried this or if we should recommend it to
folks?






Re: checkstyle

2013-11-04 Thread John Kinsella
I think it'd be fairly painful to make it mandatory - maybe see if we can set 
that as a goal for 6 months out?

On Nov 4, 2013, at 6:29 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Hey,

Just added a very basic checkstyle configuration to maven. The configuration 
file is in parents/checkstyle and it checks just a few very basic things, like 
trailing whitespace and tabs where there should be spaces.

I’ve enabled it for a single plugin to just the impact on build time and the 
amount of generated errors. Quite considerable, but i hope other parts of the 
code are better ;-)

You can enable check style for your plugin by adding the following to your 
build plugins config in maven:

 
   org.apache.maven.plugins
   maven-checkstyle-plugin
   ${cs.checkstyle.version}
   
 
   org.apache.cloudstack
   checkstyle
   0.0.1-SNAPSHOT
 
   
   
 
   process-sources
   
 check
   
 
   
   
 true
 tooling/checkstyle.xml
 true
 true
 ${project.basedir}
 **\/*.java,**\/*.xml,**\/*.ini,**\/*.sh,**\/*.bat
 **\/target\/,**\/bin\/
   
 


For now it's voluntary, but I would like your opinion on making this a mandatory 
part of the build process. Meaning a compile will not succeed when checkstyle 
reports errors.

Cheers,

Hugo




Re: Wiki issues: Redirect loop

2013-11-04 Thread John Kinsella
What URL are you trying to hit? 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Home seems fine here in 
FF25, OSX Chrome 6.1 and Chrome 30...

On Nov 3, 2013, at 3:31 PM, Ian Duffy 
 wrote:

> Hi,
> 
> I'm unable to access the wiki. Chrome keeps reporting a redirect loop.
> 
> Anybody know whats causing that?
> 
> Thanks!
> Ian




Re: checkstyle

2013-11-04 Thread John Kinsella
On Nov 4, 2013, at 7:54 AM, Chip Childers  wrote:

> On Mon, Nov 04, 2013 at 04:33:07PM +0100, Hugo Trippaers wrote:
>> Hey John,
>> 
>> That would be my idea.
>> 
>> Make it mandatory for new (maven) projects coming into the code base and 
>> slowly start working on fixing the existing projects.  The current 
>> checkstyle setting is very relaxed, just a few basic checks. Stuff that we 
>> could technically fix with a few well written regular expressions even.  
>> Over time we can start implementing parts of our code style in the 
>> checkstyle config, but that is long term planning.
>> 
>> Cheers,
>> 
>> Hugo
> 
> We've had people correct the whitespace issues in bulk previously, but
> then someone does a merge and it goes to hell again.
> 
> I'd actually be +1 on a quick fix of the code, then the enforcement of
> the rules.  That is...  only for the things that can be easily
> regex-fixed.

Makes sense I guess, +1 from me too.

Only thing that's really nails-on-chalkboard to me is fixing formatting and 
code changes in the same commit, but I haven't seen that in ACS…



Re: Coverity static code analysis

2013-11-04 Thread John Kinsella
I'll guess Coverity counts executable lines. LOC can be a little tricky to 
calculate…comments, whitespace, things like include statements usually don't 
count (from a licensing POV).

John

On Nov 4, 2013, at 8:55 AM, Sebastien Goasguen <run...@gmail.com> wrote:


On Nov 4, 2013, at 11:39 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Hey all,

At CloudOpen in Edinburgh i joined a presentation on Coverity, a static code 
analysis tool. Some of you may have heard of it already, it is famous for doing 
the code analysis on the Linux kernel for quite some years already. They added  
support for the java language quite a while back. The presenter dropped by our 
CloudStack booth and we had a nice chat on static code analysis.

You might have guessed the next step, i added CloudStack to the Coverity 
scanning service at scan.coverity.com: 
http://scan.coverity.com/projects/943.
- 1.044.609 lines of code

Why does Ohloh list 4.2 M LOC when Coverity only 1M?

- 6.70 defect density
- 6997 outstanding defects

The reasoning is obviously that anything that will help us improve quality 
should be considered. However just adding the CloudStack sources to the scan 
isn’t going to solve anything. For that we all need to pitch in and help out 
with getting the scan results triaged, assigned and fixed. So signup en-masse 
and go fix ;-)

Note to new and aspiring CloudStack developers, don’t know where to start but 
you want to help out? This is a great way to get to know the code and the 
community. Have a look at one of the open items on Coverity, fix it and submit 
it for review at reviews.apache.org.

Cheers,

Hugo








Re: [PROPOSAL] Liaison with ETSI NFV ISG

2013-11-06 Thread John Kinsella
+1

On Nov 5, 2013, at 11:58 AM, Sebastien Goasguen  wrote:

> I volunteer you.
> 
> We need to do this.
> 
> -Sebastien
> 
> On 5 Nov 2013, at 20:28, Chiradeep Vittal  wrote:
> 
>> Network Functions Virtualisation (NFV) is an effort to utilize server
>> virtualization in conjunction with industry standard servers, network
>> hardware switches and storage hardware to achieve significant time and
>> costs reductions in the Telecommunication industry. ETSI [1] has a group
>> (NFV ISG [2]) that is trying to develop guidelines and frameworks around
>> NFV (note: not standards). They have published a White Paper [3] which
>> makes very interesting reading.
>> 
>> 
>> Among other things, the group identifies
>> 
>> "The NFVI (Network Functions Virtualisation Infrastructure), which
>> provides the virtual
>> resources required to support the execution of the Virtualised Network
>> Functions. It includes
>> Commercial-Off-The-Shelf (COTS) hardware, accelerator components where
>> necessary, and
>> a software layer which virtualises and abstracts the underlying hardware."
>> 
>> This software layer is assumed to be a form of IAAS software. Currently
>> the group members use OpenStack as an example, but it should be our (the
>> CloudStack community) goal to popularize and encourage the adoption of
>> CloudStack as well.
>> 
>> The white paper [3] also goes on to say:
>> "We are interested to ensure that the Open Source community actively
>> engages in NFV to help create virtualised network capabilities...
>> 
>> ...we intend to actively collaborate with existing reference
>> open-source initiatives in the areas relevant to NFV, as well as to
>> encourage and support new ones aligned with the NFV goals, especially
>> when addressing new issues identified by the NFV community."
>> 
>> One way to improve visibility and collaborate actively with this community
>> is to have a liaison with the ISG.
>> The liaison can contribute to the activities of the various working groups
>> (e.g., Management and Orchestration MANO WG) and convey the activities
>> and requirements of the NFV ISG back to the CloudStack community.
>> 
>> If the community is OK with the Liaison idea, then we could solicit
>> volunteers on this list to act as the Liaison(s)
>> 
>> Comments?
>> 
>> 
>> 
>> 
>> 
>> [1] http://en.wikipedia.org/wiki/ETSI
>> [2] http://www.etsi.org/technologies-clusters/technologies/nfv
>> [3] http://portal.etsi.org/NFV/NFV_White_Paper2.pdf



Re: [PROPOSAL] Service monitoring tool in virtual router

2013-11-06 Thread John Kinsella
Thx for putting this together, Jayapal. A few comments:

I'd really like to have a config flag to specify if things should be restarted 
automatically or not. Worst case, track the restarts - if a service is 
restarted more than X times in Y seconds, something's obviously wrong so stop 
tail-chasing[1]. Personally I'm much more interested in knowing there's a 
problem and then taking whatever happens to be the appropriate actions for our 
situation.

Regarding communicating with a monitoring system - what makes more sense to me 
is setting up a solid framework that provides folks flexibility to use various 
monitoring tools, from sending an email to contacting pager duty or whatever.

So, to me there's 3 parts to that:
1) At VR creation, ACS calls defined hook-script which knows how to contact 
monitoring system to tell it about system to monitor
2) At boot, VR sends API query to which the mgmt server responds with a URL for 
an install script - VR runs that to download/setup appropriate monitoring agent
3) VR has standardized scripts for agent to call to find out what should be 
running, and then agent can go check for itself.

With a setup like this, you can support SNMP, Opsview/Nagios, Monit, NSA, 
Zenoss, HPOV, Tivoli, etc etc etc. I'll happily write the Opsview/Nagios module 
(I'm thinking module is hosted outside ACS, but I guess it could be a plugin - 
see earlier licensing points).

Thoughts?

Just my 2c. Happy to tweak wiki if folks lean towards this.

John
1: Aside - this applies to SSVM creation currently - that hamster[2] keeps 
trying to spin that create SSVM wheel..
2: Apache CloudHamster, CloudMonkey's furry monitoring friend?

On Nov 6, 2013, at 7:58 AM, Jayapal Reddy Uradi  
wrote:

> Please find below the updated FS
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Monitoring+VR+services
> 
> Thanks,
> Jayapal
> 
> On 05-Oct-2013, at 6:54 PM, Santhosh Edukulla  
> wrote:
> 
>> A shell script can be used. Few thoughts below:
>> 
>> 1. Collect the process id of all daemons you wanted to monitor using "pidof" 
>> of command and then use "kill" command to check if the pid you got is valid. 
>> Using kill we can send a signal 0, then check the status using echo $? . For 
>> sending a notification use linux syslog call ( man 3 syslogd) or "logger" 
>> command to send to syslog. If wanted to send email then you may also have to 
>> look for firewall not allowing outbound smtp port communication. Even for 
>> snmp this holds same( i mean if any blocking through firewall rules ).  
>> Using syslog may be good as it by default exposes various debug log levels 
>> through its api call.
>> 
>> Now, to keep the monitor script up always up and running. Keep the monitor 
>> script run continuously through cron or at at regular\scheduled intervals. 
>> This way even if monitor script goes down, the next xth interval, it is up 
>> again. 
>> 
>> With this there is a catch though, we may got multiple pids for a given 
>> daemon provided if there are multiple daemons spawned by same\multiple 
>> applications, if this scenario is not common then its ok, otherwise we may 
>> have to track it differently maintaining state of each spawned daemon and 
>> see if it exists. If multiple applications launch the same daemon, you may 
>> also wanted to say its application which got killed. EX: A launched httpd, 
>> and during its exit logic, it is killing all daemons it launched, then you 
>> may wanted to add  A is not available, rather than just http is not 
>> available. 
>> 
>> 
>> 2.  Using  netstat command : Check for available, listening and active ports 
>> on local host, provided all the daemons you wanted to monitor are running on 
>> "standard" ports or if we know the listening ports of those daemons to be 
>> monitored. Again, this script can be added through cron\at to be scheduled 
>> to run x units, if it gets killed the next x units after the monitor script 
>> is up again. 
>> 
>> Also, there could be many other approaches as well.
>> 
>> 
>> Thanks!
>> Santhosh 
>> 
>> From: Jayapal Reddy Uradi [jayapalreddy.ur...@citrix.com]
>> Sent: Saturday, October 05, 2013 5:17 AM
>> To: 
>> Cc: 
>> Subject: Re: [PROPOSAL] Service monitoring tool in virtual router
>> 
>> Hi,
>> 
>> +users list
>> If any one is already using any tools for monitoring then please share your 
>> ideas.
>> Also share the cases where you experienced service crashes.
>> 
>> Thanks,
>> Jayapal
>> 
>> On 05-Oct-2013, at 4:12 AM, Chiradeep Vittal  
>> wrote:
>> 
>>> Well just make sure that your script is resilient to its own crashes as
>>> well.
>>> 
>>> On 10/4/13 1:59 AM, "Jayapal Reddy Uradi" 
>>> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I am planning to write script utility to monitor processes and restart on
>>>> the event of failure. It will also log the events.
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 02-Oct-2013, at 3:25 AM, Simon Weller  wrote:
>>>> 
>>>>> supervisord maybe?
>>>>> 
>>>>> --
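
An added example, not part of the thread or of CloudStack: a cron-driven watchdog in POSIX shell that combines the `pidof` / `kill -0` / `logger` check suggested by Santhosh with the restart budget John asks for (stop restarting once a service has been restarted more than X times in Y seconds). The tag `vr-monitor`, the variables `STATE_DIR`, `MAX_RESTARTS`, `WINDOW_SECS` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: VR service watchdog with a restart budget.
# "vr-monitor", STATE_DIR, MAX_RESTARTS and WINDOW_SECS are assumed names.

STATE_DIR=${STATE_DIR:-/var/run/vr-monitor}
MAX_RESTARTS=${MAX_RESTARTS:-3}    # the "X times" in the proposal
WINDOW_SECS=${WINDOW_SECS:-300}    # the "Y seconds" in the proposal

# log_event PRIORITY MESSAGE: syslog via logger, stderr if logger is missing.
log_event() {
    logger -t vr-monitor -p "daemon.$1" "$2" 2>/dev/null ||
        echo "vr-monitor[$1]: $2" >&2
}

# service_alive NAME: 0 if any pid reported by pidof answers signal 0.
# Signal 0 delivers nothing; it only tests that the pid exists. Run as root,
# otherwise kill -0 also fails for live processes owned by other users.
service_alive() {
    for pid in $(pidof "$1" 2>/dev/null); do
        kill -0 "$pid" 2>/dev/null && return 0
    done
    return 1
}

# restart_allowed STATE_FILE MAX WINDOW [NOW]
# Sliding-window budget: returns 0 and records NOW when fewer than MAX
# restarts fall inside the last WINDOW seconds, otherwise returns 1.
restart_allowed() {
    state=$1 max=$2 window=$3 now=${4:-$(date +%s)}
    cutoff=$((now - window))
    touch "$state"
    # Drop timestamps that have aged out of the window.
    awk -v c="$cutoff" '$1 > c' "$state" > "$state.tmp" && mv "$state.tmp" "$state"
    count=$(awk 'END { print NR + 0 }' "$state")
    [ "$count" -lt "$max" ] || return 1
    echo "$now" >> "$state"
}

# check_service NAME RESTART_CMD
# 0: service is up, or the restart command succeeded.
# 2: budget exhausted; the service is left down for an operator to look at.
check_service() {
    name=$1 restart_cmd=$2
    service_alive "$name" && return 0
    mkdir -p "$STATE_DIR"
    if restart_allowed "$STATE_DIR/$name.restarts" "$MAX_RESTARTS" "$WINDOW_SECS"; then
        log_event warning "$name is down, restarting"
        $restart_cmd    # deliberately unquoted: command plus its arguments
    else
        log_event crit "$name restarted $MAX_RESTARTS times in ${WINDOW_SECS}s, giving up"
        return 2
    fi
}

# Example cron-driven call (service name chosen for illustration):
#   check_service dnsmasq "service dnsmasq restart"
```

Because the restart history lives in a file, the budget survives the script itself dying between cron runs, which covers Chiradeep's point about the monitor being resilient to its own crashes.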

Re: [WEBSITE] Security page for cloudstack.apache.org

2013-05-22 Thread John Kinsella
Been working through a few ideas in my head, will see movement on this in the 
next few days.

On May 15, 2013, at 8:12 AM, Chip Childers  wrote:

> (note mixing of public and private lists)
> 
> We need a security page for cloudstack.apache.org, so that I can add
> CloudStack to http://www.apache.org/security/projects.html.
> 
> The board has requested that we get this done.
> 
> John, you started consolidating some stuff...  do you mind driving this
> to conclusion?
> 
> -chip



Re: IRC meeting today

2013-06-19 Thread John Kinsella
I'm happy to run it

On Jun 19, 2013, at 8:45 AM, Chip Childers 
 wrote:

> Hi all,
> 
> Joe asked me to facilitate the meeting today, however I have a $dayjob
> responsibility that just came up.  I'm not going to be able to do
> anything other than lurk in the channel.
> 
> I'm going to suggest that we cancel the meeting for today, unless
> someone else wants to run it.
> 
> -chip



Re: IRC meeting today

2013-06-19 Thread John Kinsella
We had about 4 of us in the meeting, so we just dropped it until next week.

On Jun 19, 2013, at 9:15 AM, John Kinsella 
 wrote:

> I'm happy to run it
> 
> On Jun 19, 2013, at 8:45 AM, Chip Childers 
> wrote:
> 
>> Hi all,
>> 
>> Joe asked me to facilitate the meeting today, however I have a $dayjob
>> responsibility that just came up.  I'm not going to be able to do
>> anything other than lurk in the channel.
>> 
>> I'm going to suggest that we cancel the meeting for today, unless
>> someone else wants to run it.
>> 
>> -chip
> 



Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack

2013-03-29 Thread John Kinsella
Never too late. :)

Looking at [1], it'll take about 2E64 days to search the SHA256 keyspace with a 
brute forcer written for a GPU accelerator. Even with 10,000 of them, it'll 
take way, way too long. Bitcoin coin uses SHA256, so I think it's safe for a 
while. :)

Yes, SHA512 would be "more safe," but ya gotta ask what you're really getting 
by going to the bigger key…security is about a balance. If you're using ACS to 
run a cloud cracking SHA256 passwords, then maybe you should use SHA512 
passwords in ACS. ;)

John
1: http://www.insidepro.com/eng/egb.shtml

On Mar 29, 2013, at 4:36 PM, Justin Grudzien <grudz...@gmail.com> wrote:

I apologize for jumping into this conversation late, but I am new to the 
developer mailing list. Why would we choose SHA256+salt over SHA512+salt? 
SHA512+salt's storage is insignificant when compared to SHA256 and the chances 
of a birthday attack are significantly reduced. As a security professional I 
would argue for the best possible hashing algorithm available, especially when 
there is little to no cost.

Justin

On Mar 29, 2013, at 6:00 PM, "Min Chen" <min.c...@citrix.com> wrote:


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/10039/#review18548
---



client/tomcatconf/componentContext.xml.in


  This componentContext.xml.in and nonossComponentContext.xml.in should be put 
into applicationContext.xml since they are the same for nonoss and oss versions.


- Min Chen


On March 28, 2013, 8:26 p.m., Venkata Siva Vijayendra Bhamidipati wrote:

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/10039/
---

(Updated March 28, 2013, 8:26 p.m.)


Review request for cloudstack, Hugo Trippaers, Kelven Yang, and Min Chen.


Description
---

Changing default password encoding mechanism from MD5 to SHA256Salted.


This addresses bug CS-1734.


Diffs
-

api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java 
89673ea
api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java fb29e1a
api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java 1f31662
client/tomcatconf/componentContext.xml.in 016df0a
client/tomcatconf/nonossComponentContext.xml.in 8f8dae5
developer/developer-prefill.sql 6300d35
plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java
 61eebe5
plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java
 026125e
plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java
 52e7cb3
plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java
 1b29f69
server/src/com/cloud/server/ManagementServerImpl.java b689f93
server/src/com/cloud/user/AccountManagerImpl.java b69f314

Diff: https://reviews.apache.org/r/10039/diff/


Testing
---

Manual testing done for both oss and nonoss components. Both admin and users 
added later are encoded according to the scheme configured, and authenticated 
by the same scheme.

To change the order of the schemes, modify the following list properties in 
client/tomcatconf/nonossComponentContext.xml.in or 
client/tomcatconf/componentContext.xml.in as applicable, to the desired order:

  
   
  
  
  
  
  
  

  
  
  
   
   
  
   


Thanks,

Venkata Siva Vijayendra Bhamidipati


Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella



Apache CloudStack Security Advisory: Multiple vulnerabilities in Apache CloudStack

2013-04-24 Thread John Kinsella
Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and
4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/CI:P/I:C/A:C), 4.3
(AV:A/AC:H/Au:N/CI:P/I:P/A:P)

Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain
unauthorized access to the console of another tenant's VM.

2) Insecure hash values may lead to information disclosure. URLs
generated by Apache CloudStack to provide console access to virtual
machines contained a hash of a predictable sequence, the hash of
which was generated with a weak algorithm. While not easy to leverage,
this may allow a malicious user to gain unauthorized console access.

Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate
these vulnerabilities.

Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann
to the Citrix security team, who in turn notified the Apache
CloudStack PMC.


Re: [DISCUSS] Lock System VMs to specific IPs - due to security concerns and firewall rules

2013-05-02 Thread John Kinsella
+1. You can fudge it currently via the API, but there's no guarantee…

It'd be really useful for the SSVMs, as we have various firewalls and other 
things configured to let packets to/from them.

On May 2, 2013, at 2:02 PM, "Musayev, Ilya"  wrote:

> This request mostly affects corporate customers who are accountable for each 
> IP on the network and firewalls created to accommodate CS implementation.
> 
> As it stands, there is no definite way to make ip "x" assign to SSVM and ip 
> "y" to CPVM and they can flap as they choose or even use some other IP 
> address defined in the range.
> 
> It would be really nice to have an ability to hard set IPs for CPVM, SSVM and 
> RVM. Then I can create meaningful firewall rules for each with no room for 
> error.
> 
> As always, your feedback is appreciated.
> 
> Thanks
> ilya





Re: Dev/Test Environment

2013-05-02 Thread John Kinsella
+1
On May 2, 2013, at 1:16 PM, Joe Brockmeier <j...@zonker.net> wrote:

On Thu, May 2, 2013, at 01:44 PM, Soheil Eizadi wrote:
The wiki is organized around VirtualBox, assuming it works, I think it is
a better choice than Fusion since it free and easy to setup. I don't have
much experience with VirtualBox, does it not support nested hypervisors?

If you've gotten something working in Fusion, it would be worth putting
that on the wiki for folks who aren't a fan of VirtualBox. (Or folks who
already use Fusion and don't want to run two desktop virt. products...)

Best,

jzb
--
Joe Brockmeier
j...@zonker.net
Twitter: @jzb
http://www.dissociatedpress.net/




idea of a "production" lock

2014-02-07 Thread John Kinsella
Folks - we’re getting bitten occasionally by stability issues on some of our 
customer VMs indirectly related to ACS:

* The billing package[1] we use is touchy, and will occasionally reboot VMs 
when we bring up the VM’s details page in the billing package
* ACS recently lost connectivity with a node, asked the VR to ping the VMs but 
was blocked by host firewall, so decided the VM was down and then killed it 
after reconnecting to the node
* Something was either fat-fingered or misinterpreted in billing package, and 
deleting a licensing product from a customer resulted in it telling ACS to 
delete a domain, user, the 10 VMs in it and their storage (Luckily I saw the 
grey icon of Shutdown/Expunge and shut down mgmt server, but not before losing 
one VM. Somehow I haven’t had a heart attack yet)

My thought is each VM would have a LOCK field - when that’s set, it basically 
becomes “read-only” to ACS - stats are gathered, it monitors if it’s up/down, 
but any change in running state, the node it’s on, storage, network, firewalls 
etc would be denied without some type of authorization (I’m not sure what I 
mean here yet, if it’s a separate login or maybe authenticating to get a token 
and then present it with the change, or...).

I understand in a larger environment there’s too much happening and this could 
backfire, but for our customers with legacy non-cloud architectures, stability 
is hugely important and anything we can do to help with that is worthwhile. 
Maybe in a “phase 2” of this implementation granular controls could be added to 
specify what could/could not happen during “production lock”...

Looking to gauge interest and ideas/suggestions in something like this. 
Unfortunately it just jumped pretty much to the top of my priority list...

John
1: I’d rather not say which at this point.

Re: idea of a "production" lock

2014-02-07 Thread John Kinsella

On Feb 7, 2014, at 6:31 PM, David Nalley  wrote:

> On Fri, Feb 7, 2014 at 9:02 PM, John Kinsella  wrote:
>> Folks - we're getting bitten occasionally by stability issues on some of our 
>> customer VMs indirectly related to ACS:
>> 
>> * The billing package[1] we use is touchy, and will occasionally reboot VMs 
>> when we bring up the VM's details page in the billing package
>> * ACS recently lost connectivity with a node, asked the VR to ping the VMs 
>> but was blocked by host firewall, so decided the VM was down and then killed 
>> it after reconnecting to the node
>> * Something was either fat-fingered or misinterpreted in billing package, 
>> and deleting a licensing product from a customer resulted in it telling ACS 
>> to delete a domain, user, the 10 VMs in it and their storage (Luckily I saw 
>> the grey icon of Shutdown/Expunge and shut down mgmt server, but not before 
>> losing one VM. Somehow I haven't had a heart attack yet)
>> 
>> My thought is each VM would have a LOCK field - when that's set, it 
>> basically becomes "read-only" to ACS - stats are gathered, it monitors if 
>> it's up/down, but any change in running state, the node it's on, storage, 
>> network, firewalls etc would be denied without some type of authorization 
>> (I'm not sure what I mean here yet, if it's a separate login or maybe 
>> authenticating to get a token and then present it with the change, or...).
>> 
>> I understand in a larger environment there's too much happening and this 
>> could backfire, but for our customers with legacy non-cloud architectures, 
>> stability is hugely important and anything we can do to help with that is 
>> worthwhile. Maybe in a "phase 2" of this implementation granular controls 
>> could be added to specify what could/could not happen during "production 
>> lock"...
>> 
>> Looking to gauge interest and ideas/suggestions in something like this. 
>> Unfortunately it just jumped pretty much to the top of my priority list...
>> 
>> John
>> 1: I'd rather not say which at this point.
> 
> 
> AWS has 'Termination Protection' and in that light it makes sense to me.

Hm thanks, will take a look



Re: UI Latency

2014-02-09 Thread John Kinsella
I’ve been tinkering with httpd proxying the UI via mod_proxy_ajp, then using 
mod_deflate to compress on the httpd side. That gets me about a 2.5x decrease 
in loading the login screen. system.js, which is the largest item downloaded by 
default is around 980k, with gzip that drops to 68k.

I wanna see if I can squeeze a little more performance out by caching the 
static stuff…once I get some stats out of that I’ll turn it into a blog post 
later this week.

John

On Feb 9, 2014, at 3:27 PM, Alex Hitchins  wrote:

> One of the things that I want to look in to is generating a Gruntfile so we 
> can 'uglify' and reduce the size of css, js and image sprites. This should 
> help reduce the initial payload and make a big difference to VPN/low b/w 
> connections.
> 
> 
> Regards
> 
> Alex Hitchins
> 
> D: +44 1892 523 587 | S: +44 20 3603 0540 | M: +44 7788 423 969
> 
> alex.hitch...@shapeblue.com
> 
> -Original Message-
> From: Mike Tutkowski [mailto:mike.tutkow...@solidfire.com]
> Sent: 09 February 2014 19:51
> To: dev@cloudstack.apache.org
> Subject: Re: UI Latency
> 
> I could be wrong, but I believe the idea of zipping the content for the UI 
> start page was discussed, but has not yet been implemented.
> 
> As far as I know (and have experienced), every time you go to the start page, 
> it does seem to take a while to load if you are not over a particularly fast 
> connection (if I'm in the office, it loads quickly; if I'm over a VPN 
> connection from, say, home, it tends to be noticeably slower).
> 
> 
> On Sun, Feb 9, 2014 at 8:46 AM, Mo  wrote:
> 
>> Hello,
>> 
>> From my understanding going to the UI at first start-up takes awhile
>> to load due to the way it is configured, I believe I was previously
>> told it was gzip for the website. However, I thought this would be a one
>> time thing; it seems to take quite awhile to load UI each time I
>> visit, unlike versions gone by.
>> 
>> Any advice? Suggestions?
>> 
>> - Maurice
>> 
> 
> 
> 
> --
> *Mike Tutkowski*
> *Senior CloudStack Developer, SolidFire Inc.*
> e: mike.tutkow...@solidfire.com
> o: 303.746.7302
> Advancing the way the world uses the
> cloud
> *(tm)*
> Need Enterprise Grade Support for Apache CloudStack?
> Our CloudStack Infrastructure 
> Support offers the 
> best 24/7 SLA for CloudStack Environments.
> 
> Apache CloudStack Bootcamp training courses
> 
> **NEW!** CloudStack 4.2.1 training
> 18th-19th February 2014, Brazil. 
> Classroom
> 17th-23rd March 2014, Region A. Instructor led, 
> On-line
> 24th-28th March 2014, Region B. Instructor led, 
> On-line
> 16th-20th June 2014, Region A. Instructor led, 
> On-line
> 23rd-27th June 2014, Region B. Instructor led, 
> On-line
> 
> This email and any attachments to it may be confidential and are intended 
> solely for the use of the individual to whom it is addressed. Any views or 
> opinions expressed are solely those of the author and do not necessarily 
> represent those of Shape Blue Ltd or related companies. If you are not the 
> intended recipient of this email, you must neither take any action based upon 
> its contents, nor copy or show it to anyone. Please contact the sender if you 
> believe you have received this email in error. Shape Blue Ltd is a company 
> incorporated in England & Wales. ShapeBlue Services India LLP is a company 
> incorporated in India and is operated under license from Shape Blue Ltd. 
> Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is 
> operated under license from Shape Blue Ltd. ShapeBlue is a registered 
> trademark.




Re: 4.2 max volume size hard-coded

2014-02-12 Thread John Kinsella
IIRC there was a limitation in Xen…if you search the dev archives you might 
find mention of it. We have multi-TB disks with KVM/ACS no problemo.

On Feb 12, 2014, at 9:03 AM, Marcus <shadow...@gmail.com> wrote:

   This doesn't seem to be an issue with 4.3, but I noticed that in
4.2 we have hard-coded the max custom disk offering size to 1024.  I'm
going to fix this (assuming we ever release a 4.2.2), but the use of
'final', and the fact that the min size is already set up to be
configurable, made me think that this was probably done with intent.

server/src/com/cloud/storage/VolumeManagerImpl.java:

   private int _customDiskOfferingMinSize = 1;
   private final int _customDiskOfferingMaxSize = 1024;

   Can anyone think of why?

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: UI Latency

2014-02-13 Thread John Kinsella
Just posted http://theresnomon.co/2014/improving-cloudstack-ui-performance/ - 
open to any comments.

John

On Feb 10, 2014, at 12:47 AM, Alex Hitchins <alex.hitch...@shapeblue.com> wrote:

Sounds interesting, I look forward to your write-up.



Regards

Alex Hitchins

D: +44 1892 523 587 | S: +44 20 3603 0540 | M: +44 7788 423 969

alex.hitch...@shapeblue.com


Re: UI Latency

2014-02-13 Thread John Kinsella
Looks like Daan had a few issues with the patch for you to resolve regarding 
tabs and headers...

On Feb 13, 2014, at 10:14 AM, Laszlo Hornyak <laszlo.horn...@gmail.com> wrote:

Hi,

I have a patch for the UI compression, it is on review for a while...
But I hope I will be able to resolve the comments in...days.

I measured the download size dropped from 3.5 MB to somewhere around 0.5 MB

https://reviews.apache.org/r/12228/

Adding javascript compression could also help a lot.

That 3.5 M is a lot even on LAN :-)




Re: UI Latency

2014-02-13 Thread John Kinsella
Seems a bit like wheel-reinventing, no? Wouldn’t it be cleaner to get Tomcat’s 
built-in compression[1] working? What I don’t see in your code is any ability 
to negotiate if the end-client supports gzip compression...

John
1:http://viralpatel.net/blogs/enable-gzip-compression-in-tomcat/

On Feb 13, 2014, at 12:09 PM, Laszlo Hornyak <laszlo.horn...@gmail.com> wrote:

Ah yes we are playing space-wars, I will fix it as soon as I get there. I
was not that much interested in space/tabs but what it already does:
- at build time it generates .gz files from static resources, like css,
html and js files
- during runtime it checks if there is a gz file for the resource and
silently serves the gz file and sets the headers, only if the client
browser accepts gz of course
- respects Etag since you do not want to download even "just" 500 Kb each
time you hit ctrl-r.

TODO other than the space-war:
- it uses a maven plugin I have built for home use, it is in my maven repo
and it would not be great to give my unreliable repository to everyone, so
it should be either moved to the ACS source or uploaded to the central repo
- Some a would not like to make the build even longer. It is quite short
compared to the full time of the build, but for a CI build it is completely
useless. So it must be moved to a profile and profile should be active
during release process, maybe not anyway unless you manually enable it.




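The scheme described in this exchange (pre-built .gz files, served only when the browser accepts gzip, with ETag revalidation), as an added Python sketch that is not the patch under review and not CloudStack or Tomcat code. The function names, the sample resource and the truncated SHA-256 ETag are assumptions made for the example; request headers are assumed to arrive under their canonical names.

```python
import gzip
import hashlib

# Constructed sample resource standing in for a large static UI file.
RESOURCES = {"/scripts/system.js": b"var cloudStack = {};\n" * 2000}


def parse_accept_encoding(header):
    """Return {coding: q} from an Accept-Encoding value; a malformed q counts as 0."""
    codings = {}
    for item in (header or "").split(","):
        parts = [p.strip() for p in item.split(";")]
        name = parts[0].lower()
        if not name:
            continue
        q = 1.0
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        codings[name] = q
    return codings


def client_accepts_gzip(header):
    """True only if gzip (or x-gzip, or the * wildcard) is listed with q > 0.

    A missing header is treated conservatively as "identity only".
    """
    codings = parse_accept_encoding(header)
    for name in ("gzip", "x-gzip"):
        if name in codings:
            return codings[name] > 0  # an explicit q=0 is a refusal
    return codings.get("*", 0.0) > 0


def etag_for(body):
    """Strong validator derived from the exact bytes that will be sent."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def build_assets(resources):
    """Build step: keep an identity and a gzip variant, each with its own ETag."""
    assets = {}
    for path, raw in resources.items():
        packed = gzip.compress(raw, mtime=0)  # mtime=0 keeps the output reproducible
        assets[path] = {
            "identity": (raw, etag_for(raw)),
            "gzip": (packed, etag_for(packed)),
        }
    return assets


def etag_list(value):
    """Split If-None-Match into tags, dropping the weak-validator prefix."""
    tags = []
    for tag in (value or "").split(","):
        tag = tag.strip()
        tags.append(tag[2:] if tag.startswith("W/") else tag)
    return tags


def serve(assets, path, request_headers):
    """Return (status, headers, body) for a GET of a static resource."""
    variants = assets.get(path)
    if variants is None:
        return 404, {}, b""
    accepts = client_accepts_gzip(request_headers.get("Accept-Encoding"))
    coding = "gzip" if accepts else "identity"
    body, etag = variants[coding]
    # Vary tells shared caches to key on Accept-Encoding, so a gzip body is
    # never replayed to a client that did not ask for it.
    headers = {"ETag": etag, "Vary": "Accept-Encoding"}
    if coding == "gzip":
        headers["Content-Encoding"] = "gzip"
    wanted = etag_list(request_headers.get("If-None-Match"))
    if etag in wanted or "*" in wanted:
        return 304, headers, b""  # client copy is current: no body on reload
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


ASSETS = build_assets(RESOURCES)
```

Each variant carries its own ETag, so a cached gzip copy is never revalidated against the identity representation or the other way round.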

Re: Findbugs findings fixed this week

2014-02-14 Thread John Kinsella

On Feb 14, 2014, at 9:39 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:

The correct answer to that question is that in my opinion we both did and 
didn't improve CloudStack. The paradox here is that we improved the code as 
written making the code flow as the original developer (probably) intended and 
we added unit tests to prove it as well. However there is not much we can say 
about the functionality of the code. We touched code in all areas both within 
and outside our areas of expertise. So it is possible we introduced a number of 
functional problems that were working by accident earlier, however our belief 
is that this is far preferable above code that works by accident.

+1. Nicely done!



Re: [PROPOSAL] Windowsfication Of ACS

2014-02-15 Thread John Kinsella

On Feb 14, 2014, at 4:21 AM, Damoder Reddy <damoder.re...@citrix.com> wrote:


My comments inline in RED.


Apache mailing lists strip HTML, so while some form of mind altering substances 
in the correct amount might cause your comments to be perceived as RED, in 
general that won’t be the case. :)

-j


Re: [PROPOSAL] Windowsfication Of ACS

2014-02-15 Thread John Kinsella
Interesting idea…I wouldn’t use it but I wish you good luck in your journey. ;) 
As Alex mentioned, would be curious to see the demand.

I try to avoid cygwin in production environments…it’s great for desktops, but 
just feels like a hack for production use, IMHO.

The ssh part caught my attention, as that affects the security of the secondary 
storage VM.

Putty doesn’t really want to be used for command-line key generation[1].

Take a look at libssh[2] - from a glance, that looks like it might be the best 
approach.

I’d recommend against taking crypto code from another project and adding into 
ACS - at that point we have to monitor the origin project for patches and apply 
as appropriate.

John
1: 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/puttygen-batch.html
2: http://www.libssh.org/

On Feb 14, 2014, at 3:55 AM, Rajesh Battala <rajesh.batt...@citrix.com> wrote:

Below are my findings and suggestions.

Dependencies for mgmt server to run on windows.

1. ssh-keygen tool (available by default on Linux. It's required to generate 
id_rsa_cloud keys)
2. mount cmd (this is used by vmware/hyperv to mount sec storage on the mgmt 
server to copy the systemvm.iso to Hosts)
3. injectkeys.sh (this is a binary file that executes on the mgmt server to inject the 
dynamically generated ssh keys into systemvm.iso. It's a bash file)
4. there is some code in the mgmt. server where the "sudo" cmd is used to execute 
the bash files. We have to rewrite those parts to handle it for Windows.
5. Mkisofs: this is used to generate the systemvm.iso

My thoughts on the dependencies
1. we can generate the ssh-keygen binary from C source or use the putty keygen 
utility to generate the keys.
2. Mount (we have to rewrite the code in the mgmt. server to handle how to copy to an 
nfs or cifs remote path by referencing it locally)
3. For injectkeys.sh we have to write a new bat file/python which will do 
a similar job.
4. There is already a Windows binary of mkisofs available; we can use it.

Thanks
Rajesh Battala

-Original Message-
From: Damoder Reddy [mailto:damoder.re...@citrix.com]
Sent: Friday, February 14, 2014 2:27 PM
To: dev@cloudstack.apache.org
Subject: [PROPOSAL] Windowsfication Of ACS

Hi,

The current ACS management server runs only on linux based operating systems.
Though it runs on windows under Cygwin terminal with some effort, I'd like to 
introduce this feature to make sure that the management server runs on windows 
without any dependencies on Cygwin etc.

The Jira Ticket : https://issues.apache.org/jira/browse/CLOUDSTACK-6105
FS : 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Cloudstack+Windowsfication

Feedback/comments are welcome.

Thanks & Regards
Damodar/


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: is cwiki down? error with 503

2014-02-16 Thread John Kinsella
Yep was down last night, infra has a few issues on 
http://monitoring.apache.org/status/ if you look at things that started around 
the same time. I haven’t asked but I presume they know about it.

John

On Feb 16, 2014, at 12:32 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

I'm getting the same thing.

Regards,

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: Rajesh Battala [mailto:rajesh.batt...@citrix.com]
Sent: 16 February 2014 07:05
To: dev@cloudstack.apache.org
Subject: is cwiki down? error with 503

Hi,

When tried to access cwiki am getting

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance 
downtime or capacity problems. Please try again later.

Apache/2.2.20 (Ubuntu) Server at cwiki.apache.org Port 443


Thanks
Rajesh Battala

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: [UPDATE][DOCS][PROPOSAL] Move to .rst and new repos

2014-02-18 Thread John Kinsella
Wow, just looked for the first time - that looks great :)

Personally I usually hit cloudstack.org and then look 
for links to docs. On the RTD sites, might wanna have links from install -> 
admin and vice-versa...

On Feb 18, 2014, at 5:12 AM, Sebastien Goasguen <run...@gmail.com> wrote:


On Jan 27, 2014, at 11:25 AM, sebgoa <run...@gmail.com> wrote:

Quick update on this thread.

I made some initial commits to the two new docs repo:
https://git-wip-us.apache.org/repos/asf?p=cloudstack-docs-admin.git;a=summary
https://git-wip-us.apache.org/repos/asf?p=cloudstack-docs-install.git;a=summary

These were made by:
1- using publican to build a html-single output of the current documentation.
2- using pandoc to convert the single html page to .rst
3- build a sphinx project for each repo using sphinx-quickstart
4- moved the .rst file to the skeleton sphinx project
5- fixed Note and Warning tags
6- fixed some issues with couple images not present or replication of reference

This leads to two successful builds, even though there are still warnings and 
lots of work to do with the table of contents.

To test the result I created two Read The Docs projects, the result is on-line:

http://cloudstack-administration.readthedocs.org/en/latest/
http://cloudstack-installation.readthedocs.org/en/latest/

This is clearly not finished and this will require more work to check the 
format, the conversion with pandoc may have broken some things.

The end result so far is that I feel it is much easier to work with, just grab 
your favorite editor and you can actually read the docs, and fix it.
I also right away deleted some chapters in the admin guide (concepts..) that 
were a copy of the install guide.

I plan to do the same process for the release notes...

-Sebastien

On Jan 22, 2014, at 6:27 PM, Alex Hitchins  wrote:

Personally, I think if possible;

http://docs.cloudstack.apache.org could go to a page with both sets available, 
linking to

http://admin.docs.cloudstack.apache.org
http://install.docs.cloudstack.apache.org


Any other thoughts ???


My thinking is docs.cloudstack.apache.org is 
easier to remember.

I wonder if there is an SEO benefit to either option. Be good if the install and 
admin guides were well crawled.


Alex Hitchins
+44 7788 423 969

-Original Message-
From: sebgoa [mailto:run...@gmail.com]
Sent: 22 January 2014 17:18
To: dev@cloudstack.apache.org
Subject: [DOCS][PROPOSAL] Move to .rst and new repos

Hi,

Prior to the break we had a discussion to move to a new doc format RST.

In investigating the process and the infra needed for this, David and I thought 
that having a repo for each guide/book would be good.
Otherwise the readthedocs build infra will create one massive pdf/epub, think 
~400 pages.

So David created couple repos:

cloudstack-docs-admin.git
cloudstack-docs-install.git

Now we need to decide on CNAMEs for each guide, meaning that to get to the 
admin guide (for instance) you will hit http://admin.foo ...

We propose to use:

http://docs-admin.cloudstack.apache.org
http://docs-install.cloudstack.apache.org

thoughts ? better ideas ?

-Sebastien



Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella

Re: [DISCUSS] Browser-based template and volume uploads

2014-02-19 Thread John Kinsella
We definitely need to support more than http download. http upload sounds 
interesting, but I’d love to see something more resilient for large uploads. 
How ‘bout specifying a “drop folder” type location on the mgmt server that the 
server polls every 15 seconds for new files, then in the UI the user can pick 
from the files shown there? Not as secure as your browser upload pattern, 
though.

Maybe use something like https://github.com/blueimp/jquery-file-upload that 
allows resumable uploads?

Just had the thought of maybe adding support for dropbox/box.net/etc. At that 
point, an ImageFetch plugin hook starts to sound interesting. Adding a bit 
torrent plugin could make getting the default templates quite snappy. :)


On Feb 19, 2014, at 2:12 PM, Chiradeep Vittal  
wrote:

> Hi all,
> 
> The fact that one has to have a HTTP server to host templates before the 
> templates can be imported into secondary storage is an inconvenience. I am 
> not sure how much of an inconvenience it is, but I was asked to detail the 
> technical architecture, if it needed to be supported. Certainly, I can 
> imagine for folks coming in contact with ACS for the first time, it might 
> seem onerous to set up another web server.
> 
> I've sketched a strawman proposal [1] to support browser-based uploads of 
> templates and volumes to secondary storage.
> It is not yet a PROPOSAL since it is still raw (and I do not have time to 
> work on this immediately).
> 
> Please comment on this.
> [1] https://cwiki.apache.org/confluence/x/jY5cAg
> 



Re: [DISCUSS] Browser-based template and volume uploads

2014-02-20 Thread John Kinsella
You mean to load files off the management server, yea? That makes sense to me

On Feb 20, 2014, at 3:14 AM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:

why not a allowing a simple file:///home/me/my.template kind of url?

for simple installations this should do.

On Wed, Feb 19, 2014 at 11:42 PM, John Kinsella 
mailto:j...@stratosec.co>> wrote:
We definitely need to support more than http download. http upload sounds 
interesting, but I'd love to see something more resilient for large uploads. 
How 'bout specifying a "drop folder" type location on the mgmt server that the 
server polls every 15 seconds for new files, then in the UI the user can pick 
from the files shown there? Not as secure as your browser upload pattern, 
though.

Maybe use something like https://github.com/blueimp/jquery-file-upload that 
allows resumable uploads?

Just had the thought of maybe adding support for dropbox/box.net/etc. At that 
point, an ImageFetch plugin hook starts to sound interesting. Adding a bit 
torrent plugin could make getting the default templates quite snappy. :)


On Feb 19, 2014, at 2:12 PM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:

Hi all,

The fact that one has to have a HTTP server to host templates before the 
templates can be imported into secondary storage is an inconvenience. I am not 
sure how much of an inconvenience it is, but I was asked to detail the 
technical architecture, if it needed to be supported. Certainly, I can imagine 
for folks coming in contact with ACS for the first time, it might seem onerous 
to set up another web server.

I've sketched a strawman proposal [1] to support browser-based uploads of 
templates and volumes to secondary storage.
It is not yet a PROPOSAL since it is still raw (and I do not have time to work 
on this immediately).

Please comment on this.
[1] https://cwiki.apache.org/confluence/x/jY5cAg





--
Daan

Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>



Review Request 18392: CLOUDSTACK-6156: remove rampart maven dependencies to fix?

2014-02-21 Thread John Kinsella

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18392/
---

Review request for cloudstack.


Bugs: CLOUDSTACK-6156
https://issues.apache.org/jira/browse/CLOUDSTACK-6156


Repository: cloudstack-git


Description
---

Attempting to get awsapi build working. Can somebody familiar with that module 
review this?


Diffs
-

  awsapi/pom.xml 601e695 

Diff: https://reviews.apache.org/r/18392/diff/


Testing
---

Built mvn -Pawsapi on master
Build/ran devcloud2
Haven't tested awsapi itself as I'm not currently using that. :/


Thanks,

John Kinsella



Re: developers and mysql

2014-02-24 Thread John Kinsella
I created CLOUDSTACK-6157 over the weekend to track this. Not sure adding the 
jar after compile will help the deploydb target, but will give it a try this 
morning.

Could we set up the pom.xmls to use the jar for execution if it’s found in the 
user/system classpaths while respecting the legal requirements?

Rayees’ suggestion for cloud.spec makes sense for the RPM builds, but doesn’t 
affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers  wrote:

> Heya,
> 
> as the mysql dependency is now set to provided in all the poms to fix our 
> license compliancy the jetty target and the deployed targets are not working. 
> 
> I’m trying to configure an optional profile to enable those targets to 
> include the mysql dependency while executing, but so far no luck. If anyone 
> has some bright ideas on how to do this i’m all ears. In the meantime the 
> best solutions i’ve found to continue working is to copy the mysql jar file 
> into the directory client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/ 
> by hand after running mvn install and before running the jetty target (just 
> don’t run mvn clean).
> 
> Hopefully a better solution in the near future.
> 
> Cheers,
> 
> Hugo




Re: [PROPOSAL] Change systemvm template URL in master to s3 bucket

2014-02-24 Thread John Kinsella
Who’s paying for the s3 storage (sorry if I missed something there)? How long 
do you keep old images?

Vaguely related - I was pondering seeding ACS and/or VM image torrents - wonder 
if folks would be interested in that? I realize bittorrent isn’t always welcome 
in corp environments...

On Feb 24, 2014, at 1:51 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Hey all,

I’ve finally fixed the configuration to automagically upload the systemvm 
templates to an s3 bucket. The jobs build-systemvm-master and 
build-systemvm64-master will rebuild the systemvm template on a daily basis and 
send the resulting files to that S3 bucket.

I would like to update the URLs in the docs and in the database to make master 
point to these new locations. The locations will look like : 
https://s3.amazonaws.com/systemvm-templates.cloudstack.org/master/64/systemvm64template-master-hyperv.vhd

Why?
- Anyone using master will automagically use the latest and greatest images.
- Transparent process from build script to distribution.
- Accessible logging for folks willing to track number of downloads etc.


Any thoughts?

Cheers,

Hugo



Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: developers and mysql

2014-02-24 Thread John Kinsella
Nope. That’s the current state of things.

On Feb 24, 2014, at 2:28 PM, Alena Prokharchyk <alena.prokharc...@citrix.com> wrote:

Sorry, forgot to mention the steps I've done:

mvn install -P developer,systemvm -DskipTests
cp mysql-connector-java-5.1.21.jar client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/
mvn -pl :cloud-client-ui jetty:run

And I am still hitting the error below. Am I missing something?

Thanks,
Alena.



On 2/24/14, 11:41 AM, "Alena Prokharchyk" <alena.prokharc...@citrix.com> wrote:

Hugo, fail to start latest master build on my machine, here is the error:

ERROR [c.c.u.d.Merovingian2] (main:null) Unable to get a new db connection
java.sql.SQLException: No suitable driver found for
jdbc:mysql://localhost:3306/cloud?autoReconnect=true&prepStmtCacheSize=517&cachePrepStmts=true
at java.sql.DriverManager.getConnection(DriverManager.java:596)
at java.sql.DriverManager.getConnection(DriverManager.java:215)



Can you please tell me what needs to be done in order to fix it?

Thanks,
Alena.

On 2/24/14, 10:11 AM, "Hugo Trippaers" <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile to
include MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure
adding the jar after compile will help the deploydb target, but will
give it a try this morning.

Could we set up the pom.xmls to use the jar for execution if it's
found in the user/system classpaths while respecting the legal
requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but
doesn't affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

as the mysql dependency is now set to provided in all the poms to fix
our license compliancy the jetty target and the deployed targets are
not working.

I'm trying to configure an optional profile to enable those targets
to include the mysql dependency while executing, but so far no luck.
If anyone has some bright ideas on how to do this i'm all ears. In the
meantime the best solutions i've found to continue working is to copy
the mysql jar file into the directory
client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/ by hand
after running mvn install and before running the jetty target (just
don't run mvn clean).

Hopefully a better solution in the near future.

Cheers,

Hugo





Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>



Re: developers and mysql

2014-02-25 Thread John Kinsella
Yep that works - thanks! Will close 6157.

On Feb 25, 2014, at 3:33 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from framework-db. As 
the client target is responsible for building the war file for the packages 
including this in the client pom would also put it in the war file and in the 
packages.

I think i have an elegant solution, its now included as a dependency for both 
the database deploy and the jetty:run target. Which makes it effectively a 
“provided” library for the purpose of our maven build. See commit 
8e6b86ae23dce802044388c5420ff61511d7115b and 
e883877c7a6f9df04b572afd4ee5f10d265bcc3a.

I can deploy a database and start the jetty:run target now without any trouble 
(at least not more trouble than usual ;-) )

My next step is to clean up some of the dependencies. I think that only 
cloud-framework-db should have a provided dependency on mysql. It’s the only 
piece of source code that actually needs the mysql driver to be present during 
compilation for the optional HA configuration. There are some test classes that 
depend on database functionally but those should be moved to an integration 
test profile that could include the database driver, those tests are disabled 
anyway so they don’t cause any trouble now.


Cheers,

Hugo

On 25 feb. 2014, at 06:39, Rajani Karuturi <rajani.karut...@citrix.com> wrote:

Can we move the mysql-connector-java dependency to the parent 
POM(SOURCE-ROOT/pom.xml) and define it different scopes for each profile?

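ie)

<profiles>
  <profile>
    <id>developer</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>compile</scope>
      </dependency>
    </dependencies>
  </profile>
  <profile>
    <id>production</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>provided</scope>
      </dependency>
    </dependencies>
  </profile>
</profiles>
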
Thanks,
~Rajani



On 24-Feb-2014, at 11:41 pm, Hugo Trippaers <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile to include 
MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure adding the 
jar after compile will help the deploydb target, but will give it a try this 
morning.

Could we set up the pom.xmls to use the jar for execution if it's found in the 
user/system classpaths while respecting the legal requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but doesn't 
affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

as the mysql dependency is now set to provided in all the poms to fix our 
license compliancy the jetty target and the deployed targets are not working.

I'm trying to configure an optional profile to enable those targets to include 
the mysql dependency while executing, but so far no luck. If anyone has some 
bright ideas on how to do this i'm all ears. In the meantime the best solutions 
i've found to continue working is to copy the mysql jar file into the directory 
client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/ by hand after running 
mvn install and before running the jetty target (just don't run mvn clean).

Hopefully a better solution in the near future.

Cheers,

Hugo





Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>



Re: status of 4.3?

2014-02-25 Thread John Kinsella

On Feb 25, 2014, at 3:06 AM, Daan Hoogland  wrote:

> On Tue, Feb 25, 2014 at 11:32 AM, Nux!  wrote:
>> there are going to be any dramatic last minute changes.
> 
> 
> nothing functional, just packaging (some jars will become prerequisites)
> 

Personally, I’d consider CLOUDSTACK-6156 a blocker on release - I can’t build 
RPMs on a clean system.



Re: developers and mysql

2014-02-25 Thread John Kinsella
Did you re-run mvn -P deps?

On Feb 25, 2014, at 12:16 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

I'm still getting the following error:

ERROR [c.c.u.d.Merovingian2] (main:null) Unable to get a new db connection
java.sql.SQLException: No suitable driver found for
jdbc:mysql://localhost:3306/cloud?autoReconnect=true&prepStmtCacheSize=517&cachePrepStmts=true

I built using "mvn -P developer,systemvm clean install" and ran the
management server using "mvn -pl client jetty:run".

Any thoughts on that?

Thanks


On Tue, Feb 25, 2014 at 1:10 PM, John Kinsella <j...@stratosec.co> wrote:

Yep that works - thanks! Will close 6157.

On Feb 25, 2014, at 3:33 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from
framework-db. As the client target is responsible for building the war file
for the packages including this in the client pom would also put it in the
war file and in the packages.

I think i have an elegant solution, its now included as a dependency for
both the database deploy and the jetty:run target. Which makes it
effectively a "provided" library for the purpose of our maven build. See
commit 8e6b86ae23dce802044388c5420ff61511d7115b and
e883877c7a6f9df04b572afd4ee5f10d265bcc3a.

I can deploy a database and start the jetty:run target now without any
trouble (at least not more trouble than usual ;-) )

My next step is to clean up some of the dependencies. I think that only
cloud-framework-db should have a provided dependency on mysql. It's the
only piece of source code that actually needs the mysql driver to be
present during compilation for the optional HA configuration. There are
some test classes that depend on database functionally but those should be
moved to an integration test profile that could include the database
driver, those tests are disabled anyway so they don't cause any trouble now.


Cheers,

Hugo

On 25 feb. 2014, at 06:39, Rajani Karuturi <rajani.karut...@citrix.com> wrote:

Can we move the mysql-connector-java dependency to the parent
POM(SOURCE-ROOT/pom.xml) and define it different scopes for each profile?

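ie)

<profiles>
  <profile>
    <id>developer</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>compile</scope>
      </dependency>
    </dependencies>
  </profile>
  <profile>
    <id>production</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>provided</scope>
      </dependency>
    </dependencies>
  </profile>
</profiles>
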
Thanks,
~Rajani



On 24-Feb-2014, at 11:41 pm, Hugo Trippaers <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile to
include MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure adding
the jar after compile will help the deploydb target, but will give it a try
this morning.

Could we set up the pom.xmls to use the jar for execution if it's found in
the user/system classpaths while respecting the legal requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but
doesn't affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

as the mysql dependency is now set to provided in all the poms to fix our
license compliancy the jetty target and the deployed targets are not
working.

I'm trying to configure an optional profile to enable those targets to
include the mysql dependency while executing, but so far no luck. If anyone
has some bright ideas on how to do this i'm all ears. In the meantime the
best solutions i've found to continue working is to copy the mysql jar file
into the directory
client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/ by hand after
running mvn install and before running the jetty target (just don't run mvn
clean).

Hopefully a better solution in the near future.

Cheers,

Hugo





Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>




--
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkow...@solidfire.com<mailto:mike.tutkow...@s

Re: developers and mysql

2014-02-25 Thread John Kinsella
Ah - don’t think that’s been cherry-picked yet to 4.3...

On Feb 25, 2014, at 12:23 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

I should point out that I'm having this issue on 4.3 (haven't tried to run
master in a couple weeks).


On Tue, Feb 25, 2014 at 1:16 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

I'm still getting the following error:


ERROR [c.c.u.d.Merovingian2] (main:null) Unable to get a new db connection
java.sql.SQLException: No suitable driver found for
jdbc:mysql://localhost:3306/cloud?autoReconnect=true&prepStmtCacheSize=517&cachePrepStmts=true

I built using "mvn -P developer,systemvm clean install" and ran the
management server using "mvn -pl client jetty:run".

Any thoughts on that?

Thanks


On Tue, Feb 25, 2014 at 1:10 PM, John Kinsella <j...@stratosec.co> wrote:

Yep that works - thanks! Will close 6157.

On Feb 25, 2014, at 3:33 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from
framework-db. As the client target is responsible for building the war file
for the packages including this in the client pom would also put it in the
war file and in the packages.

I think i have an elegant solution, its now included as a dependency for
both the database deploy and the jetty:run target. Which makes it
effectively a "provided" library for the purpose of our maven build. See
commit 8e6b86ae23dce802044388c5420ff61511d7115b and
e883877c7a6f9df04b572afd4ee5f10d265bcc3a.

I can deploy a database and start the jetty:run target now without any
trouble (at least not more trouble than usual ;-) )

My next step is to clean up some of the dependencies. I think that only
cloud-framework-db should have a provided dependency on mysql. It's the
only piece of source code that actually needs the mysql driver to be
present during compilation for the optional HA configuration. There are
some test classes that depend on database functionally but those should be
moved to an integration test profile that could include the database
driver, those tests are disabled anyway so they don't cause any trouble now.


Cheers,

Hugo

On 25 feb. 2014, at 06:39, Rajani Karuturi <rajani.karut...@citrix.com> wrote:

Can we move the mysql-connector-java dependency to the parent
POM(SOURCE-ROOT/pom.xml) and define it different scopes for each profile?

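ie)

<profiles>
  <profile>
    <id>developer</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>compile</scope>
      </dependency>
    </dependencies>
  </profile>
  <profile>
    <id>production</id>
    <dependencies>
      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>provided</scope>
      </dependency>
    </dependencies>
  </profile>
</profiles>
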
Thanks,
~Rajani



On 24-Feb-2014, at 11:41 pm, Hugo Trippaers <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile to
include MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure adding
the jar after compile will help the deploydb target, but will give it a try
this morning.

Could we set up the pom.xmls to use the jar for execution if it's found
in the user/system classpaths while respecting the legal requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but
doesn't affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

as the mysql dependency is now set to provided in all the poms to fix our
license compliancy the jetty target and the deployed targets are not
working.

I'm trying to configure an optional profile to enable those targets to
include the mysql dependency while executing, but so far no luck. If anyone
has some bright ideas on how to do this i'm all ears. In the meantime the
best solutions i've found to continue working is to copy the mysql jar file
into the directory
client/target/cloud-client-ui-4.4.0-SNAPSHOT/WEB-INF/lib/ by hand after
running mvn install and before running the jetty target (just don't run mvn
clean).

Hopefully a better solution in the near fu

Re: status of 4.3?

2014-02-25 Thread John Kinsella
I created https://reviews.apache.org/r/18392/ as I think that’ll fix it, but 
worried I’m breaking something else that I’m not testing…

On Feb 25, 2014, at 12:42 PM, David Nalley  wrote:

> Agreed - thats a blocker (and I've elevated it to such) We're already
> doing pom surgery, so a bit more shouldn't be too troublesome.
> 
> --David
> 
> On Tue, Feb 25, 2014 at 3:21 PM, John Kinsella  wrote:
>> 
>> On Feb 25, 2014, at 3:06 AM, Daan Hoogland  wrote:
>> 
>>> On Tue, Feb 25, 2014 at 11:32 AM, Nux!  wrote:
>>>> there are going to be any dramatic last minute changes.
>>> 
>>> 
>>> nothing functional, just packaging (some jars will become prerequisites)
>>> 
>> 
>> Personally, I'd consider CLOUDSTACK-6156 a blocker on release - I can't 
>> build RPMs on a clean system.
>> 




Re: [DISCUSS] Policy blocker?

2014-02-26 Thread John Kinsella
+1 well put.

On Feb 26, 2014, at 6:44 AM, Chip Childers  wrote:

> On Tue, Feb 25, 2014 at 7:13 PM, Animesh Chaturvedi
>  wrote:
>> 
>> Folks since the liability of Release manager has been called out explicitly 
>> for the release I want to call out that I cannot take personal liability for 
>> a release and I am not sure why would anyone else in Release Manager role 
>> will take up personal liability. I don't see anything called out in our 
>> bylaws that states Release Manager being liable.
>> 
>> That being said I am seeking advice from ASF mentors and will discuss it in  
>> PMC. I  will proceed and build an RC after this issue is resolved.
>> 
>> Thanks
>> Animesh
> 
> A couple of things:
> 
> First, we don't have any "mentors" anymore...  we're a TLP.
> 
> Second, although the question of "liability" has been clarified in the
> private@ thread, I'll summarize briefly here:
> 
> The reason that we follow the voting process (where the PMC votes are
> binding) and other ASF-wide policies, is so that any release is an
> "act of the foundation" and not an act of an individual.  The point is
> that if someone were to purposefully ignore policy, then they put
> themselves at risk.  The whole reason for the foundation to have it's
> policies is to protect all of the committers and contributors from
> personal liability!  So the only thing that really matters is that if
> we follow the policies of the foundation, there's nothing to worry
> about.
> 
> Being a release manager is nothing to worry about...  the whole PMC is
> helping to ensure that we follow policies.  As our current 4.3 issue
> has pointed out, sometimes this means we have to slow down to fix
> something.  If something slipped through, it's still not a "liability"
> issue in practical terms.  It's just a mistake that we would then work
> to correct.
> 
> Make sense?
> 
> -chip




Re: Submitting a Feature Proposal

2014-02-26 Thread John Kinsella
Actually, if it’s a Significant Feature, I like seeing a spec put together to 
be referenced by the [PROPOSAL] thread. Take a look at 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Design and in particular 
the Design Document Template.

John

On Feb 26, 2014, at 7:34 AM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Anyone feel free to correct me if I'm wrong, but I typically open up a JIRA
ticket and a corresponding Review Board Request (
https://reviews.apache.org/dashboard/).

If it's a brand-new feature, I would suggest sending a message to dev@ with
the [PROPOSAL] tag in the subject line and filling people in on what you'd
like to do. This is a good way of collecting input from the group.


On Wed, Feb 26, 2014 at 6:35 AM, Alex Hitchins <alex.hitch...@shapeblue.com> wrote:

Firstly, thanks to all those who took part in the discussion on the 4.4 FF
date. I think we should have a discussion on altering the
release/development schedule.

That said, what is the process to submit a feature proposal?


Regards,

Alex Hitchins
VP Software Engineering


D: +44 1892 523 587 | S: +44 20 3603 0540 | M: +44 7788 423 969

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS





--
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkow...@solidfire.com
o: 303.746.7302
Advancing the way the world uses the
cloud
*(tm)*

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: [VOTE] Apache CloudStack 4.3.0 (sixth round)

2014-02-26 Thread John Kinsella
Just pushed a fix for that to master.

On Feb 25, 2014, at 5:55 PM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:

So how do you now 'provide' the jdbc connector on a Mac?
mvn -Pdeveloper -pl developer -Ddeploydb-simulator
...

SQL exception in trying initDB: java.sql.SQLException: No suitable driver
found for jdbc:mysql://localhost:3306/



On 2/21/14, 5:56 AM, "Hugo Trippaers" <h...@trippaers.nl> wrote:


Heya,

Just pushed commit ac00ab0087ca8f59184121697f7ac4343a694093
Author: Hugo Trippaers <htrippa...@schubergphilis.com>
Date:   Fri Feb 21 14:54:38 2014 +0100

  Cleanup all mysql dependencies and set all to provided.


This will set all mysql dependencies to provided and clean them up in the
process.

Tested:
Hugos-MacBook-Pro:cloudstack hugo (master)$ ls agent/target/dependencies/ | grep mysql
Hugos-MacBook-Pro:cloudstack hugo (master)$ jar -tf awsapi/target/cloud-awsapi-4.4.0-SNAPSHOT.war | grep mysql
Hugos-MacBook-Pro:cloudstack hugo (master)$ jar -tf client/target/cloud-client-ui-4.4.0-SNAPSHOT.war | grep mysql


Cheers,

Hugo


On 21 feb. 2014, at 13:48, Abhinandan Prateek <abhinandan.prat...@citrix.com> wrote:

What I get is that by fixing the pom.xml, maven will not package the
connector.
The dependency for the connector was set to compile time that made the
maven to download the connector at compile time instead of at run-time.
Due to this the connector got packaged.

Now changing it to provided will make maven get the connector for
compilation but due to expectation that this is available at run-time it
will not be packaged.

-abhi

On 21/02/14 6:01 pm, "Daan Hoogland" <daan.hoogl...@gmail.com> wrote:

sure,

we will need to do something in install instructions as well, do we?

thanks,
Daan

On Fri, Feb 21, 2014 at 1:28 PM, Abhinandan Prateek <abhinandan.prat...@citrix.com> wrote:
Daan,

It seems that the dependency on the connector can be changed so that the
connector is not packaged with the product.
Once Damodar, who is fixing it provides a patch we can take a call.

-abhi



On 21/02/14 5:31 pm, "Daan Hoogland" <daan.hoogl...@gmail.com> wrote:

Animesh,

Having followed the legal discussions and remarks from David on these
matters, I will have to retract my +1 and cast a -1 (binding). I
suggest we postpone 4.3 indefinitely awaiting legal advice and
discussion on how to proceed on this list.

sorry,
Daan

On Fri, Feb 21, 2014 at 12:16 PM, benoit lair <kurushi4...@gmail.com> wrote:
Hi,

I agree with Florin about GRE tunnel. It is very problematic. If i can't
get GRE tunnels working with xenserver 6.2, i won't be able to use the
ACS 4.3

So the jira CLOUDSTACK-5967 is not resolved, isn't it ?

Murali, you said on the Feb 14th (CLOUDSTACK-5967) that if there is a new
RC :
"Fix is simple, but not sure we can get this into 4.3, given
its not regression. Will get this in if there is a new RC."

Is it still relevant ?

Regards.

Benoit Lair.



2014-02-21 11:29 GMT+01:00 Srikanteswararao Talluri <
srikanteswararao.tall...@citrix.com>:

There is a bug filed for live migration on ESXi 5.5.
https://issues.apache.org/jira/browse/CLOUDSTACK-6146

I feel we need to fix this bug too in 4.3.

Thanks,
~Talluri

On 20/02/14 11:19 pm, "David Nalley"  wrote:

On Thu, Feb 20, 2014 at 11:23 AM, Chip Childers

wrote:
On Wed, Feb 19, 2014 at 04:25:21AM +, Animesh Chaturvedi
wrote:

[ ] +1  approve

[ ] +0  no opinion

[ ] -1  disapprove (and reason why)


Given the recently noticed legal issues with the mysql-connector-java
dependency, I'm -1 (binding) until that is resolved.


I hate to have to issue a -1 (binding) but will do so as well.

--David





--
Daan




--
Daan




Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella
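
The packaging check quoted above (`jar -tf ... | grep mysql` on the built WARs) only sees top-level entry names. The following is an added example, not code from this thread or from the CloudStack project: it generalizes that check to nested archives and to a driver class repackaged into another jar. The sample archives and their entry names are constructed, and the match patterns are assumptions about how the connector would appear.

```python
import io
import re
import sys
import zipfile

# Assumption: the connector is recognised by its jar file name, or by its
# driver class when it has been repackaged into some other jar.
FORBIDDEN = (
    re.compile(r"(^|/)mysql-connector-java[^/]*\.jar$"),
    re.compile(r"(^|/)com/mysql/jdbc/Driver\.class$"),
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # do not unpack implausibly large nested archives


def find_bundled(data, label, max_depth=3):
    """Return 'outer!/inner' paths of forbidden entries in a zip-format archive."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip archive (placeholder or corrupt file)
    hits = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            path = f"{label}!/{name}"
            if any(pattern.search(name) for pattern in FORBIDDEN):
                hits.append(path)
            elif (name.lower().endswith(ARCHIVE_SUFFIXES)
                  and max_depth > 0
                  and info.file_size <= MAX_NESTED_BYTES):
                # Recurse into WEB-INF/lib/*.jar and similar nested archives.
                hits.extend(find_bundled(archive.read(info), path, max_depth - 1))
    return hits


def scan_file(path):
    """Scan one build artifact on disk."""
    with open(path, "rb") as handle:
        return find_bundled(handle.read(), path)


def make_zip(entries):
    """Build an in-memory zip from {entry name: bytes}; used for sample data only."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


def sample_wars():
    """Constructed WARs: one clean, one bundling the jar, one with a shaded driver."""
    clean_lib = make_zip({"com/example/Dao.class": b"constructed"})
    shaded_lib = make_zip({
        "com/example/Dao.class": b"constructed",
        "com/mysql/jdbc/Driver.class": b"constructed",
    })
    web_xml = {"WEB-INF/web.xml": b"<web-app/>"}
    return {
        "clean.war": make_zip({**web_xml, "WEB-INF/lib/framework-db.jar": clean_lib}),
        "bundled.war": make_zip({
            **web_xml,
            "WEB-INF/lib/mysql-connector-java-5.1.21.jar": b"constructed placeholder",
        }),
        "shaded.war": make_zip({**web_xml, "WEB-INF/lib/framework-db.jar": shaded_lib}),
    }


if __name__ == "__main__":
    if sys.argv[1:]:
        found = [hit for path in sys.argv[1:] for hit in scan_file(path)]
    else:
        found = [hit for name, data in sample_wars().items()
                 for hit in find_bundled(data, name)]
    for hit in found:
        print("bundled:", hit)
    sys.exit(1 if found else 0)
```

Run with artifact paths as arguments, it exits non-zero when any of them still carries the connector, so it can gate a release build.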



FYI: 4.3 and 4.3-forward branches not building

2014-02-26 Thread John Kinsella
Before we go to another vote - apidocs build is failing with:

Traceback (most recent call last):
  File "/home/jlk/code/cloudstack/tools/apidoc/gen_toc.py", line 195, in <module>
    category = choose_category(fn)
  File "/home/jlk/code/cloudstack/tools/apidoc/gen_toc.py", line 175, in choose_category
    (fn, __file__))
Exception: Need to add a category for listOvsElements.xml to /home/jlk/code/cloudstack/tools/apidoc/gen_toc.py:known_categories

It’s working on master, so I’ll presume something needs to be cherry picked…



Re: developers and mysql

2014-02-26 Thread John Kinsella
I’ve merged one of the commits, will get the other two in this evening

On Feb 26, 2014, at 3:59 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Yeah, if we have a 4.3 workaround for this, that would be great. Thanks


On Wed, Feb 26, 2014 at 11:19 AM, Sonal Ojha <sonal.o...@sungard.com> wrote:

I am seeing the issue on 4.3 branch, can someone help me how can that be
made to work ??


On Wed, Feb 26, 2014 at 3:32 AM, Hugo Trippaers <trip...@gmail.com> wrote:

We are already pretty much locked in as all our database scripts are MySQL
specific. If we want to be neutral we should fix that.

Cheers,

Hugo

Sent from my iPhone

On 25 feb. 2014, at 22:57, David Nalley <da...@gnsa.us> wrote:

git blame showed that it came from the HA/replication work from Damoder.
I didn't speak up at the time, but I am really reluctant for
mysql-specific features to sneak in and lock us in.

On Tue, Feb 25, 2014 at 4:44 PM, Alex Huang <alex.hu...@citrix.com> wrote:
Who added the dependency on mysql for framework-db?  We actually worked
hard to keep that depending on jdbc only.  It should not depend on mysql.
We need to fix that.

--Alex

-Original Message-
From: Trippie [mailto:trip...@gmail.com] On Behalf Of Hugo Trippaers
Sent: Tuesday, February 25, 2014 3:34 AM
To: <dev@cloudstack.apache.org>
Subject: Re: developers and mysql

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from framework-db.
As the client target is responsible for building the war file for the
packages including this in the client pom would also put it in the war file
and in the packages.

I think i have an elegant solution, its now included as a dependency for both
the database deploy and the jetty:run target. Which makes it effectively a
"provided" library for the purpose of our maven build. See commit
8e6b86ae23dce802044388c5420ff61511d7115b and
e883877c7a6f9df04b572afd4ee5f10d265bcc3a.

I can deploy a database and start the jetty:run target now without any
trouble (at least not more trouble than usual ;-) )

My next step is to clean up some of the dependencies. I think that only
cloud-framework-db should have a provided dependency on mysql. It's the
only piece of source code that actually needs the mysql driver to be present
during compilation for the optional HA configuration. There are some test
classes that depend on database functionally but those should be moved to
an integration test profile that could include the database driver, those
tests are disabled anyway so they don't cause any trouble now.


Cheers,

Hugo

On 25 feb. 2014, at 06:39, Rajani Karuturi <rajani.karut...@citrix.com> wrote:

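Can we move the mysql-connector-java dependency to the parent
POM(SOURCE-ROOT/pom.xml) and define it different scopes for each profile?

ie)

<profile>
  <id>developer</id>
  <dependencies>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</profile>
<profile>
  <id>production</id>
  <dependencies>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</profile>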

Thanks,
~Rajani



On 24-Feb-2014, at 11:41 pm, Hugo Trippaers <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile
to include MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure
adding the jar after compile will help the deploydb target, but will
give it a try this morning.

Could we set up the pom.xmls to use the jar for execution if it's found in
the user/system classpaths while respecting the legal requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but
doesn't affect the developer issues.

-He who needs more maven experience

On Feb 24, 2014, at 7:36 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

Heya,

as the mysql dependency is now set to provided in all the poms to fix our
license compliancy the jetty target and the deployed targets are not working.

I'm trying to configure an optional profile to enable those targets to include
the mysql dependency while executing, but so far no luck. If anyone has
some bright ideas on how to do this i'm all ears. In the meantime the best
solutions i've found to continue working is to copy the mysql jar file into the
directory client/target/cloud-c

Re: developers and mysql

2014-02-26 Thread John Kinsella
I’ve cherry-picked these into 4.3-forward…will ask RM in a separate email to 
pick them into 4.3.

John

On Feb 26, 2014, at 5:26 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Awesome! Thanks, John!


On Wed, Feb 26, 2014 at 6:12 PM, John Kinsella <j...@stratosec.co> wrote:

I've merged one of the commits, will get the other two in this evening

On Feb 26, 2014, at 3:59 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Yeah, if we have a 4.3 workaround for this, that would be great. Thanks


On Wed, Feb 26, 2014 at 11:19 AM, Sonal Ojha <sonal.o...@sungard.com> wrote:

I am seeing the issue on 4.3 branch, can someone help me how can that be
made to work ??


On Wed, Feb 26, 2014 at 3:32 AM, Hugo Trippaers <trip...@gmail.com> wrote:

We are already pretty much locked in as all our database scripts are MySQL
specific. If we want to be neutral we should fix that.

Cheers,

Hugo

Sent from my iPhone

On 25 feb. 2014, at 22:57, David Nalley <da...@gnsa.us> wrote:

git blame showed that it came from the HA/replication work from Damoder.
I didn't speak up at the time, but I am really reluctant for
mysql-specific features to sneak in and lock us in.

On Tue, Feb 25, 2014 at 4:44 PM, Alex Huang <alex.hu...@citrix.com> wrote:
Who added the dependency on mysql for framework-db?  We actually worked
hard to keep that depending on jdbc only.  It should not depend on mysql.
We need to fix that.

--Alex

-Original Message-
From: Trippie [mailto:trip...@gmail.com] On Behalf Of Hugo Trippaers
Sent: Tuesday, February 25, 2014 3:34 AM
To: <dev@cloudstack.apache.org>
Subject: Re: developers and mysql

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from framework-db.
As the client target is responsible for building the war file for the
packages including this in the client pom would also put it in the war file
and in the packages.

I think i have an elegant solution, its now included as a dependency for both
the database deploy and the jetty:run target. Which makes it effectively a
"provided" library for the purpose of our maven build. See commit
8e6b86ae23dce802044388c5420ff61511d7115b and
e883877c7a6f9df04b572afd4ee5f10d265bcc3a.

I can deploy a database and start the jetty:run target now without any
trouble (at least not more trouble than usual ;-) )

My next step is to clean up some of the dependencies. I think that only
cloud-framework-db should have a provided dependency on mysql. It's the
only piece of source code that actually needs the mysql driver to be present
during compilation for the optional HA configuration. There are some test
classes that depend on database functionally but those should be moved to
an integration test profile that could include the database driver, those
tests are disabled anyway so they don't cause any trouble now.


Cheers,

Hugo

On 25 feb. 2014, at 06:39, Rajani Karuturi <rajani.karut...@citrix.com> wrote:

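Can we move the mysql-connector-java dependency to the parent
POM(SOURCE-ROOT/pom.xml) and define it different scopes for each profile?

ie)

<profile>
  <id>developer</id>
  <dependencies>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</profile>
<profile>
  <id>production</id>
  <dependencies>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</profile>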

Thanks,
~Rajani



On 24-Feb-2014, at 11:41 pm, Hugo Trippaers <trip...@gmail.com> wrote:

Indeed,

I've been fighting with maven all day to get the development profile
to include MySql. No luck yet, will give it another shot tomorrow :-)

Hugo

Sent from my iPhone

On 24 feb. 2014, at 18:21, David Nalley <da...@gnsa.us> wrote:

So it should be ok to include the jar in non-default builds. developer
and deploydb are not what we'd expect a normal user to consume.
(Anyone else's head spinning?)

--David

On Mon, Feb 24, 2014 at 11:44 AM, John Kinsella <j...@stratosec.co> wrote:
I created CLOUDSTACK-6157 over the weekend to track this. Not sure
adding the jar after compile will help the deploydb target, but will
give it a try this morning.

Could we set up the pom.xmls to use the jar for execution if it's found in
the user/system classpaths while respecting the legal requirements?

Rayees' suggestion for cloud.spec makes sense for the RPM builds, but
doesn't affect the developer issues.

-He w

[4.3] [Cherry-pick] developer mysql dependencies

2014-02-26 Thread John Kinsella
Dearest RM - would like the following commits from 4.3-forward picked into 4.3.

To the best of my knowledge they comply with ASF third-party licensing policy 
for build scripts [1].

24dcf2948c2d4cdd98fcda0f766d82f40eee8be1
2c3cd90b5604cde8123968b15ef6c53bad43b5e2
f5aeac845df8b73b1525442461a8a811e61439d0
54db315214f8dd518eaf1f1615d423d9f4129d31

John
1: https://www.apache.org/legal/3party.html#options-build



Re: 4.4 Feature Freeze

2014-02-26 Thread John Kinsella
I don’t see not moving the freeze date as a penalty.  If a feature doesn’t make 
the current deadline, it moves to the next release, which is still a few months 
away. For significant issues, it’s not uncommon for us to allow them in late.

What we have a stronger need for than shifting a date, by several orders of 
magnitude, is understanding why the RC process took so long and what we can do 
in the future to make that not so painful.

For the record I’m +0 on moving the feature freeze date.

John

On Feb 26, 2014, at 7:10 PM, Ram Ganesh  wrote:

> I share it too. Many developers in the community went out of their way to get 
> a cleaner RC and thereby impacting their feature development efforts. We 
> shouldn't be penalizing them with this 2 week's feature freeze schedule
> 
> Thanks,
> RamG
> 
>> -Original Message-
>> From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
>> Sent: 27 February 2014 03:00
>> To: dev@cloudstack.apache.org
>> Subject: RE: 4.4 Feature Freeze
>> 
>> Mike I share your opinion most of us have been pretty much on 4.3 until
>> now, and pushing out the release seems reasonable. As I called out in earlier
>> mail the feature proposal date was not called out for 4.4 and as such giving
>> little extra room seems reasonable.
>> 
>> Animesh
>> 
>>> -Original Message-
>>> From: Mike Tutkowski [mailto:mike.tutkow...@solidfire.com]
>>> Sent: Wednesday, February 26, 2014 7:29 AM
>>> To: dev@cloudstack.apache.org
>>> Subject: Re: 4.4 Feature Freeze
>>> 
>>> I think we're having this discussion after every release because we're
>>> beginning to realize that a four-month release cycle has not been very
>>> realistic for us yet.
>>> 
>>> The main issue I encounter is our month-long RC cycle where I spend a
>>> bunch of time validating the RC and (during that timeframe) less time
>>> developing for the next release as I had initially planned.
>>> 
>>> Perhaps instead of extending the cycle we could consider ways to
>>> actually meet the schedule on a consistent basis. That would be fine, as
>> well.
>>> 
>>> 
>>> On Wed, Feb 26, 2014 at 8:04 AM, Hugo Trippaers 
>>> wrote:
>>> 
 -1 on postponing the feature freeze. We are having this discussion
 after every release, however we agreed to do a 4 month cycle so
 let's stick
>>> to it.
 
 If there are important features that are currently being developed
 but might not make this cut-off date we should discuss that
 separately, but as a point of principle lets stick to the release schedule 
 as
>> proposed.
 
 
 Cheers,
 
 Hugo
 
 
 On 26 feb. 2014, at 15:23, Tracy Phillips
 
 wrote:
 
> +1 to Daan.
> 
> Tracy Phillips
> Weberize, Inc.
> 
> 
> On Wed, Feb 26, 2014 at 7:48 AM, Daan Hoogland
>  wrote:
> 
>> -1 for postponing the feature freeze. It will amount to more
>> features in the release. I'd rather shorten the cycle and do more
>> releases then to pack more bugs in a single go.
>> 
>> On Wed, Feb 26, 2014 at 1:13 PM, Guo Star 
>>> wrote:
>>> +1
>>> 
>>> 
>>> 2014-02-26 20:01 GMT+08:00 Abhinandan Prateek <
>> abhinandan.prat...@citrix.com
 :
>>> 
 +1 for 4.4 feature freeze on 3/28.
 
 On 26/02/14 10:01 am, "Sateesh Chodapuneedi"
  wrote:
 
>> -Original Message-
>> From: Mike Tutkowski [mailto:mike.tutkow...@solidfire.com]
>> Sent: 26 February 2014 04:46
>> To: dev@cloudstack.apache.org
>> Subject: Re: 4.4 Feature Freeze
>> 
>> I think this is a good idea, Animesh (to push out feature
>> freeze to 3/28).
> 
> +1 to move 4.4 feature freeze date to 3/28.
> 
> Regards,
> Sateesh
> 
>> I also agree we should discuss 4+ month development cycles
>> again.
>> 
>> 
>> On Tue, Feb 25, 2014 at 3:43 PM, Animesh Chaturvedi <
>> animesh.chaturv...@citrix.com> wrote:
>> 
>>> I will start a separate discussion on 4 month cycle or
>>> longer, but wanted to call out one more important date.
>>> 
>>> We have a last day for feature proposal date which is
>>> typically a month before feature freeze date. If following
>>> 4.3 schedule + 4
>> month
>>> it would have been 2/14 and we are already past that. Since
>>> it was
>> not
>>> announced for
>>> 4.4 release yet my suggestion would be to keep feature
>>> proposal
>> open
>>> for another week and push all  the dates out by 2 weeks to
>>> give
>> folks
>>> opportunity to finish up their features for new proposals
>>> that are
>> yet
>>> to come out.
>>> 
>>> To be clear that would mean pushing out feature freeze to
>>> 3/28 from
>>> 3/14 and all 

Re: developers and mysql

2014-02-27 Thread John Kinsella
Mike - that’s not a JDBC error. Can you connect to the db using the mysql 
client and properties under utils/conf/db.properties or 
utils/conf/db.properties.override?

On Feb 27, 2014, at 11:59 AM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Actually - I get this same error in master, as well.

Consistent at least. :)


On Thu, Feb 27, 2014 at 12:37 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Just an FYI that I've tried this process on both 4.3-forward and 4.3.

mvn -P developer -pl developer -Ddeploydb fails in both cases with the
following error:

SQL exception in trying initDB:
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications
link failure

The last packet sent successfully to the server was 0 milliseconds ago.
The driver has not received any packets from the server.


On Wed, Feb 26, 2014 at 11:06 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Hey John,

I'm just getting around now to trying to rebuild my CS environment using
the new changes in 4.3-forward.

When I run the following:

mvn -P developer -pl developer -Ddeploydb

I receive the following error:

> Running query: drop database if exists `cloud`

SQL exception in trying initDB:
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications
link failure

I ran mvn -P deps before deploying the DB just to be sure.

To build the system in the first place, I ran the following after
fetching the latest:

mvn -P developer,systemvm clean install

Any thoughts on this?

Thanks!


On Wed, Feb 26, 2014 at 8:22 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Great, John - thanks again!


On Wed, Feb 26, 2014 at 7:10 PM, John Kinsella <j...@stratosec.co> wrote:

I've cherry-picked these into 4.3-forward...will ask RM in a separate
email to pick them into 4.3.

John

On Feb 26, 2014, at 5:26 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Awesome! Thanks, John!


On Wed, Feb 26, 2014 at 6:12 PM, John Kinsella <j...@stratosec.co> wrote:

I've merged one of the commits, will get the other two in this evening

On Feb 26, 2014, at 3:59 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Yeah, if we have a 4.3 workaround for this, that would be great. Thanks


On Wed, Feb 26, 2014 at 11:19 AM, Sonal Ojha <sonal.o...@sungard.com> wrote:

I am seeing the issue on 4.3 branch, can someone help me how can that be
made to work ??


On Wed, Feb 26, 2014 at 3:32 AM, Hugo Trippaers <trip...@gmail.com> wrote:

We are already pretty much locked in as all our database scripts are MySQL
specific. If we want to be neutral we should fix that.

Cheers,

Hugo

Sent from my iPhone

On 25 feb. 2014, at 22:57, David Nalley <da...@gnsa.us> wrote:

git blame showed that it came from the HA/replication work from Damoder.
I didn't speak up at the time, but I am really reluctant for
mysql-specific features to sneak in and lock us in.

On Tue, Feb 25, 2014 at 4:44 PM, Alex Huang <alex.hu...@citrix.com> wrote:
Who added the dependency on mysql for framework-db?  We actually worked
hard to keep that depending on jdbc only.  It should not depend on mysql.
We need to fix that.

--Alex

-Original Message-
From: Trippie [mailto:trip...@gmail.com] On Behalf Of Hugo Trippaers
Sent: Tuesday, February 25, 2014 3:34 AM
To: <dev@cloudstack.apache.org>
Subject: Re: developers and mysql

Heya,

Just pushed a change that will make the database work again. :-)


@Alex. The mysql jar used to be pulled in as a dependency from framework-db.
As the client target is responsible for building the war file for the
packages including this in the client pom would also put it in the war file
and in the packages.

I think i have an elegant solution, its now included as a dependency for both
the database deploy and the jetty:run target. Which makes it effectively a
"provided" library for the purpose of our maven build. See commit
8e6b86ae23dce802044388c5420ff61511d7115b and
e883877c7a6f9df04b572afd4ee5f10d265

Re: Looking for test folks on the community!

2014-02-27 Thread John Kinsella
Raja - curious why you’re asking?

On Feb 26, 2014, at 10:00 PM, Raja Pullela  wrote:

> Hi,
> 
> Can you please respond if you are actively involved or looking get involved 
> in testing 4.4 Release?
> 
> Thanks,
> Raja
> 




[DISCUSS] realhostip.com going away

2014-02-28 Thread John Kinsella
Folks: Recently the PMC was informed that the realhostip.com DNS service that 
ACS currently uses by default as part of the console proxy will be disbanded 
this summer.

We’ve been informed the realhostip service will be shut down June 30th, 2014, 
so we have approximately 4 months to mitigate this.

Here’s my thoughts on how to proceed, in order of priority:

* Make the transition as smooth as possible for current ACS users. Need to 
create clear documentation in the wiki that we can point to on how to migrate 
an existing ACS installation from using realhostip.com to a user’s own 
certificate and resolver. I see section 16.4.2 in the 4.2 admin guide talks 
about this, but I think we can improve a bit. e.g. the current docs don’t make 
it clear that a wildcard cert is required. Once we have a transition guide in 
place, I intend to announce to users@ and announce@ along with the social media 
paths. This isn’t private, but I’d rather not announce until we have a clear, 
tested easy to follow transition guide to make this as painless as possible for 
folks. I’m working on this and will update after testing.
* If at all possible, I’d really like to get something big and visible into the 
4.3 documentation warning users about this.
* For 4.4, we should no longer be using SSL/realhostip for console proxy. We’re 
expecting some patches to address this, I’ll update this thread once they hit 
and/or a Jira issue is created.

Open to any thoughts/suggestions.

John

Re: 4.4 Feature Freeze

2014-02-28 Thread John Kinsella
I’m completely in-line with Hugo on this. Was actually going to make similar 
comments about the…solidness of the arguments to move.

On Feb 28, 2014, at 6:09 AM, Hugo Trippaers <h...@trippaers.nl> wrote:

i’m all for being flexible, but i find a lot of the arguments used here 
debatable.

“It causes developers to rush their development to meet the deadline." This 
will happen anyway, every time we’ve extended the deadline we got new features 
coming in at the last minute. Actually i’m under the impression that when we 
move the deadline people will actually try to get more features in instead of 
working on stabilizing existing features.

“We can’t deliver features on the roadmap.” There is validity to this point, 
but on the other hand we already know the entire release schedule way ahead, 
this feature freeze date should not come as a surprise. But as i mentioned in 
an earlier mail, lets have this discussion. Post which features might not make 
it into the release so we can have a discussion if we should slip the release 
date to get this feature in. I think we all know that there are commercial 
parties working with this software to build releases and have customers 
demanding features, but if we don’t discuss that on list it’s hard for us to 
take it into account.

“Feature freeze wasn’t called” True, i wasn’t even aware that this was a 
requirement. We should add this to the procedure here 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Releases so release 
managers know this is expected of them. It should not impact the dates as the 
dates are already fixed by the release schedule (every 4 months)


I’m still -1 on extending the feature freeze. I would rather extend the 
test/stability phase so we have some more time to fix issues before we get into 
the RC spinning.


This is the list of current features targeted for 4.4 according to our Jira. 
Which features would be impacted if we don’t move the feature freeze?

ASF JIRA
Project: CloudStack
Type: New Feature
Fix Version: 4.4.0
Resolution: Unresolved
Sorted by: Updated descending
1–15 of 15 as at: 28/Feb/14 15:07

Key | Summary | Assignee | Reporter | Status | Resolution | Created | Updated
CLOUDSTACK-6181 | Root resize | Unassigned | Nux | Open | Unresolved | 27/Feb/14 | 27/Feb/14
CLOUDSTACK-6161 | distributed routing and network ACL with OVS plug-in | Murali Reddy | Murali Reddy | Open | Unresolved | 24/Feb/14 | 24/Feb/14
CLOUDSTACK-6092 | Storage OverProvisioning as a Per Primary Basis | Saksham Srivastava | Saksham Srivastava | Open | Unresolved | 13/Feb/14 | 20/Feb/14
CLOUDSTACK-6144 | HA for guest VMs running Hyper-V | Unassigned | Rajesh Battala | Open | Unresolved | 20/Feb/14 | 20/Feb/14
CLOUDSTACK-6143 | Storage Live-Migration support for Hyper-V | Unassigned | Rajesh Battala | Open | Unresolved | 20/Feb/14 | 20/Feb/14
CLOUDSTACK-6142 | Zone Wide Primary Store in Hyper-V | Unassigned | Rajesh Battala | Open | Unresolved | 20/Feb/14 | 20/Feb/14
CLOUDSTACK-6104 | PVLAN support for CloudStack deployment over Nexus 1000v in VMware environment | Sateesh Chodapuneedi | Sateesh Chodapuneedi | Open | Unresolved | 14/Feb/14 | 15/Feb/14
CLOUDSTACK-6109 | Support of iSCSI as primary store in Hyper-V | Rajesh Battala | Rajesh Battala | Open | Unresolved | 14/Feb/14 | 14/Feb/14
CLOUDSTACK-6106 | Support of VPC in HyperV | Rajesh Battala | Rajesh Battala | Open | Unresolved | 14/Feb/14 | 14/Feb/14
CLOUDSTACK-6090 | Virtual Router Service Failure Alerting | Harikrishna Patnala | Harikrishna Patnala | Open | Unresolved | 13/Feb/14 | 13/Feb/14
CLOUDSTACK-6052 | List VM enhancement to support querying with multiple VM IDs | Koushik Das | Koushik Das | Open | Unresolved | 07/Feb/14 | 07/Feb/14
CLOUDSTACK-5569 | enhance OVS plug-in to support region level VPC and guest networks that span zones | Murali Reddy | Murali Reddy | Open | Unresolved | 19/Dec/13 | 19/Dec/13
CLOUDSTACK-5568 | introduce notion of guest network that spans multiple zones | Murali Reddy | Murali Reddy | Open | Unresolved | 19/Dec/13 | 19/Dec/13
CLOUDSTACK-5567 | enable VPC at region level | Murali Reddy | Murali Reddy | Open | Unresolved | 19/Dec/13 | 19/Dec/13
CLOUDSTACK-5398 | Cloudstack network-element plugin to orchestrate Juniper's switches | Unassigned | Pradeep H Krishnamurthy | Open | Unresolved | 06/Dec/13 | 06/Dec/13



Cheers,

Hugo

On 28 feb. 2014, at 10:17, Prasanna Santhanam <t...@apache.org> wrote:

On Fri, Feb 28, 2014 at 07:26:10AM +, Ram Ganesh wrote:
Yes. I can only agree with you on this.  When we come up with dates
we have to be cognizant about slips in prior releases (we had 6 RC
re-spins and counting) which would have had impact which is the
case now.  We have to be bit flexible with our dates.


But you do agree that the re-spins uncovered bugs/issues that needed
to be fixed? Is it perhaps a mismatch in when the artifacts start
getting tested by the users+devs as opposed to when company-x might be
satisfied with their testing? More than 90% of the re-spins are
bugs/issues uncovered by users who needed RC candidates and weren't
testing artifacts on a daily basis (I could be wrong here).

Re: [DISCUSS] realhostip.com going away

2014-03-03 Thread John Kinsella
I talked with some of the Citrix folk over the weekend…their position is they 
think they’d be doing the community a disfavor by passing the torch, 
so-to-speak, and I agree with them [1].

>From what I understand, the patches that are going to be proposed will remove 
>HTTPS completely and encrypt over http. That said, I haven’t seen anything 
>yet, so until we see something we’re guessing. I’m waiting a few more days to 
>see what’s proposed.

John
1: I’m sharing conversations with individuals, so take this as hearsay not 
official comment from Citrix.

On Mar 2, 2014, at 8:15 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

There are a few issues with the current console proxy setup, not least of which 
is the need to have internet access to resolve realhostip.com in the first 
place - so console proxy can't work if you don't have internet access on your 
client.  I have configured alternative realhostip.com setups for clients - and 
quite a lot of work goes into creating the infrastructure (and certs) to 
support changing to a user managed certificate.

Sooo, is it at all possible to secure communications with the console proxy, 
without having to rely on ANY outside entity?

Testing alone is going to be a pain, if a full ssl cert setup is required to 
use console proxy..

Regards

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: Amogh Vasekar [mailto:amogh.vase...@citrix.com]
Sent: 28 February 2014 23:05
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] realhostip.com going away



On 2/28/14 2:03 PM, "Nux!"  wrote:

There's also the problem of the certificate. It comes bundled in ACS as
far as I can tell.. When does it expire?

notBefore=Feb  3 03:30:40 2012 GMT
notAfter=Feb  7 05:11:23 2017 GMT


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella
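
An added example, not part of the thread or of CloudStack's code: a check that a replacement certificate covers every console proxy hostname, which shows why the [DISCUSS] message that opened this thread says a wildcard certificate is required, together with a parser for the notBefore/notAfter lines quoted above. The dashed-IP hostname scheme, the example.com domain and the IP addresses are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data: documentation-range IPs and a placeholder domain.
CONSOLE_PROXY_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
CUSTOM_DOMAIN = "consoleproxy.example.com"

# The validity lines quoted in the thread for the bundled certificate.
BUNDLED_CERT_DATES = """notBefore=Feb  3 03:30:40 2012 GMT
notAfter=Feb  7 05:11:23 2017 GMT"""


def proxy_hostname(ip, domain):
    """Assumed naming scheme: 203.0.113.10 -> 203-0-113-10.<domain>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return str(addr).replace(".", "-") + "." + domain.lower().rstrip(".")


def name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    A leading '*' label stands in for exactly one label, so '*.example.com'
    covers 'a.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(cert_names, ips, domain):
    """Return the console proxy hostnames that no certificate name covers."""
    hosts = [proxy_hostname(ip, domain) for ip in ips]
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


def parse_validity(text):
    """Parse 'notBefore=' / 'notAfter=' lines in the form quoted in the thread."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = " ".join(value.split())  # collapse the space-padded day field
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            out[key] = parsed.replace(tzinfo=timezone.utc)
    if set(out) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return out


def valid_on(validity, when):
    """True if 'when' falls inside the certificate's validity window."""
    return validity["notBefore"] <= when <= validity["notAfter"]


if __name__ == "__main__":
    for names in (["*.consoleproxy.example.com"], ["consoleproxy.example.com"]):
        missing = uncovered_hosts(names, CONSOLE_PROXY_IPS, CUSTOM_DOMAIN)
        print(names, "->", "all hosts covered" if not missing else missing)
    window = parse_validity(BUNDLED_CERT_DATES)
    shutdown = datetime(2014, 6, 30, tzinfo=timezone.utc)
    print("bundled cert valid on shutdown date:", valid_on(window, shutdown))
```

A single-name certificate leaves every per-IP hostname uncovered, and so does a wildcard issued one level too high (`*.example.com`), because the wildcard stands in for only one label.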



Re: [PROPOSAL] Ability to add new guest OS

2014-03-04 Thread John Kinsella
+1 for the feature, but usually I just go for “other paravirtualized (64 bit)” 
(paraphrasing, mistakes mine) nowadays. What would be more useful, IMHO, is to 
better document what the OS type selection choice means for a VM. 
For KVM, it’s a hell of a lot more than SCSI vs IDE root disk...

On Mar 3, 2014, at 12:44 PM, Amogh Vasekar <amogh.vase...@citrix.com> wrote:

Hi,

CloudStack currently does not allow an easy way to add new guest OS types,
for example, a standard way to add say, CentOS 6.5 even though a
hypervisor may support it.
Part of the reason is since the OS to hypervisor-specific platform
mappings are currently hard-coded into the code-base [1][2]
To support such new OS addition, the current way is to manipulate the DB
using upgrade scripts and make the necessary code changes.
This proposal aims to partially mitigate this issue by allowing the
CloudStack admin the ability to add new OS in the list, and update the
mapping to hypervisor-specific platform names, via APIs / UI. For now, the
admin will be responsible for providing the mapping to hypervisor-specific
platform names based on his knowledge, which may be enhanced in future.
For example, based on [1], an admin should be able to add a mapping like :
CentOS 6.5 (64 bit) -> CentsOS 6.5 .

The functional spec can be found at :
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Proposal+-+Ability+to+add+new+guest+OS+mappings

Comments / suggestions welcome.

Thanks,
Amogh


[1]
https://github.com/apache/cloudstack/blob/master/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/KVMGuestOsMapper.java
[2]
https://github.com/apache/cloudstack/blob/master/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixHelper.java


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Review Request 18759: HTTP support for console proxy and making it default

2014-03-04 Thread John Kinsella

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18759/#review36212
---


Amogh - thanks for the patch.  Some small issues on this patch. I've got larger 
comments but I'll post them on the "Realhostip.com shutting down on June 30" 
thread.


core/src/com/cloud/info/ConsoleProxyInfo.java
<https://reviews.apache.org/r/18759/#comment67147>

Can you clean up trailing whitespace added in lines like this?



server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
<https://reviews.apache.org/r/18759/#comment67148>

This doesn't seem relevant to the issue at hand.



systemvm/conf/consoleproxy.properties
<https://reviews.apache.org/r/18759/#comment67149>

Why change the listening port? I don't see what this has to do with moving 
from HTTPS to HTTP...


- John Kinsella


On March 5, 2014, 1:42 a.m., Amogh Vasekar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18759/
> ---
> 
> (Updated March 5, 2014, 1:42 a.m.)
> 
> 
> Review request for cloudstack, Demetrius Tsitrelis and John Kinsella.
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Changes to support HTTP mode in Console Proxy, per 
> http://www.mail-archive.com/dev@cloudstack.apache.org/msg24151.html , as 
> realhostip may go away
> 
> More details here : 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
> 
> 
> Diffs
> -
> 
>   core/src/com/cloud/info/ConsoleProxyInfo.java 3439f3d 
>   
> engine/storage/image/src/org/apache/cloudstack/storage/image/TemplateServiceImpl.java
>  a649bb7 
>   
> plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/driver/CloudStackImageStoreDriverImpl.java
>  52cad3b 
>   server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java 3572127 
>   server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java 
> a3f837b 
>   systemvm/conf/consoleproxy.properties bb452f5 
> 
> Diff: https://reviews.apache.org/r/18759/diff/
> 
> 
> Testing
> ---
> 
> Tested on local environment by 
> 1. Using HTTP based console proxy
> 2. HTTPS with realhostip domain
> 3. HTTPS with custom domain and self-signed cert
> 4. Secondary storage template download with custom domain and self-signed cert
> 
> 
> Thanks,
> 
> Amogh Vasekar
> 
>



Re: [DISCUSS] realhostip.com going away

2014-03-04 Thread John Kinsella
While this patch might address the direct problem, a quick string search of the 
source shows “realhostip.com” in a few more places that also need to be cleaned 
up, including in the db. I haven’t actually applied the patch yet, just read 
over it a few times. Will try to apply/test tomorrow.

I’m going to sleep on this and mull it over a little more, will probably 
comment more tomorrow.

John

On Mar 4, 2014, at 5:43 PM, Amogh Vasekar <amogh.vase...@citrix.com> wrote:

Hello,

I have created a review request at : https://reviews.apache.org/r/18759/
that partially addresses the issue. It has a link to the wiki describing the
changes in detail.

Thanks,
Amogh

On 3/3/14 8:58 AM, "John Kinsella" <j...@stratosec.co> wrote:

I talked with some of the Citrix folk over the weekend…their position is
they think they'd be doing the community a disfavor by passing the torch,
so-to-speak, and I agree with them [1].

From what I understand, the patches that are going to be proposed will
remove HTTPS completely and encrypt over http. That said, I haven't seen
anything yet, so until we see something we're guessing. I'm waiting a few
more days to see what's proposed.

John
1: I'm sharing conversations with individuals, so take this as hearsay
not official comment from Citrix.

On Mar 2, 2014, at 8:15 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

There are a few issues with the current console proxy setup, not least of
which is the need to have internet access to resolve realhostip.com in
the first place - so console proxy can't work if you don't have internet
access on your client.  I have configured alternative realhostip.com
setups for clients - and quite a lot of work goes into creating the
infrastructure (and certs) to support changing to a user managed
certificate.

Sooo, is it at all possible to secure communications with the console
proxy, without having to rely on ANY outside entity?

Testing alone is going to be a pain, if a full ssl cert setup is required
to use console proxy..

Regards

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: Amogh Vasekar [mailto:amogh.vase...@citrix.com]
Sent: 28 February 2014 23:05
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] realhostip.com going away



On 2/28/14 2:03 PM, "Nux!" <n...@li.nux.ro> wrote:

There's also the problem of the certificate. It comes bundled in ACS as
far as I can tell.. When does it expire?

notBefore=Feb  3 03:30:40 2012 GMT
notAfter=Feb  7 05:11:23 2017 GMT


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella






The global settings beast...

2014-03-05 Thread John Kinsella
One thing that’s been gnawing on me - we keep shoving more and more stuff into 
the global settings shortcut instead of creating a proper settings UI. Then 
some new user comes along all shiny-eyed at the awesomeness of ACS, but wonders 
why something isn’t working, only to be told that combination of a) it’s in the 
docs and b) you have to scroll down through 30 items in global settings, then 
change something, then restart mgmt, then re-login…then it’ll work.

I know the UI is supposed to be a proof of concept, but I’m thinking we need to 
shed that label and empty out some closeted skeletons such as this.

Am I the only one this bothers, or should we maybe set it as a goal for 4.5 
(maybe this is on a feature list and I’ve missed it…)?

John

Re: [DISCUSS] realhostip.com going away

2014-03-05 Thread John Kinsella
It’s not.

On Mar 5, 2014, at 1:48 AM, Erik Weber <terbol...@gmail.com> wrote:

How is security being handled in HTTP mode?


--
Erik


On Wed, Mar 5, 2014 at 2:43 AM, Amogh Vasekar <amogh.vase...@citrix.com> wrote:

Hello,

I have created a review request at : https://reviews.apache.org/r/18759/
that partially addresses the issue. It has a link to the wiki describing the
changes in detail.

Thanks,
Amogh

On 3/3/14 8:58 AM, "John Kinsella" <j...@stratosec.co> wrote:

I talked with some of the Citrix folk over the weekend…their position is
they think they'd be doing the community a disfavor by passing the torch,
so-to-speak, and I agree with them [1].

From what I understand, the patches that are going to be proposed will
remove HTTPS completely and encrypt over http. That said, I haven't seen
anything yet, so until we see something we're guessing. I'm waiting a few
more days to see what's proposed.

John
1: I'm sharing conversations with individuals, so take this as hearsay
not official comment from Citrix.

On Mar 2, 2014, at 8:15 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

There are a few issues with the current console proxy setup, not least of
which is the need to have internet access to resolve realhostip.com in
the first place - so console proxy can't work if you don't have internet
access on your client.  I have configured alternative realhostip.com
setups for clients - and quite a lot of work goes into creating the
infrastructure (and certs) to support changing to a user managed
certificate.

Sooo, is it at all possible to secure communications with the console
proxy, without having to rely on ANY outside entity?

Testing alone is going to be a pain, if a full ssl cert setup is required
to use console proxy..

Regards

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
paul.an...@shapeblue.com

-Original Message-
From: Amogh Vasekar [mailto:amogh.vase...@citrix.com]
Sent: 28 February 2014 23:05
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] realhostip.com going away



On 2/28/14 2:03 PM, "Nux!" <n...@li.nux.ro> wrote:

There's also the problem of the certificate. It comes bundled in ACS as
far as I can tell.. When does it expire?

notBefore=Feb  3 03:30:40 2012 GMT
notAfter=Feb  7 05:11:23 2017 GMT


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella







Re: 4.3 vote

2014-03-05 Thread John Kinsella
FYI I’m still -1 until CLOUDSTACK-6156 and https://reviews.apache.org/r/18392/ 
is addressed.

On Mar 5, 2014, at 10:10 AM, Animesh Chaturvedi  
wrote:

> 
> 
>> -Original Message-
>> From: sebgoa [mailto:run...@gmail.com]
>> Sent: Wednesday, March 05, 2014 7:58 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: 4.3 vote
>> 
>> 
>> On Mar 5, 2014, at 4:54 PM, Nux!  wrote:
>> 
>>> On 05.03.2014 15:52, Animesh Chaturvedi wrote:
 Working on it now, waiting on 1 last thing for realhostip changes
>>> 
>>> So, does the realhostip "feature" disappear starting with 4.3?
>> 
>> if that's the case we need to put this on the release notes. Happy to do so if
>> someone send me the text..
> [Animesh] It is really a convenience that we got used to not a feature. You 
> can specify your own domain name and change the certificate even now with 4.2 
> and prior releases. The instructions are in Admin Guide [1]
> 
> Amogh has put a wiki on the changes at [2]. 
> 
> 
> [1] 
> http://cloudstack.apache.org/docs/en-US//Apache_CloudStack/4.2.0/html/Admin_Guide/console-proxy.html#change-console-proxy-ssl-certificate-domain
> 
> [2] 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
> 
> 
> 
>> 
>>> 
>>> Lucian
>>> 
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> 
>>> Nux!
>>> www.nux.ro
> 



Re: 4.3 vote

2014-03-05 Thread John Kinsella
The dependency’s actually been broken for a very long time, apparently. On a 
clean box with no maven repository cache (rm -rf ~/.m2/repository), awsapi (and 
therefore RPMs) will not build.

It looks like Noa saw similar issue in 
42f3804fbdde7bfe4f3676ef0c18a54dfe95354c, but I’m still seeing issues.

John

On Mar 5, 2014, at 11:10 AM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

John when was the dependency broken? Are you not able to build AWSAPI?

-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Wednesday, March 05, 2014 11:00 AM
To: dev@cloudstack.apache.org
Subject: Re: 4.3 vote

FYI I'm still -1 until CLOUDSTACK-6156 and
https://reviews.apache.org/r/18392/ is addressed.

On Mar 5, 2014, at 10:10 AM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:



-Original Message-
From: sebgoa [mailto:run...@gmail.com]
Sent: Wednesday, March 05, 2014 7:58 AM
To: dev@cloudstack.apache.org
Subject: Re: 4.3 vote


On Mar 5, 2014, at 4:54 PM, Nux! <n...@li.nux.ro> wrote:

On 05.03.2014 15:52, Animesh Chaturvedi wrote:
Working on it now, waiting on 1 last thing for realhostip changes

So, does the realhostip "feature" disappear starting with 4.3?

if that's the case we need to put this on the release notes. Happy to
do so if someone send me the text..
[Animesh] It is really a convenience that we got used to not a
feature. You can specify your own domain name and change the
certificate even now with 4.2 and prior releases. The instructions are
in Admin Guide [1]

Amogh has put a wiki on the changes at [2].


[1]
http://cloudstack.apache.org/docs/en-US//Apache_CloudStack/4.2.0/html/Admin_Guide/console-proxy.html#change-console-proxy-ssl-certificate-domain

[2]
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes




Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro



Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Review Request 18759: HTTP support for console proxy and making it default

2014-03-06 Thread John Kinsella

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18759/#review36376
---



core/src/com/cloud/info/ConsoleProxyInfo.java
<https://reviews.apache.org/r/18759/#comment67322>

You're now fixing whitespace issues, instead of adding them. :)

Please leave formatting corrections for a separate review or commit, 
they're not related to this bug.

Sorry, I'm a stickler on mixing formatting changes with logic changes. 
Makes the patch less readable.



server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
<https://reviews.apache.org/r/18759/#comment67323>

Pull this set of include re-ordering from the patch please. Not a logic 
change, confusing.



setup/db/db/schema-421to430.sql
<https://reviews.apache.org/r/18759/#comment67324>

1) Why 2 subqueries on these 2 updates? Shouldn't just...

UPDATE `cloud`.`configuration` 
SET `value` = CONCAT("*.",(SELECT `value` FROM `cloud`.`configuration` 
WHERE `name`="secstorage.ssl.cert.domain")) 
WHERE `name`="secstorage.ssl.cert.domain";

work?

2) What happens here if a install already has changed away from 
realhostip.com?


- John Kinsella


On March 5, 2014, 8:47 p.m., Amogh Vasekar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18759/
> ---
> 
> (Updated March 5, 2014, 8:47 p.m.)
> 
> 
> Review request for cloudstack, Demetrius Tsitrelis and John Kinsella.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-6204
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Changes to support HTTP mode in Console Proxy, per 
> http://www.mail-archive.com/dev@cloudstack.apache.org/msg24151.html , as 
> realhostip may go away
> 
> More details here : 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
> 
> 
> Diffs
> -
> 
>   core/src/com/cloud/info/ConsoleProxyInfo.java 
> 3439f3d3bfa2e262c48f1d7b1ea4f58522f3fcbe 
>   
> engine/storage/image/src/org/apache/cloudstack/storage/image/TemplateServiceImpl.java
>  a649bb7212308de70c41e2d74de1d865949f1cb7 
>   
> plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/driver/CloudStackImageStoreDriverImpl.java
>  52cad3bc7af291e59eabc68e23e09248877e0a81 
>   server/src/com/cloud/configuration/Config.java 
> 473db96059a4367858f9487d901b7cb3a054654a 
>   server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java 
> c8769d43349dbc5a3103a00c905f29b7edef0468 
>   server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java 
> 611550e90832911fb182ad18d93a8a18333f3a35 
>   setup/db/db/schema-421to430.sql 39f58d43822ebbe469d9af433582846a80ce91a0 
>   systemvm/conf/consoleproxy.properties 
> bb452f5823cb2da2e12aa61d762de90e4349e9ee 
> 
> Diff: https://reviews.apache.org/r/18759/diff/
> 
> 
> Testing
> ---
> 
> Tested on local environment by 
> 1. Using HTTP based console proxy
> 2. HTTPS with realhostip domain
> 3. HTTPS with custom domain and self-signed cert
> 4. Secondary storage template download with custom domain and self-signed cert
> 
> 
> Thanks,
> 
> Amogh Vasekar
> 
>
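
The two questions raised on setup/db/db/schema-421to430.sql in the review above (the self-referencing subquery, and installs that no longer use realhostip.com) can be tried on a scratch table. This is an added example in MySQL dialect, not code from review 18759 or the CloudStack tree; the table name, the `install_*` name prefixes and the sample values are constructed, and it assumes the intent of the upgrade is that every non-empty domain ends up in "*." wildcard form.

```sql
-- Added example (MySQL dialect). Scratch table standing in for
-- `cloud`.`configuration`; run it in a throwaway schema.
CREATE TABLE demo_configuration (
  `name`  VARCHAR(128) NOT NULL PRIMARY KEY,
  `value` VARCHAR(255) NULL
);

-- Constructed rows: one key per hypothetical install state.
INSERT INTO demo_configuration (`name`, `value`) VALUES
  ('install_a.secstorage.ssl.cert.domain', 'realhostip.com'),       -- shipped default
  ('install_b.secstorage.ssl.cert.domain', 'cloud.example.org'),    -- admin-chosen domain
  ('install_c.secstorage.ssl.cert.domain', '*.cloud.example.org'),  -- already a wildcard
  ('install_d.secstorage.ssl.cert.domain', ''),                     -- set but empty
  ('install_e.secstorage.ssl.cert.domain', NULL);                   -- never set

-- A scalar subquery that selects from the table being updated is refused by
-- MySQL with error 1093 ("You can't specify target table ... for update in
-- FROM clause"). A common workaround is to wrap the inner SELECT in a derived
-- table. Neither is needed when the new value depends only on the row's own
-- column, so the statement below refers to `value` directly.
--
-- Guards:
--   IS NOT NULL / <> ''  leave unset keys alone instead of writing '*.'
--   NOT LIKE '*.%'       makes the statement safe to run more than once and
--                        leaves installs that already use a wildcard untouched
--                        ('*' and '.' are literals in LIKE; only '%' matches)
UPDATE demo_configuration
SET `value` = CONCAT('*.', `value`)
WHERE `name` LIKE '%.secstorage.ssl.cert.domain'
  AND `value` IS NOT NULL
  AND `value` <> ''
  AND `value` NOT LIKE '*.%';

-- Running the same UPDATE again must report 0 rows changed.
UPDATE demo_configuration
SET `value` = CONCAT('*.', `value`)
WHERE `name` LIKE '%.secstorage.ssl.cert.domain'
  AND `value` IS NOT NULL
  AND `value` <> ''
  AND `value` NOT LIKE '*.%';

-- Inspect the result, then clean up.
SELECT `name`, `value` FROM demo_configuration ORDER BY `name`;
DROP TABLE demo_configuration;
```

If only the shipped default should be rewritten, replace the last three guards with an equality test on 'realhostip.com'; admin-chosen domains are then left exactly as they were.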



Re: apidocs build failure

2014-03-06 Thread John Kinsella
Can’t quite tell if that’s the same as what I was seeing - haven’t tried for a 
few days http://markmail.org/thread/6drub4m2xgrgtfxt

On Mar 6, 2014, at 2:12 PM, Alex Hitchins <alex.hitch...@shapeblue.com> wrote:

Just trying a build against 4.3 (not 4.3-forward) and I get the following error:

[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.2.1:exec 
(compile) on project cloud-apidoc: Command execution failed. Process exited 
with an error: 2 (Exit value: 2) -> [Help 1]

Anyone else seen this issue? I don't know what I'm doing wrong, nothing is 
building for me!


Regards,

Alex Hitchins

D: +44 1892 523 587 | S: +44 20 3603 0540 | M: 
+44 7788 423 969

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: 4.3 vote

2014-03-06 Thread John Kinsella
David was seeing this as well. This is a documented problem at 
https://issues.apache.org/jira/browse/RAMPART-393.

I just spun up a VM at AWS using a 64 bit amazon linux api. Ran the commands 
below, got same errors:

1  sudo yum update
2  yum install git java-1.7.0-openjdk-devel
3  git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
4  wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
5  tar xvf apache-maven-3.2.1-bin.tar.gz
6  export PATH=$PATH:~/apache-maven-3.2.1/bin/
7  cd cloudstack/
8  mvn -P deps
9  mvn clean install -Pawsapi

I suspect the Citrix devs are sitting behind Nexus or other maven mirror?

John

On Mar 6, 2014, at 3:13 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Folks anyone else seeing this? I want to build RC soon and wanted to confirm if 
this is an issue or not and if so if we can get a fix right away

-Original Message-
From: Prachi Damle [mailto:prachi.da...@citrix.com]
Sent: Thursday, March 06, 2014 1:20 PM
To: dev@cloudstack.apache.org
Subject: RE: 4.3 vote

John,

I could not reproduce this broken build on 4.3 after wiping out my entire
repository.
1.  rm -rf ~/.m2/repository
2. mvn clean install -Pawsapi

My build is successful.

Can someone who is able to reproduce this check this further?

Prachi


[INFO]
[INFO] Reactor Summary:
[INFO]
[INFO] Apache CloudStack ... SUCCESS [1:53.957s]
[INFO] Apache CloudStack Maven Conventions Parent ... SUCCESS [0.089s]
[INFO] Apache CloudStack Framework - Managed Context ... SUCCESS [28.189s]
[INFO] Apache CloudStack Utils ... SUCCESS [1:06.368s]
[INFO] Apache CloudStack Framework ... SUCCESS [0.303s]
[INFO] Apache CloudStack Framework - Event Notification ... SUCCESS [27.125s]
[INFO] Apache CloudStack Framework - Configuration ... SUCCESS [5.878s]
[INFO] Apache CloudStack API ... SUCCESS [55.346s]
[INFO] Apache CloudStack Framework - REST ... SUCCESS [16.891s]
[INFO] Apache CloudStack Framework - IPC ... SUCCESS [11.845s]
[INFO] Apache CloudStack Cloud Engine ... SUCCESS [0.072s]
[INFO] Apache CloudStack Cloud Engine API ... SUCCESS [10.641s]
[INFO] Apache CloudStack Core ... SUCCESS [30.300s]
[INFO] Apache CloudStack Agents ... SUCCESS [22.533s]
[INFO] Apache CloudStack Framework - Clustering ... SUCCESS [8.801s]
[INFO] Apache CloudStack Framework - Jobs ... SUCCESS [9.251s]
[INFO] Apache CloudStack Cloud Engine Schema Component ... SUCCESS [39.764s]
[INFO] Apache CloudStack Framework - Event Notification ... SUCCESS [2.761s]
[INFO] Apache CloudStack Cloud Engine Internal Components API ... SUCCESS [6.014s]
[INFO] Apache CloudStack Server ... SUCCESS [1:23.722s]
[INFO] Apache CloudStack Usage Server ... SUCCESS [9.872s]
[INFO] Apache XenSource XAPI ... SUCCESS [17.003s]
[INFO] Apache CloudStack Cloud Engine Orchestration Component ... SUCCESS [16.774s]

[INFO] Apache CloudStack Cloud Services ... SUCCESS [0.100s]
...
[INFO] Apache CloudStack Client UI ... SUCCESS [35.094s]
[INFO] Apache CloudStack Console Proxy - RDP Client ... SUCCESS [24.447s]
[INFO] Apache CloudStack Console Proxy ... SUCCESS [0.120s]
[INFO] Apache CloudStack Console Proxy - Server ... SUCCESS [6.431s]
[INFO] Apache CloudStack Framework - QuickCloud ... SUCCESS [0.577s]
[INFO] Apache CloudStack AWS API Bridge ... SUCCESS [4:57.758s]
[INFO]

[INFO] BUILD SUCCESS
[INFO]

-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Wednesday, March 05, 2014 11:51 AM
To: dev@cloudstack.apache.org
Subject: Re: 4.3 vote

The dependency's actually been broken for a very long time, apparently. On
a clean box with no maven repository cache (rm -rf ~/.m2/repository),
awsapi (and therefore RPMs) will not build.

It looks like Noa saw similar issue in
42f3804fbdde7bfe4f3676ef0c18a54dfe95354c, but I'm still seeing issues.

John

On Mar 5, 2014, at 11:10 AM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

John when was the dependency broken? Are you not able to build AWSAPI?

-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Wednesday, March 05, 2014 11:00 AM
To: 
dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@

Re: [DISCUSS] realhostip.com going away

2014-03-06 Thread John Kinsella
So - I’ve browsed around a little after pondering the idea of doing crypto at 
the JS level, but I can’t seem to make the argument and keep a straight face. I 
did find a JS library [1] that would probably work, but still you’re left with 
2 issues: 1) gotta get the library securely to the browser (proper running SSL 
on the management server), and 2) You’d still need a CA to sign the certs that 
run on the console proxy/SSVM [2]. 

So, nix that. It seems like the best way to do this is have security off by 
default, make sure that’s very obvious to new users, and have a guide on how to 
get things production-ready.

Anyways - we almost have the patch ready, Amogh and I have gone back/forth on 
the review once or twice, once we get I think just one more issue straightened 
out we’re good.

John
1: https://github.com/digitalbazaar/forge
2: Ya know…we could run a CA on the management server….

On Mar 6, 2014, at 4:53 PM, Kelven Yang  wrote:

> 
> 
> On 3/2/14, 8:15 AM, "Paul Angus"  wrote:
> 
>> There are a few issues with the current console proxy setup, not least of
>> which is the need to have internet access to resolve realhostip.com in
>> the first place - so console proxy can't work if you don't have internet
>> access on your client.  I have configured alternative realhostip.com
>> setups for clients - and quite a lot of work goes into creating the
>> infrastructure (and certs) to support changing to a user managed
>> certificate.
>> 
>> Sooo, is it at all possible to secure communications with the console
>> proxy, without having to rely on ANY outside entity?
> 
> 
> console proxy client is based on AJAX channel provided by browser via
> Javascript engine, which leaves the security option to be pretty much on
> HTTPS, and it requires a server certificate to start with. So we don't
> have many choices here.
> 
> -Kelven
> 
> 
>> 
>> Testing alone is going to be a pain, if a full ssl cert setup is required
>> to use console proxy..
>> 
>> Regards
>> 
>> Paul Angus
>> Cloud Architect
>> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
>> paul.an...@shapeblue.com
>> 
>> -Original Message-
>> From: Amogh Vasekar [mailto:amogh.vase...@citrix.com]
>> Sent: 28 February 2014 23:05
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] realhostip.com going away
>> 
>> 
>> 
>> On 2/28/14 2:03 PM, "Nux!"  wrote:
>> 
>>> There's also the problem of the certificate. It comes bundled in ACS as
>>> far as I can tell.. When does it expire?
>> 
>> notBefore=Feb  3 03:30:40 2012 GMT
>> notAfter=Feb  7 05:11:23 2017 GMT
>> 
> 

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: 4.3 vote

2014-03-07 Thread John Kinsella
I have a review request sitting at https://reviews.apache.org/r/18392/ - that 
works for me but I don’t know if it’s breaking AWSAPI functionality. Would love 
it if somebody more familiar with that module could test. I’d rather not just 
check that in and see what happens.

Animesh, I know you put a ton of work into these RCs and I hate holding you up, 
but here’s my train of thought: packaging/centos63/package.sh is broken because 
one of the RPMs it attempts to build is for awsapi. No self-respecting 
enterprise (I hope, dream) is going to drop non-packaged (deb, rpm, whatever) 
code on production systems. So if that packaging ability is broken, there’s a 
good chance enterprises can’t use the new code.

Just got an idea to see if Apache’s Sonatype has a valid mirror, and it does, 
at least for some[1]. So I’ll go down that path this AM as well, in case my 
patch above doesn’t work.

John
1: https://repository.apache.org/index.html#nexus-search;quick~mex

On Mar 6, 2014, at 11:04 PM, Animesh Chaturvedi  
wrote:

> Ok so how do we get past this? This should have been pre-existing as 
> dependency has been broken for a long time and I am not sure if this should 
> block our next RC.
> 
>> -Original Message-----
>> From: John Kinsella [mailto:j...@stratosec.co]
>> Sent: Thursday, March 06, 2014 4:14 PM
>> To: dev@cloudstack.apache.org
>> Subject: Re: 4.3 vote
>> 
>> David was seeing this as well. This is a documented problem at
>> https://issues.apache.org/jira/browse/RAMPART-393.
>> 
>> I just spun up a VM at AWS using a 64 bit amazon linux api. Ran the
>> commands below, got same errors:
>> 
>>1  sudo yum update
>>2  yum install git java-1.7.0-openjdk-devel
>>3  git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
>>4  wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
>>5  tar xvf apache-maven-3.2.1-bin.tar.gz
>>6  export PATH=$PATH:~/apache-maven-3.2.1/bin/
>>7  cd cloudstack/
>>8  mvn -P deps
>>9  mvn clean install -Pawsapi
>> 
>> I suspect the Citrix devs are sitting behind Nexus or other maven mirror?
>> 
>> John
>> 
>> On Mar 6, 2014, at 3:13 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:
>> 
>> Folks anyone else seeing this? I want to build RC soon and wanted to
>> confirm if this is an issue or not and if so if we can get a fix right away
>> 
>> -Original Message-
>> From: Prachi Damle [mailto:prachi.da...@citrix.com]
>> Sent: Thursday, March 06, 2014 1:20 PM
>> To: dev@cloudstack.apache.org
>> Subject: RE: 4.3 vote
>> 
>> John,
>> 
>> I could not reproduce this broken build on 4.3 after wiping out my entire
>> repository.
>> 1.  rm -rf ~/.m2/repository
>> 2. mvn clean install -Pawsapi
>> 
>> My build is successful.
>> 
>> Can someone who is able to reproduce this check this further?
>> 
>> Prachi
>> 
>> 
>> [INFO]
>> [INFO] Reactor Summary:
>> [INFO]
>> [INFO] Apache CloudStack ... SUCCESS [1:53.957s]
>> [INFO] Apache CloudStack Maven Conventions Parent ... SUCCESS [0.089s]
>> [INFO] Apache CloudStack Framework - Managed Context ... SUCCESS [28.189s]
>> [INFO] Apache CloudStack Utils ... SUCCESS [1:06.368s]
>> [INFO] Apache CloudStack Framework ... SUCCESS [0.303s]
>> [INFO] Apache CloudStack Framework - Event Notification ... SUCCESS [27.125s]
>> [INFO] Apache CloudStack Framework - Configuration ... SUCCESS [5.878s]
>> [INFO] Apache CloudStack API ... SUCCESS [55.346s]
>> [INFO] Apache CloudStack Framework - REST ... SUCCESS [16.891s]
>> [INFO] Apache CloudStack Framework - IPC ... SUCCESS [11.845s]
>> [INFO] Apache CloudStack Cloud Engine ... SUCCESS [0.072s]
>> [INFO] Apache CloudStack Cloud Engine API ... SUCCESS [10.641s]
>> [INFO] Apache CloudStack Core ... SUCCESS [30.300s]
>> [INFO] Apache CloudStack Agents ... SUCCESS [22.533s]
>> [INFO] Apache CloudStack Framework - Clustering ... SUCCESS [8.801s]
>> [INFO] Apache CloudStack Framework - Jobs ... SUCCESS [9.251s]
>> [INFO] Apache CloudStack Cloud Engine Schema Component ... SUCCESS [39.764s]
>> [INFO] Apache CloudStack Framework

Re: [DISCUSS] realhostip.com going away

2014-03-07 Thread John Kinsella
Soo…I’d recommend against something like Nux’s suggestion below. I’ve only 
looked briefly at VirtualDNS.java, and it looks fine from a glance, but I’m 
willing to bet I can a) DOS it, and b) use it for a reflection attack. I could 
be wrong, don’t really have time to look closely, but based on it looking like 
the design pattern for a basic UDP server, I wouldn’t recommend the community 
to build a network of those.

4 months is not a huge period of time, but I think if somebody can’t apply a 
patch within 4 months they need to consider if they should be running that 
service. If this was a critical security vulnerability and folks couldn’t patch 
it within a few weeks of notification, I’d have a hard time feeling sorry for 
them.

I do concur that we should back port the patch.

John

On Mar 7, 2014, at 11:19 AM, Nux!  wrote:

> On 07.03.2014 14:55, France wrote:
>> Hi all.
>> Are we going to have a solution for older versions like 4.1.1?
>> I think we can already change that domain to something different
>> currently in settings. Hopefully it's not "hardcoded" anywhere else.
>> Is it?
>> I think it's the right thing to move away from such solution in
>> future versions, but just killing the service with 4 months notice, is
>> not a way to go about in enterprise world. How expensive can it be to
>> keep providing it?
>> If someone needs to take over realhostip.com, we can offer our
>> datacenter resources too.
>> Regards,
>> F.
> 
> It would be interesting to change the NS to 3-4 different Cloudstack 
> users/backers. Even I could run an instance.
> 
> France, here's how to run your own (excuse the formatting, was written in a 
> hurry):
> http://www.nux.ro/archive/2014/03/Run_your_own_realhostip.html
> 
> -- 
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Review Request 18759: HTTP support for console proxy and making it default

2014-03-09 Thread John Kinsella

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18759/#review36614
---

Ship it!


Ship It!

- John Kinsella


On March 7, 2014, 12:32 a.m., Amogh Vasekar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18759/
> ---
> 
> (Updated March 7, 2014, 12:32 a.m.)
> 
> 
> Review request for cloudstack, Demetrius Tsitrelis and John Kinsella.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/CLOUDSTACK-6204
> 
> 
> Repository: cloudstack-git
> 
> 
> Description
> ---
> 
> Changes to support HTTP mode in Console Proxy, per 
> http://www.mail-archive.com/dev@cloudstack.apache.org/msg24151.html , as 
> realhostip may go away
> 
> More details here : 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
> 
> 
> Diffs
> -
> 
>   core/src/com/cloud/info/ConsoleProxyInfo.java 3439f3d3bfa2e262c48f1d7b1ea4f58522f3fcbe
>   engine/storage/image/src/org/apache/cloudstack/storage/image/TemplateServiceImpl.java a649bb7212308de70c41e2d74de1d865949f1cb7
>   plugins/storage/image/default/src/org/apache/cloudstack/storage/datastore/driver/CloudStackImageStoreDriverImpl.java 52cad3bc7af291e59eabc68e23e09248877e0a81
>   server/src/com/cloud/configuration/Config.java 473db96059a4367858f9487d901b7cb3a054654a
>   server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java c8769d43349dbc5a3103a00c905f29b7edef0468
>   server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java 611550e90832911fb182ad18d93a8a18333f3a35
>   setup/db/db/schema-421to430.sql 39f58d43822ebbe469d9af433582846a80ce91a0
>   systemvm/conf/consoleproxy.properties bb452f5823cb2da2e12aa61d762de90e4349e9ee
> 
> Diff: https://reviews.apache.org/r/18759/diff/
> 
> 
> Testing
> ---
> 
> Tested on local environment by 
> 1. Using HTTP based console proxy
> 2. HTTPS with realhostip domain
> 3. HTTPS with custom domain and self-signed cert
> 4. Secondary storage template download with custom domain and self-signed cert
> 
> 
> Thanks,
> 
> Amogh Vasekar
> 
>



[4.3][Cherry-pick] realhostip changes

2014-03-09 Thread John Kinsella
Animesh - please pick the commit below from 4.3-forward into 4.3. This is for 
CLOUDSTACK-6204.

2fe7aeea23ddef25224e3e248f0a91513a14811f

John

Re: [DISCUSS] realhostip.com going away

2014-03-09 Thread John Kinsella
Folks - just applied Amogh’s patch to 4.3-forward, and back ported that to 
master.

Two steps left on the code side:
 * Need to get this retirement into the 4.3 docs
 * Need to backport this to 4.2

John

On Feb 28, 2014, at 12:27 PM, John Kinsella <j...@stratosec.co> wrote:

Folks: Recently the PMC was informed that the realhostip.com DNS service that 
ACS currently uses by default as part of the console proxy will be disbanded 
this summer.

We’ve been informed the realhostip service will be shut down June 30th, 2014, 
so we have approximately 4 months to mitigate this.

Here’s my thoughts on how to proceed, in order of priority:

* Make the transition as smooth as possible for current ACS users. Need to 
create clear documentation in the wiki that we can point to on how to migrate 
an existing ACS installation from using realhostip.com 
to a user’s own certificate and resolver. I see section 16.4.2 in the 4.2 admin 
guide talks about this, but I think we can improve a bit. e.g. the current docs 
don’t make it clear that a wildcard cert is required. Once we have a transition 
guide in place, I intend to announce to users@ and announce@ along with the 
social media paths. This isn’t private, but I’d rather not announce until we 
have a clear, tested easy to follow transition guide to make this as painless 
as possible for folks. I’m working on this and will update after testing.
* If at all possible, I’d really like to get something big and visible into the 
4.3 documentation warning users about this.
* For 4.4, we should no longer be using SSL/realhostip for console proxy. We’re 
expecting some patches to address this, I’ll update this thread once they hit 
and/or a Jira issue is created.

Open to any thoughts/suggestions.

John




Re: [DISCUSS] realhostip.com going away

2014-03-10 Thread John Kinsella
I mentioned their response on 3/3. Basically "their position is they think 
they’d be doing the community a disfavor by passing the torch” (quoting my 
previous email, not a direct quote from them but this is their position)

The realhostip cert provides a false sense of security, so I can’t think of a 
reason why I’d want to convince Citrix to change their current course.

Adding the appropriate entries to a provider’s existing DNS server is not a big 
deal and should be easily scriptable. If a provider has several class C blocks 
they have to add, then they REALLY shouldn’t be using realhostip.com, anyways. 

Any energy put into properly setting up a community resolver would be much 
better spent helping others migrate away from realhostip.com.


On Mar 10, 2014, at 7:10 AM, France  wrote:

> Please let us know what Citrix's response was to a community-run 
> realhostip.com service.
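
John's point above that the DNS entries are easily scriptable, as an added example (not from this thread or the CloudStack project). It assumes the console proxy addresses each host as a-b-c-d.<domain>, the dashed-IPv4 naming that realhostip.com resolved; the domain and address blocks used in the test are constructed.

```python
import ipaddress


def label_for(ip):
    """a.b.c.d -> 'a-b-c-d', the host label used in console proxy URLs."""
    return str(ipaddress.IPv4Address(str(ip))).replace(".", "-")


def ip_from_label(label):
    """Inverse of label_for; raises ValueError unless label is a canonical dashed IPv4."""
    parts = label.split("-")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a dashed IPv4 label: %r" % label)
    ip = ipaddress.IPv4Address(".".join(parts))
    if label_for(ip) != label:  # rejects non-canonical forms such as leading zeros
        raise ValueError("non-canonical label: %r" % label)
    return ip


def zone_fragment(origin, cidrs, ttl=3600):
    """Build zone-file lines with one A record per usable host in each CIDR block.

    Overlapping blocks are de-duplicated. ip_network() is strict, so a block
    written with host bits set (a typo such as 192.0.2.1/24) raises ValueError
    instead of silently generating records for the wrong range.
    """
    lines = ["$ORIGIN %s." % origin.rstrip("."), "$TTL %d" % ttl]
    seen = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if net.version != 4:
            raise ValueError("only IPv4 blocks are supported: %s" % cidr)
        for host in net.hosts():
            if host in seen:
                continue
            seen.add(host)
            lines.append("%s\tIN\tA\t%s" % (label_for(host), host))
    return lines


def audit_records(lines):
    """Return the A records whose name does not encode the address they point to.

    Intended for a zone that holds only console proxy names: a mismatch means
    a console URL would resolve to a different host than its name claims.
    """
    bad = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[1:3] == ["IN", "A"]:
            try:
                ok = ip_from_label(fields[0]) == ipaddress.IPv4Address(fields[3])
            except ValueError:
                ok = False
            if not ok:
                bad.append(line)
    return bad


if __name__ == "__main__":
    # Constructed example: documentation address block and placeholder domain.
    for record in zone_fragment("console.example.com", ["192.0.2.0/29"]):
        print(record)
```

The wildcard certificate mentioned in the thread would then be issued for the same domain that serves these records.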




Re: [DISCUSS] realhostip.com going away

2014-03-11 Thread John Kinsella
The console technology doesn’t really matter. The encryption is the part of 
concern. You have two choices:

* Shared secret: set up a crypto password in advance, get it onto the CPVM and 
browser in some secure manner. Basically, however you do this you’re 
compromised once somebody sniffs the connection and gets the 
token/password/whatever.
* Public/private key: This is what ACS uses, and as long as you don’t share the 
private key across the internet in a code repository, self sign the key, or use 
a CA authority that’s somewhat competent.

Folks may think this isn’t that big a deal for an internal cloud, but if that 
cloud is running production systems and you’re even vaguely concerned about 
their security, then securing that proxy should be on your mind.

John


On Mar 11, 2014, at 2:32 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

Just thinking out loud;

Would using a secure vnc connection over http achieve the same result as using 
a secure http session - the authentication token is in the initial url anyway..

Regards,

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus
paul.an...@shapeblue.com





Re: [PROPOSAL] Enhance the cloudstack events to include more information

2014-03-17 Thread John Kinsella
I didn’t see comments from others, but this sounds great to me. More info is 
always better IMHO.

On Mar 11, 2014, at 2:31 AM, Sonal Ojha <sonal.o...@sungard.com> wrote:

Currently the event logged in CloudStack doesn't give detailed information
about the event that has occurred. The information provided in each event
shown on the cloudstack ui doesn't provide specifics, particularly in case
of errors. For example, the message shown on the cloudstack ui is just
"Error while starting Vm. Vm Id: " in case of failure to start a vm,
which doesn't help much.

I would like to propose some changes to enhance the events to be more
informative. Like:

1) Instead of just showing resource database id in the event details it
should also display resource UUID. Since all the cloudstack apis take input
as resource uuid it would be helpful to see the same on the ui as well.
Like in the quickview mode introduce another field as resource UUID which
would specify the UUID for the resource on which the event occurred.

2) Enhance the events and listEvents API to include the resource UUID so
that it can be queried by the resource UUID as well.

3) Currently, the event description messages are specified in the *Cmd.java
file; instead, all of them should be externalized to a resource file. This
would be helpful even for internationalization.

4) Provide more detailed messages in case of error events. Messages such as
"Error while starting VM" are too generic to take any action.

These changes could be taken forward in phases, some suggestion like

Phase I -
include 2 and 3 point mentioned above
Phase II -
include 1 and 4 point mentioned above

Thoughts / Suggestions ?

--

Regards,

___

*Sonal Ojha* ● Senior Engineer - Product Development ● SunGard
Availability Services, India ● Mobile: +91 9922412645●  Email:
sonal.o...@sungard.com ● Website: 
http://www.sungardas.in/




Re: Release cadence

2014-03-17 Thread John Kinsella
I am in agreement with my radical CloudStack brother.


On Mar 13, 2014, at 9:42 AM, David Nalley  wrote:

> The RC7 vote thread contained a lot of discussion around release
> cadence, and I figured I'd move that to a thread that has a better
> subject so there is better visibility to list participants who don't
> read every thread.
> 
> When I look at things schedule wise, I see our aims and our reality.
> We have a relatively short development window (in the schedule) and we
> have almost 50% of our time in the schedule allocated to testing.
> (over two months). However, it seems that a lot of testing - or at
> least a lot of testing for  what became blockers to the release didn't
> appear to happen until RCs were kicked out - and that's where our
> schedule has fallen apart for multiple releases. The automated tests
> we have were clean when we issued RCs, so we clearly don't have the
> depth needed from an automated standpoint.
> 
> Two problems, one cultural and one technical. The technical problem is
> that our automated test suite isn't deep enough to give us a high
> level of confidence that we should release. The cultural problem is
> that many of us wait until the release period of the schedule to test.
> 
> What does that have to do with release cadence? Well inherently not
> much; but let me describe my concerns. As a project; the schedule is
> meaningless if we don't follow it; and effectively the release date is
> held hostage. Personally, I do want as few bugs as possible, but it's
> a balancing act where people doubt our ability if we aren't able to
> ship. I don't think it matters if we move to 6 month cycles, if this
> behavior continues, we'd miss the 6 month date as well and push to 8
> or 9 months. See my radical proposition at the bottom for an idea on
> dealing with this.
> 
> I also find myself agreeing with Daan on the additional complexity.
> Increasing the window for release inherently increases the window for
> feature development. As soon as we branch a release, master is open
> for feature development again. This means a potential for greater
> change at each release. Change is a risk to quality; or at least an
> unknown that we again have to test. The greater that quantity of
> change, the greater the potential threat to quality.
> 
> Radical proposition:
> 
> Because we have two problems, of different nature, we are in a
> difficult situation. This is a possible solution, and I'd appreciate
> you reading and considering it.  Feedback is welcome. I propose that
> after we enter the RC stage that we not entertain any bugs as blockers
> that don't have automated test cases associated with them. This means
> that you are still welcome to do manual testing of your pet feature
> and the things that are important to you; during the testing window
> (or anytime really). However, if the automation suite isn't also
> failing then we consider the release as high enough quality to ship.
> This isn't something we can codify, but the PMC can certainly adopt
> this attitude as a group when voting. Which also means that we can
> deviate from it. If you brought up a blocker for release - we should
> be immediately looking at how we can write a test for that behavior.
> This should also mean several other behaviors need to become a valid
> part of our process. We need to ensure that things are well tested
> before allowing a merge. This means we need a known state of master,
> and we need to perform testing that allows us to confirm that a patch
> does no harm. We also need to insist on implementation of
> comprehensive tests for every inbound feature.
> 
> Thoughts, comments, flames, death threats? :)
> 
> --David



Re: [VOTE] Apache CloudStack 4.3.0 (eighth round)

2014-03-17 Thread John Kinsella
Before we go to 9th round, let’s get 
https://issues.apache.org/jira/browse/CLOUDSTACK-6156 resolved.

I’m pretty busy this week, but will see if I can come up with. Just tried doing 
a clean awsapi build on a clean AWS instance again and it still fails.


On Mar 12, 2014, at 5:26 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Hi All,

I've created a 4.3.0 release, with the following artifacts up for a vote:

Git Branch and Commit SH:
https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/4.3
Commit: 6a6ec648099553a42f830dcd566eab2452428908

List of changes:
New Features in 4.3: https://issues.apache.org/jira/issues/?filter=12325248
Improvement in 4.3: https://issues.apache.org/jira/issues/?filter=12325249
Issues fixed in 4.3 https://issues.apache.org/jira/issues/?filter=12326161
Known Issues in 4.3: https://issues.apache.org/jira/issues/?filter=12326162

Source release (checksums and signatures are available at the same location):
https://dist.apache.org/repos/dist/dev/cloudstack/4.3.0/

PGP release keys (signed using 94BE0D7C):
https://dist.apache.org/repos/dist/release/cloudstack/KEYS

Testing instructions are here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure

Vote will be open for 72 hours (Monday evening PST 5:30 PM)

For sanity in tallying the vote, can PMC members please be sure to indicate 
"(binding)" with their vote?

[ ] +1  approve
[ ] +0  no opinion
[ ] -1  disapprove (and reason why)

Thanks
Animesh




Re: [VOTE] Apache CloudStack 4.3.0 (eighth round)

2014-03-17 Thread John Kinsella
Thanks Sebastien. I had been intending to mail previous committers on the 
subdir.

Prachi/Likitha - any comments on https://reviews.apache.org/r/18392/ would be 
appreciated.

On Mar 17, 2014, at 12:54 PM, Sebastien Goasguen <run...@gmail.com> wrote:

John, I am copying Likitha and Prachi who worked on awsapi, maybe they can help

-sebastien

On Mar 17, 2014, at 2:25 PM, John Kinsella <j...@stratosec.co> wrote:

Before we go to 9th round, let’s get 
https://issues.apache.org/jira/browse/CLOUDSTACK-6156 resolved.

I’m pretty busy this week, but will see if I can come up with. Just tried doing 
a clean awsapi build on a clean AWS instance again and it still fails.


On Mar 12, 2014, at 5:26 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Hi All,

I've created a 4.3.0 release, with the following artifacts up for a vote:

Git Branch and Commit SH:
https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/4.3
Commit: 6a6ec648099553a42f830dcd566eab2452428908

List of changes:
New Features in 4.3: https://issues.apache.org/jira/issues/?filter=12325248
Improvement in 4.3: https://issues.apache.org/jira/issues/?filter=12325249
Issues fixed in 4.3 https://issues.apache.org/jira/issues/?filter=12326161
Known Issues in 4.3: https://issues.apache.org/jira/issues/?filter=12326162

Source release (checksums and signatures are available at the same location):
https://dist.apache.org/repos/dist/dev/cloudstack/4.3.0/

PGP release keys (signed using 94BE0D7C):
https://dist.apache.org/repos/dist/release/cloudstack/KEYS

Testing instructions are here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure

Vote will be open for 72 hours (Monday evening PST 5:30 PM)

For sanity in tallying the vote, can PMC members please be sure to indicate 
"(binding)" with their vote?

[ ] +1  approve
[ ] +0  no opinion
[ ] -1  disapprove (and reason why)

Thanks
Animesh




Re: 4.3 vote

2014-03-17 Thread John Kinsella
From my last few hours tinkering, this seems like an alternate workaround to 
the patch I have in review board, for those who don’t want to patch code but 
need to build RPMs of ACS:

Executed on a virgin AWS ECS instance running 64 bit Amazon Linux:

sudo yum -y update
sudo yum -y install git java-1.7.0-openjdk-devel
git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
tar xvf apache-maven-3.2.1-bin.tar.gz
export PATH=$PATH:~/apache-maven-3.2.1/bin
# select JDK 1.7 when prompted
sudo alternatives --config java
cd cloudstack/
mvn -P deps
mvn clean install -Pawsapi
# The previous step will fail, as things are: Broken. Next lines before the
# next mvn command fix and clean things up:
# Edit ~/.m2/repository/org/apache/rampart/rampart-project/1.5.1/rampart-project-1.5.1.pom,
# remove repositories section
rm -rf ~/.m2/repository/org/apache/rampart/rahas
rm -rf ~/.m2/repository/org/apache/rampart/rampart
rm -rf ~/.m2/repository/org/apache/rampart/rampart-core
rm -rf ~/.m2/repository/org/apache/rampart/rampart-policy
rm -rf ~/.m2/repository/org/apache/rampart/rampart-trust
rm -rf ~/.m2/repository/org/apache/ws
rm -rf ~/.m2/repository/org/apache/santuario
rm -rf ~/.m2/repository/org/apache/axis2
rm -rf ~/.m2/repository/org/slf4j/
rm -rf ~/.m2/repository/org/opensaml/
rm -rf ~/.m2/repository/commons-lang/
rm -rf ~/.m2/repository/bouncycastle/
mvn clean install -Pawsapi

I haven’t run this through functional testing yet, but the results look 
promising.

On Mar 6, 2014, at 4:14 PM, John Kinsella  wrote:

> David was seeing this as well. This is a documented problem at 
> https://issues.apache.org/jira/browse/RAMPART-393.
> 
> I just spun up a VM at AWS using a 64 bit amazon linux api. Ran the commands 
> below, got same errors:
> 
> sudo yum update
> yum install git java-1.7.0-openjdk-devel
> git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
> wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
> tar xvf apache-maven-3.2.1-bin.tar.gz
> export PATH=$PATH:~/apache-maven-3.2.1/bin/
> cd cloudstack/
> mvn -P deps
> mvn clean install -Pawsapi
> 
> I suspect the Citrix devs are sitting behind Nexus or other maven mirror?
> 
> John
> 
> On Mar 6, 2014, at 3:13 PM, Animesh Chaturvedi 
> <animesh.chaturv...@citrix.com> wrote:
> 
> Folks anyone else seeing this? I want to build RC soon and wanted to confirm 
> if this is an issue or not and if so if we can get a fix right away
> 
> -Original Message-
> From: Prachi Damle [mailto:prachi.da...@citrix.com]
> Sent: Thursday, March 06, 2014 1:20 PM
> To: dev@cloudstack.apache.org
> Subject: RE: 4.3 vote
> 
> John,
> 
> I could not reproduce this broken build on 4.3 after wiping out my entire
> repository.
> 1.  rm -rf ~/.m2/repository
> 2. mvn clean install -Pawsapi
> 
> My build is successful.
> 
> Can someone who is able to reproduce this check this further?
> 
> Prachi
> 
> 
> [INFO]
> [INFO] Reactor Summary:
> [INFO]
> [INFO] Apache CloudStack ... SUCCESS [1:53.957s]
> [INFO] Apache CloudStack Maven Conventions Parent ... SUCCESS [0.089s]
> [INFO] Apache CloudStack Framework - Managed Context ... SUCCESS [28.189s]
> [INFO] Apache CloudStack Utils ... SUCCESS [1:06.368s]
> [INFO] Apache CloudStack Framework ... SUCCESS [0.303s]
> [INFO] Apache CloudStack Framework - Event Notification ... SUCCESS [27.125s]
> [INFO] Apache CloudStack Framework - Configuration ... SUCCESS [5.878s]
> [INFO] Apache CloudStack API ... SUCCESS [55.346s]
> [INFO] Apache CloudStack Framework - REST ... SUCCESS [16.891s]
> [INFO] Apache CloudStack Framework - IPC ... SUCCESS [11.845s]
> [INFO] Apache CloudStack Cloud Engine ... SUCCESS [0.072s]
> [INFO] Apache CloudStack Cloud Engine API ... SUCCESS [10.641s]
> [INFO] Apache CloudStack Core ... SUCCESS [30.300s]
> [INFO] Apache CloudStack Agents ... SUCCESS [22.533s]
> [INFO] Apache CloudStack Framework - Clustering ... SUCCESS [8.801s]
> [INFO] Apache CloudStack Framework - Jobs ... SUCCESS [9.251s]
> [INFO] Apache CloudStack Cloud Engine Schema Component ... SUCCESS [39.764s]
> [INFO] Apache CloudStack Framework - Event Notification ... SUCCESS [2.761s]
> [INFO] Apache CloudStack Cloud Engine Internal Components API ... SUCCESS [6.01
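
The one manual step in the workaround above (editing the cached rampart-project-1.5.1.pom to remove its repositories section) can be scripted and made auditable. This is an added example, not part of the original email or of CloudStack; the function names are hypothetical and the sample POM with its repository URL is constructed, not the real Rampart POM.

```python
import shutil
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
# Serialize the POM namespace as the default namespace (no "ns0:" prefixes).
ET.register_namespace("", POM_NS)


def _local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def strip_repositories(pom_xml):
    """Remove the top-level <repositories> section from a POM document.

    Returns (new_xml, removed_urls). The URLs are reported so the operator can
    see which hosts the POM was steering dependency resolution towards; with
    the section gone, Maven resolves through the repositories and mirrors
    configured for the build instead. XML comments are not preserved.
    """
    root = ET.fromstring(pom_xml.strip())
    if _local(root.tag) != "project":
        raise ValueError("not a Maven POM: root element is %r" % _local(root.tag))
    removed = []
    for child in list(root):
        if _local(child.tag) == "repositories":
            for el in child.iter():
                if _local(el.tag) == "url" and el.text:
                    removed.append(el.text.strip())
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def rewrite_pom(path):
    """Apply strip_repositories to a file on disk.

    Only rewrites when at least one repository URL was dropped, and keeps the
    untouched original beside it as <path>.orig. Returns the removed URLs.
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, removed = strip_repositories(original)
    if removed:
        shutil.copy2(path, path + ".orig")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    return removed


# Constructed sample input: same shape as a parent POM that declares its own
# repository, with a placeholder URL.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.rampart</groupId>
  <artifactId>rampart-project</artifactId>
  <version>1.5.1</version>
  <repositories>
    <repository>
      <id>constructed-third-party-repo</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
</project>
"""

if __name__ == "__main__":
    cleaned, urls = strip_repositories(SAMPLE_POM)
    print("removed repository URLs:", urls)
    print(cleaned)
```

The `rm -rf` lines in the email are still needed afterwards, since they clear the cached failed resolutions.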

Re: [VOTE] Apache CloudStack 4.3.0 (eighth round)

2014-03-17 Thread John Kinsella
I’ll be committing the patch to master in the morning unless I hear otherwise.

On Mar 17, 2014, at 2:56 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:



-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Monday, March 17, 2014 2:48 PM
To: dev@cloudstack.apache.org
Cc: Likitha Shetty; Prachi Damle
Subject: Re: [VOTE] Apache CloudStack 4.3.0 (eighth round)

Thanks Sebastien. I had been intending to mail previous committers on the
subdir.

Prachi/Likitha - any comments on https://reviews.apache.org/r/18392/
would be appreciated.
[Animesh] Removing rampart dependency will need testing AWSAPI again, I am 
inclined to track this for 4.3 maintenance or 4.4 release


On Mar 17, 2014, at 12:54 PM, Sebastien Goasguen <run...@gmail.com> wrote:

John, I am copying Likitha and Prachi who worked on awsapi, maybe they
can help

-sebastien

On Mar 17, 2014, at 2:25 PM, John Kinsella <j...@stratosec.co> wrote:

Before we go to 9th round, let's get
https://issues.apache.org/jira/browse/CLOUDSTACK-6156 resolved.

I'm pretty busy this week, but will see if I can come up with. Just tried doing
a clean awsapi build on a clean AWS instance again and it still fails.


On Mar 12, 2014, at 5:26 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Hi All,

I've created a 4.3.0 release, with the following artifacts up for a vote:

Git Branch and Commit SH:
https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/4.3
Commit: 6a6ec648099553a42f830dcd566eab2452428908

List of changes:
New Features in 4.3: https://issues.apache.org/jira/issues/?filter=12325248
Improvement in 4.3: https://issues.apache.org/jira/issues/?filter=12325249
Issues fixed in 4.3 https://issues.apache.org/jira/issues/?filter=12326161
Known Issues in 4.3: https://issues.apache.org/jira/issues/?filter=12326162

Source release (checksums and signatures are available at the same location):
https://dist.apache.org/repos/dist/dev/cloudstack/4.3.0/

PGP release keys (signed using 94BE0D7C):
https://dist.apache.org/repos/dist/release/cloudstack/KEYS

Testing instructions are here:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure

Vote will be open for 72 hours (Monday evening PST 5:30 PM)

For sanity in tallying the vote, can PMC members please be sure to indicate
"(binding)" with their vote?

[ ] +1  approve
[ ] +0  no opinion
[ ] -1  disapprove (and reason why)

Thanks
Animesh




Re: 4.3 vote

2014-03-17 Thread John Kinsella
btw, what I’m doing here is based on 
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/pom.xml?r1=1355738&r2=1357818&pathrev=1357818&diff_format=h


On Mar 17, 2014, at 10:34 PM, John Kinsella <j...@stratosec.co> wrote:

From my last few hours tinkering, this seems like an alternate workaround to 
the patch I have in review board, for those who don’t want to patch code but 
need to build RPMs of ACS:

Executed on a virgin AWS ECS instance running 64 bit Amazon Linux:

sudo yum -y update
sudo yum -y install git java-1.7.0-openjdk-devel
git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
tar xvf apache-maven-3.2.1-bin.tar.gz
export PATH=$PATH:~/apache-maven-3.2.1/bin
# select JDK 1.7 when prompted
sudo alternatives --config java
cd cloudstack/
mvn -P deps
mvn clean install -Pawsapi
# The previous step will fail, as things are: Broken. Next lines before the
# next mvn command fix and clean things up:
# Edit ~/.m2/repository/org/apache/rampart/rampart-project/1.5.1/rampart-project-1.5.1.pom,
# remove repositories section
rm -rf ~/.m2/repository/org/apache/rampart/rahas
rm -rf ~/.m2/repository/org/apache/rampart/rampart
rm -rf ~/.m2/repository/org/apache/rampart/rampart-core
rm -rf ~/.m2/repository/org/apache/rampart/rampart-policy
rm -rf ~/.m2/repository/org/apache/rampart/rampart-trust
rm -rf ~/.m2/repository/org/apache/ws
rm -rf ~/.m2/repository/org/apache/santuario
rm -rf ~/.m2/repository/org/apache/axis2
rm -rf ~/.m2/repository/org/slf4j/
rm -rf ~/.m2/repository/org/opensaml/
rm -rf ~/.m2/repository/commons-lang/
rm -rf ~/.m2/repository/bouncycastle/
mvn clean install -Pawsapi

I haven’t run this through functional testing yet, but the results look 
promising.

On Mar 6, 2014, at 4:14 PM, John Kinsella <j...@stratosec.co> wrote:

David was seeing this as well. This is a documented problem at 
https://issues.apache.org/jira/browse/RAMPART-393.

I just spun up a VM at AWS using a 64 bit amazon linux api. Ran the commands 
below, got same errors:

  sudo yum update
  yum install git java-1.7.0-openjdk-devel
  git clone https://git-wip-us.apache.org/repos/asf/cloudstack.git
  wget http://www.dsgnwrld.com/am/maven/maven-3/3.2.1/binaries/apache-maven-3.2.1-bin.tar.gz
  tar xvf apache-maven-3.2.1-bin.tar.gz
  export PATH=$PATH:~/apache-maven-3.2.1/bin/
  cd cloudstack/
  mvn -P deps
  mvn clean install -Pawsapi

I suspect the Citrix devs are sitting behind Nexus or other maven mirror?

John

On Mar 6, 2014, at 3:13 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Folks anyone else seeing this? I want to build RC soon and wanted to confirm if 
this is an issue or not and if so if we can get a fix right away

-Original Message-
From: Prachi Damle [mailto:prachi.da...@citrix.com]
Sent: Thursday, March 06, 2014 1:20 PM
To: dev@cloudstack.apache.org
Subject: RE: 4.3 vote

John,

I could not reproduce this broken build on 4.3 after wiping out my entire
repository.
1.  rm -rf ~/.m2/repository
2. mvn clean install -Pawsapi

My build is successful.

Can someone who is able to reproduce this check this further?

Prachi


[INFO] 
[INFO] Reactor Summary:
[INFO]
[INFO] Apache CloudStack . SUCCESS [1:53.957s]
[INFO] Apache CloudStack Maven Conventions Parent  SUCCESS [0.089s]
[INFO] Apache CloudStack Framework - Managed Context . SUCCESS [28.189s]
[INFO] Apache CloudStack Utils ... SUCCESS [1:06.368s]
[INFO] Apache CloudStack Framework ... SUCCESS [0.303s]
[INFO] Apache CloudStack Framework - Event Notification .. SUCCESS [27.125s]
[INFO] Apache CloudStack Framework - Configuration ... SUCCESS [5.878s]
[INFO] Apache CloudStack API . SUCCESS [55.346s]
[INFO] Apache CloudStack Framework - REST  SUCCESS [16.891s]
[INFO] Apache CloudStack Framework - IPC . SUCCESS [11.845s]
[INFO] Apache CloudStack Cloud Engine  SUCCESS [0.072s]
[INFO] Apache CloudStack Cloud Engine API  SUCCESS [10.641s]
[INFO] Apache CloudStack Core  SUCCESS [30.300s]
[INFO] Apache CloudStack Agents .. SUCCESS [22.533s]
[INFO] Apache CloudStack Framework - Clustering .. SUCCESS [8.801s]
[INFO] Apache CloudStack Framework - Jobs  SUCCESS [9.251s]
[INFO] Apache CloudStack Cloud Engine Schema Component ... SUCCESS [39.764s]
[INFO] Apache CloudStack Framework - Event Notification .. SUCCESS [2.761s]
[INFO] Apache CloudStack Cloud Engine Internal Compone

Re: RealHostIp

2014-03-19 Thread John Kinsella
I can’t ping the NS servers, but they do respond to queries…

On Mar 19, 2014, at 2:37 AM, Alex Hitchins  wrote:

> I can't ping RealHostIp, has the service been properly taken down? An 
> NSLOOKUP didn't resolve any nameservers at all.
> 
> Alex
> 




Re: [ANNOUNCE] Change of Apache CloudStack PMC Chair

2014-03-19 Thread John Kinsella
Chip - your balanced viewpoint has kept ACS moving forward in leaps and bounds. 
I greedily hope you’ll continue to stay involved, no matter what $dayjob says. 
:)

Congrats Hugo - looking forward to another great year!

On Mar 19, 2014, at 1:51 PM, Chip Childers  wrote:

> Per our project bylaws, we are changing our project's chair today!
> 
> Over discussions during the last month the PMC had reached a consensus 
> to recommend to the ASF board that Hugo Trippaers be accepted as the 
> next Apache CloudStack PMC Chair / VP of Apache CloudStack.  As of
> today's ASF board meeting, this has been accepted and made official.
> 
> Please join me in congratulating Hugo in his new role!
> 
> It's been an honor serving the project as its chair over the last year, 
> and although I regret that my recent contributions have been diminished 
> due to a change in $dayjob, I'm exceptionally proud to be part of this 
> community. Apache CloudStack is amazing software, and the community that 
> has formed around the code since its donation to the ASF is nothing 
> short of remarkable.
> 
> -chip




Re: RealHostIp

2014-03-19 Thread John Kinsella
+1 on avoiding 8.8.8.8. Nothing good comes from google knowing your dns 
resolution history...

(or whatever other free dns resolvers)

On Mar 19, 2014, at 2:08 PM, Nux!  wrote:

> On 19.03.2014 19:37, Alex Hitchins wrote:
>> It's my DNS, it just won't play ball with this one domain.
>> I will try changing it to 8.8.8.8 and see if that makes any
>> different. My suspicion is with BT and their 'smart' filtering.
>> Thanks to all those who checked for me.
> 
> Alex,
> 
> Had many issues with BT's DNS. I ended up running a resolver on 127.0.0.1, 
> probably the best choice and it's easy-peasy.
> I'd avoid 8.8.8.8[1] and all the other "free" nameservers.
> 
> Lucian
> 
> [1] - 
> http://www.zdnet.com/google-free-public-dns-services-were-briefly-corrupted-727401/
> 
> -- 
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro




Re: Resetting a VM is broken?

2014-03-20 Thread John Kinsella
Mike - There is a way to restore disks in destroyed state before they are 
expunged. It requires shutting down management server, modifying database 
directly, and keeping a good stock of potential offerings near your data 
recovery shrine.

I’m going to be covering this in my CCC Denver talk.

John

On Mar 19, 2014, at 9:59 PM, Mike Tutkowski <mike.tutkow...@solidfire.com> wrote:

Please correct me if I'm wrong, but there does not appear to be a way to
"save" the old root disk once it has gone into the Destroy state in this
situation, is there?

In other words, the new root disk is created, the old is put into the
Destroy state, and the old will get deleted at the next clean-up cycle...no
chance to restore that volume (even for use as a data disk).


On Wed, Mar 19, 2014 at 10:33 PM, Mike Tutkowski <
mike.tutkow...@solidfire.com> wrote:

OK, I went back and re-ran my test.

I see how this works now.

I was aware that volumes in the Destroy state get expunged by a background
thread at some point; however, what tricked me here is that my "old" root
disk no longer showed up in the Storage tab of the GUI.

When I looked in the volumes table, though, I saw that that disk was in
the Destroy state.

I sped up the frequency of the clean-up background thread to run once
every minute and I saw the old root disk got put into the Expunged state
(as you'd expect, it was no longer present in the SR).


On Wed, Mar 19, 2014 at 7:06 PM, Mike Tutkowski <
mike.tutkow...@solidfire.com> wrote:

Yeah, usually "reset" (for hypervisors) means "shut down the VM and
re-start it."


On Wed, Mar 19, 2014 at 6:22 PM, Marcus <shadow...@gmail.com> wrote:

+1 to reset being a bad verb for this. It's too late now, however.

On Wed, Mar 19, 2014 at 6:22 PM, Marcus <shadow...@gmail.com> wrote:
The storage gets marked as 'Destroy' state. Then it goes to
'Expunging' when the storage cleanup interval occurs. I've actually
thought about leveraging that for data disks, the current delete data
disk immediately cleans up the disk, when we could create an api call
that just moves the data disk to destroy state. Then there'd actually
be room for an 'undo' operation where the state could be moved back to
Ready, so long as the cleanup hasn't occurred.

On Wed, Mar 19, 2014 at 4:43 PM, Nitin Mehta <nitin.me...@citrix.com> wrote:
Please feel free to open a documentation bug on JIRA if the info doesn't
exist.

On 19/03/14 3:16 PM, "Mike Tutkowski" <mike.tutkow...@solidfire.com> wrote:

Thanks for that background-cleanup info. I was not aware of that.

I'll probably take a look into it and see how that works.


On Wed, Mar 19, 2014 at 4:13 PM, Alena Prokharchyk <
alena.prokharc...@citrix.com> wrote:

CS destroys the Root volume in CS DB, then it's up to the storage pool
cleanup task to clean it up on the backend. This is a background task
running every storage.cleanup.interval seconds.

For how long do you see the volume being present on the SR?

On 3/19/14, 3:03 PM, "Mike Tutkowski" <mike.tutkow...@solidfire.com> wrote:

OK, sounds good; however, if this is desired behavior, does anyone know why
we abandon the old root disk in the XenServer SR? It seems that CloudStack
"forgets" about it and it just stays in the SR taking up space.

Do people think it should be deleted?


On Wed, Mar 19, 2014 at 3:49 PM, Nitin Mehta <
nitin.me...@citrix.com>
wrote:

I think that's what it is supposed to do. It discards the old root disk
and creates a fresh root disk for the vm and in case an optional field
template id is passed in the root disk is created from this new template
id.
The api name is restoreVirtualMachine. Please check that the UI is
internally invoking this api

Thanks,
-Nitin

On 19/03/14 1:55 PM, "Mike Tutkowski" <
mike.tutkow...@solidfire.com>
wrote:

Hi,

I noticed today while running through some test cases for 4.4 that
resetting a VM does not work as expected.

Instead of the typical stop and re-start behavior where the VM is booted
back up using the same root disk, the VM gets a new root disk when it is
booted back up.

Can anyone confirm this finding for me with his or her setup?

Thanks!

--
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkow...@solidfire.com
o: 303.746.7302
Advancing the way the world uses the
cloud
*(tm)*





Re: Review Request 12228: static resource compression

2014-03-20 Thread John Kinsella
Laszlo, can you reference any other open source projects that have similar 
solutions to this issue? Anything I’ve read states dynamic compression in 
tomcat/httpd/nginx does not add significant CPU overhead.

On Mar 20, 2014, at 12:53 PM, Laszlo Hornyak <laszlo.horn...@gmail.com> wrote:


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12228/
---

(Updated March 20, 2014, 7:53 p.m.)


Review request for cloudstack, Brian Federle, Darren Shepherd, and Prasanna 
Santhanam.


Changes
---

spaces


Repository: cloudstack-git


Description
---

CloudStack at first use downloads some 3.5 MB of css and javascript to the 
client. With a weak internet connection, this might take a long time. With gzip 
compression content can be compressed to 850 KB.

This version of the patch uses a custom plugin to compress static resources, so 
that no dynamic compression is needed at runtime. When the static resource 
servlet notices that there is a gzipped version of the resource and the client 
accepts gzipped content, then it is going to send the gzipped version, while 
still respecting HTTP caching.


Diffs (updated)
-

 client/WEB-INF/web.xml 1af38e1
 client/pom.xml d8dbde7
 server/src/com/cloud/servlet/StaticResourceServlet.java PRE-CREATION
 server/test/com/cloud/servlet/StaticResourceServletTest.java PRE-CREATION

Diff: https://reviews.apache.org/r/12228/diff/


Testing
---

yes, tested with firefox and chrome


Thanks,

Laszlo Hornyak


Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Review Request 12228: static resource compression

2014-03-21 Thread John Kinsella
Canya tell us a little more about the test you’re doing? What URL are you 
fetching, how many times etc. Just curious to tinker myself this weekend if I 
have some time. :)

On Mar 21, 2014, at 1:07 PM, Laszlo Hornyak <laszlo.horn...@gmail.com> wrote:


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12228/#review38181
---


https://docs.google.com/spreadsheet/ccc?key=0ApMkIX1Ygx8zdHhqV2RETy05SDU1WER3Z2JEN3ktZHc&usp=sharing

Comparison of 3 configurations, the dynamic compression solution is the last 
one. This test was conducted in a VM with 2 vCPU and 4 GB RAM on an
AMD E2-1800.


- Laszlo Hornyak


On March 20, 2014, 7:53 p.m., Laszlo Hornyak wrote:

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/12228/
---

(Updated March 20, 2014, 7:53 p.m.)


Review request for cloudstack, Brian Federle, Darren Shepherd, and Prasanna 
Santhanam.


Repository: cloudstack-git


Description
---

CloudStack at first use downloads some 3.5 MB of css and javascript to the 
client. With a weak internet connection, this might take a long time. With gzip 
compression content can be compressed to 850 KB.

This version of the patch uses a custom plugin to compress static resources, so 
that no dynamic compression is needed at runtime. When the static resource 
servlet notices that there is a gzipped version of the resource and the client 
accepts gzipped content, then it is going to send the gzipped version, while 
still respecting HTTP caching.


Diffs
-

 client/WEB-INF/web.xml 1af38e1
 client/pom.xml d8dbde7
 server/src/com/cloud/servlet/StaticResourceServlet.java PRE-CREATION
 server/test/com/cloud/servlet/StaticResourceServletTest.java PRE-CREATION

Diff: https://reviews.apache.org/r/12228/diff/


Testing
---

yes, tested with firefox and chrome


Thanks,

Laszlo Hornyak




Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella



Re: Simulator Component under Jira

2014-03-21 Thread John Kinsella
done

On Mar 21, 2014, at 1:18 AM, Santhosh Edukulla  
wrote:

> Team,
> 
> Currently, it seems we don't have a component by name Simulator under jira, 
> This component can be used for any changes we do and issues raised against 
> simulator.
> 
> Please, somebody with permissions can add it. 
> 
> 
> Thanks!
> Santhosh




Still need SSVM SSL config docs

2014-03-24 Thread John Kinsella
Everyone - I believe we’re still missing documentation on how to configure ACS 
4.3 to use a user-provided SSL certificate for SSVM file copies?

Pretty sure I know the answer, so consider this a request for that 
documentation, at least in wiki form.

I’ve submitted a pull request for updates to the console proxy docs in the 
admin guide.

I’ve got a blog post in draft format that I’d like to send out tomorrow, would 
love to be able to link to the SSVM configuration steps as well.

John

Re: Still need SSVM SSL config docs

2014-03-25 Thread John Kinsella
Thx!

On Mar 25, 2014, at 11:50 AM, Amogh Vasekar <amogh.vase...@citrix.com> wrote:

Hi,

I have some info on:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes#RealhostIPchanges-SSVM
which gives pointers on updating the parameter and tips on how to generate
the correct certificate. I will submit a pull request based on similar
lines as console proxy soon.

Thanks,
Amogh

On 3/24/14 11:32 PM, "John Kinsella"  wrote:

Everyone - I believe we're still missing documentation on how to
configure ACS 4.3 to use a user-provided SSL certificate for SSVM file
copies?

Pretty sure I know the answer, so consider this a request for that
documentation, at least in wiki form.

I've submitted a pull request for updates to the console proxy docs in
the admin guide.

I've got a blog post in draft format that I'd like to send out tomorrow,
would love to be able to link to the SSVM configuration steps as well.

John


Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>



REMINDER please send security issues to security@

2014-03-28 Thread John Kinsella
Folks - in the last week or three we’ve had 2 Jira issues created for 
security-related issues. In both cases, they seem to be false-positives, 
luckily.

If you think you have found a security issue in ACS, please email 
secur...@cloudstack.apache.org.

This gives us a chance to investigate and create patches, and give the 
community the best shot of minimizing malicious groups leveraging 
vulnerabilities.

More info about reporting security issues and our response process can be found 
at [1]

John
1: https://cloudstack.apache.org/security.html



Re: OpenSSL vunerability (bleedheart)

2014-04-08 Thread John Kinsella
Folks - we’re aware of the OpenSSL issue, and are working with vendors to 
release mitigation instructions for ACS.

Hoping to have something out later this evening.

John

On Apr 8, 2014, at 8:12 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

A vulnerability has been found in OpenSSL

http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1

Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases 
as
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 
8.4, NetBSD 5.0.2 and OpenSUSE 12.2.

It is fixed in OpenSSL 1.0.1g

From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9

"Statement:
This issue did not affect the versions of openssl as shipped with Red Hat 
Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue 
does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization 
Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."

XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification 
version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.



Regards,

Paul Angus
Senior Consultant / Cloud Architect

S: +44 20 3603 0540 | M: +447711418784 | 
T: @CloudyAngus
paul.an...@shapeblue.com | 
www.shapeblue.com | 
Twitter:@shapeblue
ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS





Re: OpenSSL vunerability (bleedheart)

2014-04-08 Thread John Kinsella
Just put up a blog post with mitigation instructions [1]. If anybody has any 
issues with this, please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella  wrote:

> Folks - we’re aware of the OpenSSL issue, and are working with vendors to 
> release mitigation instructions for ACS.
> 
> Hoping to have something out later this evening.
> 
> John
> 
> On Apr 8, 2014, at 8:12 AM, Paul Angus <paul.an...@shapeblue.com> wrote:
> 
> A vulnerability has been found in OpenSSL
> 
> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
> 
> Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such 
> releases as
> Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, 
> FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
> 
> It is fixed in OpenSSL 1.0.1g
> 
> From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
> 
> "Statement:
> This issue did not affect the versions of openssl as shipped with Red Hat 
> Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue 
> does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization 
> Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
> 
> XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification 
> version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.
> 
> 
> 
> Regards,
> 
> Paul Angus
> Senior Consultant / Cloud Architect
> 
> S: +44 20 3603 0540 | M: +447711418784 
> | T: @CloudyAngus
> paul.an...@shapeblue.com | 
> www.shapeblue.com | 
> Twitter:@shapeblue
> ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS
> 
> 



Re: OpenSSL vunerability (bleedheart)

2014-04-09 Thread John Kinsella
To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.

- Reply message -
From: "Rayees Namathponnan" 
To: "dev@cloudstack.apache.org" 
Subject: OpenSSL vunerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get latest systemvm template from 
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has 
openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl  
1.0.1e-2+deb7u6  ?

Regards,
Rayees

-Original Message-
From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To: 
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to 
get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test 
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network.

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux!  wrote:

> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>> Latest jenkins build template have openSSL version 1.0.1e, the
>> version that is compromised.
>
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will 
> not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
> will backport stuff.
>
> After I did an "apt-get update && apt-get install openssl" I got package 
> version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok 
> according to the changelog:
>
> "aptitude changelog openssl" says:
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Enable checking for services that may need to be restarted
>  * Update list of services to possibly restart
>
> -- Salvatore Bonaccorso   Tue, 08 Apr 2014 10:44:53
> +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Add CVE-2014-0160.patch patch.
>CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>A missing bounds check in the handling of the TLS heartbeat extension
>can be used to reveal up to 64k of memory to a connected client or
>server.
>
> -- Salvatore Bonaccorso   Mon, 07 Apr 2014 22:26:55
> +0200
>
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then 
> they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro



Re: OpenSSL vunerability (bleedheart)

2014-04-09 Thread John Kinsella
Folks - unfortunately there’s an error in my blog post last night. On Debian, 
you need to update both openssl and libssl, updating openssl by itself is not 
good enough. I knew this, had it in a draft but somehow that didn’t make it 
into the post. I’ll blame lack of sleep.

Blog post has been updated, and I’ve also added instructions for VMWare shops, 
thanks to Geoff Higginbottom.

I can guarantee that current ACS is vulnerable, and I can attest that with our 
config (KVM) the notes in the blog post [1] will mitigate the vulnerability.

1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 9, 2014, at 5:30 AM, Nux! <n...@li.nux.ro> wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the version
that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will 
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package 
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according 
to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Enable checking for services that may need to be restarted
 * Update list of services to possibly restart

-- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Add CVE-2014-0160.patch patch.
   CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
   A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

-- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they 
are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella
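
The version rule discussed in this thread (a system VM is fine at openssl 1.0.1e-2+deb7u5 or higher, and libssl has to be updated along with openssl) can be checked mechanically. The following is an added example, not part of the original messages or of CloudStack: it applies Debian's version ordering to constructed `dpkg -l` output; the package name `libssl1.0.0` and the sample lines are assumptions.

```python
import re

# First wheezy build with the CVE-2014-0160 patch, per the changelog quoted in the thread.
FIXED_VERSION = "1.0.1e-2+deb7u5"
# Assumption: wheezy ships the library the thread calls "libssl" as libssl1.0.0.
REQUIRED_PACKAGES = ("openssl", "libssl1.0.0")
DIGITS = "0123456789"


def _weight(ch):
    """Character weight used by dpkg: '~' first, then end/digit, letters, others."""
    if ch == "~":
        return -1
    if ch == "" or ch in DIGITS:
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_part(a, b):
    """Compare one upstream or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit prefix: compare character by character using dpkg weights.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            wa = _weight(a[i] if i < len(a) else "")
            wb = _weight(b[j] if j < len(b) else "")
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so "u10" sorts after "u5".
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0


def _split(version):
    """Split into (epoch, upstream, debian revision); a missing revision counts as 0."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def classify(version):
    """Apply the thread's rule to one installed package version."""
    upstream = _split(version)[1]
    if _cmp_part(upstream, "1.0.1") < 0:
        return "unaffected"   # the thread lists 1.0.1 and 1.0.2-beta as affected
    if upstream != "1.0.1e":
        return "review"       # not a wheezy build; the deb7u5 rule does not apply
    return "patched" if compare_versions(version, FIXED_VERSION) >= 0 else "vulnerable"


def audit(dpkg_output):
    """Map each required package to (installed version or None, state)."""
    result = {name: (None, "missing") for name in REQUIRED_PACKAGES}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name = fields[1].split(":")[0]   # drop multiarch suffix such as ":amd64"
        if name in result:
            result[name] = (fields[2], classify(fields[2]))
    return result


def host_is_patched(dpkg_output):
    """True only when every required package is patched or unaffected."""
    return all(state in ("patched", "unaffected")
               for _, state in audit(dpkg_output).values())


# Constructed sample: openssl was upgraded, the shared library was not.
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name               Version            Architecture Description
+++-==================-==================-============-=====
ii  libssl1.0.0:amd64  1.0.1e-2+deb7u4    amd64        SSL shared libraries
ii  openssl            1.0.1e-2+deb7u6    amd64        Secure Socket Layer (SSL) binary
"""

if __name__ == "__main__":
    for pkg, (ver, state) in audit(SAMPLE_DPKG).items():
        print(f"{pkg:12} {ver} {state}")
    print("host patched:", host_is_patched(SAMPLE_DPKG))
```

Services that loaded the old library before the upgrade keep it mapped until they are restarted, so a clean result here still needs the restart step the changelog mentions.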



Re: OpenSSL vunerability (bleedheart)

2014-04-09 Thread John Kinsella
I want to address a few things here directly (I think these are covered in the 
blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious, see 
"lsof|grep -i ssl"
* I’m not sure if the current SystemVM template on Jenkins is secure, we’re 
testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there’s a 
security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you’re using realhostIP, it 
doesn’t matter what version of OSSL you use, you’re still insecure. Horse: 
beaten.
* Chiradeep’s correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions…running around doing a few things but this is 
very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)

On Apr 9, 2014, at 10:19 AM, John Kinsella <j...@stratosec.co> wrote:

To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.

- Reply message -
From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com>
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: OpenSSL vunerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get latest systemvm template from 
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has 
openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl  
1.0.1e-2+deb7u6  ?

Regards,
Rayees

-Original Message-
From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To: <dev@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to 
get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test 
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network.

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the
version that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will 
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package 
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according 
to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Enable checking for services that may need to be restarted
* Update list of services to possibly restart

-- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Add CVE-2014-0160.patch patch.
  CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
  A missing bounds check in the handling of the TLS heartbeat extension
  can be used to reveal up to 64k of memory to a connected client or
  server.

-- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they 
are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Stratosec (http://stratosec.co/) - Compliance as a Service
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)



Re: OpenSSL vunerability (bleedheart)

2014-04-09 Thread John Kinsella
CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken 
more than a peek at that yet - I think SSL is configured off by default but…yeah 
sorry will have to look at that closer.

Regarding the trusted IPs - I only attempted to test one SSVM from 
http://filippo.io/Heartbleed/ and it was a) publicly accessible and b) 
vulnerable, so trust didn’t really enter into the equation.

I already adjusted the blog post re: VR and earlier versions of ACS.

John

On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

Courtesy Chiradeep


- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN 
and S2S VPN use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. 
The latter is between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is 
affected

Thanks
Animesh
-Original Message-
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Wednesday, April 09, 2014 11:07 AM
To: dev@cloudstack.apache.org
Subject: Re: OpenSSL vunerability (bleedheart)

I want to address a few things here directly (I think these are covered in the
blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious,
see "lsof|grep -i ssl"
* I'm not sure if the current SystemVM template on Jenkins is secure, we're
testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there's a
security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
it doesn't matter what version of OSSL you use, you're still insecure. Horse:
beaten.
* Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions...running around doing a few things but this
is very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)


Re: OpenSSL vunerability (bleedheart)

2014-04-10 Thread John Kinsella
root@v-14-VM:~# lsof|grep -i ssl
monit 11461   root  mem   REG  254,7   358880  15115 /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0
root@v-14-VM:~# ps -ef|grep monit
root 11461 1  0 Apr09 ?00:00:02 /usr/bin/monit -c /etc/monit/monitrc

On Apr 9, 2014, at 9:10 PM, Kelven Yang <kelven.y...@citrix.com> wrote:

What is the process name of that daemon in CPVM? I remember that we only
have SSH and HTTPS port open in console proxy, and the latter one is
running Java based SSL engine.

Kelven

On 4/9/14, 1:38 PM, "John Kinsella" <j...@stratosec.co> wrote:

CPVM runs a monit daemon which is at least linked to libssl. I haven’t
taken more than a peek at that yet - I think SSL is configured off by
default but…yeah sorry will have to look at that closer.

Regarding the trusted IPs - I only attempted to test one SSVM from
http://filippo.io/Heartbleed/ and it was a) publicly accessible and b)
vulnerable, so trust didn’t really enter into the equation.

I already adjusted the blog post re: VR and earlier versions of ACS.

John

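
The `lsof|grep -i ssl` output in this message shows which processes map libssl, and the deb7u6 changelog entry quoted earlier in the thread adds a check for services that may need restarting. The following is an added example, not code from the thread or from CloudStack, and it goes one step beyond the `lsof` listing: it reads `/proc/<pid>/maps` text and reports processes that still map an OpenSSL library whose file has been replaced on disk. The sample data and the names `stale_openssl` and `read_proc_maps` are constructed for illustration.

```python
import glob
import re

# /proc/<pid>/maps line: range perms offset dev inode path [" (deleted)"]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ \S+ [0-9a-f]+ \S+ \d+\s+"
                       r"(?P<path>/.*?)(?P<deleted> \(deleted\))?$")
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so[^/]*$")

def stale_openssl(maps_by_pid):
    """Map pid -> sorted OpenSSL libraries that are mapped but deleted on disk."""
    stale = {}
    for pid, text in maps_by_pid.items():
        libs = set()
        for line in text.splitlines():
            m = MAPS_LINE.match(line)
            # "(deleted)" means the package upgrade replaced the file while
            # the process kept the old copy mapped: it needs a restart.
            if m and m.group("deleted") and OPENSSL_LIB.search(m.group("path")):
                libs.add(m.group("path"))
        if libs:
            stale[pid] = sorted(libs)
    return stale

def read_proc_maps():
    """Collect maps text for every readable process on a live Linux host."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                result[int(path.split("/")[2])] = fh.read()
        except OSError:          # process exited or access not permitted
            continue
    return result

# Constructed sample: pid 11461 (monit in the thread) still maps the old file,
# pid 2040 was started after the upgrade and maps the new one.
SAMPLE = {
    11461: "b7d4a000-b7da0000 r-xp 00000000 fe:07 15115      "
           "/usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (deleted)\n"
           "b7f00000-b7f20000 r-xp 00000000 fe:07 2201       "
           "/lib/i386-linux-gnu/libc-2.13.so\n",
    2040:  "b7d4a000-b7da0000 r-xp 00000000 fe:07 15230      "
           "/usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0\n",
}
```

On a system VM, `stale_openssl(read_proc_maps())` run as root after the package upgrade lists the processes to restart.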

REMINDER realhostip going away

2014-04-17 Thread John Kinsella
Reminder, folks - please migrate off realhostip.com or you’re going to get a 
nasty surprise this summer. More info at link below.

https://blogs.apache.org/cloudstack/entry/realhostip_service_is_being_retired

Re: [DISCUSS][PROPOSAL] CA authority plugin definition

2017-04-14 Thread John Kinsella
I’d suggest taking a look at using Dogtag[1] as well. Actually, that’s what the 
Other Guys also suggest[2].

1: http://pki.fedoraproject.org/wiki/PKI_Main_Page 

2: https://wiki.openstack.org/wiki/PKI 


> On Apr 14, 2017, at 7:57 AM, Simon Weller  wrote:
> 
> Daan,
> 
> 
> What about integrating something like Vault (https://github.com/hashicorp/vault)?
> 
> 
> - Si
> 
> 
> From: Daan Hoogland
> Sent: Friday, April 14, 2017 5:46 AM
> To: dev@cloudstack.apache.org 
> Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
> 
> Devs,
> 
> Following a discussion with a client they came up with the idea to create a 
> pluggable CA-framework. A plugin would serve components in cloudstack that so 
> require (management servers, agents, load balancers, SVMs, etc.) with 
> certificates answering certificate requests and validating certificates on 
> request.
> 
> A default plugin can be written that serves according to its own self signed 
> root certificate and have its own revocation list to be managed by the admin. 
> Other plugins could forward by mail or web requests to external parties.
> 
> A CA-plugin will have to
> 
> -  Setup, for the default this means creating its certificate, for 
> others it might mean install an intermediate certificate or configure a mail, 
> or website address.
> 
> -  Accept and answer certificate requests
> 
>    o For client certificates
> 
>    o For server certificates
> 
> -  Accept revocation requests
> 
> -  Validate a connection request according to origin and certificate 
> and . What extra data is is defined by the plugin and can be 
> credentials or field-definitions referring the x509 entries or for instance 
> port numbers allowed… this is basically free to the implementer.
> 
> A next step will have to be integrating the request calls with installs on 
> targets but I think as is this feature merits itself as it could be used with 
> out of band configuration management tools as well.
> 
> Any thoughts, remarks and critiques are welcome,
> 
> daan.hoogl...@shapeblue.com
> www.shapeblue.com
> Shapeblue - The CloudStack Company
> 
> 
> 
> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
> @shapeblue



New committer: Dag Sonstebo

2018-03-20 Thread John Kinsella
The Project Management Committee (PMC) for Apache CloudStack has
invited Dag Sonstebo to become a committer and we are pleased to
announce that he has accepted.

I’ll take a moment here to remind folks that being an ASF committer
isn’t purely about code - Dag has been helping out for quite a while
on users@, and seems to have a strong interest around ACS and the
community. We welcome this activity, and encourage others to help
out as they can - it doesn’t necessarily have to be purely code-related.

Being a committer enables easier contribution to the project since
there is no need to go via the patch submission process. This should
enable better productivity.

Please join me in welcoming Dag!

John

Re: John Kinsella and Wido den Hollander now ASF members

2018-05-03 Thread John Kinsella
Thanks David and everyone - it really means a lot to me.

Will continue to support and evangelize CloudStack and the ASF where I can!

John 

> On May 2, 2018, at 8:57 AM, David Nalley  wrote:
> 
> Hi folks,
> 
> As noted in the press release[1] John Kinsella and Wido den Hollander
> have been elected to the ASF's membership.
> 
> Members are the 'shareholders' of the foundation, elect the board of
> directors, and help guide the future of the ASF.
> 
> Congrats to both of you, very well deserved.
> 
> --David
> 
> [1] https://s.apache.org/ysxx


