[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507806#comment-16507806 ] ASF GitHub Bot commented on CLOUDSTACK-10381: - fmaximus commented on a change in pull request #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive URL: https://github.com/apache/cloudstack/pull/2705#discussion_r194326251 ## File path: server/src/com/cloud/network/element/ConfigDriveNetworkElement.java ## 
@@ -223,7 +231,14 @@ public boolean saveSSHKey(final Network network, final NicProfile nic, final Vir if (vm != null && vm.getVirtualMachine().getState().equals(VirtualMachine.State.Running)) { throw new CloudRuntimeException("VM should to stopped to reset password"); } -return canHandle(network.getTrafficType()); + +final boolean canHandle = canHandle(network.getTrafficType()); + +if (canHandle) { +storePasswordInVmDetails(vm); Review comment: SaveSshKey implicitly also resets the password. So I'm also saving it in this case. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > [ConfigDrive] Password is missing after reset password sequence > --- > > Key: CLOUDSTACK-10381 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10381 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.11.1.0 >Reporter: Frank Maximus >Priority: Blocker > > Failing Scenario: > {quote}*Given* a network offering specifying ConfigDrive as UserData provider > *And* a network using this offering > *And* a VM in this network > *When* I stop the VM > *and* I reset the password of the VM > *and* I start the VM > *Then* I can login with the password returned by the reset password api call > *And* the password is found on the config drive disk. > {quote} > Actual behavior: > {quote}Password file is missing on config drive disk. > Password of root on the VM didn't change > {quote} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
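Review bot: the reason `storePasswordInVmDetails(vm)` is called from `saveSSHKey` is given only in this review comment, not in the code; add a one-line comment above the call stating that resetting the SSH key also resets the password. The context line of this hunk also still throws "VM should to stopped to reset password" on the SSH key path; since the method is being touched, reword that message so it names the SSH key reset and reads "should be stopped".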
[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507814#comment-16507814 ]

ASF GitHub Bot commented on CLOUDSTACK-10381:

fmaximus commented on issue #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive
URL: https://github.com/apache/cloudstack/pull/2705#issuecomment-396167313

I've used the same code as is used in VRElement, when VR is stopped.
There it's delayed to when the VM is starting, as by then the VR is running.

We've looked at removing the password from the config drive, it soon becomes complex.
- As you can't be certain that the password has been requested (like in VR), you don't know for sure when to remove it.
- The only way to remove it is to build a new iso, and change the config drive disk. This can only be done safely when the VM is stopped.
[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507841#comment-16507841 ]

ASF GitHub Bot commented on CLOUDSTACK-10381:

rhtyd commented on issue #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive
URL: https://github.com/apache/cloudstack/pull/2705#issuecomment-396179262

@fmaximus yes, it is a requirement that VM is stopped for doing password reset and this also ensures that a new ISO will be built when VM is started (if config drive is enabled/available). Per the apidocs, similar to the reset SSH key API I've added a check that will not allow reset password API to work if VM is not stopped.

/cc @PaulAngus @DaanHoogland
[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507985#comment-16507985 ]

ASF GitHub Bot commented on CLOUDSTACK-10381:

PaulAngus commented on issue #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive
URL: https://github.com/apache/cloudstack/pull/2705#issuecomment-396233571

LGTM - tested by;
creating an L2 network with configdrive
marking a template as password enabled and then starting the built-in template
inspecting config drive I can find password file with correct password inside
stopping and starting vm, password file is removed
stopping vm and resetting password
after starting VM password file has correct password
stopping and starting vm, password file is removed again.
[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16508041#comment-16508041 ]

ASF GitHub Bot commented on CLOUDSTACK-10381:

DaanHoogland commented on issue #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive
URL: https://github.com/apache/cloudstack/pull/2705#issuecomment-396241957

@rhtyd you approve and say LGTM but then say "if..." effectively -1ing the PR. The password will remain available in the configdrive until it is recreated, won't it? @fmaximus am I seeing this wrong?
[jira] [Commented] (CLOUDSTACK-10381) [ConfigDrive] Password is missing after reset password sequence
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16508084#comment-16508084 ] ASF GitHub Bot commented on CLOUDSTACK-10381: - PaulAngus closed pull request #2705: CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive URL: https://github.com/apache/cloudstack/pull/2705 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/server/src/com/cloud/network/element/ConfigDriveNetworkElement.java b/server/src/com/cloud/network/element/ConfigDriveNetworkElement.java index dab4a14311c..a304ea43fa2 100644 --- a/server/src/com/cloud/network/element/ConfigDriveNetworkElement.java +++ b/server/src/com/cloud/network/element/ConfigDriveNetworkElement.java @@ -63,6 +63,7 @@ import com.cloud.storage.dao.GuestOSDao; import com.cloud.storage.dao.VolumeDao; import com.cloud.utils.component.AdapterBase; +import com.cloud.utils.crypt.DBEncryptionUtil; import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.fsm.StateListener; import com.cloud.utils.fsm.StateMachine2; @@ -212,7 +213,14 @@ public boolean savePassword(final Network network, final NicProfile nic, final V if (vm != null && vm.getVirtualMachine().getState().equals(VirtualMachine.State.Running)) { throw new CloudRuntimeException("VM should to stopped to reset password"); } -return canHandle(network.getTrafficType()); + +final boolean canHandle = canHandle(network.getTrafficType()); + +if (canHandle) { +storePasswordInVmDetails(vm); +} + +return canHandle; } @Override 
@@ -223,7 +231,14 @@ public boolean saveSSHKey(final Network network, final NicProfile nic, final Vir if (vm != null && vm.getVirtualMachine().getState().equals(VirtualMachine.State.Running)) { throw new CloudRuntimeException("VM should to stopped to reset password"); } -return canHandle(network.getTrafficType()); + +final boolean canHandle = canHandle(network.getTrafficType()); + +if (canHandle) { +storePasswordInVmDetails(vm); +} + +return canHandle; } @Override 
@@ -237,6 +252,20 @@ public boolean saveUserData(final Network network, final NicProfile nic, final V return canHandle(network.getTrafficType()); } +/** + * Store password in vm details so it can be picked up during VM start. + */ +private void storePasswordInVmDetails(VirtualMachineProfile vm) { +final String password = (String) vm.getParameter(VirtualMachineProfile.Param.VmPassword); +final String password_encrypted = DBEncryptionUtil.encrypt(password); +final UserVmVO userVmVO = _userVmDao.findById(vm.getId()); + +_userVmDetailsDao.addDetail(vm.getId(), "password", password_encrypted, false); + +userVmVO.setUpdateParameters(true); +_userVmDao.update(userVmVO.getId(), userVmVO); +} + @Override public boolean verifyServicesCombination(Set services) { return true; This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > [ConfigDrive] Password is missing after reset password sequence > --- > > Key: CLOUDSTACK-10381 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10381 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server >Affects Versions: 4.11.1.0 >Reporter: Frank Maximus >Priority: Blocker > > Failing Scenario: > {quote}*Given* a network offering specifying ConfigDrive as UserData provider > *And* a network using this offering > *And* a VM in this network > *When* I stop the VM > *and* I reset the password of the VM > *and* I start the VM > *Then* I can login with the password returned by the reset password api call > *And* the password is found on the config drive disk. > {quote} > Actual behavior: > {quote}Password file is missing on config drive disk. > Password of root on the VM didn't change > {quote} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
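Review bot: in the `savePassword` hunk, the guard in the context line tests `vm != null`, so a null profile is treated as possible, yet the new `storePasswordInVmDetails(vm)` call dereferences `vm` whenever `canHandle` is true. Either make the call conditional on `vm != null` or reject a null profile at the top of the method, so the guard and the new call agree on the contract.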
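Review bot: the `saveSSHKey` hunk adds the same block as the `savePassword` hunk before it, line for line. Move the `canHandle(network.getTrafficType())` check and the `storePasswordInVmDetails(vm)` call into one private method that both callers return from, so a later change to the storing logic cannot land on one path and be missed on the other.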
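Review bot: in `storePasswordInVmDetails`, neither the `VmPassword` parameter nor the result of `_userVmDao.findById(vm.getId())` is checked before use: a missing parameter is cast and handed straight to `DBEncryptionUtil.encrypt`, and `userVmVO.setUpdateParameters(true)` is called on whatever the lookup returns. Return early or throw `CloudRuntimeException` when either is null. The Javadoc says the detail is picked up during VM start but not what removes it afterwards; since the value is a credential, state that there. Minor: `password_encrypted` should be `passwordEncrypted`, and the "password" detail key would read better as a named constant.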
[jira] [Commented] (CLOUDSTACK-10326) Prevent hosts fall into Maintenance when there are running VMs on it
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16508501#comment-16508501 ]

ASF GitHub Bot commented on CLOUDSTACK-10326:

nvazquez opened a new pull request #2493: CLOUDSTACK-10326: Prevent hosts fall into Maintenance when there are running VMs on it
URL: https://github.com/apache/cloudstack/pull/2493

JIRA Ticket: https://issues.apache.org/jira/browse/CLOUDSTACK-10326

This issue was discovered, fixed and tested on KVM, but applies for every hypervisor.

### Background

When enabling maintenance mode in a host, host state is put into 'PrepareForMaintenance' and running VMs are migrated into another host. After every VM is migrated, host goes to 'Maintenance' state.

Checks are performed on `ResourceManagerImpl.checkAndMaintain()` method:
- List VMs with host_id = HOST_ID
- List VMs with last_host_id = HOST_ID and state=Migrating

When both queries are empty, then the host can be put into Maintenance.

When a VM is being migrated to DEST_HOST, its host_id column is set to DEST_HOST, last_host_id = ORIGIN_HOST and state = Migrating. If then migration fails, host_id = last_host_id = ORIGIN_HOST

### Issue

This sequence:
- Enable maintenance mode on ORIGIN_HOST
- VMs start being migrated to a host, say DEST_HOST
- checkAndMaintain() starts:
  - First check passes (no VM with host_id = ORIGIN_HOST_ID as those are being migrated)
  - Before the second check, one or more migrations fail
  - Second check passes, however there are VMs running on the host as migrations have failed.
- Host goes into Maintenance state.

Screenshots attached, query executed on each case: `select id, name, instance_name, state, host_id, last_host_id from vm_instance;`

Before enabling maintenance mode on host 4:

While host = 'PrepareForMaintenance' and VM is being migrated to host 1:

At this point the first check is performed:

Made migrations fail adding these rules on host 4:
iptables -I OUTPUT -j REJECT -m state --state NEW -m tcp -p tcp --dport 49152:49215 -m comment --comment 'test block migrations'
iptables -I OUTPUT -j REJECT -m state --state NEW -m tcp -p tcp --dport 16509 -m comment --comment 'test block migrations'

Migration failed and VM goes Running into host 4:

Second check passes and host goes into Maintenance

> Prevent hosts fall into Maintenance when there are running VMs on it
>
> Key: CLOUDSTACK-10326
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10326
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Affects Versions: 4.11.0.0
> Reporter: Nicolas Vazquez
> Assignee: Nicolas Vazquez
> Priority: Major
> Fix For: 4.11.1.0
> Attachments: CLOUDSTACK-10326-Debug.png, CLOUDSTACK-10326-InitialState.png, CLOUDSTACK-10326-Migrating.png, CLOUDSTACK-10326-MigrationFailed.png
>
> This issue was discovered, fixed and tested on KVM, but applies for every hypervisor.
> h2. Background
> When enabling maintenance mode in a host, host state is put into 'PrepareForMaintenance' and running VMs are migrated into another host. After every VM is migrated, host goes to 'Maintenance' state.
> Checks are performed on ResourceManagerImpl.checkAndMaintain() method:
> * List VMs with host_id = HOST_ID
> * List VMs with last_host_id = HOST_ID and state=Migrating
> When both queries are empty, then the host can be put into Maintenance.
> When a VM is being migrated to DEST_HOST, its host_id column is set to DEST_HOST, last_host_id = ORIGIN_HOST and state = Migrating. If then