[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-325306453

The XenServer env related failure was caused by centos7 based packaging/dependency issues where pyopenssl.crypto may not have a `load_publickey` method available. I've put a fix in the marvin test to skip when the pyopenssl library does not export such a method; with that, all tests pass now:

```
=== TestName: test_issue_certificate_with_csr | Status : SUCCESS ===
=== TestName: test_issue_certificate_without_csr | Status : SUCCESS ===
=== TestName: test_list_ca_certificate | Status : SUCCESS ===
=== TestName: test_list_ca_providers | Status : SUCCESS ===
=== TestName: test_provision_certificate | Status : SUCCESS ===
=== TestName: test_revoke_certificate | Status : SUCCESS ===
```

With enough test results and code reviews, this is ready for merging. I'll wait for Travis to go green and then merge this feature.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324971414

@mlsorensen yes, if @wido wants to use the new secure system he can (1) create a keystore at /etc/cloudstack/agent/cloud.jks with a 'cloud' alias and the password in the agent.properties file, (2) create a CSR using the keystore, (3) use the CSR to issue a certificate from the management server, save the certificate and ca-certs and import them into the keystore, and (4) add/start the agent to a zone/cluster.

The utility scripts will be installed as part of the `cloudstack-common` package, will be put in systemvm.iso for systemvms, and are available at: `/usr/share/cloudstack-common/scripts/util/{keystore-cert-import, keystore-setup}`

I'll document the usage of these scripts, in admin docs or somewhere; briefly, here's how these scripts work (the command name and options in <> brackets):

`keystore-setup`

This script will save and output the CSR, save the keystore passphrase in the properties file and also create a `cloud.jks.new` keystore file. After the certificates (ca+client) are created, they are stored in the keystore file using the `keystore-cert-import` script:

`keystore-cert-import`

Running the import script would save the certs in the keystore file `cloud.jks.new` and rename it to `cloud.jks`. The `.new` is used to act as a two-phase commit approach, so if anything goes bad during provisioning (for example, on a live system using the provisionCertificate API), it won't affect an existing keystore. Lastly, in addition to the keystore file, the certificates and keys are also stored in the usual x509/pem formats with `chmod 600` applied to them, at the agent conf directory for usage with other services.
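The staged-keystore commit described in the comment above, as an added shell example that is not the CloudStack `keystore-setup`/`keystore-cert-import` scripts: phase one stages `cloud.jks.new` owner-only, phase two verifies it and only then renames it over the live `cloud.jks`, discarding the staged file on failure. The JKS magic-number check stands in for a `keytool -list` of the 'cloud' alias, and the PEM file names `cloud.crt`, `cloud.ca.crt` and `cloud.key` are assumed, not taken from the PR.

```shell
# Hypothetical helpers (not the CloudStack scripts). $1 is assumed to be the
# agent conf directory that holds the live cloud.jks.

# Phase 1: stage the freshly built keystore as cloud.jks.new, owner-only,
# without touching the live cloud.jks.
stage_keystore() {
    conf="$1"; built="$2"
    [ -s "$built" ] || return 1
    cp "$built" "$conf/cloud.jks.new" && chmod 600 "$conf/cloud.jks.new"
}

# Sanity check standing in for `keytool -list`: the file must be non-empty
# and start with the JKS magic number 0xFEEDFEED.
verify_keystore() {
    ks="$1"
    [ -s "$ks" ] || return 1
    magic=$(od -An -tx1 -N4 "$ks" | tr -d ' \n')
    [ "$magic" = "feedfeed" ]
}

# Phase 2: rename .new over the live keystore only if it verifies. On failure
# the staged file is discarded and the existing keystore is left untouched.
commit_keystore() {
    conf="$1"
    if verify_keystore "$conf/cloud.jks.new"; then
        mv -f "$conf/cloud.jks.new" "$conf/cloud.jks" && chmod 600 "$conf/cloud.jks"
    else
        rm -f "$conf/cloud.jks.new"
        return 1
    fi
}

# PEM copies beside the keystore with chmod 600, for use by other services.
# $2 = client cert PEM, $3 = CA chain PEM, $4 = private key PEM (file names assumed).
store_pem_copies() {
    conf="$1"
    printf '%s\n' "$2" > "$conf/cloud.crt"
    printf '%s\n' "$3" > "$conf/cloud.ca.crt"
    printf '%s\n' "$4" > "$conf/cloud.key"
    chmod 600 "$conf/cloud.crt" "$conf/cloud.ca.crt" "$conf/cloud.key"
}

# Portable owner-only (0600) check using the ls mode string.
is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```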
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324879755

@blueorangutan test centos7 xenserver-65sp1
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324874411

@blueorangutan package
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324706796

Thanks @borisstoyanov, I'll keep this open for now until we receive the xenserver smoke test results. I'll merge this on satisfactory results.
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324619991

Thanks @DaanHoogland @nvazquez for reviewing
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324544888

@blueorangutan test centos7 xenserver-65sp1
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-324374398

@blueorangutan package
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323980697

@blueorangutan package
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323721124

@wido okay, so for your environment just keep `ca.plugin.root.auth.strictness` set to `false` for both new and existing cloudstack environments
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323718422

@wido in the current implementation, all agent-mgmt server connections are encrypted and SSL enabled, based on a random cert that the mgmt server creates, stores and uses from `cloudmanagement.keystore`, reading/updating it from the ssl.keystore global setting; and when agents connect to the mgmt server they use a trust-all-manager to trust any certificate presented to them. So, all cloudstack envs have the connections encrypted, however not authenticated and secured in one- or two-way SSL.

With this new work/PR, for existing environments, after upgrade the auth strictness enforcement will be `false`; however, newer hosts/agents will be provisioned to use this new system to have CA certs etc. stored in agents so they will have more secure SSL authentication. However, the mgmt server will not perform additional trust validations and it will allow any clients (like it does now).
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323583831

The one test failing, `create_volume`, is not related to this PR but to general intermittent failures, including those rvpc/rvr failures, and is ignorable. The failure was caused by:

```
sshClient: DEBUG: Host: 10.1.34.164 Cmd: /sbin/fdisk -l | grep Disk Output:{'status': 'SUCCESS', 'stdin': None, 'stderr': [u"Disk /dev/sda doesn't contain a valid partition table\n"], 'stdout': [u'Disk /dev/hdb: 2147 MB, 2147483648 bytes\n', u'Disk /dev/sda: 1073 MB, 1073741824 bytes\n']}
test_01_create_volume (tests.smoke.test_volumes.TestCreateVolume): DEBUG: Volume Size Expected 1073741824 Actual :Volume Not Found
```
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323540764

@blueorangutan test centos6 vmware-55u3
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323451002

@blueorangutan test
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323445554

@blueorangutan package
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323399304

@blueorangutan package
[GitHub] rhtyd commented on issue #2239: CLOUDSTACK-9993: Securing Agents Communications
URL: https://github.com/apache/cloudstack/pull/2239#issuecomment-323362107

Pinging for review @nvazquez @borisstoyanov @DaanHoogland @wido @marcaurele @GabrielBrascher @rafaelweingartner @ustcweizhou @pyr and others

@blueorangutan package