Re: [VOTE] Upgrade Log4j to Log4j2

2023-05-18 Thread Sidimar Carniel
Important effort in this work!

[ ] +1 approve

Regards,
Sidimar Carniel



On Wed, 17 May 2023 at 10:27, Rodrigo D. Lopez <rodrigoduartelo...@gmail.com> wrote:

> Thanks for the great work!
>
> Based on discussions in PR and the discussion thread[1]. My vote is +1.
>
> Log4j v1 (deprecated) and its current alternative reload4j in use in ACS
> are not ideal for the long run. Therefore, for the future of ACS, and to
> enable us to keep evolving, the upgrade is most welcome.
>
> Regards,
> Rodrigo Lopez
>
> [1]  https://lists.apache.org/thread/261j7m0p5mr4q7yclvo49mwhkxz4yov2
>
> On Wed, 17 May 2023 at 09:41, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>
> > -0
> >
> > Joao, Daniel reacted negatively to my question to create a proxy with bad
> > arguments and I had no time to respond yet. I think not adding a proxy at
> > this time is a missed opportunity and I would wholeheartedly +1 if we had.
> > Not creating a proxy class (with or without configurability) is a waste of
> > your effort.
> > All the standardisation of calls is very useful irrespective.
> >
> > On Tue, May 16, 2023 at 8:45 PM Daniel Salvador wrote:
> >
> > > Hello, João
> > >
> > > Considering the discussion we had in the thread[1] and that the conflicts
> > > will be mostly regarding logger names (which is simple to fix), I am +1 on
> > > the proposal.
> > >
> > > Best regards,
> > > Daniel Salvador (gutoveronezi)
> > >
> > > [1] https://lists.apache.org/thread/261j7m0p5mr4q7yclvo49mwhkxz4yov2
> > >
> > > On Tue, May 16, 2023 at 1:28 PM João Jandre Paraquetti <j...@scclouds.com.br> wrote:
> > >
> > > > Hello guys,
> > > >
> > > > I am opening this voting thread as a result of the discussion in thread
> > > > "ACS upgrade to Log4J2 version 2.19"[1].
> > > >
> > > > The voting aims to continue the efforts and conclude the upgrade of the
> > > > ACS logging library to Log4j2 through PR 7131[2]; merge the PR as soon
> > > > as possible and provide ways for contributors to solve the conflicts
> > > > easily, so all the contributors have time to fix their merge conflicts
> > > > before 4.19; announce that change in the release notes and provide ways
> > > > for users to upgrade the customizations made to the default log4j
> > > > configuration files.
> > > >
> > > > For sanity in tallying the vote, can PMC members please be sure to
> > > > indicate "(binding)" with their vote?
> > > >
> > > > [ ] +1 approve
> > > > [ ] +0 no opinion
> > > > [ ] -1 disapprove (and reason why)
> > > >
> > > > Best regards,
> > > > João Jandre (JoaoJandre)
> > > >
> > > > [1] https://lists.apache.org/thread/261j7m0p5mr4q7yclvo49mwhkxz4yov2
> > > > [2] https://github.com/apache/cloudstack/pull/7131
> > > >
> >
> > --
> > Daan
>


IP Spoofing and IP Theft

2023-05-18 Thread Wei ZHOU
Yes, as Jithin said, CloudStack uses iptables/ebtables/ipset to prevent IP
spoofing in advanced zones with security groups.

If the IP or MAC address of the VM instance is modified inside the VM by the
user, the VM will not work.

-Wei




Re: IP Spoofing and IP Theft

2023-05-18 Thread Bryan Lima

Hello Willard,

ACS has the configuration `api.allowed.source.cidr.list`, which is a 
comma-separated list of IPv4/IPv6 CIDRs from which API calls can be 
performed. Therefore, it is possible to filter the IP addresses from which 
ACS will accept calls; this parameter is also configurable at the 
account level.


However, the implementation of this feature uses the de-facto standard 
`X-Forwarded-For` HTTP header to get the client IP address, and ACS 
will use whatever IP is sent in this header for filtering. Thus, this IP 
needs to be treated before reaching the ACS management server. This can 
be done in the proxy/load balancer server by checking whether the IP passed 
in the `X-Forwarded-For` header matches the remote address, for example. 
Blindly accepting the `X-Forwarded-For` header is a security risk[1]; 
this header is only safe when it was built by a trusted node, usually 
the first wall of defense, e.g. a firewall.


In short, ACS does not have built-in protection for IP spoofing; this 
needs to be done before the request reaches the ACS, either in a proxy 
server or firewall.


Regarding IP theft, a functionality called public IP quarantine is 
proposed in issue #7369[2] and implemented in PR #7378[3]. This feature is 
useful for preventing IP theft, as it keeps a public IP in quarantine 
for a configurable period, during which only the owner of the IP is 
allowed to allocate it. Therefore, this feature prevents a user from 
impersonating another user by using their public IP, as it will be in 
quarantine.


Best regards,
Bryan

[1] 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns

[2] https://github.com/apache/cloudstack/issues/7369
[3] https://github.com/apache/cloudstack/pull/7378

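
The check Bryan describes above, a proxy deriving the client address itself before the request reaches the management server, written out as an added example in Python. This is not CloudStack code and does not describe what ACS does internally; the trusted-proxy ranges, the stand-in for `api.allowed.source.cidr.list` and every address used are constructed for the demonstration. The "rightmost untrusted hop" walk is the usual way to read `X-Forwarded-For` when more than one proxy may have appended to it; the naive "leftmost entry" reading is kept alongside it to show what a spoofed header buys an attacker.

```python
"""Derive a client IP the proxy can vouch for, so the value handed to ACS in
X-Forwarded-For is verified rather than copied from the client.  Added example,
not CloudStack code; TRUSTED_PROXIES, ALLOWED_SOURCE_CIDRS and all addresses
are constructed for the demonstration.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed: address ranges of the proxies/firewalls we operate.  Only a hop
# inside one of these ranges is believed to have appended to the header honestly.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed stand-in for the api.allowed.source.cidr.list setting.
ALLOWED_SOURCE_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8::/32")]


def _parse(addr: str):
    """IPv4Address/IPv6Address for a header entry, or None for garbage (treated as absent)."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip) -> bool:
    # An IPv6 address is never 'in' an IPv4 network (and vice versa), so mixing families is safe.
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff: Optional[str], peer: str) -> str:
    """'Use whatever IP is sent in this header': take the leftmost entry.
    The leftmost entry is the one the client writes itself, so it is spoofable."""
    if xff:
        first = _parse(xff.split(",")[0])
        if first is not None:
            return str(first)
    return peer


def client_ip(xff: Optional[str], peer: str) -> str:
    """Rightmost-untrusted rule.  `peer` is the TCP remote address of the
    connection, which cannot be forged across a completed TCP handshake."""
    peer_ip = _parse(peer)
    if peer_ip is None or not _is_trusted(peer_ip):
        # Connection is not from one of our proxies, so nothing in the header
        # was appended by us: the peer itself is the client; ignore the header.
        return peer
    hops: List = [h for h in (_parse(p) for p in (xff or "").split(",")) if h is not None]
    # Each trusted proxy appends the address it saw to the right of what it
    # received.  Walk right to left and stop at the first address that is not
    # one of ours; everything left of it is client-supplied and untrusted.
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return str(hop)
    # Header empty, unparsable, or made only of our own proxies: fall back to the peer.
    return peer


def is_allowed(ip: str, allowed: Iterable = ALLOWED_SOURCE_CIDRS) -> bool:
    """The CIDR allow-list check, applied to the address we derived."""
    parsed = _parse(ip)
    return parsed is not None and any(parsed in net for net in allowed)


def forwarded_header(xff: Optional[str], peer: str) -> str:
    """Value the proxy should set on the request it passes to the management
    server: a single verified address, never the client's original header."""
    return client_ip(xff, peer)
```

With these rules a client that connects directly and sends `X-Forwarded-For: 203.0.113.5` is still seen as its own TCP address and rejected by the allow-list, while the same header arriving through one of the trusted proxies is honoured. Reverse proxies implement the same idea natively (nginx's realip module with `set_real_ip_from`, `real_ip_header` and `real_ip_recursive`, for instance); the point is that the trusted-proxy list lives on the proxy, not on the management server.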


Re: IP Spoofing and IP Theft

2023-05-18 Thread Jithin Raju
Hi Willard,

I believe there is something implemented using iptables,ebtables to prevent IP 
spoofing for security group enabled zones. You need to take this into account 
if you are using security group enabled zones.

-Jithin




Re: Managing Security between account in Advanced Zone without SG

2023-05-18 Thread Jithin Raju
Hi Pratik,

You probably want to create a new custom ACL list and add your own ACL rules. 
Go to the tier and replace the ‘default_allow’ ACL list with the new one.

-Jithin

From: Pratik Chandrakar 
Date: Wednesday, 17 May 2023 at 8:33 AM
To: users@cloudstack.apache.org 
Subject: Re: Managing Security between account in Advanced Zone without SG
Hi Loges,
Thanks for the update.

On Wed, May 17, 2023 at 12:59 PM Logeswaran T
 wrote:

> Hi Pratik,
>
> We now have a request open in cloudstack github for a VPC ACL issue.
>
> https://github.com/apache/cloudstack/issues/7483
>
> The changes are tracked in this thread.
>
> Regards,
> Loges
> www.stackbill.com
>
> On Wed, May 17, 2023 at 11:28 AM Pratik Chandrakar <
> chandrakarpra...@gmail.com> wrote:
>
> > Hi all,
> > Curious to know how others are managing isolation between VMs of different
> > accounts in the Advanced Zone without SG deployment, as most users opt for
> > the default_allow policy for their VPC. Because of the default_allow policy all
> > ports are opened between public IPs (static NAT) irrespective of the VLAN used
> > in the VPC. Is there any option to remove the default_allow policy for VPC so that
> > it can't be selected, or any other method available?
> > Please advise
> >
> > --
> > *Regards,*
> > *Pratik Chandrakar*
> >
>
> --
>
> *This E-mail is confidential. It may also be legally privileged. If you
> are not the addressee you may not copy, forward, disclose or use any part of
> it. If you have received this message in error, please delete it and all copies
> from your system and notify the sender immediately by return E-mail. Internet
> communications cannot be guaranteed to be timely, secure, error or virus-free.
> The sender does not accept liability for any errors or omissions*
>


--
*Regards,*
*Pratik Chandrakar*
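
Jithin's advice above, creating a custom ACL list and swapping it in for `default_allow` on the tier, carried out through the CloudStack API as an added example. This is not code from CloudStack or from anyone on the thread. The command and parameter names (`createNetworkACLList`, `createNetworkACL`, `replaceNetworkACLList`, `queryAsyncJobResult`) and the API-key/secret request signing are CloudStack's; the endpoint, keys, UUIDs, the rule set itself and the `DryRun` transport are constructed for the illustration.

```python
"""Replace a VPC tier's default_allow ACL with a deny-by-default list via the
CloudStack API.  Added example, not CloudStack's own code.

Request signing is CloudStack's standard scheme: sort parameters by name,
URL-encode the values, lowercase the whole query string, HMAC-SHA1 it with the
secret key, base64 the digest and append it as `signature`.  ENDPOINT, the keys,
UUIDs, CIDRs and DryRun's canned responses are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

ENDPOINT = "https://acs.example.test/client/api"  # constructed
API_KEY = "constructed-api-key"                   # constructed
SECRET_KEY = "constructed-secret-key"             # constructed


def canonical_query(params: Dict[str, str]) -> str:
    """String that gets signed: pairs sorted by name, values URL-encoded the way
    Java's URLEncoder does it (space as %20, '*' literal), whole thing lowercased."""
    pairs = [f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in sorted(params.items())]
    return "&".join(pairs).lower()


def sign(params: Dict[str, str], secret: str = SECRET_KEY) -> str:
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(command: str, args: Dict[str, str]) -> str:
    params = {"command": command, "response": "json", "apikey": API_KEY}
    params.update({k: str(v) for k, v in args.items()})
    params["signature"] = sign(params)  # computed over everything except itself
    return ENDPOINT + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def http_send(command: str, args: Dict[str, str]) -> dict:
    """Real transport; swap in DryRun() to review the calls first."""
    with urllib.request.urlopen(build_url(command, args), timeout=30) as resp:
        return json.loads(resp.read())


def wait_job(send: Callable, job_id: str, attempts: int = 60) -> dict:
    """ACL commands are asynchronous: poll until jobstatus leaves 0 (pending);
    1 means success, 2 means the job failed."""
    for _ in range(attempts):
        job = send("queryAsyncJobResult", {"jobid": job_id})["queryasyncjobresultresponse"]
        if job["jobstatus"] == 1:
            return job.get("jobresult", {})
        if job["jobstatus"] == 2:
            raise RuntimeError(f"job {job_id} failed: {job.get('jobresult')}")
        time.sleep(2)
    raise TimeoutError(job_id)


def deny_by_default_rules(mgmt_cidr: str) -> List[Dict[str, str]]:
    """Rules are evaluated in ascending `number`; the high-numbered deny is the catch-all."""
    return [
        dict(number="10", traffictype="ingress", protocol="tcp", startport="22", endport="22", cidrlist=mgmt_cidr, action="allow"),
        dict(number="20", traffictype="ingress", protocol="tcp", startport="443", endport="443", cidrlist="0.0.0.0/0", action="allow"),
        dict(number="30", traffictype="egress", protocol="all", cidrlist="0.0.0.0/0", action="allow"),
        dict(number="1000", traffictype="ingress", protocol="all", cidrlist="0.0.0.0/0", action="deny"),
    ]


class DryRun:
    """Transport that records each command instead of sending it and answers
    with the minimal shape of the real responses (constructed ids/job ids)."""
    CANNED = {
        "createNetworkACLList": {"createnetworkacllistresponse": {"id": "acl-1", "jobid": "job-1"}},
        "createNetworkACL": {"createnetworkaclresponse": {"id": "rule-1", "jobid": "job-2"}},
        "replaceNetworkACLList": {"replacenetworkacllistresponse": {"jobid": "job-3"}},
        "queryAsyncJobResult": {"queryasyncjobresultresponse": {"jobstatus": 1, "jobresult": {}}},
    }

    def __init__(self):
        self.log = []

    def __call__(self, command: str, args: Dict[str, str]) -> dict:
        self.log.append((command, dict(args)))
        return self.CANNED[command]


def lock_down_tier(vpc_id: str, network_id: str, mgmt_cidr: str, send: Callable = http_send) -> str:
    """createNetworkACLList -> one createNetworkACL per rule -> replaceNetworkACLList
    on the tier.  Returns the id of the new ACL list."""
    r = send("createNetworkACLList", {"name": "deny-by-default", "description": "replaces default_allow", "vpcid": vpc_id})
    acl_id = r["createnetworkacllistresponse"]["id"]
    wait_job(send, r["createnetworkacllistresponse"]["jobid"])
    for rule in deny_by_default_rules(mgmt_cidr):
        r = send("createNetworkACL", dict(rule, aclid=acl_id))
        wait_job(send, r["createnetworkaclresponse"]["jobid"])
    r = send("replaceNetworkACLList", {"aclid": acl_id, "networkid": network_id})
    wait_job(send, r["replacenetworkacllistresponse"]["jobid"])
    return acl_id
```

Run it once with `send=DryRun()` and inspect `.log` to see exactly which commands and parameters will be issued, then with the default transport against a test VPC. Because every ACL command is asynchronous, replacing the list only after each rule's job has completed avoids the window where the tier is bound to an empty list (which in practice denies everything until the rules land).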

 



IP Spoofing and IP Theft

2023-05-18 Thread Will Conrad
Hello Community!

It looks like cloudstack has built-in protection to prevent IP spoofing, I
am wondering what kind (if any) of protections cloudstack has built-in to
protect the environment from IP theft, or is this a consideration that
should be taken into account when designing the network layout and
offerings for tenants?

Regards,

Willard Conrad
DevOps Engineer
Hivelocity, LLC


Re: VMWare dvSwitch - import port groups to Cloudstack

2023-05-18 Thread Vivek Kumar
Hello,

So I have recently imported 30+ VMs from vCenter to CloudStack. I created an 
L2 network with the same VLAN the VMs were running on in vCenter, deleted the 
NIC from the VM in vCenter, imported it into CloudStack (if you have an active 
NIC on the VM, then while importing the VM it will look for the network that is 
there on vCenter, so it's better to delete the NIC and let CloudStack handle it 
completely) and then attached a NIC from CloudStack. Since I use the same VLAN, 
there is no need to change the network configuration inside the VM.



Vivek Kumar
Sr. Manager - Cloud & DevOps
TechOps | Indiqus Technologies

vivek.ku...@indiqus.com 
www.indiqus.com 






-- 
This message is intended only for the use of the individual or entity to 
which it is addressed and may contain confidential and/or privileged 
information. If you are not the intended recipient, please delete the 
original message and any copy of it from your computer system. You are 
hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited unless proper authorization has been 
obtained for such action. If you have received this communication in error, 
please notify the sender immediately. Although IndiQus attempts to sweep 
e-mail and attachments for viruses, it does not guarantee that both are 
virus-free and accepts no liability for any damage sustained as a result of 
viruses.


RE: VMWare dvSwitch - import port groups to Cloudstack

2023-05-18 Thread Jafar Aghabalayev
Thanks a lot, Alex.



-Original Message-
From: Alex Mattioli 
Sent: Wednesday, May 17, 2023 5:14 PM
To: users@cloudstack.apache.org
Subject: RE: VMWare dvSwitch - import port groups to Cloudstack


That's correct, the networks need to be created in CloudStack first.




-Original Message-
From: Jafar Aghabalayev 
Sent: Wednesday, May 17, 2023 12:53 PM
To: users@cloudstack.apache.org
Subject: RE: VMWare dvSwitch - import port groups to Cloudstack

Hello Rohit,

Thank you for prompt response.

>From the documentation and articles I found -  " It also requires CloudStack 
>networks to be created for existing networks from vCenter. "

Am I correct in understanding that the only way is to create networks from the 
CloudStack UI, and there is no way to import networks?

Appreciate your efforts.

Best Regards,

Jafar Aghabalayev

-Original Message-
From: Rohit Yadav 
Sent: Wednesday, May 17, 2023 3:27 PM
To: users@cloudstack.apache.org
Subject: Re: VMWare dvSwitch - import port groups to Cloudstack


Hi Jafar,

You can refer further here:

https://docs.cloudstack.apache.org/en/latest/adminguide/virtual_machines.html#importing-and-unmanaging-virtual-machines
https://www.youtube.com/watch?v=EfAXyAF1wwM
https://www.shapeblue.com/new-feature-first-look-vm-ingestion/


Regards.


From: Jafar Aghabalayev 
Sent: Wednesday, May 17, 2023 16:31
To: users@cloudstack.apache.org 
Subject: VMWare dvSwitch - import port groups to Cloudstack

Hello Community,

I have VMWare vCenter with number of VMs and Portgroups (dvSwitch).

I want to import all portgroups to cloudstack and used them for imported 
instances. Is it possible to import networks (portgroups) from vCenter to 
cloudstack?

I couldn't find any information related to importing networks from vCenter to 
cloudstack.

Thanks.

Best regards,

Jafar Aghabalayev