Re: [DISCUSS] Freezing master for 4.11

2018-01-24 Thread Kristian Liivak

Rohit,

I first cloned my old ACS 4.10 production server and upgraded it.
Then I took a new, cleanly installed CentOS 7 server.
The results are the same.

I can see errors in the management log.

2018-01-24 13:48:17,207 WARN  [n.s.e.c.ConfigurationFactory] (main:null) (logid:) No configuration found. Configuring ehcache from ehcache-failsafe.xml  found in the classpath: jar:file:/usr/share/cloudstack-management/lib/cloudstack-4.11.0.0.jar!/ehcache-failsafe.xml
2018-01-24 13:48:17,514 WARN  [c.c.c.ConsoleProxyManagerImpl] (main:null) (logid:) Empty console proxy domain, explicitly disabling SSL
2018-01-24 13:48:17,553 WARN  [c.c.s.d.DownloadMonitorImpl] (main:null) (logid:) Only realhostip.com ssl cert is supported, ignoring self-signed and other certs
2018-01-24 13:48:18,912 ERROR [c.c.u.PropertiesUtil] (main:null) (logid:) Unable to find properties file: commands.properties
2018-01-24 13:48:25,430 INFO  [c.c.h.x.r.XenServerConnectionPool] (main:null) (logid:) XenServer Connection Pool Configs: sleep.interval.on.error=1


Lugupidamisega / Regards
 
Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "rohit yadav" <rohit.ya...@shapeblue.com>
To: "users" <users@cloudstack.apache.org>
Sent: Tuesday, January 23, 2018 4:37:44 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,


4.11+ has migrated to embedded Jetty. Can you share which environment you've 
upgraded your environment from, i.e. Java version, ACS version etc. The log 
you're seeing is not a failure.


If you wait for some time, the management server should run. Tail for the 
management server logs for details, or journalctl -f.


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 22, 2018 6:59:11 PM
To: users
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I just installed RC1 for testing from CentOS packages, but there is a problem 
starting it in a CentOS 7 environment.
CloudStack won't start and I can see this in the management log:
[o.e.j.w.StandardDescriptorProcessor] (main:null) (logid:) NO JSP Support for /client, did not find org.eclipse.jetty.jsp.JettyJspServlet

Can anyone suggest a fix/workaround ?


Lugupidamisega / Regards

Kristian Liivak
CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

- Original Message -
From: "rohit yadav" <rohit.ya...@shapeblue.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Friday, January 19, 2018 11:13:49 AM
Subject: Re: [DISCUSS] Freezing master for 4.11

Hi Kristian,


I looked at https://issues.apache.org/jira/browse/CLOUDSTACK-10141


If the new VM is deployed with a password and/or ssh-key enabled VM template, 
then VR should get new password and the user/account specific ssh-public key so 
the mentioned issues don't affect such new VMs. However, I agree VMs may have 
access to old VM's password (if not consumed) and ssh-public key if are not 
password/ssh-public-key enabled - but they may be useless/stale information and 
I feel they are more of a GC issue than a security issue.


Are you able to reproduce a case when a new VM deployed using old VM's IP and 
with a password and/or public-key enabled template is getting the password 
and/or ssh-public-key from old VM (and the old user/account)? I think if yes, 
then it's a security issue.


Thoughts, comments?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 15, 2018 4:19:03 PM
To: users
Cc: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10, VR password and SSH key distribution don't work on instance 
creation.
When the instance already exists, the reset function is operational.

Also, there is a major security hole. When an instance is destroyed and expunged and 
a new instance is created with the old IP, all the old data is unaffected in the VR.
The new instance will then get the old root password and SSH key if they were present 
in the VR.

To my knowledge, older CloudStack versions are not affected.

Lugupidamisega / Regards

Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee



Re: [DISCUSS] Freezing master for 4.11

2018-01-23 Thread Rohit Yadav
Kristian,


4.11+ has migrated to embedded Jetty. Can you share which environment you've 
upgraded your environment from, i.e. Java version, ACS version etc. The log 
you're seeing is not a failure.


If you wait for some time, the management server should run. Tail for the 
management server logs for details, or journalctl -f.


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 22, 2018 6:59:11 PM
To: users
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I just installed RC1 for testing from CentOS packages, but there is a problem 
starting it in a CentOS 7 environment.
CloudStack won't start and I can see this in the management log:
[o.e.j.w.StandardDescriptorProcessor] (main:null) (logid:) NO JSP Support for /client, did not find org.eclipse.jetty.jsp.JettyJspServlet

Can anyone suggest a fix/workaround ?


Lugupidamisega / Regards

Kristian Liivak
CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


  
 

- Original Message -
From: "rohit yadav" <rohit.ya...@shapeblue.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Friday, January 19, 2018 11:13:49 AM
Subject: Re: [DISCUSS] Freezing master for 4.11

Hi Kristian,


I looked at https://issues.apache.org/jira/browse/CLOUDSTACK-10141


If the new VM is deployed with a password and/or ssh-key enabled VM template, 
then VR should get new password and the user/account specific ssh-public key so 
the mentioned issues don't affect such new VMs. However, I agree VMs may have 
access to old VM's password (if not consumed) and ssh-public key if are not 
password/ssh-public-key enabled - but they may be useless/stale information and 
I feel they are more of a GC issue than a security issue.


Are you able to reproduce a case when a new VM deployed using old VM's IP and 
with a password and/or public-key enabled template is getting the password 
and/or ssh-public-key from old VM (and the old user/account)? I think if yes, 
then it's a security issue.


Thoughts, comments?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 15, 2018 4:19:03 PM
To: users
Cc: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10, VR password and SSH key distribution don't work on instance 
creation.
When the instance already exists, the reset function is operational.

Also, there is a major security hole. When an instance is destroyed and expunged and 
a new instance is created with the old IP, all the old data is unaffected in the VR.
The new instance will then get the old root password and SSH key if they were present 
in the VR.

To my knowledge, older CloudStack versions are not affected.

Lugupidamisega / Regards

Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee





- Original Message -
From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
Sent: Sunday, January 14, 2018 8:41:15 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

All,


To give you update, all feature PRs have been reviewed, tested and merged 
towards the 4.11.0.0. I'll engage with Mike and others for any post-merge 
regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and 
also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit

<https://cloudstack.apache.org>




From: Tutkowski, Mike <mike.tutkow...@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.





> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
>

Re: [DISCUSS] Freezing master for 4.11

2018-01-22 Thread Kristian Liivak
Hello,

I just installed RC1 for testing from CentOS packages, but there is a problem 
starting it in a CentOS 7 environment.
CloudStack won't start and I can see this in the management log:
[o.e.j.w.StandardDescriptorProcessor] (main:null) (logid:) NO JSP Support for /client, did not find org.eclipse.jetty.jsp.JettyJspServlet

Can anyone suggest a fix/workaround ?


Lugupidamisega / Regards
 
Kristian Liivak
CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "rohit yadav" <rohit.ya...@shapeblue.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Friday, January 19, 2018 11:13:49 AM
Subject: Re: [DISCUSS] Freezing master for 4.11

Hi Kristian,


I looked at https://issues.apache.org/jira/browse/CLOUDSTACK-10141


If the new VM is deployed with a password and/or ssh-key enabled VM template, 
then VR should get new password and the user/account specific ssh-public key so 
the mentioned issues don't affect such new VMs. However, I agree VMs may have 
access to old VM's password (if not consumed) and ssh-public key if are not 
password/ssh-public-key enabled - but they may be useless/stale information and 
I feel they are more of a GC issue than a security issue.


Are you able to reproduce a case when a new VM deployed using old VM's IP and 
with a password and/or public-key enabled template is getting the password 
and/or ssh-public-key from old VM (and the old user/account)? I think if yes, 
then it's a security issue.


Thoughts, comments?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 15, 2018 4:19:03 PM
To: users
Cc: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10, VR password and SSH key distribution don't work on instance 
creation.
When the instance already exists, the reset function is operational.

Also, there is a major security hole. When an instance is destroyed and expunged and 
a new instance is created with the old IP, all the old data is unaffected in the VR.
The new instance will then get the old root password and SSH key if they were present 
in the VR.

To my knowledge, older CloudStack versions are not affected.

Lugupidamisega / Regards

Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


  
 

- Original Message -
From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
Sent: Sunday, January 14, 2018 8:41:15 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

All,


To give you update, all feature PRs have been reviewed, tested and merged 
towards the 4.11.0.0. I'll engage with Mike and others for any post-merge 
regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and 
also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit

<https://cloudstack.apache.org>




From: Tutkowski, Mike <mike.tutkow...@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.





> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
>>
>> I believe there is no problem in merging Wido’s and Mike’s PRs, they have
>> been extensively discussed and improved (specially Mike’s one).
>
> Thanks, Mike's PR has several regression smoketest failures and can be 
> accepted only when those failures are fixed.
>
> We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze. If 
> Mike wants, he can help fix them over the weekend, I can help run smoketests.
>
>> Having said that; I would be ok with it (no need to revert it), but we need
>> to be more careful with these things. If one wants to merge something,
>> there is no harm in waiting and calling for reviewers via Githu

Re: [DISCUSS] Freezing master for 4.11

2018-01-19 Thread Rohit Yadav
Hi Kristian,


I looked at https://issues.apache.org/jira/browse/CLOUDSTACK-10141


If the new VM is deployed with a password and/or ssh-key enabled VM template, 
then VR should get new password and the user/account specific ssh-public key so 
the mentioned issues don't affect such new VMs. However, I agree VMs may have 
access to old VM's password (if not consumed) and ssh-public key if are not 
password/ssh-public-key enabled - but they may be useless/stale information and 
I feel they are more of a GC issue than a security issue.


Are you able to reproduce a case when a new VM deployed using old VM's IP and 
with a password and/or public-key enabled template is getting the password 
and/or ssh-public-key from old VM (and the old user/account)? I think if yes, 
then it's a security issue.


Thoughts, comments?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Monday, January 15, 2018 4:19:03 PM
To: users
Cc: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10, VR password and SSH key distribution don't work on instance 
creation.
When the instance already exists, the reset function is operational.

Also, there is a major security hole. When an instance is destroyed and expunged and 
a new instance is created with the old IP, all the old data is unaffected in the VR.
The new instance will then get the old root password and SSH key if they were present 
in the VR.

To my knowledge, older CloudStack versions are not affected.

Lugupidamisega / Regards

Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


  
 

- Original Message -
From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
Sent: Sunday, January 14, 2018 8:41:15 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

All,


To give you update, all feature PRs have been reviewed, tested and merged 
towards the 4.11.0.0. I'll engage with Mike and others for any post-merge 
regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and 
also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit

<https://cloudstack.apache.org>




From: Tutkowski, Mike <mike.tutkow...@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.





> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
>>
>> I believe there is no problem in merging Wido’s and Mike’s PRs, they have
>> been extensively discussed and improved (specially Mike’s one).
>
> Thanks, Mike's PR has several regression smoketest failures and can be 
> accepted only when those failures are fixed.
>
> We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze. If 
> Mike wants, he can help fix them over the weekend, I can help run smoketests.
>
>> Having said that; I would be ok with it (no need to revert it), but we need
>> to be more careful with these things. If one wants to merge something,
>> there is no harm in waiting and calling for reviewers via Github, Slack, or
>> even email them directly.
>
> Additional review was requested, but mea culpa - thanks for your support, 
> noted.
>
> - Rohit
>
> On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> wrote:
>
>> All,
>>
>>
>> We're down to one feature PR towards 4.11 milestone now:
>>
>> https://github.com/apache/cloudstack/pull/2298
>>
>>
>> The config drive PR from Frank (Nuage) has been accepted today after no
>> regression test failures seen from yesterday's smoketest run. We've also
>> tested, reviewed and merge Wido's (blocker fix) PR.
>>
>>
>> I've asked Mike to stabilize the branch; based on the smoketest results
>> from today we can see some failures caused by the PR. I'm willing to work
>> with Mike and other

Re: [DISCUSS] Freezing master for 4.11

2018-01-16 Thread Kristian Liivak
Hi Rohit,

I'm currently moving our office to a new location and am therefore busy for at least 
a week. After that I can set up a test environment and run all the tests.

Lugupidamisega / Regards
 
Kristian Liivak

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Tuesday, January 16, 2018 1:17:20 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Hi Kristian,

Can you test and confirm that you can reproduce the issue with 4.11.0.0-rc1?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Tuesday, January 16, 2018 4:10:17 PM
To: users
Cc: dev
Subject: Re: [DISCUSS] Freezing master for 4.11

Daan,

For us, and I guess for many other public cloud and VPS providers, it's a very big 
hole.
Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are 
provisioned.
We are dealing with fraudulent orders on a daily basis.
Some time later the abusers will get caught in the act and the VPSes will be terminated.
If your customer increase is considerable, most probably one or more IPs will 
be given to new customers during the same day.
The newly created instances then get the abusers' keys and root passwords.
If a new instance uses only keys, the root password will never be changed.
The abusers just need to log in with their old passwords and the bitcoin mining or spamming 
will start again.
Some of the smarter customers are able to connect the dots and the service provider's 
reputation will be seriously damaged.


Lugupidamisega / Regards

Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


  
 

- Original Message -
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:49:04 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,



On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
>>
> ...



As for this one:

> Also, there is a major security hole. When an instance is destroyed and expunged
>> > and a new instance is created with the old IP, all the old data is unaffected in the VR.
>> > The new instance will then get the old root password and SSH key if they were
>> > present in the VR.
>>
> I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


--
Daan


Re: [DISCUSS] Freezing master for 4.11

2018-01-16 Thread Rohit Yadav
Hi Kristian,

Can you test and confirm that you can reproduce the issue with 4.11.0.0-rc1?


- Rohit

<https://cloudstack.apache.org>




From: Kristian Liivak <k...@wavecom.ee>
Sent: Tuesday, January 16, 2018 4:10:17 PM
To: users
Cc: dev
Subject: Re: [DISCUSS] Freezing master for 4.11

Daan,

For us, and I guess for many other public cloud and VPS providers, it's a very big 
hole.
Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are 
provisioned.
We are dealing with fraudulent orders on a daily basis.
Some time later the abusers will get caught in the act and the VPSes will be terminated.
If your customer increase is considerable, most probably one or more IPs will 
be given to new customers during the same day.
The newly created instances then get the abusers' keys and root passwords.
If a new instance uses only keys, the root password will never be changed.
The abusers just need to log in with their old passwords and the bitcoin mining or spamming 
will start again.
Some of the smarter customers are able to connect the dots and the service provider's 
reputation will be seriously damaged.


Lugupidamisega / Regards

Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


  
 

- Original Message -
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:49:04 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,



On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
>>
> ...



As for this one:

> Also, there is a major security hole. When an instance is destroyed and expunged
>> > and a new instance is created with the old IP, all the old data is unaffected in the VR.
>> > The new instance will then get the old root password and SSH key if they were
>> > present in the VR.
>>
> I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


--
Daan


Re: [DISCUSS] Freezing master for 4.11

2018-01-16 Thread Daan Hoogland
Please discuss on the VOTE thread, Kristian. Give your -1 with explanation
there.

On Tue, Jan 16, 2018 at 11:40 AM, Kristian Liivak <k...@wavecom.ee> wrote:

> Daan,
>
> For us, and I guess for many other public cloud and VPS providers, it's a very
> big hole.
> Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are
> provisioned.
> We are dealing with fraudulent orders on a daily basis.
> Some time later the abusers will get caught in the act and the VPSes will be
> terminated.
> If your customer increase is considerable, most probably one or more IPs
> will be given to new customers during the same day.
> The newly created instances then get the abusers' keys and root passwords.
> If a new instance uses only keys, the root password will never be changed.
> The abusers just need to log in with their old passwords and the bitcoin mining or
> spamming will start again.
> Some of the smarter customers are able to connect the dots and the service provider's
> reputation will be seriously damaged.
>
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> Tegevjuht / Executive director
>
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: k...@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> - Original Message -
> From: "Daan Hoogland" <daan.hoogl...@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Cc: "dev" <d...@cloudstack.apache.org>
> Sent: Monday, January 15, 2018 1:49:04 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> Kristian,
>
>
>
> On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
> >>
> > ...
>
>
>
> As for this one:
>
> > Also, there is a major security hole. When an instance is destroyed and expunged
> >> > and a new instance is created with the old IP, all the old data is unaffected in the VR.
> >> > The new instance will then get the old root password and SSH key if they were
> >> > present in the VR.
> >>
> > I don't see how this is a security issue. The user won't get in and
> update the key and password to get in. No harm done or am I overlooking
> something?
>
>
> --
> Daan
>



-- 
Daan


Re: [DISCUSS] Freezing master for 4.11

2018-01-16 Thread Kristian Liivak
Daan,

For us, and I guess for many other public cloud and VPS providers, it's a very big 
hole.
Imagine that 10-20 Chinese guys have made fraudulent orders and 10-20 VPSes are 
provisioned.
We are dealing with fraudulent orders on a daily basis.
Some time later the abusers will get caught in the act and the VPSes will be terminated.
If your customer increase is considerable, most probably one or more IPs will 
be given to new customers during the same day.
The newly created instances then get the abusers' keys and root passwords.
If a new instance uses only keys, the root password will never be changed.
The abusers just need to log in with their old passwords and the bitcoin mining or spamming 
will start again.
Some of the smarter customers are able to connect the dots and the service provider's 
reputation will be seriously damaged.


Lugupidamisega / Regards
 
Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:49:04 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,



On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
>>
> ...



As for this one:

> Also, there is a major security hole. When an instance is destroyed and expunged
>> > and a new instance is created with the old IP, all the old data is unaffected in the VR.
>> > The new instance will then get the old root password and SSH key if they were
>> > present in the VR.
>>
> I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


-- 
Daan
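
The IP-reuse scenario debated in this thread, as an added example that is not part of any poster's message and is not CloudStack code: a simplified Python model of a per-IP credential store on the VR, showing the stale entry, the two cleanup points that remove it, and an audit for entries whose owner no longer holds the IP. All class names, method names and sample values are assumptions made for illustration.

```python
"""Simplified model of a virtual router (VR) credential store keyed by guest IP.

Constructed for illustration: names and sample values are assumptions,
not CloudStack code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Credentials:
    owner: str                            # account the data was generated for
    password: Optional[str] = None        # root password pushed for a password-enabled template
    ssh_public_key: Optional[str] = None  # account-specific public key


@dataclass
class VrStore:
    """Credentials the VR hands to whichever guest asks from a given IP."""
    purge_on_expunge: bool   # drop the entry when the VM holding the IP is expunged
    reset_on_deploy: bool    # drop any previous entry when a new VM takes the IP
    by_ip: Dict[str, Credentials] = field(default_factory=dict)

    def deploy(self, ip: str, owner: str,
               password: Optional[str] = None,
               ssh_public_key: Optional[str] = None) -> None:
        if self.reset_on_deploy:
            # A new VM on this IP must never inherit a previous entry,
            # even when it brings no credentials of its own.
            self.by_ip.pop(ip, None)
        if password or ssh_public_key:
            self.by_ip[ip] = Credentials(owner, password, ssh_public_key)

    def expunge(self, ip: str) -> None:
        if self.purge_on_expunge:
            self.by_ip.pop(ip, None)

    def fetch(self, ip: str) -> Optional[Credentials]:
        """What the guest at `ip` receives when it asks the VR (None if nothing stored)."""
        return self.by_ip.get(ip)


def audit_stale(store: VrStore, ip_owner: Dict[str, str]) -> List[str]:
    """Return IPs whose stored credentials belong to an account other than the
    one currently holding the IP (`ip_owner` maps ip -> current account)."""
    return sorted(ip for ip, cred in store.by_ip.items()
                  if ip_owner.get(ip) != cred.owner)


def reuse_scenario(store: VrStore) -> Tuple[Optional[Credentials], List[str]]:
    """Replay the scenario from the thread: tenant A's VM is expunged and
    tenant B receives the same IP with a template that is not
    password/ssh-key enabled, so no new credentials are pushed."""
    ip = "10.1.1.50"  # constructed sample address
    store.deploy(ip, owner="tenant-a", password="A-root-pw",
                 ssh_public_key="ssh-ed25519 CONSTRUCTED-KEY tenant-a")
    store.expunge(ip)
    store.deploy(ip, owner="tenant-b")
    return store.fetch(ip), audit_stale(store, {ip: "tenant-b"})


if __name__ == "__main__":
    for purge, reset in [(False, False), (True, False), (False, True), (True, True)]:
        served, stale = reuse_scenario(VrStore(purge, reset))
        print(f"purge_on_expunge={purge} reset_on_deploy={reset} "
              f"served_owner={served.owner if served else None} stale_ips={stale}")
```

Either cleanup point on its own closes the gap in this model; the audit is what an operator could run against existing routers to find entries left behind before a fix was deployed.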


RE: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Paul Angus
Hi Ivan,

Here's email from Rohit, systemvm template path is at the bottom 

I've created a 4.11.0.0 release, with the following artifacts up for testing 
and a vote:

Git Branch and Commit SH:
https://gitbox.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/4.11.0.0-RC20180115T1603
Commit: 1b8a532ba52127f388847690df70e65c6b46f4d4

Source release (checksums and signatures are available at the same
location):
https://dist.apache.org/repos/dist/dev/cloudstack/4.11.0.0/

PGP release keys (signed using 5ED1E1122DC5E8A4A45112C2484248210EE3D884):
https://dist.apache.org/repos/dist/release/cloudstack/KEYS

The vote will be open for 72 hours.

For sanity in tallying the vote, can PMC members please be sure to indicate 
"(binding)" with their vote?

[ ] +1  approve
[ ] +0  no opinion
[ ] -1  disapprove (and reason why)

Additional information:

For users' convenience, I've built packages from
1b8a532ba52127f388847690df70e65c6b46f4d4 and published RC1 repository here:
http://cloudstack.apt-get.eu/testing/4.11-rc1

The release notes are still work-in-progress, but the systemvmtemplate upgrade 
section has been updated. You may refer the following for systemvmtemplate 
upgrade testing:
http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/latest/index.html

4.11 systemvmtemplates are available from here:
https://download.cloudstack.org/systemvm/4.11/

Regards,
Rohit Yadav


Kind regards,

Paul Angus

paul.an...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


-Original Message-
From: Ivan Kudryavtsev [mailto:kudryavtsev...@bw-sw.com] 
Sent: 15 January 2018 17:34
To: users@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello, all. Do we already have systemvm and packages for RC? I would like to 
upgrade my dev to help testing it.

On 15 Jan 2018 at 18:51, "Daan Hoogland" <daan.hoogl...@gmail.com> wrote:

> I suggest you discuss it on the vote thread for RC1 Kristian.
>
> On Mon, Jan 15, 2018 at 12:47 PM, Kristian Liivak <k...@wavecom.ee> wrote:
>
> >
> > This fix is only for a smaller part of password management.
> > Is it possible for someone to have a look at VR password distribution with 
> > instance creation?
>
>
> --
> Daan
>


Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Ivan Kudryavtsev
Hello, all. Do we already have systemvm and packages for RC? I would like to
upgrade my dev to help testing it.

On 15 Jan 2018 at 18:51, "Daan Hoogland" wrote:

> I suggest you discuss it on the vote thread for RC1 Kristian.
>
> On Mon, Jan 15, 2018 at 12:47 PM, Kristian Liivak  wrote:
>
> >
> > This fix is only for a smaller part of password management.
> > Is it possible for someone to have a look at VR password distribution with
> > instance creation?
>
>
> --
> Daan
>


Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Daan Hoogland
Kristian,


On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak  wrote:
>>
> ...



As for this one:

> Also, there is a major security hole. When an instance is destroyed and expunged
>> > and a new instance is created with the old IP, all the old data is unaffected in the VR.
>> > The new instance will then get the old root password and SSH key if they were
>> > present in the VR.
>>
> I don't see how this is a security issue. The user won't get in and
update the key and password to get in. No harm done or am I overlooking
something?


-- 
Daan


Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Daan Hoogland
I suggest you discuss it on the vote thread for RC1 Kristian.

On Mon, Jan 15, 2018 at 12:47 PM, Kristian Liivak  wrote:

>
> This fix is only for a smaller part of password management.
> Is it possible for someone to have a look at VR password distribution with
> instance creation?


-- 
Daan


Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Kristian Liivak

This fix is only for a smaller part of password management.
Is it possible for someone to have a look at VR password distribution with instance 
creation?

Lugupidamisega / Regards
 
Kristian Liivak

Tegevjuht / Executive director

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:42:00 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Yes, I know. I made that, that's why I asked. This fix isn't in 4.10 but is
in 4.11.

On Mon, Jan 15, 2018 at 12:37 PM, Kristian Liivak <k...@wavecom.ee> wrote:

>
> We did a lot of testing but didn't have time to dig into the code this time.
> There was a similar VR password management related issue that was fixed:
> https://issues.apache.org/jira/browse/CLOUDSTACK-10113
>
>
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> CTO
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: k...@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> - Original Message -
> From: "Daan Hoogland" <daan.hoogl...@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Cc: "dev" <d...@cloudstack.apache.org>
> Sent: Monday, January 15, 2018 1:22:23 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> Kristian,
>
> these sound like serious regressions. Do you have a fix or did you analyse
> the code yet?
>
> On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
>
> > Hello,
> >
> > I created an issue in Jira 2 months ago.
> > https://issues.apache.org/jira/browse/CLOUDSTACK-10141
> >
> > In version 4.10 VR password and ssh key distribution doesn't work on
> > instance creation.
> > When the instance already exists, the reset function is operational.
> >
> > Also there is a major security hole. When an instance is destroyed and expunged
> > and a new instance is created with the old IP, all old data is unaffected in the VR.
> > The new instance will then get the old root password and ssh key if they were
> > present in the VR.
> >
> > To my knowledge, older CloudStack versions are not affected.
> >
> > Lugupidamisega / Regards
> >
> > Kristian Liivak
> >
> > CTO
> >
> > WaveCom As
> > Endla 16, 10142 Tallinn
> > Estonia
> > Tel: +3726850001
> > Gsm: +37256850001
> > E-mail: k...@wavecom.ee
> > Skype: kristian.liivak
> > http://www.wavecom.ee
> > http://www.facebook.com/wavecom.ee
> >
> > - Original Message -
> > From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
> > To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
> > Sent: Sunday, January 14, 2018 8:41:15 PM
> > Subject: Re: [DISCUSS] Freezing master for 4.11
> >
> > All,
> >
> >
> > To give you an update, all feature PRs have been reviewed, tested and merged
> > towards the 4.11.0.0. I'll engage with Mike and others for any post-merge
> > regressions (smoketest to be kicked shortly).
> >
> >
> > I see an outstanding PR that may be a critical/blocker PR, please advise
> > and also review:
> >
> > https://github.com/apache/cloudstack/pull/2402
> >
> >
> > If anyone has any blocker to report, please do so. Thanks.
> >
> >
> > I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).
> >
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> >
> >
> > 
> > From: Tutkowski, Mike <mike.tutkow...@netapp.com>
> > Sent: Saturday, January 13, 2018 3:23:40 AM
> > To: d...@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Freezing master for 4.11
> >
> > I’m investigating these now. I have found and fixed two of them so far.
> >
> >
> > rohit.ya...@shapeblue.com
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >
> >
> >
> > > On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> > wrote:
> > >
> > > Thanks Rafael and Daan.
> > >
> > >
> > >> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
> > >>
> > >> 

Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Daan Hoogland
Yes, I know. I made that, that's why I asked. This fix isn't in 4.10 but is
in 4.11.

On Mon, Jan 15, 2018 at 12:37 PM, Kristian Liivak <k...@wavecom.ee> wrote:

>
> We did a lot of testing but didn't have time to dig into the code this time.
> There was a similar VR password management related issue that was fixed:
> https://issues.apache.org/jira/browse/CLOUDSTACK-10113
>
>
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> CTO
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: k...@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> - Original Message -
> From: "Daan Hoogland" <daan.hoogl...@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Cc: "dev" <d...@cloudstack.apache.org>
> Sent: Monday, January 15, 2018 1:22:23 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> Kristian,
>
> these sound like serious regressions. Do you have a fix or did you analyse
> the code yet?
>
> On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:
>
> > Hello,
> >
> > I created an issue in Jira 2 months ago.
> > https://issues.apache.org/jira/browse/CLOUDSTACK-10141
> >
> > In version 4.10 VR password and ssh key distribution doesn't work on
> > instance creation.
> > When the instance already exists, the reset function is operational.
> >
> > Also there is a major security hole. When an instance is destroyed and expunged
> > and a new instance is created with the old IP, all old data is unaffected in the VR.
> > The new instance will then get the old root password and ssh key if they were
> > present in the VR.
> >
> > To my knowledge, older CloudStack versions are not affected.
> >
> > Lugupidamisega / Regards
> >
> > Kristian Liivak
> >
> > CTO
> >
> > WaveCom As
> > Endla 16, 10142 Tallinn
> > Estonia
> > Tel: +3726850001
> > Gsm: +37256850001
> > E-mail: k...@wavecom.ee
> > Skype: kristian.liivak
> > http://www.wavecom.ee
> > http://www.facebook.com/wavecom.ee
> >
> > - Original Message -
> > From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
> > To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
> > Sent: Sunday, January 14, 2018 8:41:15 PM
> > Subject: Re: [DISCUSS] Freezing master for 4.11
> >
> > All,
> >
> >
> > To give you an update, all feature PRs have been reviewed, tested and merged
> > towards the 4.11.0.0. I'll engage with Mike and others for any post-merge
> > regressions (smoketest to be kicked shortly).
> >
> >
> > I see an outstanding PR that may be a critical/blocker PR, please advise
> > and also review:
> >
> > https://github.com/apache/cloudstack/pull/2402
> >
> >
> > If anyone has any blocker to report, please do so. Thanks.
> >
> >
> > I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).
> >
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> >
> >
> > 
> > From: Tutkowski, Mike <mike.tutkow...@netapp.com>
> > Sent: Saturday, January 13, 2018 3:23:40 AM
> > To: d...@cloudstack.apache.org
> > Subject: Re: [DISCUSS] Freezing master for 4.11
> >
> > I’m investigating these now. I have found and fixed two of them so far.
> >
> >
> > rohit.ya...@shapeblue.com
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >
> >
> >
> > > On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> > wrote:
> > >
> > > Thanks Rafael and Daan.
> > >
> > >
> > >> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
> > >>
> > >> I believe there is no problem in merging Wido’s and Mike’s PRs, they
> > have
> > >> been extensively discussed and improved (specially Mike’s one).
> > >
> > > Thanks, Mike's PR has several regression smoketest failures and can be
> > accepted only when those failures are fixed.
> > >
> > > We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze.
> > If Mike wants, he can help fix them over the weekend, I can help run
> > smoketests.
> > >
> > >> Having said that; I would be ok with it (no need to revert it), but we
> > need
> > >> to be more careful with these things. If one wants to merge

Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Kristian Liivak

We did a lot of testing but didn't have time to dig into the code this time.
There was a similar VR password management related issue that was fixed:
https://issues.apache.org/jira/browse/CLOUDSTACK-10113



Lugupidamisega / Regards
 
Kristian Liivak

CTO
WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "Daan Hoogland" <daan.hoogl...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Cc: "dev" <d...@cloudstack.apache.org>
Sent: Monday, January 15, 2018 1:22:23 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

Kristian,

these sound like serious regressions. Do you have a fix or did you analyse
the code yet?

On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:

> Hello,
>
> I created an issue in Jira 2 months ago.
> https://issues.apache.org/jira/browse/CLOUDSTACK-10141
>
> In version 4.10 VR password and ssh key distribution doesn't work on
> instance creation.
> When the instance already exists, the reset function is operational.
>
> Also there is a major security hole. When an instance is destroyed and expunged
> and a new instance is created with the old IP, all old data is unaffected in the VR.
> The new instance will then get the old root password and ssh key if they were
> present in the VR.
>
> To my knowledge, older CloudStack versions are not affected.
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> CTO
>
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: k...@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> - Original Message -
> From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
> To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
> Sent: Sunday, January 14, 2018 8:41:15 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> All,
>
>
> To give you an update, all feature PRs have been reviewed, tested and merged
> towards the 4.11.0.0. I'll engage with Mike and others for any post-merge
> regressions (smoketest to be kicked shortly).
>
>
> I see an outstanding PR that may be a critical/blocker PR, please advise
> and also review:
>
> https://github.com/apache/cloudstack/pull/2402
>
>
> If anyone has any blocker to report, please do so. Thanks.
>
>
> I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).
>
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>
> 
> From: Tutkowski, Mike <mike.tutkow...@netapp.com>
> Sent: Saturday, January 13, 2018 3:23:40 AM
> To: d...@cloudstack.apache.org
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> I’m investigating these now. I have found and fixed two of them so far.
>
>
> rohit.ya...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> > On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> wrote:
> >
> > Thanks Rafael and Daan.
> >
> >
> >> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
> >>
> >> I believe there is no problem in merging Wido’s and Mike’s PRs, they
> have
> >> been extensively discussed and improved (specially Mike’s one).
> >
> > Thanks, Mike's PR has several regression smoketest failures and can be
> accepted only when those failures are fixed.
> >
> > We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze.
> If Mike wants, he can help fix them over the weekend, I can help run
> smoketests.
> >
> >> Having said that; I would be ok with it (no need to revert it), but we
> need
> >> to be more careful with these things. If one wants to merge something,
> >> there is no harm in waiting and calling for reviewers via Github,
> Slack, or
> >> even email them directly.
> >
> > Additional review was requested, but mea culpa - thanks for your
> support, noted.
> >
> > - Rohit
> >
> > On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> > wrote:
> >
> >> All,
> >>
> >>
> >> We're down to one feature PR towards 4.11 milestone now:
> >>
> >> https://github.com/apache/cloudstack/pull/2298
> >>
> >>
> >> The config drive PR from Frank (Nuage) has been accepted today after no
> >> regression test failures seen from yesterday's smoketest run. We've also
> >> tested, reviewed and

Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Daan Hoogland
Kristian,

these sound like serious regressions. Do you have a fix or did you analyse
the code yet?

On Mon, Jan 15, 2018 at 11:49 AM, Kristian Liivak <k...@wavecom.ee> wrote:

> Hello,
>
> I created an issue in Jira 2 months ago.
> https://issues.apache.org/jira/browse/CLOUDSTACK-10141
>
> In version 4.10 VR password and ssh key distribution doesn't work on
> instance creation.
> When the instance already exists, the reset function is operational.
>
> Also there is a major security hole. When an instance is destroyed and expunged
> and a new instance is created with the old IP, all old data is unaffected in the VR.
> The new instance will then get the old root password and ssh key if they were
> present in the VR.
>
> To my knowledge, older CloudStack versions are not affected.
>
> Lugupidamisega / Regards
>
> Kristian Liivak
>
> CTO
>
> WaveCom As
> Endla 16, 10142 Tallinn
> Estonia
> Tel: +3726850001
> Gsm: +37256850001
> E-mail: k...@wavecom.ee
> Skype: kristian.liivak
> http://www.wavecom.ee
> http://www.facebook.com/wavecom.ee
>
> - Original Message -
> From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
> To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
> Sent: Sunday, January 14, 2018 8:41:15 PM
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> All,
>
>
> To give you an update, all feature PRs have been reviewed, tested and merged
> towards the 4.11.0.0. I'll engage with Mike and others for any post-merge
> regressions (smoketest to be kicked shortly).
>
>
> I see an outstanding PR that may be a critical/blocker PR, please advise
> and also review:
>
> https://github.com/apache/cloudstack/pull/2402
>
>
> If anyone has any blocker to report, please do so. Thanks.
>
>
> I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).
>
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>
> 
> From: Tutkowski, Mike <mike.tutkow...@netapp.com>
> Sent: Saturday, January 13, 2018 3:23:40 AM
> To: d...@cloudstack.apache.org
> Subject: Re: [DISCUSS] Freezing master for 4.11
>
> I’m investigating these now. I have found and fixed two of them so far.
>
>
> rohit.ya...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> > On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> wrote:
> >
> > Thanks Rafael and Daan.
> >
> >
> >> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
> >>
> >> I believe there is no problem in merging Wido’s and Mike’s PRs, they
> have
> >> been extensively discussed and improved (specially Mike’s one).
> >
> > Thanks, Mike's PR has several regression smoketest failures and can be
> accepted only when those failures are fixed.
> >
> > We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze.
> If Mike wants, he can help fix them over the weekend, I can help run
> smoketests.
> >
> >> Having said that; I would be ok with it (no need to revert it), but we
> need
> >> to be more careful with these things. If one wants to merge something,
> >> there is no harm in waiting and calling for reviewers via Github,
> Slack, or
> >> even email them directly.
> >
> > Additional review was requested, but mea culpa - thanks for your
> support, noted.
> >
> > - Rohit
> >
> > On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> > wrote:
> >
> >> All,
> >>
> >>
> >> We're down to one feature PR towards 4.11 milestone now:
> >>
> >> https://github.com/apache/cloudstack/pull/2298
> >>
> >>
> >> The config drive PR from Frank (Nuage) has been accepted today after no
> >> regression test failures seen from yesterday's smoketest run. We've also
> >> tested, reviewed and merged Wido's (blocker fix) PR.
> >>
> >>
> >> I've asked Mike to stabilize the branch; based on the smoketest results
> >> from today we can see some failures caused by the PR. I'm willing to
> work
> >> with Mike and others to get this PR tested, and merged over the
> weekends if
> >> we can demonstrate that no regression is caused by it, i.e. no new
> >> smoketest regressions. I'll also try to fix regression and test failures
> >> over the weekend.
> >>
> >>
> >> Lastly, I would like to discuss a mistake I made today with merging the
> >> following PR which per our guideline lacks one code review
>

Re: [DISCUSS] Freezing master for 4.11

2018-01-15 Thread Kristian Liivak
Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10 VR password and ssh key distribution doesn't work on instance 
creation.
When the instance already exists, the reset function is operational.

Also there is a major security hole. When an instance is destroyed and expunged and 
a new instance is created with the old IP, all old data is unaffected in the VR.
The new instance will then get the old root password and ssh key if they were present 
in the VR.

To my knowledge, older CloudStack versions are not affected.

Lugupidamisega / Regards
 
Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: k...@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee

- Original Message -
From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
To: d...@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
Sent: Sunday, January 14, 2018 8:41:15 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

All,


To give you an update, all feature PRs have been reviewed, tested and merged 
towards the 4.11.0.0. I'll engage with Mike and others for any post-merge 
regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and 
also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit

<https://cloudstack.apache.org>




From: Tutkowski, Mike <mike.tutkow...@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.


rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
>>
>> I believe there is no problem in merging Wido’s and Mike’s PRs, they have
>> been extensively discussed and improved (specially Mike’s one).
>
> Thanks, Mike's PR has several regression smoketest failures and can be 
> accepted only when those failures are fixed.
>
> We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze. If 
> Mike wants, he can help fix them over the weekend, I can help run smoketests.
>
>> Having said that; I would be ok with it (no need to revert it), but we need
>> to be more careful with these things. If one wants to merge something,
>> there is no harm in waiting and calling for reviewers via Github, Slack, or
>> even email them directly.
>
> Additional review was requested, but mea culpa - thanks for your support, 
> noted.
>
> - Rohit
>
> On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> wrote:
>
>> All,
>>
>>
>> We're down to one feature PR towards 4.11 milestone now:
>>
>> https://github.com/apache/cloudstack/pull/2298
>>
>>
>> The config drive PR from Frank (Nuage) has been accepted today after no
>> regression test failures seen from yesterday's smoketest run. We've also
>> tested, reviewed and merged Wido's (blocker fix) PR.
>>
>>
>> I've asked Mike to stabilize the branch; based on the smoketest results
>> from today we can see some failures caused by the PR. I'm willing to work
>> with Mike and others to get this PR tested, and merged over the weekends if
>> we can demonstrate that no regression is caused by it, i.e. no new
>> smoketest regressions. I'll also try to fix regression and test failures
>> over the weekend.
>>
>>
>> Lastly, I would like to discuss a mistake I made today with merging the
>> following PR which per our guideline lacks one code review lgtm/approval:
>>
>> https://github.com/apache/cloudstack/pull/2152
>>
>>
>> The changes in above (merged) PR are all localized to a xenserver-swift
>> file, that is not tested by Travis or Trillian, since no new regression
>> failures were seen I accepted and merged it on that discretion. The PR was
>> originally on the 4.11 milestone, however, due to it lacking a JIRA id and
>> no response from the author it was only recently removed from the milestone.
>>
>>
>> Please advise if I need to revert this, or we can review/lgtm it
>> post-merge? I'll also ping on the above PR.
>>
>>
>> - Rohit
>>
>> <https://cloudstack.apache.org>
> Apache CloudStack: Open Source Cloud Computing<https://cloudstack

Re: [DISCUSS] Freezing master for 4.11

2018-01-14 Thread Rohit Yadav
All,


To give you an update, all feature PRs have been reviewed, tested and merged 
towards the 4.11.0.0. I'll engage with Mike and others for any post-merge 
regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and 
also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit

<https://cloudstack.apache.org>




From: Tutkowski, Mike <mike.tutkow...@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: d...@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.


rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingart...@gmail.com>
>>
>> I believe there is no problem in merging Wido’s and Mike’s PRs, they have
>> been extensively discussed and improved (specially Mike’s one).
>
> Thanks, Mike's PR has several regression smoketest failures and can be 
> accepted only when those failures are fixed.
>
> We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze. If 
> Mike wants, he can help fix them over the weekend, I can help run smoketests.
>
>> Having said that; I would be ok with it (no need to revert it), but we need
>> to be more careful with these things. If one wants to merge something,
>> there is no harm in waiting and calling for reviewers via Github, Slack, or
>> even email them directly.
>
> Additional review was requested, but mea culpa - thanks for your support, 
> noted.
>
> - Rohit
>
> On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.ya...@shapeblue.com>
> wrote:
>
>> All,
>>
>>
>> We're down to one feature PR towards 4.11 milestone now:
>>
>> https://github.com/apache/cloudstack/pull/2298
>>
>>
>> The config drive PR from Frank (Nuage) has been accepted today after no
>> regression test failures seen from yesterday's smoketest run. We've also
>> tested, reviewed and merged Wido's (blocker fix) PR.
>>
>>
>> I've asked Mike to stabilize the branch; based on the smoketest results
>> from today we can see some failures caused by the PR. I'm willing to work
>> with Mike and others to get this PR tested, and merged over the weekends if
>> we can demonstrate that no regression is caused by it, i.e. no new
>> smoketest regressions. I'll also try to fix regression and test failures
>> over the weekend.
>>
>>
>> Lastly, I would like to discuss a mistake I made today with merging the
>> following PR which per our guideline lacks one code review lgtm/approval:
>>
>> https://github.com/apache/cloudstack/pull/2152
>>
>>
>> The changes in above (merged) PR are all localized to a xenserver-swift
>> file, that is not tested by Travis or Trillian, since no new regression
>> failures were seen I accepted and merged it on that discretion. The PR was
>> originally on the 4.11 milestone, however, due to it lacking a JIRA id and
>> no response from the author it was only recently removed from the milestone.
>>
>>
>> Please advise if I need to revert this, or we can review/lgtm it
>> post-merge? I'll also ping on the above PR.
>>
>>
>> - Rohit
>>
>> <https://cloudstack.apache.org>
> Apache CloudStack: Open Source Cloud Computing<https://cloudstack.apache.org/>
> cloudstack.apache.org
> CloudStack is open source cloud computing software for creating, managing, 
> and deploying infrastructure cloud services
>
>
>
>>
>>
>>
>> 
>> From: Wido den Hollander <w...@widodh.nl>
>> Sent: Thursday, January 11, 2018 9:17:26 PM
>> To: d...@cloudstack.apache.org
>> Subject: Re: [DISCUSS] Freezing master for 4.11
>>
>>
>>
>>> On 01/10/2018 07:26 PM, Daan Hoogland wrote:
>>> I hope we understand each other correctly: No-one running an earlier
>>> version than 4.11 should miss out on any functionality they are using
>> now.
>>>
>>> So if you use ipv6 and multiple cidrs now it must continue to work with
>> no
>>> loss of functionality. see my question below.
>>>
>>> On Wed, Jan 10, 2018 at 7:06 PM, Ivan Kudryavtsev <
>> kudryavtsev...@bw-sw.com>
>>> wrote:
>>>
>&g