Re: Procedure for Linux templates

2016-02-19 Thread Stephan Seitz
Hi guys,

just sorting out our repository.

Maybe you find it useful:
https://github.com/HeinleinSupport/acs-template-scripts

Currently, the scripts are looking somewhat messy and our SuSE LEAP
scripts are waiting for cleanup, but for the impatient ones ...

For ACS we're moving to public github projects, so I'd expect more to
come ;)

cheers and have a nice weekend!

- Stephan

On Thursday, 18.02.2016, 22:13 +0200, Cristian Ciobanu wrote:
> Hello,
> 
> Nice to hear this, i will wait for updates.
> 
> 
> Regards,
> Cristian
> On 18.02.2016 19:19:30, Stephan Seitz  
> wrote:
> Hi,
> 
> we've recently built templates for Centos 7, Ubuntu 14.04, Debian 8 and
> SuSE Leap 42.1.
> 
> We tried to do our work as near as possible to the respective default
> networking. So CentOS 7 w/ NM and SuSE Leap with wicked (which caused a
> lot of pain to get it working...)
> 
> We're just sorting out our git project including ReadMe's and scripts
> and expect to push it tomorrow to github.
> 
> cheers,
> 
> - Stephan
> 
> On Thursday, 18.02.2016, 15:04 +0200, Cristian Ciobanu wrote:
> > Hello,
> >
> > Can i get a documentation for how to create Linux templates, and needed 
> > scripts ?
> >
> > I did like in this example : 
> > http://cloudstack-administration.readthedocs.org/en/4.8/templates.html#creating-a-template-from-an-existing-virtual-machine
> >  but is not working for CentOS 6.7 or CentOS 7 ( after deploy from template 
> > template i don't have IP assigned on my network also password reset is not 
> > working )
> >
> > Thank you!
> >
> >
> > Regards,
> > Cristian
> 
> 




S3 create storage error

2016-02-19 Thread Yuriy Karpel
CentOS7, Cloudstack 4.7.


Log management server:

2016-02-18 12:29:11,412 DEBUG [c.c.a.ApiServlet] (catalina-exec-1:ctx-b584fb48 ctx-a3bf9246) (logid:4f89e2ee) ===END===  10.30.10.41 -- GET  command=addImageStore&response=json&name=%D0%A8%D1%8C%D1%84%D0%BF%D1%83%D1%8B&provider=S3&details%5B2%5D.key=bucket&details%5B2%5D.value=cloudsatck&details%5B3%5D.key=usehttps&details%5B3%5D.value=false&details%5B4%5D.key=endpoint&details%5B4%5D.value=s3.cloud.bst.su&_=1455787750977
2016-02-18 12:29:21,114 INFO  [c.c.s.t.S3TemplateDownloader] (pool-31-thread-1:ctx-6edac5b0) (logid:12c6e83b) Starting download from http://10.30.10.3/mrepo/ISO/systemvm64template-4.6.0-kvm.qcow2.bz2 to S3 bucket cloudsatck and size 319401369 bytes
2016-02-18 12:29:21,114 DEBUG [c.c.u.s.S.S3Utils] (pool-31-thread-1:ctx-6edac5b0) (logid:12c6e83b) Sending stream as S3 object template/tmpl/1/3/routing-3/systemvm64template-4.6.0-kvm.qcow2.bz2 in bucket cloudsatck using PutObjectRequest
2016-02-18 12:29:24,162 ERROR [o.a.c.s.i.BaseImageStoreDriverImpl] (pool-32-thread-1:ctx-c4711819) (logid:1e9d43f6) Failed to register template: 68e06bff-c4de-440f-af52-5de758880219 with error:
2016-02-18 12:29:28,874 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] (AsyncJobMgr-Heartbeat-1:ctx-76a4fd2a) (logid:bf77dfbf) Begin cleanup expired async-jobs
2016-02-18 12:29:28,899 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] (AsyncJobMgr-Heartbeat-1:ctx-76a4fd2a) (logid:bf77dfbf) End cleanup expired async-jobs

Log radosgw:
10.30.10.42 - - [18/Feb/2016:12:29:21 +0300] "POST /template/tmpl/1/3/routing-3/systemvm64template-4.6.0-kvm.qcow2.bz2?uploads HTTP/1.1" 400 152 "-" "aws-sdk-java/1.10.34 Linux/3.10.0-327.3.1.el7.x86_64 OpenJDK_64-Bit_Server_VM/25.65-b01/1.8.0_65 com.amazonaws.services.s3.transfer.TransferManager_multipart/1.10.34"

S3cmd:
[ceph@ceph-adm ~]$ s3cmd -c s3test.cfg ls
2016-02-18 06:37  s3://cl-images
2016-02-18 08:06  s3://cloudstack
[ceph@ceph-adm ~]$ s3cmd -c s3test.cfg put s3test.cfg s3://cl-images
upload: 's3test.cfg' -> 's3://cl-images/s3test.cfg'  [1 of 1]
 1949 of 1949   100% in    0s   241.14 kB/s  done
upload: 's3test.cfg' -> 's3://cl-images/s3test.cfg'  [1 of 1]
 1949 of 1949   100% in    0s    99.51 kB/s  done
[ceph@ceph-adm ~]$ s3cmd -c s3test.cfg la
2016-02-18 07:23  1949   s3://cl-images/s3test.cfg
[ceph@ceph-adm ~]$ s3cmd -c s3test.cfg rm s3://cl-images/s3test.cfg
delete: 's3://cl-images/s3test.cfg'


Re: Procedure for Linux templates

2016-02-19 Thread Cristian Ciobanu
Hi Stephan,

  First of all, thanks for the scripts. Also, can you let me know what needs to be 
executed on the VM after the script files are copied to the VM?

  I don't see any information, is like only copy the files and execute 
newtemplate.sh.

Regards,
Cristian
On 19.02.2016 13:19:47, Stephan Seitz  
wrote:
Hi guys,

just sorting out our repository.

Maybe you find it useful:
https://github.com/HeinleinSupport/acs-template-scripts

Currently, the scripts are looking somewhat messy and our SuSE LEAP
scripts are waiting for cleanup, but for the impatient ones ...

For ACS we're moving to public github projects, so I'd expect more to
come ;)

cheers and have a nice weekend!

- Stephan

On Thursday, 18.02.2016, 22:13 +0200, Cristian Ciobanu wrote:
> Hello,
>
> Nice to hear this, i will wait for updates.
>
>
> Regards,
> Cristian
> On 18.02.2016 19:19:30, Stephan Seitz wrote:
> Hi,
>
> we've recently built templates for Centos 7, Ubuntu 14.04, Debian 8 and
> SuSE Leap 42.1.
>
> We tried to do our work as near as possible to the respective default
> networking. So CentOS 7 w/ NM and SuSE Leap with wicked (which caused a
> lot of pain to get it working...)
>
> We're just sorting out our git project including ReadMe's and scripts
> and expect to push it tomorrow to github.
>
> cheers,
>
> - Stephan
>
> On Thursday, 18.02.2016, 15:04 +0200, Cristian Ciobanu wrote:
> > Hello,
> >
> > Can i get a documentation for how to create Linux templates, and needed 
> > scripts ?
> >
> > I did like in this example : 
> > http://cloudstack-administration.readthedocs.org/en/4.8/templates.html#creating-a-template-from-an-existing-virtual-machine
> >  but is not working for CentOS 6.7 or CentOS 7 ( after deploy from template 
> > template i don't have IP assigned on my network also password reset is not 
> > working )
> >
> > Thank you!
> >
> >
> > Regards,
> > Cristian
>
>




HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread Nux!
Hi,

Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a 
wildcard certificate to match that.
Is there no other way to enable SSL without the wildcard DNS bit?
It adds a bit of overhead having to setup DNS infra for the customer just so 
he's able to securely access his cloud.


--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Re: Procedure for Linux templates

2016-02-19 Thread Stephan Seitz
Hey Cristian,

we will add distribution-dependent README.md next week.

If you'd like to follow the same naming, just:

1. create a user "vmadmin"
2. optional: add vmadmin user to sudoers (maybe with NOPASSWD: )
3. copy the files
4. enable the init scripts. E.g. systemctl enable cloud... or
update-rc.d ... depends on the respective distro.


If you copied the files (some need executable rights,
e.g. /etc/init.d/... or /usr/local/sbin/...)


If you want to benefit from the rock-sold (hehe...) accessibility, just
create some kind of "admin-only" or "management" or similar network with
a network-address of 10.97.64.0 (doesn't matter if it's /24 or bigger,
though we're using a /22) and attach this network as the first one.

The whole magic is done via movedhcpdefaultroute script.

We're using the /root/newtemplate.sh if we modified our templates and
just want to create the next version of it.

As said, next week some documentation and suggestions will follow :)

cheers,

- Stephan



On Friday, 19.02.2016, 17:18 +0200, Cristian Ciobanu wrote:
> Hi Stephan,
> 
>   First of all, thanks for scripts, also can you let me know what need to be 
> executed on VM after script file's are copied on VM.
> 
>   I don't see any information, is like only copy the files and execute 
> newtemplate.sh.
> 
> Regards,
> Cristian
> On 19.02.2016 13:19:47, Stephan Seitz  
> wrote:
> Hi guys,
> 
> just sorting out our repository.
> 
> Maybe you find it useful:
> https://github.com/HeinleinSupport/acs-template-scripts
> 
> Currently, the scripts are looking somewhat messy and our SuSE LEAP
> scripts are waiting for cleanup, but for the impatient ones ...
> 
> For ACS we're moving to public github projects, so I'ld expect more to
> come ;)
> 
> cheers and have a nice weekend!
> 
> - Stephan
> 
> On Thursday, 18.02.2016, 22:13 +0200, Cristian Ciobanu wrote:
> > Hello,
> >
> > Nice to hear this, i will wait for updates.
> >
> >
> > Regards,
> > Cristian
> > On 18.02.2016 19:19:30, Stephan Seitz wrote:
> > Hi,
> >
> > we've recently built templates for Centos 7, Ubuntu 14.04, Debian 8 and
> > SuSE Leap 42.1.
> >
> > We tried to do our work as near as possible to the respective default
> > networking. So CentOS 7 w/ NM and SuSE Leap with wicked (which caused a
> > lot of pain to get it working...)
> >
> > We're just sorting out our git project including ReadMe's and scripts
> > and expect to push it tomorrow to github.
> >
> > cheers,
> >
> > - Stephan
> >
> > On Thursday, 18.02.2016, 15:04 +0200, Cristian Ciobanu wrote:
> > > Hello,
> > >
> > > Can i get a documentation for how to create Linux templates, and needed 
> > > scripts ?
> > >
> > > I did like in this example : 
> > > http://cloudstack-administration.readthedocs.org/en/4.8/templates.html#creating-a-template-from-an-existing-virtual-machine
> > >  but is not working for CentOS 6.7 or CentOS 7 ( after deploy from 
> > > template template i don't have IP assigned on my network also password 
> > > reset is not working )
> > >
> > > Thank you!
> > >
> > >
> > > Regards,
> > > Cristian
> >
> >
> 
> 




Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread Stephan Seitz
Hi,

well, one could manage huge hosts-files ;)

but seriously, you just need a dns-name / wildcard-certificate for a
domain you trust. If your customers trust your certificate AND your dns
- maybe because of dnssec - you don't need that for every customer.

To keep things off our full-featured nameservers, we did a
zone-delegation for a cloud-subdomain.domain.tld to a small bind which
holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
A-Records.
This took us maybe one hour and a 3-liner in bash.

cheers,

- Stephan

On Friday, 19.02.2016, 16:07 +, Nux! wrote:
> Hi,
> 
> Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a 
> wildcard certificate to match that.
> Is there no other way to enable SSL without the wildcard DNS bit?
> It adds a bit of overhead having to setup DNS infra for the customer just so 
> he's able to securely access his cloud.
> 
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
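
The flat zone of a-b-c-d to a.b.c.d A records described in the message above can be generated with a short shell script. This is an added example, not the script used by the poster and not part of CloudStack; the zone name cloud.example.com, the name server ns1.example.com, the serial and the 198.51.100.0/30 range are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the thread): build the flat zone of
# "a-b-c-d IN A a.b.c.d" records for a delegated console-proxy subdomain.
# All names, the serial and the address range used below are constructed samples.

# ip_to_int A.B.C.D: print the address as an integer; return 1 if malformed.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$4
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in 0?*) return 1 ;; esac      # leading zero would be read as octal
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_quad N SEP: print the four octets of N joined by SEP ("." or "-").
int_to_quad() {
    printf '%d%s%d%s%d%s%d\n' \
        $(( ($1 >> 24) & 255 )) "$2" $(( ($1 >> 16) & 255 )) "$2" \
        $(( ($1 >> 8) & 255 )) "$2" $(( $1 & 255 ))
}

# gen_console_records CIDR: one record per address in the block.
# Prefixes shorter than /16 are refused to keep the zone to 65536 names at most.
gen_console_records() {
    _net=${1%/*}; _len=${1#*/}
    case $_len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$_len" -ge 16 ] && [ "$_len" -le 32 ] || return 1
    _base=$(ip_to_int "$_net") || return 1
    _size=$(( 1 << (32 - _len) ))
    _base=$(( _base & ~(_size - 1) ))          # align to the network address
    _i=0
    while [ "$_i" -lt "$_size" ]; do
        _n=$(( _base + _i ))
        printf '%s\tIN\tA\t%s\n' "$(int_to_quad "$_n" -)" "$(int_to_quad "$_n" .)"
        _i=$(( _i + 1 ))
    done
}

# gen_zone ORIGIN NS_HOST SERIAL CIDR: complete zone file for the delegated subdomain.
gen_zone() {
    _recs=$(gen_console_records "$4") || return 1
    printf '$ORIGIN %s.\n$TTL 3600\n' "$1"
    printf '@\tIN\tSOA\t%s. hostmaster.%s. ( %s 3600 900 604800 300 )\n' "$2" "$1" "$3"
    printf '@\tIN\tNS\t%s.\n' "$2"
    printf '%s\n' "$_recs"
}

# Constructed sample run: four addresses from a documentation range.
gen_zone cloud.example.com ns1.example.com 2016021901 198.51.100.0/30
```

A wildcard certificate for *.cloud.example.com then matches every generated name, since each a-b-c-d label sits exactly one level below the delegated zone.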




Re: Procedure for Linux templates

2016-02-19 Thread Cristian Ciobanu
Hi Stephan,

    I just figured out how to do it. I also created a template for CentOS 7, but I 
changed the user from vmadmin to root. Everything is OK except I'm not able to 
connect via SSH to the VM (I get a timeout), but if I go via the console on the VM I have 
a network connection and the generated password works.


  Thank you ! ( very nice scripts )


Regards,
Cristian
On 19.02.2016 18:14:43, Stephan Seitz  
wrote:
Hey Cristian,

we will add distribution-dependent README.md next week.

If you'd like to follow the same naming, just:

1. create a user "vmadmin"
2. optional: add vmadmin user to sudoers (maybe with NOPASSWD: )
3. copy the files
4. enable the init scripts. E.g. systemctl enable cloud... or
update-rc.d ... depends on the respective distro.


If you copied the files (some need executable rights,
e.g. /etc/init.d/... or /usr/local/sbin/...)


If you want to benefit from the rock-sold (hehe...) accessibility, just
create some kind of "admin-only" or "management" or similar network with
a network-address of 10.97.64.0 (doesn't matter if it's /24 or bigger,
though we're using a /22) and attach this network as the first one.

The whole magic is done via movedhcpdefaultroute script.

We're using the /root/newtemplate.sh if we modified our templates and
just want to create the next version of it.

As said, next week some documentation and suggestions will follow :)

cheers,

- Stephan



On Friday, 19.02.2016, 17:18 +0200, Cristian Ciobanu wrote:
> Hi Stephan,
>
> First of all, thanks for scripts, also can you let me know what need to be 
> executed on VM after script file's are copied on VM.
>
> I don't see any information, is like only copy the files and execute 
> newtemplate.sh.
>
> Regards,
> Cristian
> On 19.02.2016 13:19:47, Stephan Seitz wrote:
> Hi guys,
>
> just sorting out our repository.
>
> Maybe you find it useful:
> https://github.com/HeinleinSupport/acs-template-scripts
>
> Currently, the scripts are looking somewhat messy and our SuSE LEAP
> scripts are waiting for cleanup, but for the impatient ones ...
>
> For ACS we're moving to public github projects, so I'ld expect more to
> come ;)
>
> cheers and have a nice weekend!
>
> - Stephan
>
> On Thursday, 18.02.2016, 22:13 +0200, Cristian Ciobanu wrote:
> > Hello,
> >
> > Nice to hear this, i will wait for updates.
> >
> >
> > Regards,
> > Cristian
> > On 18.02.2016 19:19:30, Stephan Seitz wrote:
> > Hi,
> >
> > we've recently built templates for Centos 7, Ubuntu 14.04, Debian 8 and
> > SuSE Leap 42.1.
> >
> > We tried to do our work as near as possible to the respective default
> > networking. So CentOS 7 w/ NM and SuSE Leap with wicked (which caused a
> > lot of pain to get it working...)
> >
> > We're just sorting out our git project including ReadMe's and scripts
> > and expect to push it tomorrow to github.
> >
> > cheers,
> >
> > - Stephan
> >
> > On Thursday, 18.02.2016, 15:04 +0200, Cristian Ciobanu wrote:
> > > Hello,
> > >
> > > Can i get a documentation for how to create Linux templates, and needed 
> > > scripts ?
> > >
> > > I did like in this example : 
> > > http://cloudstack-administration.readthedocs.org/en/4.8/templates.html#creating-a-template-from-an-existing-virtual-machine
> > >  but is not working for CentOS 6.7 or CentOS 7 ( after deploy from 
> > > template template i don't have IP assigned on my network also password 
> > > reset is not working )
> > >
> > > Thank you!
> > >
> > >
> > > Regards,
> > > Cristian
> >
> >
>
>




Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread Nux!
So there's no way around it, thanks Stephan. :-)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Stephan Seitz" 
> To: users@cloudstack.apache.org
> Sent: Friday, 19 February, 2016 16:21:37
> Subject: Re: HTTPS for console VM, without the wildcard DNS

> Hi,
> 
> well, one could manage huge hosts-files ;)
> 
> but seriously, you just need a dns-name / wildcard-certificate for a
> domain you trust. If your customers trust your certificate AND your dns
> - maybe because of dnssec - you don't need that for every customer.
> 
> To keep things off our full-featured nameservers, we did a
> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
> A-Records.
> This took us maybe one hour and a 3-liner in bash.
> 
> cheers,
> 
> - Stephan
> 
> On Friday, 19.02.2016, 16:07 +, Nux! wrote:
>> Hi,
>> 
>> Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>> wildcard certificate to match that.
>> Is there no other way to enable SSL without the wildcard DNS bit?
>> It adds a bit of overhead having to setup DNS infra for the customer just so
>> he's able to securely access his cloud.
>> 
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro


Re: Procedure for Linux templates

2016-02-19 Thread Cristian Ciobanu
Stephan,

Sorry, after VM restart SSH works.


Regards,
Cristian
On 19.02.2016 18:14:43, Stephan Seitz  
wrote:
Hey Cristian,

we will add distribution-dependent README.md next week.

If you'd like to follow the same naming, just:

1. create a user "vmadmin"
2. optional: add vmadmin user to sudoers (maybe with NOPASSWD: )
3. copy the files
4. enable the init scripts. E.g. systemctl enable cloud... or
update-rc.d ... depends on the respective distro.


If you copied the files (some need executable rights,
e.g. /etc/init.d/... or /usr/local/sbin/...)


If you want to benefit from the rock-sold (hehe...) accessibility, just
create some kind of "admin-only" or "management" or similar network with
a network-address of 10.97.64.0 (doesn't matter if it's /24 or bigger,
though we're using a /22) and attach this network as the first one.

The whole magic is done via movedhcpdefaultroute script.

We're using the /root/newtemplate.sh if we modified our templates and
just want to create the next version of it.

As said, next week some documentation and suggestions will follow :)

cheers,

- Stephan



On Friday, 19.02.2016, 17:18 +0200, Cristian Ciobanu wrote:
> Hi Stephan,
>
> First of all, thanks for scripts, also can you let me know what need to be 
> executed on VM after script file's are copied on VM.
>
> I don't see any information, is like only copy the files and execute 
> newtemplate.sh.
>
> Regards,
> Cristian
> On 19.02.2016 13:19:47, Stephan Seitz wrote:
> Hi guys,
>
> just sorting out our repository.
>
> Maybe you find it useful:
> https://github.com/HeinleinSupport/acs-template-scripts
>
> Currently, the scripts are looking somewhat messy and our SuSE LEAP
> scripts are waiting for cleanup, but for the impatient ones ...
>
> For ACS we're moving to public github projects, so I'ld expect more to
> come ;)
>
> cheers and have a nice weekend!
>
> - Stephan
>
> On Thursday, 18.02.2016, 22:13 +0200, Cristian Ciobanu wrote:
> > Hello,
> >
> > Nice to hear this, i will wait for updates.
> >
> >
> > Regards,
> > Cristian
> > On 18.02.2016 19:19:30, Stephan Seitz wrote:
> > Hi,
> >
> > we've recently built templates for Centos 7, Ubuntu 14.04, Debian 8 and
> > SuSE Leap 42.1.
> >
> > We tried to do our work as near as possible to the respective default
> > networking. So CentOS 7 w/ NM and SuSE Leap with wicked (which caused a
> > lot of pain to get it working...)
> >
> > We're just sorting out our git project including ReadMe's and scripts
> > and expect to push it tomorrow to github.
> >
> > cheers,
> >
> > - Stephan
> >
> > On Thursday, 18.02.2016, 15:04 +0200, Cristian Ciobanu wrote:
> > > Hello,
> > >
> > > Can i get a documentation for how to create Linux templates, and needed 
> > > scripts ?
> > >
> > > I did like in this example : 
> > > http://cloudstack-administration.readthedocs.org/en/4.8/templates.html#creating-a-template-from-an-existing-virtual-machine
> > >  but is not working for CentOS 6.7 or CentOS 7 ( after deploy from 
> > > template template i don't have IP assigned on my network also password 
> > > reset is not working )
> > >
> > > Thank you!
> > >
> > >
> > > Regards,
> > > Cristian
> >
> >
>
>




Network Rate

2016-02-19 Thread Yesid Mora
Hello guys, we have a problem: we need to limit the network rate for all the 
VMs on a specific account. The bandwidth required for the client is 2Mb. Which 
parameters in the offering (Compute, system, disk, network) do I need to change in 
order to apply the limit?

Thanks




Cordialmente / Best regards,





Yesid Mora | Orchestration Engineer | O4IT


PBX:+57 (1) 423-5460  Ext  251  | Cel: 3124509565


Cr. 7 #74-56 | Oficina 202 | Bogotá, Colombia


www.o4it.com | ym...@o4it.com









CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential or 
proprietary information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, immediately 
contact the sender by reply e-mail and destroy all copies of the original 
message.









RE: Network Rate

2016-02-19 Thread Somesh Naidu
One way to accomplish this would be to set rate limit on Network offering (in 
UI, the label for that parameter is “Network Rate (Mb/s)”) that would be used 
specifically to create network/s specific to that particular account.

Regards,
Somesh

From: Yesid Mora [mailto:ym...@o4it.com]
Sent: Friday, February 19, 2016 1:51 PM
To: users@cloudstack.apache.org
Subject: Network Rate

Hello guys, we have a problem, we need to limit the Network-rate for the all 
VM’s on a specific account  the bandwidth require for the client its 2Mb, which 
parameters in offering (Compute, system, disk, network) do I need to change in 
order to apply the limit?.

Thanks




Cordialmente / Best regards,





Yesid Mora | Orchestration Engineer | O4IT


PBX:+57 (1) 423-5460  Ext  251  | Cel: 3124509565


Cr. 7 #74-56 | Oficina 202 | Bogotá, Colombia


www.o4it.com | ym...@o4it.com













Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread John Kinsella
You could probably hack this - if you only provided enough IPs for your System 
VMs so that its IP wouldn’t change, you could register the SSL cert for that 
specific FQDN.

Seems like it should be possible to have the console proxy run in http-only, 
then put a TLS endpoint in front of it (haproxy, netscaler etc) but I suspect 
a few code tweaks would be necessary.

But no, no good out-of-the box solution.

John

> On Feb 19, 2016, at 8:38 AM, Nux!  wrote:
> 
> So there's no way around it, thanks Stephan. :-)
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> - Original Message -
>> From: "Stephan Seitz" 
>> To: users@cloudstack.apache.org
>> Sent: Friday, 19 February, 2016 16:21:37
>> Subject: Re: HTTPS for console VM, without the wildcard DNS
> 
>> Hi,
>> 
>> well, one could manage huge hosts-files ;)
>> 
>> but seriously, you just need a dns-name / wildcard-certificate for a
>> domain you trust. If your customers trust your certificate AND your dns
>> - maybe because of dnssec - you don't need that for every customer.
>> 
>> To keep things off our full-featured nameservers, we did a
>> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
>> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
>> A-Records.
>> This took us maybe one hour and a 3-liner in bash.
>> 
>> cheers,
>> 
>> - Stephan
>> 
>> On Friday, 19.02.2016, 16:07 +, Nux! wrote:
>>> Hi,
>>> 
>>> Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>>> wildcard certificate to match that.
>>> Is there no other way to enable SSL without the wildcard DNS bit?
>>> It adds a bit of overhead having to setup DNS infra for the customer just so
>>> he's able to securely access his cloud.
>>> 
>>> 
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> 
>>> Nux!
>>> www.nux.ro



Re: HTTPS for console VM, without the wildcard DNS

2016-02-19 Thread Nux!
Yeah, it's a hassle.

I wish the console VM came with a self signed certificate by default and be 
accessed via https by default.

Nowadays I use your proxy-ing tip to quickly put the cloudstack management 
behind mod_ssl - way easier than having to mess with Tomcat, however browsers 
will not render non-https URLs in https pages, such as the iframe inclusive of 
the console url.

The way it is now works fine if you have one or two clouds, but when you want 
to sell many little clouds adding new infra (spinning gears) to do the whole 
https/dns thingy is annoying.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "John Kinsella" 
> To: users@cloudstack.apache.org
> Sent: Friday, 19 February, 2016 20:31:55
> Subject: Re: HTTPS for console VM, without the wildcard DNS

> You could probably hack this - if you only provided enough IPs for your System
> VMs so that its IP wouldn’t change, you could register the SSL cert for that
> specific FQDN.
> 
> Seems like it should be possible to have the console proxy run in http-only,
> then put a TLS endpoint in front of it (haproxy, netscaler etc) but I suspect
> a few code tweaks would be necessary.
> 
> But no, no good out-of-the box solution.
> 
> John
> 
>> On Feb 19, 2016, at 8:38 AM, Nux!  wrote:
>> 
>> So there's no way around it, thanks Stephan. :-)
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
>> 
>> - Original Message -
>>> From: "Stephan Seitz" 
>>> To: users@cloudstack.apache.org
>>> Sent: Friday, 19 February, 2016 16:21:37
>>> Subject: Re: HTTPS for console VM, without the wildcard DNS
>> 
>>> Hi,
>>> 
>>> well, one could manage huge hosts-files ;)
>>> 
>>> but seriously, you just need a dns-name / wildcard-certificate for a
>>> domain you trust. If your customers trust your certificate AND your dns
>>> - maybe because of dnssec - you don't need that for every customer.
>>> 
>>> To keep things off our full-featured nameservers, we did a
>>> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
>>> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
>>> A-Records.
>>> This took us maybe one hour and a 3-liner in bash.
>>> 
>>> cheers,
>>> 
>>> - Stephan
>>> 
>>> On Friday, 19.02.2016, 16:07 +, Nux! wrote:
>>>> Hi,
>>>> 
>>>> Last I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>>>> wildcard certificate to match that.
>>>> Is there no other way to enable SSL without the wildcard DNS bit?
>>>> It adds a bit of overhead having to setup DNS infra for the customer just so
>>>> he's able to securely access his cloud.
>>>> 
>>>> 
>>>> --
>>>> Sent from the Delta quadrant using Borg technology!
>>>> 
>>>> Nux!
>>>> www.nux.ro