agent: enable ssl only for kvm agent (not in system vms) #6371
Conversation
|
@blueorangutan package |
|
@weizhouapache a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 3383 |
|
@blueorangutan test |
|
@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
| if (!LIBVIRT_COMPUTING_RESOURCE.equalsIgnoreCase(resource)) { | ||
| s_logger.info("This is not a cloudstack kvm agent, ignoring"); | ||
| return; | ||
| } |
There was a problem hiding this comment.
@nvazquez @weizhouapache Could this cause an issue with (a) direct download, (b) ssl enabled cpvm and ssvm. Should we attempt to fix the issue by importing or referencing the system keystore too where java/ca certs are stored and imported (for x1/letsencrypt) @Pearl1594 ?
There was a problem hiding this comment.
@rohityadavcloud @nvazquez @Pearl1594
this part of code was introduced in #6200 which aims to fix an issue with direct download on KVM.
with this pr, SSL is still enabled on KVM hosts, but not in system VMs where Java process load key store realhostip.keystone (same as the behavior without #6200 )
There was a problem hiding this comment.
Makes sense if this was relatively newer code.
|
@blueorangutan ubuntu20 kvm-ubuntu20 |
|
Verified HTTPS templates working on KVM env with this fix |
| return; | ||
| } | ||
| final String resource = getProperty(null, "resource"); | ||
| if (!LIBVIRT_COMPUTING_RESOURCE.equalsIgnoreCase(resource)) { |
There was a problem hiding this comment.
The use of LIBVIRT_COMPUTING_RESOURCE or com.cloud.hypervisor.kvm.resource.LibvirtComputingResource may be misleading (for ex. what if this isn't the resource name? for example, we do support lxc etc?).
Can you simply add a check if the agent is either is in systemvm (for ex. /etc/cloudstack-release would exist) or if we're on a KVM host (check for /dev/kvm exists or libvirt running)? (Depending on what we're trying to achieve here). The other option usually is to check the resource class via some method.
What do you think @weizhouapache @nvazquez ?
There was a problem hiding this comment.
@rohityadavcloud
I will move all these codes to LibvirtComputingResource which makes more sense.
I will verify the issue fixed by #6200 as well.
|
Trillian test result (tid-4158)
|
|
Found UI changes, kicking a new UI QA build |
|
@acs-robot a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress. |
|
UI build: ✔️ |
|
@blueorangutan package |
|
@weizhouapache a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Kudos, SonarCloud Quality Gate passed! |
|
Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 3386 |
|
@blueorangutan test |
|
@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
Trillian test result (tid-4161)
|
|
@blueorangutan test |
|
@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
Trillian test result (tid-4166)
|
apache#151) * agent: enable ssl only for kvm agent (not in system vms) * Revert "agent: enable ssl only for kvm agent (not in system vms)" This reverts commit b2d76ba. * Revert "KVM: Enable SSL if keystore exists (apache#6200)" This reverts commit 4525f8c. * KVM: Enable SSL if keystore exists in LibvirtComputingResource.java Co-authored-by: Wei Zhou <weizhou@apache.org>
…en enable SSL for kvm agent This was implemented in PR#6200 and apache#6371 , but broken in PR#6348
…en enable SSL for kvm agent This was implemented in PR#6200 and apache#6371 , but broken in PR#6348
7 participants
Description
This PR fixes the issue that template cannot be downloaded from https site in 4.17.0.0 RC2.
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?