From b2d76bad2e9455384c4ac34cee6763014e255eb6 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Tue, 10 May 2022 20:45:24 +0200
Subject: [PATCH 1/4] agent: enable ssl only for kvm agent (not in system vms)

---
 agent/src/main/java/com/cloud/agent/AgentShell.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/agent/src/main/java/com/cloud/agent/AgentShell.java b/agent/src/main/java/com/cloud/agent/AgentShell.java
index b693ce1b2b3e..9009cbd2cb5d 100644
--- a/agent/src/main/java/com/cloud/agent/AgentShell.java
+++ b/agent/src/main/java/com/cloud/agent/AgentShell.java
@@ -76,6 +76,8 @@ public class AgentShell implements IAgentShell, Daemon {
 private String connectedHost;
 private Long preferredHostCheckInterval;
+ static final String LIBVIRT_COMPUTING_RESOURCE = "com.cloud.hypervisor.kvm.resource.LibvirtComputingResource";
+
 public AgentShell() {
 }
@@ -375,7 +377,7 @@ public void init(String[] args) throws ConfigurationException {
 loadProperties();
 parseCommand(args);
- enableSSL();
+ enableSSLForKvmAgent();
 if (s_logger.isDebugEnabled()) {
 List properties = Collections.list((Enumeration)_properties.propertyNames());
@@ -399,12 +401,17 @@ public void init(String[] args) throws ConfigurationException {
 _backoff.configure("ConstantTimeBackoff", new HashMap());
 }
- private void enableSSL() {
+ private void enableSSLForKvmAgent() {
 final File agentFile = PropertiesUtil.findConfigFile("agent.properties");
 if (agentFile == null) {
 s_logger.info("Failed to find agent.properties file");
 return;
 }
+ final String resource = getProperty(null, "resource");
+ if (!LIBVIRT_COMPUTING_RESOURCE.equalsIgnoreCase(resource)) {
+ s_logger.info("This is not a cloudstack kvm agent, ignoring");
+ return;
+ }
 String keystorePass = getProperty(null, "keystore.passphrase");
 if (StringUtils.isBlank(keystorePass)) {
 s_logger.info("Failed to find passphrase for keystore: " + KeyStoreUtils.KS_FILENAME);
From 9b43ad297d6ae8adc8233a558185d716e5d01259 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 11 May 2022 11:19:28 +0200
Subject: [PATCH 2/4] Revert "agent: enable ssl only for kvm agent (not in system vms)"

This reverts commit b2d76bad2e9455384c4ac34cee6763014e255eb6.
---
 agent/src/main/java/com/cloud/agent/AgentShell.java | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/agent/src/main/java/com/cloud/agent/AgentShell.java b/agent/src/main/java/com/cloud/agent/AgentShell.java
index 9009cbd2cb5d..b693ce1b2b3e 100644
--- a/agent/src/main/java/com/cloud/agent/AgentShell.java
+++ b/agent/src/main/java/com/cloud/agent/AgentShell.java
@@ -76,8 +76,6 @@ public class AgentShell implements IAgentShell, Daemon {
 private String connectedHost;
 private Long preferredHostCheckInterval;
- static final String LIBVIRT_COMPUTING_RESOURCE = "com.cloud.hypervisor.kvm.resource.LibvirtComputingResource";
-
 public AgentShell() {
 }
@@ -377,7 +375,7 @@ public void init(String[] args) throws ConfigurationException {
 loadProperties();
 parseCommand(args);
- enableSSLForKvmAgent();
+ enableSSL();
 if (s_logger.isDebugEnabled()) {
 List properties = Collections.list((Enumeration)_properties.propertyNames());
@@ -401,17 +399,12 @@ public void init(String[] args) throws ConfigurationException {
 _backoff.configure("ConstantTimeBackoff", new HashMap());
 }
- private void enableSSLForKvmAgent() {
+ private void enableSSL() {
 final File agentFile = PropertiesUtil.findConfigFile("agent.properties");
 if (agentFile == null) {
 s_logger.info("Failed to find agent.properties file");
 return;
 }
- final String resource = getProperty(null, "resource");
- if (!LIBVIRT_COMPUTING_RESOURCE.equalsIgnoreCase(resource)) {
- s_logger.info("This is not a cloudstack kvm agent, ignoring");
- return;
- }
 String keystorePass = getProperty(null, "keystore.passphrase");
 if (StringUtils.isBlank(keystorePass)) {
 s_logger.info("Failed to find passphrase for keystore: " + KeyStoreUtils.KS_FILENAME);
From a16b46e1677c7c137659ff606419ea732b88d41f Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 11 May 2022 11:19:40 +0200
Subject: [PATCH 3/4] Revert "KVM: Enable SSL if keystore exists (#6200)"

This reverts commit 4525f8c8e7ffecf50eff586ccfbc3d498f1b8021.
---
 .../main/java/com/cloud/agent/AgentShell.java | 23 -------------------
 1 file changed, 23 deletions(-)

diff --git a/agent/src/main/java/com/cloud/agent/AgentShell.java b/agent/src/main/java/com/cloud/agent/AgentShell.java
index b693ce1b2b3e..f5920a8e037b 100644
--- a/agent/src/main/java/com/cloud/agent/AgentShell.java
+++ b/agent/src/main/java/com/cloud/agent/AgentShell.java
@@ -27,7 +27,6 @@
 import com.cloud.utils.backoff.BackoffAlgorithm;
 import com.cloud.utils.backoff.impl.ConstantTimeBackoff;
 import com.cloud.utils.exception.CloudRuntimeException;
-import org.apache.cloudstack.utils.security.KeyStoreUtils;
 import org.apache.commons.daemon.Daemon;
 import org.apache.commons.daemon.DaemonContext;
 import org.apache.commons.daemon.DaemonInitException;
@@ -375,7 +374,6 @@ public void init(String[] args) throws ConfigurationException {
 loadProperties();
 parseCommand(args);
- enableSSL();
 if (s_logger.isDebugEnabled()) {
 List properties = Collections.list((Enumeration)_properties.propertyNames());
@@ -399,27 +397,6 @@ public void init(String[] args) throws ConfigurationException {
 _backoff.configure("ConstantTimeBackoff", new HashMap());
 }
- private void enableSSL() {
- final File agentFile = PropertiesUtil.findConfigFile("agent.properties");
- if (agentFile == null) {
- s_logger.info("Failed to find agent.properties file");
- return;
- }
- String keystorePass = getProperty(null, "keystore.passphrase");
- if (StringUtils.isBlank(keystorePass)) {
- s_logger.info("Failed to find passphrase for keystore: " + KeyStoreUtils.KS_FILENAME);
- return;
- }
- final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
- File f = new File(keyStoreFile);
- if (f.exists() && !f.isDirectory()) {
- System.setProperty("javax.net.ssl.trustStore", keyStoreFile);
- System.setProperty("javax.net.ssl.trustStorePassword", keystorePass);
- } else {
- s_logger.info("Failed to find keystore file: " + keyStoreFile);
- }
- }
-
 private void launchAgent() throws ConfigurationException {
 String resourceClassNames = getProperty(null, "resource");
 s_logger.trace("resource=" + resourceClassNames);
From 1b29eb93da86938026bb31b1eb6fd7afd8aab57f Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 11 May 2022 11:19:46 +0200
Subject: [PATCH 4/4] KVM: Enable SSL if keystore exists in LibvirtComputingResource.java

---
 .../kvm/resource/LibvirtComputingResource.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index c513be6be229..c743a7858279 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -1020,6 +1020,7 @@ public boolean configure(final String name, final Map params) th
 }
 }
+ enableSSLForKvmAgent(params);
 configureLocalStorage(params);
 /* Directory to use for Qemu sockets like for the Qemu Guest Agent */
@@ -1282,6 +1283,23 @@ public boolean configure(final String name, final Map params) th
 return true;
 }
+ private void enableSSLForKvmAgent(final Map params) {
+ final File keyStoreFile = PropertiesUtil.findConfigFile(KeyStoreUtils.KS_FILENAME);
+ if (keyStoreFile == null) {
+ s_logger.info("Failed to find keystore file: " + KeyStoreUtils.KS_FILENAME);
+ return;
+ }
+ String keystorePass = (String)params.get(KeyStoreUtils.KS_PASSPHRASE_PROPERTY);
+ if (StringUtils.isBlank(keystorePass)) {
+ s_logger.info("Failed to find passphrase for keystore: " + KeyStoreUtils.KS_FILENAME);
+ return;
+ }
+ if (keyStoreFile.exists() && !keyStoreFile.isDirectory()) {
+ System.setProperty("javax.net.ssl.trustStore", keyStoreFile.getAbsolutePath());
+ System.setProperty("javax.net.ssl.trustStorePassword", keystorePass);
+ }
+ }
+
 protected void configureLocalStorage(final Map params) throws ConfigurationException {
 String localStoragePath = (String)params.get(LOCAL_STORAGE_PATH);
 if (localStoragePath == null) {
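Review bot: The added `enableSSLForKvmAgent(params);` call sets `javax.net.ssl.trustStore`/`trustStorePassword` from inside LibvirtComputingResource.configure(), which runs later in startup than the AgentShell.init() location removed in PATCH 3/4; the JDK reads these properties only when the default trust manager is first initialised, so if any TLS connection is opened before configure() reaches this line the properties are silently ignored and the agent would presumably continue with the JDK's default trust store. If the agent's startup sequence guarantees the ordering, say so in a comment, e.g. `// must run before the agent's first TLS connection: the trustStore properties are read once at SSLContext init`; otherwise a log line confirming the property was applied would make a misordering visible in the agent log. The enclosing configure() method starts and ends outside the hunk.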
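Review bot: `enableSSLForKvmAgent` locates the trust store with `PropertiesUtil.findConfigFile(KeyStoreUtils.KS_FILENAME)`, whereas the AgentShell.enableSSL removed in PATCH 3/4 resolved it as `agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME`; if findConfigFile walks several search locations, the file that defines which certificates this agent trusts now depends on search order rather than on one fixed path, which is harder to audit. Consider keeping the path anchored to the agent.properties directory, or at least log `keyStoreFile.getAbsolutePath()` when the properties are set so the file actually in use is visible. The `exists() && !isDirectory()` branch also dropped the `else` the old method had, so a directory at that path is now ignored without any message — restore `else { s_logger.info("Failed to find keystore file: " + keyStoreFile.getAbsolutePath()); }`. A short comment noting that `javax.net.ssl.trustStorePassword` leaves the passphrase readable as a JVM system property by any code in the process would also help the next maintainer.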