git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [VOTE] Apache CloudStack 4.11.2.0 RC5


Hi Wei,


I think the details were available via the list API in past releases (certainly 4.11.0, 4.11.1), and update API also existed therefore I think it is not a blocker but could be major security issue. As a workaround, admins may set the display field of keys in user_vm_details details to 0, or hide the tab in UI and even disable access to the update API (I get that it may not be ideal).


Let's plan to fix this and other bugs that we'll discover from 4.11.2.0 towards 4.11.3.0 and we can work on 4.11.3.0's release effort in next 1-2 months?


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Wei ZHOU <ustcweizhou@xxxxxxxxx>
Sent: Thursday, November 22, 2018 4:32:07 PM
To: dev@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5

found one blocker issue

users can see the setting tab of vms, and change the value of settings......
for example, memoryOvercommitRatio, cpuOvercommitRatio, SSH.PublicKey

-Wei

Wei ZHOU <ustcweizhou@xxxxxxxxx> 于2018年11月22日周四 上午11:46写道:

> +0
>
> tested with 4.11.2.0-rc6
>
> the following operations are ok on Ubuntu 16.04
>
> (0) build packages with the PR Rohit created
> https://github.com/apache/cloudstack/pull/3038. (also works on Ubuntu
> 18.04)
> (1) installation
> (2) created advanced zone with security groups by Marvin 4.11.2.0
> (3) system vms are Up.
> (4) upload ssl certificate, vm console works
> (5) install template
> (6) create vm
> (7) create vm with rootdisksize and datadisk
> (8) add domain/user, move vm to new user
> (9) change ip/mac, add new ip in vm, new ip/mac do not work. that's fine
>
> Found some issues below
> (1) upgrade from 4.7.1 to 4.11.2.0, need to
> copy /etc/default/cloudstack-management.dpkg-dist to
> /etc/default/cloudstack-management. otherwise mgt server will not be up
> (2) create L2 network will get error "Unable to execute API command
> listnetworkofferings due to invalid value.". zoneid is not passed to UI
> (3) reset sshkey will reset password. new password not in response, and
> not shown on UI. cannot find new password anywhere
> (4) add network to vm, the second nic will not work. vm will be stuck at
> start up after reboot. We should disable it if it is not supported by
> cloudstack
>
> I will test advanced zone (without security groups) later.
>
> Kind regards,
> Wei
>
>
>
> Paul Angus <paul.angus@xxxxxxxxxxxxx> 于2018年11月22日周四 上午9:16写道:
>
>> Hi Wido,
>>
>> We're in a position to upload the 4.11.2.0 binaries to
>> download.cloudstack.org  could you build the RPMs and DEBs please?
>> If it helps we can build the RPMs and put them up for you to sign.
>>
>>
>> Kind regards,
>>
>> Paul Angus
>>
>> paul.angus@xxxxxxxxxxxxx
>> www.shapeblue.com<http://www.shapeblue.com>
>> Amadeus House, Floral Street, London  WC2E 9DPUK
>> @shapeblue
>>
>>
>>
>>
>> -----Original Message-----
>> From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
>> Sent: 21 November 2018 16:26
>> To: dev@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>>
>> Hi Andrija,
>>
>> In 4.11.2 VR we've restricted the maximum size of systemd/journald files
>> so you should not see any significant memory increase than say 25-50MBs. In
>> my local testing with kvm, xenserver and vmware, I was never able to
>> reproduce the memory issue on VRs.
>>
>> Regards,
>> Rohit Yadav
>>
>> ________________________________
>> From: Andrija Panic <andrija.panic@xxxxxxxxx>
>> Sent: Wednesday, November 21, 2018 6:24:30 PM
>> To: dev
>> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>>
>> FYI, I also t tested this on KVM (ssh into VR many times with while
>> true..do ...as Rene  suggested) and also observed small increase in memory,
>> after 10min of script running, it went up by 10-20MB...but not sure how
>> significant this is...
>>
>> Andrija
>>
>> On Wed, Nov 21, 2018, 13:27 Zehnder, Samuel <zehnder@xxxxxxxxxxx wrote:
>>
>> > Hi Rohit
>> >
>> > I think I've found something regarding memory issues with vmware:
>> > Schema-update only updates default system-vm, but not newly registered
>> > ones:
>> >
>> >
>> > https://github.com/apache/cloudstack/blob/master/engine/schema/src/mai
>> > n/resources/META-INF/db/schema-41000to41100.sql
>> > :
>> > 448: -- Use 'Other Linux 64-bit' as guest os for the default
>> > systemvmtemplate for VMware
>> > 449: -- This fixes a memory allocation issue to systemvms on
>> > VMware/ESXi
>> > 450: UPDATE `cloud`.`vm_template` SET guest_os_id=99 WHERE id=8;
>> >
>> > When I registered the new templates I selected Debian something as OS
>> > type. I now changed this to "Other Linux (64bit)", which is what above
>> > update is doing, and I can see significantly less memory used by VRs.
>> > I do not understand the reasons behind this behavior, I tried also
>> > other settings (Debian 9 64-bit, Other 3.x Linux), neither seem to
>> > handle memory well...
>> >
>> > As for the VPN part, you suggested
>> > > you can build a custom systemvm.iso file with those settings.
>> > Is it possible to simply replace the systemvm.iso file on mgmt-server,
>> > remove it from secondary and restart mgmt-server? Maybe you can point
>> > me here in the right direction.
>> >
>> > Thanks,
>> > Sam
>> >
>> >
>> > > -----Original Message-----
>> > > From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
>> > > Sent: Dienstag, 20. November 2018 12:55
>> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
>> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>> > >
>> > > Hi Samuel,
>> > >
>> > >
>> > > Thanks for your email. I've opened this ticket for your first issue:
>> > > https://github.com/apache/cloudstack/issues/3039
>> > >
>> > > Please follow René's advice to (a) try increase the VR memory and
>> > > see if
>> > it
>> > > helps, (b) have a script for reducing memory over time. We'll also
>> > > work
>> > with
>> > > the systemd project to see if they can fix and backport this for
>> > > Debian
>> > 9.6+.
>> > >
>> > >
>> > > For your second issue, in 4.9 which used a Debian7 based VR and
>> > > openswan for VPN, we've moved to strongswan. If your external Cisco
>> > > endpoint/integration can work with strongswan, please create a VPC
>> > > VR and manipulate the strongswan configs in that VR and share your
>> > > results or
>> > send
>> > > a PR, the changes need to be in one of the python files such as
>> > configure.py.
>> > > The #2 issue is very specific to your environment and is not a
>> > > general
>> > error, if
>> > > you're able to optimize the configuration for a VR, you can build a
>> > custom
>> > > systemvm.iso file with those settings. In addition, you can send a
>> > > PR or submit a Github issue with details, logs, configurations etc:
>> > > https://github.com/apache/cloudstack/issues
>> > >
>> > >
>> > > I think both the issues are not general blockers and should not void
>> > 4.11.2.0
>> > > voting.
>> > >
>> > >
>> > > - Rohit
>> > >
>> > > <https://cloudstack.apache.org>
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Zehnder, Samuel <zehnder@xxxxxxxxxxx>
>> > > Sent: Monday, November 19, 2018 9:13:04 PM
>> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
>> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>> > >
>> > >
>> > > Hi Group
>> > >
>> > > First, sorry that I wasn't able to use the mailto-link for the
>> > > reply. It
>> > somehow
>> > > did not work..
>> > >
>> > >
>> > >
>> > > After Upgrading from 4.9 to 4.11 we are seeing two issues with
>> > > vRouter
>> > > systemVMs:
>> > >
>> > >
>> > >
>> > > 1) Memory Consumption on vSphere
>> > >
>> > > vRouter are starting to swap with low memory available, this also
>> > > starts happening after increasing memory size to 512m.
>> > > Interestingly, there's no process nor cache using the memory as far
>> > > as "top", "ps", or other tools report.
>> > >
>> > >
>> > >
>> > > 2) Site-2-Site VPN
>> > >
>> > > a) After a restart of the VPC (vRouter rebuild) VPN Tunnels are not
>> > > configured on vRouter. This has to be triggered manually with a call
>> > > to resetVpnConnection API.
>> > >
>> > > b) StrongSwan configuration does not work well with Cisco endpoints,
>> > > I've found following inputs:
>> > >
>> > >   - multiple "rightsubnet=" entries are not supported with ikev1
>> > > [1], so multiple conns should be configured instead
>> > >
>> > >   - multiple subnets are supported with ikev2, but not with Cisco
>> > endpoints,
>> > > use multiple conns as well [2]
>> > >
>> > >
>> > >
>> > > For me it is unclear, what script should be modified for above
>> > > issues,
>> > one of
>> > > those look promising:
>> > >
>> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt
>> > > /
>> > > cloud/bin/ipsectunnel.sh
>> > >
>> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt
>> > > /
>> > > cloud/bin/configure.py
>> > >
>> > >
>> > >
>> > > Regards,
>> > >
>> > > Sam
>> > >
>> > >
>> > >
>> > > [1]
>> > >
>> > https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftr
>> > igh
>> > > t-End-Parameters
>> > >
>> > > [2]
>> > https://serverfault.com/questions/904028/strongswan-to-cisco-asa-with-
>> > > multiple-right-subnet
>> > >
>> > >
>> > >
>> > > rohit.yadav@xxxxxxxxxxxxx
>> > > www.shapeblue.com<http://www.shapeblue.com>
>> > > Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
>> > >
>> > >
>> >
>>
>> rohit.yadav@xxxxxxxxxxxxx
>> www.shapeblue.com<http://www.shapeblue.com>
>> Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
>>
>>
>>
>>
>>

rohit.yadav@xxxxxxxxxxxxx 
www.shapeblue.com
Amadeus House, Floral Street, London  WC2E 9DPUK
@shapeblue