Re: [VOTE] Apache CloudStack 4.11.2.0 RC5


Hi Rohit,

Thanks for your reply.

I do not object to showing these values to users. However, users should not be
able to change/remove the settings, at least we can enable/disable it by
some settings.

If we can fix it in the next minor release, this is not a blocker for me.

-Wei




Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx> wrote on Thu, Nov 22, 2018 at 12:19 PM:

> Hi Wei,
>
>
> I think the details were available via the list API in past releases
> (certainly 4.11.0, 4.11.1), and the update API also existed, therefore I
> think it is not a blocker but could be a major security issue. As a
> workaround, admins may set the display field of keys in user_vm_details
> details to 0, or hide the tab in UI and even disable access to the update
> API (I get that it may not be ideal).
>
>
> Let's plan to fix this and other bugs that we'll discover from 4.11.2.0
> towards 4.11.3.0 and we can work on 4.11.3.0's release effort in next 1-2
> months?
>
>
> - Rohit
>
> <https://cloudstack.apache.org>
>
>
>
> ________________________________
> From: Wei ZHOU <ustcweizhou@xxxxxxxxx>
> Sent: Thursday, November 22, 2018 4:32:07 PM
> To: dev@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>
> found one blocker issue
>
> users can see the setting tab of vms, and change the value of
> settings......
> for example, memoryOvercommitRatio, cpuOvercommitRatio, SSH.PublicKey
>
> -Wei
>
> Wei ZHOU <ustcweizhou@xxxxxxxxx> wrote on Thu, Nov 22, 2018 at 11:46 AM:
>
> > +0
> >
> > tested with 4.11.2.0-rc6
> >
> > the following operations are ok on Ubuntu 16.04
> >
> > (0) build packages with the PR Rohit created
> > https://github.com/apache/cloudstack/pull/3038. (also works on Ubuntu
> > 18.04)
> > (1) installation
> > (2) created advanced zone with security groups by Marvin 4.11.2.0
> > (3) system vms are Up.
> > (4) upload ssl certificate, vm console works
> > (5) install template
> > (6) create vm
> > (7) create vm with rootdisksize and datadisk
> > (8) add domain/user, move vm to new user
> > (9) change ip/mac, add new ip in vm, new ip/mac do not work. that's fine
> >
> > Found some issues below
> > (1) upgrade from 4.7.1 to 4.11.2.0, need to
> > copy /etc/default/cloudstack-management.dpkg-dist to
> > /etc/default/cloudstack-management. otherwise mgt server will not be up
> > (2) create L2 network will get error "Unable to execute API command
> > listnetworkofferings due to invalid value.". zoneid is not passed to UI
> > (3) reset sshkey will reset password. new password not in response, and
> > not shown on UI. cannot find new password anywhere
> > (4) add network to vm, the second nic will not work. vm will be stuck at
> > start up after reboot. We should disable it if it is not supported by
> > cloudstack
> >
> > I will test advanced zone (without security groups) later.
> >
> > Kind regards,
> > Wei
> >
> >
> >
> > Paul Angus <paul.angus@xxxxxxxxxxxxx> wrote on Thu, Nov 22, 2018 at 9:16 AM:
> >
> >> Hi Wido,
> >>
> >> We're in a position to upload the 4.11.2.0 binaries to
> >> download.cloudstack.org  could you build the RPMs and DEBs please?
> >> If it helps we can build the RPMs and put them up for you to sign.
> >>
> >>
> >> Kind regards,
> >>
> >> Paul Angus
> >>
> >> paul.angus@xxxxxxxxxxxxx
> >> www.shapeblue.com<http://www.shapeblue.com>
> >> Amadeus House, Floral Street, London  WC2E 9DPUK
> >> @shapeblue
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
> >> Sent: 21 November 2018 16:26
> >> To: dev@xxxxxxxxxxxxxxxxxxxxx
> >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >>
> >> Hi Andrija,
> >>
> >> In 4.11.2 VR we've restricted the maximum size of systemd/journald files
> >> so you should not see any significant memory increase than say 25-50MBs.
> >> In my local testing with kvm, xenserver and vmware, I was never able to
> >> reproduce the memory issue on VRs.
> >>
> >> Regards,
> >> Rohit Yadav
> >>
> >> ________________________________
> >> From: Andrija Panic <andrija.panic@xxxxxxxxx>
> >> Sent: Wednesday, November 21, 2018 6:24:30 PM
> >> To: dev
> >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >>
> >> FYI, I also tested this on KVM (ssh into VR many times with while
> >> true..do ...as Rene suggested) and also observed small increase in
> >> memory, after 10min of script running, it went up by 10-20MB...but not
> >> sure how significant this is...
> >>
> >> Andrija
> >>
> >> On Wed, Nov 21, 2018, 13:27 Zehnder, Samuel <zehnder@xxxxxxxxxxx wrote:
> >>
> >> > Hi Rohit
> >> >
> >> > I think I've found something regarding memory issues with vmware:
> >> > Schema-update only updates default system-vm, but not newly registered
> >> > ones:
> >> >
> >> >
> >> >
> >> > https://github.com/apache/cloudstack/blob/master/engine/schema/src/main/resources/META-INF/db/schema-41000to41100.sql:
> >> >
> >> > -- Use 'Other Linux 64-bit' as guest os for the default systemvmtemplate for VMware
> >> > -- This fixes a memory allocation issue to systemvms on VMware/ESXi
> >> > UPDATE `cloud`.`vm_template` SET guest_os_id=99 WHERE id=8;
> >> >
> >> > When I registered the new templates I selected Debian something as OS
> >> > type. I now changed this to "Other Linux (64bit)", which is what above
> >> > update is doing, and I can see significantly less memory used by VRs.
> >> > I do not understand the reasons behind this behavior, I tried also
> >> > other settings (Debian 9 64-bit, Other 3.x Linux), neither seem to
> >> > handle memory well...
> >> >
> >> > As for the VPN part, you suggested
> >> > > you can build a custom systemvm.iso file with those settings.
> >> > Is it possible to simply replace the systemvm.iso file on mgmt-server,
> >> > remove it from secondary and restart mgmt-server? Maybe you can point
> >> > me here in the right direction.
> >> >
> >> > Thanks,
> >> > Sam
> >> >
> >> >
> >> > > -----Original Message-----
> >> > > From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
> >> > > Sent: Dienstag, 20. November 2018 12:55
> >> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
> >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >> > >
> >> > > Hi Samuel,
> >> > >
> >> > >
> >> > > Thanks for your email. I've opened this ticket for your first issue:
> >> > > https://github.com/apache/cloudstack/issues/3039
> >> > >
> >> > > Please follow René's advice to (a) try increasing the VR memory and
> >> > > see if it helps, (b) have a script for reducing memory over time.
> >> > > We'll also work with the systemd project to see if they can fix and
> >> > > backport this for Debian 9.6+.
> >> > >
> >> > >
> >> > > For your second issue, in 4.9 which used a Debian7 based VR and
> >> > > openswan for VPN, we've moved to strongswan. If your external Cisco
> >> > > endpoint/integration can work with strongswan, please create a VPC
> >> > > VR and manipulate the strongswan configs in that VR and share your
> >> > > results or send a PR, the changes need to be in one of the python
> >> > > files such as configure.py. The #2 issue is very specific to your
> >> > > environment and is not a general error, if you're able to optimize
> >> > > the configuration for a VR, you can build a custom systemvm.iso file
> >> > > with those settings. In addition, you can send a PR or submit a
> >> > > Github issue with details, logs, configurations etc:
> >> > > https://github.com/apache/cloudstack/issues
> >> > >
> >> > >
> >> > > I think both the issues are not general blockers and should not void
> >> > > 4.11.2.0 voting.
> >> > >
> >> > >
> >> > > - Rohit
> >> > >
> >> > > <https://cloudstack.apache.org>
> >> > >
> >> > >
> >> > >
> >> > > ________________________________
> >> > > From: Zehnder, Samuel <zehnder@xxxxxxxxxxx>
> >> > > Sent: Monday, November 19, 2018 9:13:04 PM
> >> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
> >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >> > >
> >> > >
> >> > > Hi Group
> >> > >
> >> > > First, sorry that I wasn't able to use the mailto-link for the
> >> > > reply. It somehow did not work..
> >> > >
> >> > >
> >> > >
> >> > > After Upgrading from 4.9 to 4.11 we are seeing two issues with
> >> > > vRouter systemVMs:
> >> > >
> >> > >
> >> > >
> >> > > 1) Memory Consumption on vSphere
> >> > >
> >> > > vRouter are starting to swap with low memory available, this also
> >> > > starts happening after increasing memory size to 512m.
> >> > > Interestingly, there's no process nor cache using the memory as far
> >> > > as "top", "ps", or other tools report.
> >> > >
> >> > >
> >> > >
> >> > > 2) Site-2-Site VPN
> >> > >
> >> > > a) After a restart of the VPC (vRouter rebuild) VPN Tunnels are not
> >> > > configured on vRouter. This has to be triggered manually with a call
> >> > > to resetVpnConnection API.
> >> > >
> >> > > b) StrongSwan configuration does not work well with Cisco endpoints,
> >> > > I've found following inputs:
> >> > >
> >> > >   - multiple "rightsubnet=" entries are not supported with ikev1
> >> > > [1], so multiple conns should be configured instead
> >> > >
> >> > >   - multiple subnets are supported with ikev2, but not with Cisco
> >> > > endpoints, use multiple conns as well [2]
> >> > >
> >> > >
> >> > >
> >> > > For me it is unclear, what script should be modified for above
> >> > > issues, one of those look promising:
> >> > >
> >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/ipsectunnel.sh
> >> > >
> >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/configure.py
> >> > >
> >> > >
> >> > >
> >> > > Regards,
> >> > >
> >> > > Sam
> >> > >
> >> > >
> >> > >
> >> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters
> >> > >
> >> > > [2] https://serverfault.com/questions/904028/strongswan-to-cisco-asa-with-multiple-right-subnet
> >> > >
> >> > >
> >> > >
> >> > > rohit.yadav@xxxxxxxxxxxxx
> >> > > www.shapeblue.com<http://www.shapeblue.com>
> >> > > Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
> >> > >
> >> > >
> >> >
> >>
> >> rohit.yadav@xxxxxxxxxxxxx
> >> www.shapeblue.com<http://www.shapeblue.com>
> >> Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
> >>
> >>
> >>
> >>
> >>
>
> rohit.yadav@xxxxxxxxxxxxx
> www.shapeblue.com
> Amadeus House, Floral Street, London  WC2E 9DPUK
> @shapeblue
>
>
>
>
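
The strongSwan point raised earlier in the thread (several "rightsubnet=" networks under ikev1 need one conn each) can be illustrated with the following added example, which is not part of the original messages and is not CloudStack's configure.py. The conn name, addresses and the helper names parse_conn and split_rightsubnets are assumptions made for the illustration; only standard ipsec.conf keywords (conn, also, rightsubnet, auto) are used.

```python
import ipaddress

# Constructed sample: an IKEv1 site-to-site conn with several remote subnets
# on one rightsubnet= line (documentation and private address ranges).
SAMPLE_CONN = """\
conn site-a
    keyexchange=ikev1
    left=198.51.100.5
    leftsubnet=10.1.0.0/16
    right=203.0.113.10
    rightsubnet=192.168.10.0/24, 192.168.20.0/24,192.168.30.0/24
    authby=secret
    auto=start
"""

def parse_conn(text):
    """Return (name, [(key, value), ...]) for a single conn section."""
    name, params = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn ") and name is None:
            name = line.split(None, 1)[1]
        elif "=" in line and name is not None:
            key, value = line.split("=", 1)
            params.append((key.strip(), value.strip()))
        elif line:
            raise ValueError("unrecognised line: %r" % raw)
    if name is None:
        raise ValueError("no conn section found")
    return name, params

def split_rightsubnets(text):
    """Emit one conn per remote subnet; shared settings move to a base conn."""
    name, params = parse_conn(text)
    settings = dict(params)
    # Validate each CIDR so a typo fails here rather than at tunnel setup.
    subnets = [str(ipaddress.ip_network(s.strip()))
               for s in settings.get("rightsubnet", "").split(",") if s.strip()]
    if len(subnets) < 2:
        return text  # nothing to split
    out = ["conn %s-base" % name]
    out += ["    %s=%s" % kv for kv in params if kv[0] not in ("rightsubnet", "auto")]
    for i, net in enumerate(subnets, 1):
        out += ["", "conn %s-%d" % (name, i), "    also=%s-base" % name,
                "    rightsubnet=%s" % net,
                "    auto=%s" % settings.get("auto", "ignore")]
    return "\n".join(out) + "\n"
```

The base conn carries no auto= line, so it stays at the ipsec.conf default (ignore) and only the per-subnet conns that include it through also= are brought up.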