Re: [VOTE] Apache CloudStack 4.11.2.0 RC5


Hi Paul,

Yes, SSL offloading in VR is not implemented in 4.11.2.0. It is only
applicable for NetScaler.
The button should be hidden if there is no NetScaler in use, same as
"health-check" and "autoScale";
see lines 3421-3451 in ui/scripts/network.js

-Wei




Paul Angus <paul.angus@xxxxxxxxxxxxx> wrote on Thu, 22 Nov 2018 at 1:51 PM:

> Thanks Wei,
> I'll create a 4.11.2.1 milestone with a very limited scope.
> As well as this there seems to be an SSL cert column that has been put in
> by Accelerite that only pertains to NetScalers but appears for all
> networks, which is very confusing (well it confused me anyway).
>
>
>
> Kind regards,
>
> Paul Angus
>
> paul.angus@xxxxxxxxxxxxx
> www.shapeblue.com
> Amadeus House, Floral Street, London  WC2E 9DPUK
> @shapeblue
>
>
>
>
> -----Original Message-----
> From: Wei ZHOU <ustcweizhou@xxxxxxxxx>
> Sent: 22 November 2018 11:56
> To: dev@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
>
> Hi Rohit,
>
> Thanks for your reply.
>
> I do not object to showing these values to users. However, users should not
> be able to change/remove the settings, at least we can enable/disable it by
> some settings.
>
> If we can fix it in next minor release, this is not a blocker for me.
>
> -Wei
>
>
>
>
> Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx> wrote on Thu, 22 Nov 2018 at 12:19 PM:
>
> > Hi Wei,
> >
> >
> > I think the details were available via the list API in past releases
> > (certainly 4.11.0, 4.11.1), and the update API also existed, therefore I
> > think it is not a blocker but could be a major security issue. As a
> > workaround, admins may set the display field of keys in
> > user_vm_details details to 0, or hide the tab in UI and even disable
> > access to the update API (I get that it may not be ideal).
> >
> >
> > Let's plan to fix this and other bugs that we'll discover from
> > 4.11.2.0 towards 4.11.3.0 and we can work on 4.11.3.0's release effort
> > in next 1-2 months?
> >
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> >
> >
> > ________________________________
> > From: Wei ZHOU <ustcweizhou@xxxxxxxxx>
> > Sent: Thursday, November 22, 2018 4:32:07 PM
> > To: dev@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> >
> > found one blocker issue
> >
> > users can see the setting tab of vms, and change the value of
> > settings......
> > for example, memoryOvercommitRatio, cpuOvercommitRatio, SSH.PublicKey
> >
> > -Wei
> >
> > Wei ZHOU <ustcweizhou@xxxxxxxxx> wrote on Thu, 22 Nov 2018 at 11:46 AM:
> >
> > > +0
> > >
> > > tested with 4.11.2.0-rc6
> > >
> > > the following operations are ok on Ubuntu 16.04
> > >
> > > (0) build packages with the PR Rohit created
> > > https://github.com/apache/cloudstack/pull/3038. (also works on
> > > Ubuntu
> > > 18.04)
> > > (1) installation
> > > (2) created advanced zone with security groups by Marvin 4.11.2.0
> > > (3) system vms are Up.
> > > (4) upload ssl certificate, vm console works
> > > (5) install template
> > > (6) create vm
> > > (7) create vm with rootdisksize and datadisk
> > > (8) add domain/user, move vm to new user
> > > (9) change ip/mac, add new ip in vm, new ip/mac do not work. that's
> > > fine
> > >
> > > Found some issues below
> > > (1) upgrade from 4.7.1 to 4.11.2.0, need to copy
> > > /etc/default/cloudstack-management.dpkg-dist to
> > > /etc/default/cloudstack-management. otherwise mgt server will not be
> > > up
> > > (2) create L2 network will get error "Unable to execute API command
> > > listnetworkofferings due to invalid value.". zoneid is not passed to
> > > UI
> > > (3) reset sshkey will reset password. new password not in response,
> > > and not shown on UI. cannot find new password anywhere
> > > (4) add network to vm, the second nic will not work. vm will be
> > > stuck at start up after reboot. We should disable it if it is not
> > > supported by cloudstack
> > >
> > > I will test advanced zone (without security groups) later.
> > >
> > > Kind regards,
> > > Wei
> > >
> > >
> > >
> > > Paul Angus <paul.angus@xxxxxxxxxxxxx> wrote on Thu, 22 Nov 2018 at 9:16 AM:
> > >
> > >> Hi Wido,
> > >>
> > >> We're in a position to upload the 4.11.2.0 binaries to
> > >> download.cloudstack.org  could you build the RPMs and DEBs please?
> > >> If it helps we can build the RPMs and put them up for you to sign.
> > >>
> > >>
> > >> Kind regards,
> > >>
> > >> Paul Angus
> > >>
> > >> paul.angus@xxxxxxxxxxxxx
> > >> www.shapeblue.com<http://www.shapeblue.com>
> > >> Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
> > >>
> > >>
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
> > >> Sent: 21 November 2018 16:26
> > >> To: dev@xxxxxxxxxxxxxxxxxxxxx
> > >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> > >>
> > >> Hi Andrija,
> > >>
> > >> In 4.11.2 VR we've restricted the maximum size of systemd/journald files
> > >> so you should not see any significant memory increase beyond, say,
> > >> 25-50MBs. In my local testing with kvm, xenserver and vmware, I was never
> > >> able to reproduce the memory issue on VRs.
> > >>
> > >> Regards,
> > >> Rohit Yadav
> > >>
> > >> ________________________________
> > >> From: Andrija Panic <andrija.panic@xxxxxxxxx>
> > >> Sent: Wednesday, November 21, 2018 6:24:30 PM
> > >> To: dev
> > >> Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> > >>
> > >> FYI, I also tested this on KVM (ssh into VR many times with while
> > >> true..do ...as Rene suggested) and also observed small increase in memory,
> > >> after 10min of script running, it went up by 10-20MB...but not sure how
> > >> significant this is...
> > >>
> > >> Andrija
> > >>
> > >> On Wed, Nov 21, 2018, 13:27 Zehnder, Samuel <zehnder@xxxxxxxxxxx> wrote:
> > >>
> > >> > Hi Rohit
> > >> >
> > >> > I think I've found something regarding memory issues with vmware:
> > >> > Schema-update only updates default system-vm, but not newly registered
> > >> > ones:
> > >> >
> > >> > https://github.com/apache/cloudstack/blob/master/engine/schema/src/main/resources/META-INF/db/schema-41000to41100.sql
> > >> >
> > >> > 448: -- Use 'Other Linux 64-bit' as guest os for the default systemvmtemplate for VMware
> > >> > 449: -- This fixes a memory allocation issue to systemvms on VMware/ESXi
> > >> > 450: UPDATE `cloud`.`vm_template` SET guest_os_id=99 WHERE id=8;
> > >> >
> > >> > When I registered the new templates I selected Debian something as OS
> > >> > type. I now changed this to "Other Linux (64bit)", which is what above
> > >> > update is doing, and I can see significantly less memory used by VRs.
> > >> > I do not understand the reasons behind this behavior, I tried also
> > >> > other settings (Debian 9 64-bit, Other 3.x Linux), neither seem to
> > >> > handle memory well...
> > >> >
> > >> > As for the VPN part, you suggested
> > >> > > you can build a custom systemvm.iso file with those settings.
> > >> > Is it possible to simply replace the systemvm.iso file on mgmt-server,
> > >> > remove it from secondary and restart mgmt-server? Maybe you can point
> > >> > me here in the right direction.
> > >> >
> > >> > Thanks,
> > >> > Sam
> > >> >
> > >> >
> > >> > > -----Original Message-----
> > >> > > From: Rohit Yadav <rohit.yadav@xxxxxxxxxxxxx>
> > >> > > Sent: Tuesday, 20 November 2018 12:55
> > >> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
> > >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> > >> > >
> > >> > > Hi Samuel,
> > >> > >
> > >> > >
> > >> > > Thanks for your email. I've opened this ticket for your first issue:
> > >> > > https://github.com/apache/cloudstack/issues/3039
> > >> > >
> > >> > > Please follow René's advice to (a) try increasing the VR memory and see
> > >> > > if it helps, (b) have a script for reducing memory over time. We'll also
> > >> > > work with the systemd project to see if they can fix and backport this
> > >> > > for Debian 9.6+.
> > >> > >
> > >> > >
> > >> > > For your second issue, in 4.9 which used a Debian7 based VR and
> > >> > > openswan for VPN, we've moved to strongswan. If your external Cisco
> > >> > > endpoint/integration can work with strongswan, please create a VPC
> > >> > > VR and manipulate the strongswan configs in that VR and share your
> > >> > > results or send a PR, the changes need to be in one of the python files
> > >> > > such as configure.py.
> > >> > > The #2 issue is very specific to your environment and is not a general
> > >> > > error, if you're able to optimize the configuration for a VR, you can
> > >> > > build a custom systemvm.iso file with those settings. In addition, you
> > >> > > can send a PR or submit a Github issue with details, logs,
> > >> > > configurations etc:
> > >> > > https://github.com/apache/cloudstack/issues
> > >> > >
> > >> > >
> > >> > > I think both the issues are not general blockers and should not void
> > >> > > 4.11.2.0 voting.
> > >> > >
> > >> > >
> > >> > > - Rohit
> > >> > >
> > >> > > <https://cloudstack.apache.org>
> > >> > >
> > >> > >
> > >> > >
> > >> > > ________________________________
> > >> > > From: Zehnder, Samuel <zehnder@xxxxxxxxxxx>
> > >> > > Sent: Monday, November 19, 2018 9:13:04 PM
> > >> > > To: dev@xxxxxxxxxxxxxxxxxxxxx
> > >> > > Subject: Re: [VOTE] Apache CloudStack 4.11.2.0 RC5
> > >> > >
> > >> > >
> > >> > > Hi Group
> > >> > >
> > >> > > First, sorry that I wasn't able to use the mailto-link for the reply. It
> > >> > > somehow did not work..
> > >> > >
> > >> > >
> > >> > >
> > >> > > After upgrading from 4.9 to 4.11 we are seeing two issues with vRouter
> > >> > > systemVMs:
> > >> > >
> > >> > >
> > >> > >
> > >> > > 1) Memory Consumption on vSphere
> > >> > >
> > >> > > vRouters are starting to swap with low memory available, this also
> > >> > > starts happening after increasing memory size to 512m.
> > >> > > Interestingly, there's no process nor cache using the memory as far
> > >> > > as "top", "ps", or other tools report.
> > >> > >
> > >> > >
> > >> > >
> > >> > > 2) Site-2-Site VPN
> > >> > >
> > >> > > a) After a restart of the VPC (vRouter rebuild) VPN Tunnels are not
> > >> > > configured on vRouter. This has to be triggered manually with a call
> > >> > > to resetVpnConnection API.
> > >> > >
> > >> > > b) StrongSwan configuration does not work well with Cisco endpoints,
> > >> > > I've found following inputs:
> > >> > >
> > >> > >   - multiple "rightsubnet=" entries are not supported with ikev1
> > >> > > [1], so multiple conns should be configured instead
> > >> > >
> > >> > >   - multiple subnets are supported with ikev2, but not with Cisco
> > >> > > endpoints, use multiple conns as well [2]
> > >> > >
> > >> > >
> > >> > >
> > >> > > For me it is unclear, what script should be modified for above issues,
> > >> > > one of those look promising:
> > >> > >
> > >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/ipsectunnel.sh
> > >> > >
> > >> > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/opt/cloud/bin/configure.py
> > >> > >
> > >> > >
> > >> > >
> > >> > > Regards,
> > >> > >
> > >> > > Sam
> > >> > >
> > >> > >
> > >> > >
> > >> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters
> > >> > >
> > >> > > [2] https://serverfault.com/questions/904028/strongswan-to-cisco-asa-with-multiple-right-subnet
> > >> > >
> > >> > >
> > >> > >
> > >> > > rohit.yadav@xxxxxxxxxxxxx
> > >> > > www.shapeblue.com<http://www.shapeblue.com>
> > >> > > Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
> > >> > >
> > >> > >
> > >> >
> > >>
> > >> rohit.yadav@xxxxxxxxxxxxx
> > >> www.shapeblue.com<http://www.shapeblue.com>
> > >> Amadeus House, Floral Street, London  WC2E 9DPUK @shapeblue
> > >>
> > >>
> > >>
> > >>
> > >>
> >
> > rohit.yadav@xxxxxxxxxxxxx
> > www.shapeblue.com
> > Amadeus House, Floral Street, London  WC2E 9DPUK
> > @shapeblue
> >
> >
> >
> >
>
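
The site-to-site VPN point raised in the quoted thread above (one strongSwan conn per remote subnet instead of several "rightsubnet=" entries), as an added example that is not part of the thread and is not CloudStack's configure.py or ipsectunnel.sh code. The function name, connection names and addresses are hypothetical; endpoints are assumed to be IP addresses and authentication a pre-shared key.

```python
import ipaddress

def build_conns(name, left, leftsubnet, right, rightsubnets, keyexchange="ikev1"):
    """Render ipsec.conf text with one conn section per remote subnet."""
    # Validate endpoints and the local subnet; ValueError on malformed input.
    left_ip = ipaddress.ip_address(left)
    right_ip = ipaddress.ip_address(right)
    local = ipaddress.ip_network(leftsubnet, strict=True)

    # Normalise remote subnets, drop duplicates, keep the caller's order.
    remotes = []
    for raw in rightsubnets:
        net = ipaddress.ip_network(raw.strip(), strict=True)
        if net.version == local.version and net.overlaps(local):
            raise ValueError(f"remote subnet {net} overlaps local subnet {local}")
        if net not in remotes:
            remotes.append(net)
    if not remotes:
        raise ValueError("at least one remote subnet is required")

    sections = []
    for index, net in enumerate(remotes, start=1):
        sections.append("\n".join([
            f"conn {name}-{index}",
            f"    left={left_ip}",
            f"    leftsubnet={local}",
            f"    right={right_ip}",
            f"    rightsubnet={net}",   # exactly one subnet per conn
            f"    keyexchange={keyexchange}",
            "    authby=secret",
            "    auto=start",
        ]))
    return "\n\n".join(sections) + "\n"

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not from the thread.
    print(build_conns("vpn-cisco", "198.51.100.5", "10.1.0.0/16",
                      "203.0.113.10", ["192.168.10.0/24", "192.168.20.0/24"]))
```

Rejecting overlapping or malformed subnets before the file is written keeps a typo from silently widening or breaking the tunnel's traffic selectors.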