cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ro...@apache.org
Subject [cloudstack-documentation] branch master updated: Improve warning about the unauthenticated API port (#51)
Date Fri, 12 Jul 2019 07:49:06 GMT
This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/master by this push:
     new 9d93d47  Improve warning about the unauthenticated API port (#51)
9d93d47 is described below

commit 9d93d476f44c182d65a05825a5d0a5152876da20
Author: Gregor Riepl <Gregor.Riepl@swisstxt.ch>
AuthorDate: Fri Jul 12 09:49:02 2019 +0200

    Improve warning about the unauthenticated API port (#51)
    
    * Improve warning about the unauthenticated API port
    
    Changes:
    
    - Added a warning box around the note about port 8096
    - Improved wording slightly
    - Added a note at the end on how to disable unauthenticated mgmt server access
---
 source/upgrading/upgrade/_sysvm_restart.rst | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/source/upgrading/upgrade/_sysvm_restart.rst b/source/upgrading/upgrade/_sysvm_restart.rst
index 3adcedc..d4b267a 100644
--- a/source/upgrading/upgrade/_sysvm_restart.rst
+++ b/source/upgrading/upgrade/_sysvm_restart.rst
@@ -18,12 +18,18 @@
 Once you've upgraded the packages on your management servers, you'll
 need to restart the system VMs. Ensure that the admin port is set to
 8096 by using the "integration.api.port" global parameter. This port
-is used by the cloud-sysvmadm script at the end of the upgrade
+is used by the cloudstack-sysvmadm script at the end of the upgrade
 procedure. For information about how to set this parameter, see :ref:`configuration parameters
<configuration-parameters>`
-Changing this parameter will require management server restart. Also
-make sure port 8096 is open in your local host firewall to do this.
-Please note that the integration.api.port (8096) is unauthenticated
-port and must not be open for public access.
+Changing this parameter will require a management server restart.
+
+If you run the cloudstack-sysvmadm script from outside the management
+server, make sure port 8096 is open in your local host firewall.
+
+.. warning::
+
+   Never allow access to port 8096 from the public internet! The
+   management server accepts API calls without authentication on this
+   port, which can pose a serious security risk.
 
 There is a script that will do this for you, all you need to do is
 run the script and supply the IP address for your MySQL instance and
@@ -51,4 +57,8 @@ The output to ``sysvm.log`` will look something like this:
    Stopping and starting 4 running routing vm(s)...
    Done restarting router(s).
 
+After the upgrade process is complete, you can disable unauthenticated
+API access again by setting "integration.api.port" to 0.
+Don't forget to restart the management server afterwards.
+
 .. sub-section included in upgrade notes.


Mime
View raw message