cloudstack-dev mailing list archives

From "Wei Zhou" <w.z...@leaseweb.com>
Subject Re: Review Request: (CLOUDSTACK-1475) update keystore in SSVM and change download iso/template url after Update SSL Certificate
Date Mon, 18 Mar 2013 11:05:14 GMT


> On March 15, 2013, 5:56 a.m., Nitin Mehta wrote:
> > server/src/com/cloud/storage/download/DownloadMonitorImpl.java, line 202
> > <https://reviews.apache.org/r/9696/diff/2/?file=264874#file264874line202>
> >
> >     can you please use SecondaryStorageVmManager instead ?
> 
> Wei Zhou wrote:
>     I can define a new constant in SecondaryStorageVmManager which is the same as ConsoleProxyManager.CERTIFICATE_NAME, but I think it is not necessary.
> 
> Nitin Mehta wrote:
>     I would rather put it in SecondaryStorageVmManager so that other devs are not confused and the design is more modularized and maintainable.

CPVM and SSVM use the same SSL certificate with name = ConsoleProxyManager.CERTIFICATE_NAME = "CPVMCertificate".
ConsoleProxyManager.CERTIFICATE_NAME is also used in com.cloud.storage.secondary.SecondaryStorageManagerImpl.generateSetupCommand(Long).
To stay compatible with lower versions of CloudStack, it is difficult to change the certificate name.


> On March 15, 2013, 5:56 a.m., Nitin Mehta wrote:
> > server/src/com/cloud/configuration/Config.java, line 120
> > <https://reviews.apache.org/r/9696/diff/2/?file=264869#file264869line120>
> >
> >     are there any dependencies on this flag in the code ?
> >     We need to remove this flag during migration as well.
> 
> Wei Zhou wrote:
>     consoleproxy.url.domain is not used in any source code. We use "company.com", which is set in the SSL certificate update, as the domain suffix of the console url.
> 
> Nitin Mehta wrote:
>     But if someone is upgrading to this version s/he will have this entry in the DB and hence in the global setting, correct? Can you please put a delete statement so that people upgrading do not get confused by this entry? You can look into the upgrade files for example.

Of course. At first I would like to ensure the fixed version (4.0.2/4.1.0/master), then I
will create a patch including the removal.


> On March 15, 2013, 5:56 a.m., Nitin Mehta wrote:
> > server/src/com/cloud/storage/upload/UploadMonitorImpl.java, line 225
> > <https://reviews.apache.org/r/9696/diff/2/?file=264875#file264875line225>
> >
> >     can you put an example here...seems some hardcoding
> 
> Wei Zhou wrote:
>     The list "token" is the result of splitting the download url of the ISO/Template by "/". For example, if the url is https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso, then token[2] is 10-11-101-112.realhostip.com.
> 
> Nitin Mehta wrote:
>     Wei - Can you please put this as a comment in the code? This would greatly help devs to understand in the future.

Of course.


- Wei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/9696/#review17961
-----------------------------------------------------------


On March 15, 2013, 9:54 a.m., Wei Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/9696/
> -----------------------------------------------------------
> 
> (Updated March 15, 2013, 9:54 a.m.)
> 
> 
> Review request for cloudstack, Nitin Mehta and Jayapal Reddy.
> 
> 
> Description
> -------
> 
> This patch is for issue CLOUDSTACK-1475 (RegisterISO error after Update SSL Certificate)
> on CloudStack 4.0.1. 
> 
> 
> Changes include:
> (1) update realhostip.keystore in SSVM (see the change in config_ssl.sh)
> (2) change suffix of download iso/template url from realhostip.com to domain_suffix in SSL Certificate.
> (3) validate download URL because ssvm publicip or domain suffix may change.
> 
> 
> This addresses bug CLOUDSTACK-1475.
> 
> 
> Diffs
> -----
> 
>   agent/src/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java 48f5079 
>   console-proxy/scripts/config_ssl.sh 8d80c47 
>   core/src/com/cloud/storage/resource/CifsSecondaryStorageResource.java c606fca 
>   core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java 155210d 
>   server/src/com/cloud/configuration/Config.java dbcc97a 
>   server/src/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java 01b4720 
>   server/src/com/cloud/consoleproxy/AgentBasedStandaloneConsoleProxyManager.java 6172780 
>   server/src/com/cloud/consoleproxy/StaticConsoleProxyManager.java d2df83c 
>   server/src/com/cloud/server/ConfigurationServerImpl.java 3368c9b 
>   server/src/com/cloud/storage/download/DownloadMonitorImpl.java 2736777 
>   server/src/com/cloud/storage/upload/UploadMonitorImpl.java 4231be8 
> 
> Diff: https://reviews.apache.org/r/9696/diff/
> 
> 
> Testing
> -------
> 
> Testing manually ok.
> 
> 
> To test:
> (1) generate update the SSL certificate and it.  see "17.3.1. Changing the Console Proxy SSL Certificate and Domain" part in CloudPlatform3.0.6AdminGuide
> http://support.citrix.com/servlet/KbServlet/download/33425-102-696517/CloudPlatform3.0.6AdminGuide.pdf
> 
> (2) visit instance via console. 
> 
> (3) Download ISO/Template. The browser will show the download url.
> Before patch: the domain suffix of the url is always "realhostip.com".
> After patch: the domain suffix of the url is "company.com", which you set in step (1).
> 
> (4) Register ISO/Template using the url in step(3).
> Before patch: When the domain suffix is not "realhostip.com", it fails with error message "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
> After patch: successful.
> 
> (5) Destroy SSVM, and a new one will be created. 
> Before patch: the url in step (3) does not change. The url still contains the ip address of the old SSVM and the old domain suffix.
> After patch: the url will contain the ip address of the new SSVM. If the "company.com" changes, the url will also contain the new domain suffix.
> 
> (6) If you do not have a DNS server (which can resolve the company.com domain), please add an entry in the /etc/hosts file of the client.
> aaa.bbb.ccc.ddd aaa-bbb-ccc-ddd.company.com        # aaa.bbb.ccc.ddd is the console proxy ip, and the ssvm ip as well.
> 
> 
> We need to restart management-server after Update SSL Certificate.
> 
> 
> Thanks,
> 
> Wei Zhou
> 
>
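
The thread above describes download URLs whose host is the SSVM public IP written with dashes plus the certificate's domain suffix, and a patch that validates the URL because either part may change. The following is an added example, not code from the CloudStack patch: the class and method names are hypothetical, and it reads the host with `java.net.URI` rather than `split("/")[2]`, since the split token would also carry any userinfo or port present in the URL.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; class and method names are hypothetical, not CloudStack's.
public class DownloadUrlCheck {

    // Host the SSVM should be reachable at: public IP with dots replaced by
    // dashes, followed by the domain suffix from the SSL certificate.
    static String expectedHost(String ssvmPublicIp, String domainSuffix) {
        return ssvmPublicIp.replace('.', '-') + "." + domainSuffix;
    }

    // Returns the URL unchanged if its host is current, otherwise a URL with
    // the same path pointing at the expected host.
    static String refresh(String url, String ssvmPublicIp, String domainSuffix)
            throws URISyntaxException {
        URI uri = new URI(url);
        // getHost() excludes userinfo and port, unlike url.split("/")[2].
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            throw new URISyntaxException(url, "not an https URL with a host");
        }
        String wanted = expectedHost(ssvmPublicIp, domainSuffix);
        if (host.equalsIgnoreCase(wanted)) {
            return url;
        }
        return new URI("https", wanted, uri.getPath(), null).toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: URL quoted in the thread; the new SSVM IP is assumed.
        String old = "https://10-11-101-112.realhostip.com/userdata/"
                + "2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso";
        System.out.println(old.split("/")[2]);                        // token[2] as in the thread
        System.out.println(refresh(old, "10.11.101.112", "realhostip.com")); // still current
        System.out.println(refresh(old, "10.11.101.120", "company.com"));    // stale, rebuilt
    }
}
```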

