cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chiradeep Vittal <chirade...@gmail.com>
Subject Re: Modern template hosting
Date Mon, 27 Feb 2017 21:36:53 GMT
Hashes are checked (md5 IIRC) today.
But given the issues, I think the project should steer away from hosting
templates except the systemvm template.

On Mon, Feb 27, 2017 at 1:31 PM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> Will, I think we could support different path structures. This can
> facilitate different deployment of mirrors based on the structure the host
> has.
>
> Could I add something else to the discussion? Have we discussed the
> security impacts of setting up this mirrors approach?
> I mean, if any of the mirrors gets corrupted (let`s say by a hacker), and
> the templates are injected with malicious code, an attacker could
> potentially get un-monitored and unlimited access to a cloud environment.
>
> If we assume that the mirror may get malicious (it is not that I do not
> trust you guys, but bad things happen), we cannot host hashes there. Where
> do you think we could store Sha512 or another hash type for these
> templates? Could we host in the newly proposed Github repo or maybe some
> place in the ACS website?
>
> This would have an impact on clients (needing clear documentation) and our
> code that automatically downloads System VM templates (does it check hashes
> when automatically installing templates today? It may require
> implementation changes).
>
> On Mon, Feb 27, 2017 at 3:48 PM, Will Stevens <wstevens@cloudops.com>
> wrote:
>
> > so this is what I am looking to do.  Please let me know if you have
> > suggestions for me or think I should be solving the problem a different
> > way.
> >
> > - We request a new Github repository from the ASF at:
> > 'apache/cloudstack-mirror-list'
> > - In this repository we track a text file in the 'gh-pages' branch with a
> > list of valid download mirrors.
> > - I build a binary to be hosted by the ASF (or at least with the ASF
> > pointing a domain at the binary and I could potentially host it).  We
> will
> > see how they want to handle the hosting of the binary.
> >
> > The binary would expose a web server which would behave as follows:
> > - When the 'client' requests a download url the following flow is kicked
> > off:
> > -- The mirror list is queried from github (or from a static site hosted
> on
> > asf, as we see fit).
> > -- The Lat/Lon of the 'client' is determined based on their IP.
> > -- The Lat/Lon for each of the 'mirror's is determined based on an IP
> > lookup of the hostname.
> > -- The closest geographical mirror is determined, the target is validated
> > to be available and the user is redirected.
> >
> > Some questions I have right now:
> > - Will every mirror have the same path structure to access the equivalent
> > resources?
> > - Should we support adding a path to the mirror url to specify the path
> to
> > the base common path?
> > -- Example: lets say the binary is hosted on 'dl.acs.com' and there are
> > three mirrors 'abc.com', 'pqr.com/files' and 'xyx.com/downloads'.
> > -- If the path being requested is '
> > dl.acs.com/templates/systemvm-4.6.xen.vhd.bz2', it would result in the
> > following potential paths for the mirrors:
> > -- 'abc.com/templates/systemvm-4.6.xen.vhd.bz2'
> > -- 'pqr.com/files/templates/systemvm-4.6.xen.vhd.bz2'
> > -- 'xyz.com/downloads/templates/systemvm-4.6.xen.vhd.bz2'
> >
> > Does this all make sense?
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > <https://goo.gl/NYZ8KK>
> >
> > On Mon, Feb 27, 2017 at 1:31 PM, Chiradeep Vittal <chiradeepv@gmail.com>
> > wrote:
> >
> > > My bad. A few lines down, this has been added recently:
> > >
> > > this.request.setFollowRedirects(true);
> > >
> > > On Mon, Feb 27, 2017 at 10:15 AM, Will Stevens <
> williamstevens@gmail.com
> > >
> > > wrote:
> > >
> > > > OK. Thanks for the heads up.
> > > >
> > > > On Feb 27, 2017 1:08 PM, "Chiradeep Vittal" <chiradeepv@gmail.com>
> > > wrote:
> > > >
> > > > > Sounds workable. The downloader code in the SSVM won't follow
> > > redirects I
> > > > > think.
> > > > > https://github.com/apache/cloudstack/blob/
> > > 5511065fc20787619d9cd0444a65a3
> > > > > 155fc9c921/core/src/com/cloud/storage/template/
> > > > > HttpTemplateDownloader.java#L93
> > > > > https://goo.gl/dSi0r5
> > > > >  Might need to add
> > > > > client.setRedirectStrategy(new LaxRedirectStrategy());
> > > > >
> > > > > On Mon, Feb 27, 2017 at 9:57 AM, Will Stevens <
> wstevens@cloudops.com
> > >
> > > > > wrote:
> > > > >
> > > > > > We haven't opened a ticket yet because we don't have a strategy
> > yet.
> > > > > >
> > > > > > What do you guys think of this:
> > > > > > - We setup a new github repo in the 'apache' org which consists
> of
> > a
> > > > > single
> > > > > > file with a list of active/supported mirrors.
> > > > > > - I write a small web server, distributed as a binary, which
can
> be
> > > > > hosted
> > > > > > by ASF Infra.  This web server will query the current list of
> > mirrors
> > > > and
> > > > > > will select one and then do a 302 redirect to that mirror.
> > > > > >
> > > > > > The act of 'choosing' a mirror could be done in a number of
ways.
> > > > > > - If we want to define an order, then it could just try from
the
> > top
> > > of
> > > > > the
> > > > > > list and work its way down.  It would curl the target to make
> sure
> > it
> > > > > gets
> > > > > > a 200 and if it does, it would do a 302 redirect.
> > > > > > - Or, if we want to distribute the load across the mirrors,
we
> > could
> > > > pick
> > > > > > from the list randomly.  Again, doing a curl to verify the mirror
> > is
> > > up
> > > > > and
> > > > > > then doing a redirect.
> > > > > > - If we want to get fancy, we could do a reverse IP lookup and
> try
> > to
> > > > > match
> > > > > > the requester with their closest geographical mirror.
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > > *Will STEVENS*
> > > > > > Lead Developer
> > > > > >
> > > > > > <https://goo.gl/NYZ8KK>
> > > > > >
> > > > > > On Mon, Feb 27, 2017 at 12:46 PM, Chiradeep Vittal <
> > > > chiradeepv@gmail.com
> > > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > What steps are needed to set up a mirror? What does Infra
need
> to
> > > do?
> > > > > Has
> > > > > > > anybody filed a ticket with Infra?
> > > > > > >
> > > > > > > On Sun, Feb 26, 2017 at 10:17 PM, Raja Pullela <
> > > > > > > raja.pullela@accelerite.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi will,
> > > > > > > >
> > > > > > > > I believe, we didn’t get to close ‘getting a mirror
on
> Apache’
> > > > > because
> > > > > > we
> > > > > > > > needed someone on the Apache Infra side to close this.
BTW,
> > > > > > > > cloudstack-apt.get.eu (I think Nux manages this?)
has
> all/most
> > > of
> > > > > the
> > > > > > > > content.  Once we can close on the Apache mirror for
hosting
> > the
> > > > > > > content, I
> > > > > > > > can help assist getting the content there.
> > > > > > > >
> > > > > > > > For now, we have replicated the download.cloud.com
content
> to
> > ‘
> > > > > > > > s3.download.accelerite.com’.
> > > > > > > > Also, we are working on a set of steps/procedure to
help with
> > > this
> > > > > > > > change.  I will update everyone in about a week’s
time on the
> > > > > details.
> > > > > > > >
> > > > > > > > Best,
> > > > > > > > Raja Pullela
> > > > > > > > Engineering Team,
> > > > > > > > Accelerite, 2055 Laurelwood Road,
> > > > > > > > Santa Clara, CA, 95054
> > > > > > > >
> > > > > > > > On 2/24/17, 11:23 PM, "williamstevens@gmail.com on
behalf of
> > > Will
> > > > > > > > Stevens" <williamstevens@gmail.com on behalf of
> > > > > wstevens@cloudops.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > unfortunately the template mirror conversation got
caught up
> in
> > > > > details
> > > > > > > and
> > > > > > > > nobody took the lead on implementing a solution.
> > > > > > > >
> > > > > > > > citrix has been pinging me every couple months to
say 'dude,
> we
> > > > need
> > > > > to
> > > > > > > > remove the dependency on download.citrix.com', but
i have
> not
> > > had
> > > > > the
> > > > > > > > cycles to get in and solve the problem.  the shutdown
of that
> > is
> > > > > > imminent
> > > > > > > > right now, so we need to solve it asap.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > *Will STEVENS*
> > > > > > > > Lead Developer
> > > > > > > >
> > > > > > > > <https://goo.gl/NYZ8KK>
> > > > > > > >
> > > > > > > > On Fri, Feb 24, 2017 at 12:38 PM, Paul Angus <
> > > > > paul.angus@shapeblue.com
> > > > > > >
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Hi Nathan,
> > > > > > > > >
> > > > > > > > > Ideally, if you put the template location in
(or use a
> > template
> > > > > > defined
> > > > > > > > > in)  test_data.py then the actual location can
be
> overridden
> > by
> > > > > > anyone
> > > > > > > > > testing.
> > > > > > > > >
> > > > > > > > > For Trillian, we've copied all of the templates
that people
> > > have
> > > > > > define
> > > > > > > > to
> > > > > > > > > a local repo and then replace the URLs in test_data.py
to
> > > reduce
> > > > > > > > bandwidth
> > > > > > > > > use and download times.
> > > > > > > > >
> > > > > > > > > Ie:
> > > > > > > > >
> > > > > > > > >             "bootableIso":
> > > > > > > > >                 {
> > > > > > > > >                     "displaytext": "Test Bootable
ISO",
> > > > > > > > >                     "name": "testISO",
> > > > > > > > >                     "bootable": True,
> > > > > > > > >                     "ispublic": False,
> > > > > > > > >                     "url": "{{ marvin_images_location
> > > > > > > > > }}/TinyCore-current.iso",
> > > > > > > > >                     "ostype": 'Other Linux (64-bit)',
> > > > > > > > >                     "mode": 'HTTP_DOWNLOAD'
> > > > > > > > >         },
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > I thought that we had come up with a solution
for
> > > > > download.cloud.com
> > > > > > ,
> > > > > > > by
> > > > > > > > > having a mirrorlist hosted in Community Apache
'space' with
> > > > anyone
> > > > > > able
> > > > > > > > to
> > > > > > > > > out themselves forward as a mirror.
> > > > > > > > > But I must admit I lost track of whether anyone
made the
> > > > requisite
> > > > > > > > changes
> > > > > > > > > in code....
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Kind regards,
> > > > > > > > >
> > > > > > > > > Paul Angus
> > > > > > > > >
> > > > > > > > > paul.angus@shapeblue.com
> > > > > > > > > www.shapeblue.com
> > > > > > > > > 53 Chandos Place, Covent Garden, London  WC2N
4HSUK
> > > > > > > > > @shapeblue
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: williamstevens@gmail.com [mailto:
> williamstevens@gmail.
> > > com]
> > > > > On
> > > > > > > > > Behalf Of Will Stevens
> > > > > > > > > Sent: 24 February 2017 16:30
> > > > > > > > > To: dev@cloudstack.apache.org
> > > > > > > > > Subject: Re: Modern template hosting
> > > > > > > > >
> > > > > > > > > this is a hard questions.  in general, we should
be setting
> > up
> > > a
> > > > > > mirror
> > > > > > > > on
> > > > > > > > > some cloudstack/apache domain and then mirror
to other
> > provided
> > > > > > > > templates.
> > > > > > > > >
> > > > > > > > > we MUST come up with a solution to deprecate
'
> > > download.cloud.com
> > > > ',
> > > > > > > that
> > > > > > > > > is going to be going away any day now.
> > > > > > > > >
> > > > > > > > > i don't know the right way to solve this to be
honest, but
> if
> > > you
> > > > > > have
> > > > > > > > > ideas, i am willing to help.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > *Will STEVENS*
> > > > > > > > > Lead Developer
> > > > > > > > >
> > > > > > > > > <https://goo.gl/NYZ8KK>
> > > > > > > > >
> > > > > > > > > On Fri, Feb 24, 2017 at 11:25 AM, Nathan Johnson
<
> > > > njohnson@ena.com
> > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > So not to re-open a can of worms, but I’m
in a situation
> > > where
> > > > I
> > > > > > need
> > > > > > > > > > to come up with a Marvin component test
that depends on a
> > > > > template
> > > > > > > > > > based on a kernel that’s relatively new,
i.e., newer than
> > > > Centos
> > > > > > 5.3
> > > > > > > /
> > > > > > > > > Ubuntu 10.04 .
> > > > > > > > > > I see openvm.eu has a suitable template
(Ubuntu 16.0.4
> for
> > > > KVM),
> > > > > > but
> > > > > > > > > > from looking at the thread "Migrating CloudStack
content
> > from
> > > > > > > > > > download.cloud.com” it looks like there
is resistance to
> > > using
> > > > > > this
> > > > > > > at
> > > > > > > > > > least for hosting system vm templates over
concerns of
> > > > > neutrality.
> > > > > > > > > > Would this be suitable for a component test?
 If not,
> what
> > > is a
> > > > > > > > “blessed”
> > > > > > > > > > template location?
> > > > > > > > > >
> > > > > > > > > > Thanks in advance!
> > > > > > > > > >
> > > > > > > > > > Nathan Johnson
> > > > > > > > > > R&D Engineer
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > 618 Grassmere Park Drive, Suite 12
> > > > > > > > > > Nashville, TN 37211
> > > > > > > > > > General Office: 615-312-6000
> > > > > > > > > >
> > > > > > > > > > website | blog | support
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > DISCLAIMER
> > > > > > > > ==========
> > > > > > > > This e-mail may contain privileged and confidential
> information
> > > > which
> > > > > > is
> > > > > > > > the property of Accelerite, a Persistent Systems business.
It
> > is
> > > > > > intended
> > > > > > > > only for the use of the individual or entity to which
it is
> > > > > addressed.
> > > > > > If
> > > > > > > > you are not the intended recipient, you are not authorized
to
> > > read,
> > > > > > > retain,
> > > > > > > > copy, print, distribute or use this message. If you
have
> > received
> > > > > this
> > > > > > > > communication in error, please notify the sender and
delete
> all
> > > > > copies
> > > > > > of
> > > > > > > > this message. Accelerite, a Persistent Systems business
does
> > not
> > > > > accept
> > > > > > > any
> > > > > > > > liability for virus infected mails.
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
>
>
> --
> Rafael Weingärtner
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message