cloudstack-dev mailing list archives

From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [DISCUSS] Freezing master for 4.11
Date Fri, 19 Jan 2018 09:13:49 GMT
Hi Kristian,


I looked at https://issues.apache.org/jira/browse/CLOUDSTACK-10141


If the new VM is deployed with a password and/or ssh-key enabled VM template, then VR should
get new password and the user/account specific ssh-public key so the mentioned issues don't
affect such new VMs. However, I agree VMs may have access to old VM's password (if not consumed)
and ssh-public key if they are not password/ssh-public-key enabled - but they may be useless/stale
information and I feel they are more of a GC issue than a security issue.


Are you able to reproduce a case when a new VM deployed using old VM's IP and with a password
and/or public-key enabled template is getting the password and/or ssh-public-key from old
VM (and the old user/account)? I think if yes, then it's a security issue.


Thoughts, comments?


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Kristian Liivak <kris@wavecom.ee>
Sent: Monday, January 15, 2018 4:19:03 PM
To: users
Cc: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

Hello,

I created an issue in Jira 2 months ago.
https://issues.apache.org/jira/browse/CLOUDSTACK-10141

In version 4.10 VR password and ssh key distribution don't work on instance creation.
When instance is already existing reset function is operational.

Also there is major security hole. When instance is destroyed and expunged and new instance
is created with old IP all old data is unaffected in VR.
New instance will get then old root password and ssh key if they were present in VR.

In my knowledge cloudstack older versions are not affected.

Lugupidamisega / Regards

Kristian Liivak

CTO

WaveCom As
Endla 16, 10142 Tallinn
Estonia
Tel: +3726850001
Gsm: +37256850001
E-mail: kris@wavecom.ee
Skype: kristian.liivak
http://www.wavecom.ee
http://www.facebook.com/wavecom.ee


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

----- Original Message -----
From: "Rohit Yadav" <rohit.yadav@shapeblue.com>
To: dev@cloudstack.apache.org, "users" <users@cloudstack.apache.org>
Sent: Sunday, January 14, 2018 8:41:15 PM
Subject: Re: [DISCUSS] Freezing master for 4.11

All,


To give you an update, all feature PRs have been reviewed, tested and merged towards the 4.11.0.0.
I'll engage with Mike and others for any post-merge regressions (smoketest to be kicked shortly).


I see an outstanding PR that may be a critical/blocker PR, please advise and also review:

https://github.com/apache/cloudstack/pull/2402


If anyone has any blocker to report, please do so. Thanks.


I'll cut RC1 as planned by EOD today (Mon/15 Jan 2018).


- Rohit


________________________________
From: Tutkowski, Mike <Mike.Tutkowski@netapp.com>
Sent: Saturday, January 13, 2018 3:23:40 AM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Freezing master for 4.11

I’m investigating these now. I have found and fixed two of them so far.



> On Jan 12, 2018, at 2:49 PM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
>
> Thanks Rafael and Daan.
>
>
>> From: Rafael Weingärtner <rafaelweingartner@gmail.com>
>>
>> I believe there is no problem in merging Wido’s and Mike’s PRs, they have
>> been extensively discussed and improved (especially Mike’s one).
>
> Thanks, Mike's PR has several regression smoketest failures and can be accepted only when those failures are fixed.
>
> We'll cut 4.11 branch start rc1 on Monday that would be a hard freeze. If Mike wants, he can help fix them over the weekend, I can help run smoketests.
>
>> Having said that; I would be ok with it (no need to revert it), but we need
>> to be more careful with these things. If one wants to merge something,
>> there is no harm in waiting and calling for reviewers via Github, Slack, or
>> even email them directly.
>
> Additional review was requested, but mea culpa - thanks for your support, noted.
>
> - Rohit
>
> On Fri, Jan 12, 2018 at 3:57 PM, Rohit Yadav <rohit.yadav@shapeblue.com>
> wrote:
>
>> All,
>>
>>
>> We're down to one feature PR towards 4.11 milestone now:
>>
>> https://github.com/apache/cloudstack/pull/2298
>>
>>
>> The config drive PR from Frank (Nuage) has been accepted today after no
>> regression test failures seen from yesterday's smoketest run. We've also
>> tested, reviewed and merged Wido's (blocker fix) PR.
>>
>>
>> I've asked Mike to stabilize the branch; based on the smoketest results
>> from today we can see some failures caused by the PR. I'm willing to work
>> with Mike and others to get this PR tested, and merged over the weekends if
>> we can demonstrate that no regression is caused by it, i.e. no new
>> smoketest regressions. I'll also try to fix regression and test failures
>> over the weekend.
>>
>>
>> Lastly, I would like to discuss a mistake I made today with merging the
>> following PR which per our guideline lacks one code review lgtm/approval:
>>
>> https://github.com/apache/cloudstack/pull/2152
>>
>>
>> The changes in above (merged) PR are all localized to a xenserver-swift
>> file, that is not tested by Travis or Trillian, since no new regression
>> failures were seen I accepted and merged it on that discretion. The PR was
>> originally on the 4.11 milestone, however, due to it lacking a JIRA id and
>> no response from the author it was only recently removed from the milestone.
>>
>>
>> Please advise if I need to revert this, or we can review/lgtm it
>> post-merge? I'll also ping on the above PR.
>>
>>
>> - Rohit
>>
>>
>>
>>
>> ________________________________
>> From: Wido den Hollander <wido@widodh.nl>
>> Sent: Thursday, January 11, 2018 9:17:26 PM
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] Freezing master for 4.11
>>
>>
>>
>>> On 01/10/2018 07:26 PM, Daan Hoogland wrote:
>>> I hope we understand each other correctly: No-one running an earlier
>>> version than 4.11 should miss out on any functionality they are using now.
>>>
>>> So if you use ipv6 and multiple cidrs now it must continue to work with no
>>> loss of functionality. see my question below.
>>>
>>> On Wed, Jan 10, 2018 at 7:06 PM, Ivan Kudryavtsev <kudryavtsev_ia@bw-sw.com> wrote:
>>>
>>>> Daan, yes this sounds reasonable, I suppose who would like to fix, could
>>>> do custom build for himself...
>>>>
>>>> But still it should be acknowledged somehow, if you use several cidrs for
>>>> network, don't use v6, or don't upgrade to 4.11 because things will stop
>>>> running well.
>>>>
>>> Does this mean that several cidrs in ipv6 works in 4.9 and not in 4.11?
>>>
>>
>> No, it doesn't. IPv6 was introduced in 4.10 and this broke in 4.10.
>>
>> You can't run with 4.10 with multiple IPv4 CIDRs as well when you have
>> IPv6 enabled.
>>
>> So this is broken in 4.10 and 4.11 in that case.
>>
>> Wido
>>
>>>
>>> if yes; it is a blocker
>>>
>>> if no; you might as well upgrade for other features as it doesn't work now
>>> either.
>>>
>>
>
>
> --
> Rafael Weingärtner
>
