cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ugo Vasi <ugo.v...@procne.it.INVALID>
Subject Re: secure hosts communications
Date Thu, 31 Jan 2019 08:54:06 GMT
Hi Rohit,
sorry if I insist with the questions... by launching the procedure, does 
the framework rebuild and "overwrite" the configuration of the certificates?

Il 31/01/19 09:28, Ugo Vasi ha scritto:
> Hi Rohit,
> this is a fresh installed infrastructure, but we had some hardware 
> problems (a mgms server restart) and now the hosts are in "unsecure" 
> state.
>
> Do you have any idea how it could have happened to go to this state? 
> I'm analyzing the logs but I do not find much about it.
>
> Il 31/01/19 08:38, Rohit Yadav ha scritto:
>>
>> Hi Ugo,
>>
>>
>> If it's a fresh 4.11.2.0 installation you don't need to do anything 
>> you'll get your KVM hosts secured after you add them.
>>
>>
>> TL;DR - If you're upgrading, you simply need to run the 
>> provisionCertificate API against each of your KVM hosts after 
>> installation and upgrade. Refer: 
>> http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#securing-process
>>
>>
>>
>> - Rohit
>>
>>
>>
>> rohit.yadav@shapeblue.com
>> www.shapeblue.com
>> @shapeblue
>>
>> ------------------------------------------------------------------------
>> *From:* Ugo Vasi <ugo.vasi@procne.it>
>> *Sent:* Wednesday, January 30, 2019 6:43:00 PM
>> *To:* Rohit Yadav; users@cloudstack.apache.org
>> *Subject:* Re: secure hosts communications
>> Hi Rohit,
>> what I do not understand is if in this ACS version (4.11.2.0) you have
>> to start the procedure manually or it is done during the installation.
>> Did I skip some steps during the installation?
>>
>> Thanks
>>
>> Il 30/01/19 13:37, Rohit Yadav ha scritto:
>> >
>> > Hi Ugo,
>> >
>> >
>> > This will be a one-time procedure, and the KVM host and the VMs do not
>> > need a reboot but the provisionCertificate API will restart the
>> > libvirtd process (just check if that can have any side effects for
>> > your VMs/distro, on most modern distros restarting libvirtd does not
>> > have any side-effects on existing running VMs).
>> >
>> >
>> > - Rohit
>> >
>> >
>> >
>> > rohit.yadav@shapeblue.com
>> > www.shapeblue.com <http://www.shapeblue.com>
>> > @shapeblue
>> >
>> > 
>> ------------------------------------------------------------------------
>> > *From:* Ugo Vasi <ugo.vasi@procne.it>
>> > *Sent:* Wednesday, January 30, 2019 4:47:09 PM
>> > *To:* users@cloudstack.apache.org; Rohit Yadav
>> > *Subject:* Re: secure hosts communications
>> > Hi Rohit,
>> > I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM 
>> hypervisor)
>> > I see that all the hosts are in unsecure state from the UI and so the
>> > live migration don't works (we had trubles with mgmt server).
>> >
>> > I read in the documentation that launching the provisionCertificate 
>> API
>> > (by pressing the appropriate button in the UI) the certificates 
>> will be
>> > renewed/regenerated for already connected agents/hosts.
>> >
>> > I do not understand if provisioning should be done manually on each 
>> host
>> > or if the procedure should be done only once.
>> >
>> > Do this procedure reboot the host or the instances that it contains?
>> >
>> >
>> > Thanks
>> >
>> >
>> >
>> > Il 27/11/18 09:49, Rohit Yadav ha scritto:
>> > > Hi Richard,
>> > >
>> > >
>> > > Please read:
>> > 
>> http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
>> > >
>> > >
>> > > 4.11.2 is out, please consider using it instead of 4.11.1 as it has
>> > several bugfixes etc.
>> > >
>> > > In short, with all of your KVM hosts up and connected to mgmt
>> > server, first change the auth strictness global setting to true, then
>> > using API secure the hosts using the provisionCertificate API. In the
>> > UI, go to your hosts that don't show up as secure and click on the key
>> > button (a new button) to secure the host which calls the
>> > provisionCertificate API as well.
>> > >
>> > >
>> > > - Rohit
>> > >
>> > > <https://cloudstack.apache.org>
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Richard Persaud <richard.persaud@macys.com>
>> > > Sent: Monday, November 26, 2018 8:19:56 PM
>> > > To: users@cloudstack.apache.org
>> > > Subject: RE: secure hosts communications
>> > >
>> > > Thank you, Rohit.
>> > >
>> > > I am using 4.11.1 with a full KVM environment. They are showing
>> > unsecure with strictness set to true.
>> > >
>> > > What configuration needs to be adjusted to have the KVM hosts show
>> > secure?
>> > >
>> > > Regards,
>> > >
>> > > Richard Persaud
>> > >
>> > > From: Rohit Yadav <rohit.yadav@shapeblue.com>
>> > > Sent: Saturday, November 24, 2018 2:02 PM
>> > > To: users@cloudstack.apache.org
>> > > Subject: Re: secure hosts communications
>> > >
>> > > ⚠ EXT MSG:
>> > >
>> > > Richard,
>> > >
>> > >
>> > > Starting 4.11, agent and management servers will use an in-built CA
>> > framework to secured hosts. Only in case of KVM hosts you may see an
>> > insecure state, otherwise all KVM hosts (agents) and SSVM/CPVM agents
>> > will by default in Up state will be secured. There is an auth
>> > strictness setting that should be true.
>> > >
>> > >
>> > >
>> > > - Rohit
>> > >
>> > > <https://cloudstack.apache.org>
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Richard Persaud
>> > <richard.persaud@macys.com<mailto:richard.persaud@macys.com>>
>> > > Sent: Saturday, November 24, 2018 4:21:24 AM
>> > > To: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>
>> > > Subject: secure hosts communications
>> > >
>> > > Hello,
>> > >
>> > > Is there straight-forward to enable secure communications between
>> > the management and the hosts?
>> > >
>> > > I have looked at many documentations but am still unable to get the
>> > hosts to show a "secure" state.
>> > >
>> > > Regards,
>> > >
>> > > Richard Persaud
>> > >
>> > >
>> > > rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>
>> > >
>> > 
>> www.shapeblue.com<https://isolate.menlosecurity.com/0/eJyrViotylGyUsooKSmw0tcvLy_XK85ILEhNyilN1UvOz1XSUSrKV7Iy1FEqyUwBqjM0MFaqBQDf4BCe>
>> > > Amadeus House, Floral Street, London  WC2E 9DPUK
>> > > @shapeblue
>> > >
>> > >
>> > >
>> > >
>> > > * This is an EXTERNAL EMAIL. Stop and think before clicking a link
>> > or opening attachments.
>> > >
>> > > rohit.yadav@shapeblue.com
>> > > www.shapeblue.com <http://www.shapeblue.com> 
>> <http://www.shapeblue.com>
>> > > Amadeus House, Floral Street, London  WC2E 9DPUK
>> > > @shapeblue
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> > --
>> >
>> > *Ugo Vasi* / System Administrator
>> > ugo.vasi@procne.it <mailto:ugo.vasi@procne.it>
>> >
>> >
>> >
>> >
>> > *Procne S.r.l.*
>> > +39 0432 486 523
>> > via Cotonificio, 45
>> > 33010 Tavagnacco (UD)
>> > www.procne.it <http://www.procne.it> <http://www.procne.it> 
>> <http://www.procne.it/>
>> >
>> >
>> > Le informazioni contenute nella presente comunicazione ed i relativi
>> > allegati possono essere riservate e sono, comunque, destinate
>> > esclusivamente alle persone od alla Società sopraindicati. La
>> > diffusione, distribuzione e/o copiatura del documento trasmesso da 
>> parte
>> > di qualsiasi soggetto diverso dal destinatario è proibita sia ai sensi
>> > dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. 196/2003
>> > "Codice in materia di protezione dei dati personali". Se avete 
>> ricevuto
>> > questo messaggio per errore, vi preghiamo di distruggerlo e di 
>> informare
>> > immediatamente Procne S.r.l. scrivendo all' indirizzo e-mail
>> > info@procne.it <mailto:info@procne.it>.
>> >
>>
>>
>> -- 
>>
>> *Ugo Vasi* / System Administrator
>> ugo.vasi@procne.it <mailto:ugo.vasi@procne.it>
>>
>>
>>
>>
>> *Procne S.r.l.*
>> +39 0432 486 523
>> via Cotonificio, 45
>> 33010 Tavagnacco (UD)
>> www.procne.it <http://www.procne.it> <http://www.procne.it/>
>>
>>
>> Le informazioni contenute nella presente comunicazione ed i relativi
>> allegati possono essere riservate e sono, comunque, destinate
>> esclusivamente alle persone od alla Società sopraindicati. La
>> diffusione, distribuzione e/o copiatura del documento trasmesso da parte
>> di qualsiasi soggetto diverso dal destinatario è proibita sia ai sensi
>> dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. 196/2003
>> "Codice in materia di protezione dei dati personali". Se avete ricevuto
>> questo messaggio per errore, vi preghiamo di distruggerlo e di informare
>> immediatamente Procne S.r.l. scrivendo all' indirizzo e-mail
>> info@procne.it <mailto:info@procne.it>.
>>
>
>


-- 

*Ugo Vasi* / System Administrator
ugo.vasi@procne.it <mailto:ugo.vasi@procne.it>




*Procne S.r.l.*
+39 0432 486 523
via Cotonificio, 45
33010 Tavagnacco (UD)
www.procne.it <http://www.procne.it/>


Le informazioni contenute nella presente comunicazione ed i relativi 
allegati possono essere riservate e sono, comunque, destinate 
esclusivamente alle persone od alla Società sopraindicati. La 
diffusione, distribuzione e/o copiatura del documento trasmesso da parte 
di qualsiasi soggetto diverso dal destinatario è proibita sia ai sensi 
dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. 196/2003 
"Codice in materia di protezione dei dati personali". Se avete ricevuto 
questo messaggio per errore, vi preghiamo di distruggerlo e di informare 
immediatamente Procne S.r.l. scrivendo all' indirizzo e-mail 
info@procne.it <mailto:info@procne.it>.


Mime
View raw message