cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ugo Vasi <ugo.v...@procne.it.INVALID>
Subject Re: secure hosts communications
Date Wed, 30 Jan 2019 13:13:00 GMT
Hi Rohit,
what I do not understand is if in this ACS version (4.11.2.0) you have 
to start the procedure manually or it is done during the installation. 
Did I skip some steps during the installation?

Thanks

Il 30/01/19 13:37, Rohit Yadav ha scritto:
>
> Hi Ugo,
>
>
> This will be a one-time procedure, and the KVM host and the VMs do not 
> need a reboot but the provisionCertificate API will restart the 
> libvirtd process (just check if that can have any side effects for 
> your VMs/distro, on most modern distros restarting libvirtd does not 
> have any side-effects on existing running VMs).
>
>
> - Rohit
>
>
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> @shapeblue
>
> ------------------------------------------------------------------------
> *From:* Ugo Vasi <ugo.vasi@procne.it>
> *Sent:* Wednesday, January 30, 2019 4:47:09 PM
> *To:* users@cloudstack.apache.org; Rohit Yadav
> *Subject:* Re: secure hosts communications
> Hi Rohit,
> I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM hypervisor)
> I see that all the hosts are in unsecure state from the UI and so the
> live migration don't works (we had trubles with mgmt server).
>
> I read in the documentation that launching the provisionCertificate API
> (by pressing the appropriate button in the UI) the certificates will be
> renewed/regenerated for already connected agents/hosts.
>
> I do not understand if provisioning should be done manually on each host
> or if the procedure should be done only once.
>
> Do this procedure reboot the host or the instances that it contains?
>
>
> Thanks
>
>
>
> Il 27/11/18 09:49, Rohit Yadav ha scritto:
> > Hi Richard,
> >
> >
> > Please read: 
> http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
> >
> >
> > 4.11.2 is out, please consider using it instead of 4.11.1 as it has 
> several bugfixes etc.
> >
> > In short, with all of your KVM hosts up and connected to mgmt 
> server, first change the auth strictness global setting to true, then 
> using API secure the hosts using the provisionCertificate API. In the 
> UI, go to your hosts that don't show up as secure and click on the key 
> button (a new button) to secure the host which calls the 
> provisionCertificate API as well.
> >
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> >
> >
> > ________________________________
> > From: Richard Persaud <richard.persaud@macys.com>
> > Sent: Monday, November 26, 2018 8:19:56 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: secure hosts communications
> >
> > Thank you, Rohit.
> >
> > I am using 4.11.1 with a full KVM environment. They are showing 
> unsecure with strictness set to true.
> >
> > What configuration needs to be adjusted to have the KVM hosts show 
> secure?
> >
> > Regards,
> >
> > Richard Persaud
> >
> > From: Rohit Yadav <rohit.yadav@shapeblue.com>
> > Sent: Saturday, November 24, 2018 2:02 PM
> > To: users@cloudstack.apache.org
> > Subject: Re: secure hosts communications
> >
> > ⚠ EXT MSG:
> >
> > Richard,
> >
> >
> > Starting 4.11, agent and management servers will use an in-built CA 
> framework to secured hosts. Only in case of KVM hosts you may see an 
> insecure state, otherwise all KVM hosts (agents) and SSVM/CPVM agents 
> will by default in Up state will be secured. There is an auth 
> strictness setting that should be true.
> >
> >
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> >
> >
> > ________________________________
> > From: Richard Persaud 
> <richard.persaud@macys.com<mailto:richard.persaud@macys.com>>
> > Sent: Saturday, November 24, 2018 4:21:24 AM
> > To: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>
> > Subject: secure hosts communications
> >
> > Hello,
> >
> > Is there straight-forward to enable secure communications between 
> the management and the hosts?
> >
> > I have looked at many documentations but am still unable to get the 
> hosts to show a "secure" state.
> >
> > Regards,
> >
> > Richard Persaud
> >
> >
> > rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>
> > 
> www.shapeblue.com<https://isolate.menlosecurity.com/0/eJyrViotylGyUsooKSmw0tcvLy_XK85ILEhNyilN1UvOz1XSUSrKV7Iy1FEqyUwBqjM0MFaqBQDf4BCe>
> > Amadeus House, Floral Street, London  WC2E 9DPUK
> > @shapeblue
> >
> >
> >
> >
> > * This is an EXTERNAL EMAIL. Stop and think before clicking a link 
> or opening attachments.
> >
> > rohit.yadav@shapeblue.com
> > www.shapeblue.com <http://www.shapeblue.com>
> > Amadeus House, Floral Street, London  WC2E 9DPUK
> > @shapeblue
> >
> >
> >
> >
> >
> >
>
>
> -- 
>
> *Ugo Vasi* / System Administrator
> ugo.vasi@procne.it <mailto:ugo.vasi@procne.it>
>
>
>
>
> *Procne S.r.l.*
> +39 0432 486 523
> via Cotonificio, 45
> 33010 Tavagnacco (UD)
> www.procne.it <http://www.procne.it> <http://www.procne.it/>
>
>
> Le informazioni contenute nella presente comunicazione ed i relativi
> allegati possono essere riservate e sono, comunque, destinate
> esclusivamente alle persone od alla Società sopraindicati. La
> diffusione, distribuzione e/o copiatura del documento trasmesso da parte
> di qualsiasi soggetto diverso dal destinatario è proibita sia ai sensi
> dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. 196/2003
> "Codice in materia di protezione dei dati personali". Se avete ricevuto
> questo messaggio per errore, vi preghiamo di distruggerlo e di informare
> immediatamente Procne S.r.l. scrivendo all' indirizzo e-mail
> info@procne.it <mailto:info@procne.it>.
>


-- 

*Ugo Vasi* / System Administrator
ugo.vasi@procne.it <mailto:ugo.vasi@procne.it>




*Procne S.r.l.*
+39 0432 486 523
via Cotonificio, 45
33010 Tavagnacco (UD)
www.procne.it <http://www.procne.it/>


Le informazioni contenute nella presente comunicazione ed i relativi 
allegati possono essere riservate e sono, comunque, destinate 
esclusivamente alle persone od alla Società sopraindicati. La 
diffusione, distribuzione e/o copiatura del documento trasmesso da parte 
di qualsiasi soggetto diverso dal destinatario è proibita sia ai sensi 
dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. 196/2003 
"Codice in materia di protezione dei dati personali". Se avete ricevuto 
questo messaggio per errore, vi preghiamo di distruggerlo e di informare 
immediatamente Procne S.r.l. scrivendo all' indirizzo e-mail 
info@procne.it <mailto:info@procne.it>.


Mime
View raw message