incubator-cloudstack-dev mailing list archives

From John Burwell <jburw...@basho.com>
Subject Re: issue with 4.1
Date Mon, 04 Mar 2013 16:15:39 GMT
Chip,

I neglected to mention in my reply that the extracted utility script would also need to be
refactored to accept the various important bits (e.g. password, type, and length) into command
line parameters or prompt the user.  The core of the security issue I see is the defaulting
of the password to "vmops.com", and assumptions about certificate strength.

Thanks,
-John

On Mar 4, 2013, at 11:13 AM, John Burwell <jburwell@basho.com> wrote:

> Chip,
> 
> My recommendation in the ticket is to extract the script from the management server to
> an external script provided as a convenience to end users.  If we encounter a situation where
> a certificate is not present, provide a meaningful error message in the logs and exit.  If
> a user needs help generating an SSL certificate, they can execute the script with the
> appropriate parameters.  Otherwise, they will generate/procure one through external means.
> 
> Thanks,
> -John
> 
> On Mar 4, 2013, at 10:59 AM, Chip Childers <chip.childers@sungard.com> wrote:
> 
>> On Mon, Mar 04, 2013 at 08:51:03AM -0700, Marcus Sorensen wrote:
>>> There's a bug for this, I think it's related to passwordless sudo for
>>> cloud user on management server.
>> 
>> Is this the one?
>> 
>> https://issues.apache.org/jira/browse/CLOUDSTACK-1389
>> 
>>> 
>>> On Mon, Mar 4, 2013 at 6:52 AM, Sebastien Goasguen <runseb@gmail.com> wrote:
>>>> Hi I am trying to test the latest 4.1 (and 4.1l10n branch).
>>>> 
>>>> I am on OSX 10.8.2, I had to update to JDK 1.7 to get things going.
>>>> 
>>>> and after a 'clean install' I get stuck with:
>>>> 
>>>> Password:WARN  [utils.script.Script] (Script-1:) Interrupting script.
>>>> WARN  [utils.script.Script] (Timer-2:) Timed out: sudo keytool -genkey -keystore /Users/sebastiengoasguen/Documents/incubator-cloudstack/client/target/cloud-client-ui-4.1.0-SNAPSHOT/WEB-INF/classes/cloud.keystore -storepass vmops.com -keypass vmops.com -keyalg RSA -validity 3650 -dname cn="Cloudstack User",ou="168.1.20",o="168.1.20",c="Unknown" .  Output is:
>>>> WARN  [cloud.server.ConfigurationServerImpl] (Timer-2:) Would use fail-safe keystore to continue.
>>>> java.io.IOException: Fail to generate certificate!: timeout
>>>>       at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:491)
>>>>       at com.cloud.server.ConfigurationServerImpl.updateSSLKeystore(ConfigurationServerImpl.java:512)
>>>>       at com.cloud.server.ConfigurationServerImpl.persistDefaultValues(ConfigurationServerImpl.java:269)
>>>>       at com.cloud.server.ConfigurationServerImpl.configure(ConfigurationServerImpl.java:143)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>       at java.lang.reflect.Method.invoke(Method.java:601)
>>>>       at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:319)
>>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>>>>       at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
>>>>       at com.cloud.utils.db.TransactionContextBuilder.AroundAnyMethod(TransactionContextBuilder.java:37)
>>>>       at sun.reflect.GeneratedMethodAccessor36.invoke(Unknown Source)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>       at java.lang.reflect.Method.invoke(Method.java:601)
>>>>       at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
>>>>       at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
>>>>       at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
>>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>       at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
>>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>>>>       at $Proxy388.configure(Unknown Source)
>>>>       at com.cloud.utils.component.ComponentContext.initComponentsLifeCycle(ComponentContext.java:110)
>>>>       at com.cloud.servlet.CloudStartupServlet$1.run(CloudStartupServlet.java:50)
>>>>       at java.util.TimerThread.mainLoop(Timer.java:555)
>>>>       at java.util.TimerThread.run(Timer.java:505)
>>>> INFO  [cloud.server.ConfigurationServerImpl] (Timer-2:) Processing updateKeyPairs
>>>> INFO  [cloud.server.ConfigurationServerImpl] (Timer-2:) Keypairs already in database
>>>> INFO  [cloud.server.ConfigurationServerImpl] (Timer-2:) Keypairs already in database, skip updating local copy (not running as cloud user)
>>>> INFO  [cloud.server.ConfigurationServerImpl] (Timer-2:) Going to update systemvm iso with generated keypairs if needed
>>>> Password:
>>>> 
>>>> ?
>>>> 
>>>> -sebastien
>>> 
> 
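
A sketch of the external utility script recommended in this thread, as an added example that is not part of the original messages or of CloudStack's code: key type, key length and password are supplied by the caller, the "vmops.com" default is refused, and a missing keystore is an error rather than a trigger for generation. The function names, the KS_PASS variable, the key-size floors, the 8-character minimum and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not CloudStack code. Function names, KS_PASS, the key-size
# floors, the 8-character minimum and the 365-day validity are assumptions.
REJECTED_PASSWORD="vmops.com"   # the hard-coded default named in the thread

# Check key type, key length and password; explain and return 1 on failure.
validate_keygen_params() {
    keyalg=$1; keysize=$2; pass=$3
    case "$keysize" in
        ''|*[!0-9]*) echo "key size must be a number" >&2; return 1 ;;
    esac
    case "$keyalg" in
        RSA) [ "$keysize" -ge 2048 ] || { echo "RSA key below 2048 bits" >&2; return 1; } ;;
        EC)  [ "$keysize" -ge 256 ] || { echo "EC key below 256 bits" >&2; return 1; } ;;
        *)   echo "unsupported key type: $keyalg" >&2; return 1 ;;
    esac
    [ "$pass" != "$REJECTED_PASSWORD" ] || { echo "refusing the known default password" >&2; return 1; }
    [ "${#pass}" -ge 8 ] || { echo "password shorter than 8 characters" >&2; return 1; }
}

# Server-side startup check: a missing keystore is logged and fatal, never
# silently replaced with a generated one.
require_keystore() {
    [ -s "$1" ] && return 0
    echo "ERROR: keystore $1 not found; generate or procure a certificate" >&2
    return 1
}

# Prompt without echo so the password stays out of argv, history and logs.
prompt_password() {
    printf 'Keystore password: ' >&2
    stty -echo; IFS= read -r KS_PASS; stty echo; echo >&2
}

# usage: generate_keystore <keystore-path> <RSA|EC> <bits> <dname>
generate_keystore() {
    [ -n "${KS_PASS:-}" ] || prompt_password
    validate_keygen_params "$2" "$3" "$KS_PASS" || return 1
    export KS_PASS   # read by keytool through its :env password modifier
    keytool -genkeypair -keystore "$1" -keyalg "$2" -keysize "$3" \
        -validity 365 -dname "$4" -storepass:env KS_PASS -keypass:env KS_PASS
}

if [ "$#" -eq 4 ]; then generate_keystore "$@"; fi
```

Passing the password through `-storepass:env` instead of `-storepass <value>` also keeps it out of the process list and out of log lines such as the "Timed out: sudo keytool ..." warning quoted above.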

