
Allow ssvm agent certs to contain host IP for NAT situations#6864

Merged
DaanHoogland merged 1 commit into
apache:mainfrom
mlsorensen:main-hypervisor-systemvm-certs
Dec 13, 2022

Conversation

@mlsorensen

Contributor

Description

There are some networking setups where system VM communications are proxied off of the hypervisor host on which the system VM is running. For example, if the KVM management network is a NAT bridge, or the network plugin employs user mode network for system VM management interfaces, then system VM agent comms look as though they come from the hypervisor host. Admittedly, these configurations are bespoke, which is why a configuration is provided and it's disabled by default.

In such a setup, the certificate authentication for agents fails because the source IP is that of the host of the system VM, rather than the system VM itself, and this IP is not in the connecting certificate presented. This PR adds a configuration value that allows the system VM cert to contain the host IP that the system VM is scheduled on. This allows such setups to maintain auth strictness on agent auth.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

How Has This Been Tested?

Tested this via unit tests, and in our private integration environment. When ca.framework.cert.systemvm.allow.host.ip is set, agent auth succeeds from system VMs, when unset, it fails as it did prior to this change.
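The authorization decision the description above talks about, written out as an added, stand-alone model (not CloudStack's CAManager code and not part of this PR): the management server accepts an agent's client certificate only when the connection's source address is one of the SubjectAltName IP entries, and the CA adds the hypervisor host's address to the SAN only when the operator has turned the setting on. The `allow_host_ip` flag stands in for `ca.framework.cert.systemvm.allow.host.ip`; the VM and host names and addresses are constructed.

```python
# Constructed illustration of "source IP must appear in the agent cert SAN";
# not CloudStack code. allow_host_ip models ca.framework.cert.systemvm.allow.host.ip.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class AgentCert:
    """Minimal stand-in for an issued agent certificate: CN plus SAN IP entries."""
    common_name: str
    san_ips: List[IPAddr]


def issue_agent_cert(vm_name: str, vm_ips: List[str],
                     host_ip: Optional[str] = None,
                     allow_host_ip: bool = False) -> AgentCert:
    """CA side: the system VM's own addresses always go into the SAN.
    The hypervisor host's address is added only when the allow-host-ip
    setting is enabled (disabled by default, as in the PR)."""
    sans = [ipaddress.ip_address(ip) for ip in vm_ips]
    if allow_host_ip and host_ip is not None:
        sans.append(ipaddress.ip_address(host_ip))
    return AgentCert(common_name=vm_name, san_ips=sans)


def normalize(ip: str) -> IPAddr:
    """Canonicalize so an IPv4-mapped IPv6 socket address (::ffff:a.b.c.d)
    compares equal to the plain IPv4 entry stored in the SAN."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def peer_ip_matches_cert(cert: AgentCert, peer_ip: str) -> bool:
    """Management-server side: accept the agent only if the observed source
    address is one of the SAN IP entries in the presented certificate."""
    return normalize(peer_ip) in {normalize(str(a)) for a in cert.san_ips}


def nat_scenario(allow_host_ip: bool) -> dict:
    """Replay the situation from the PR: the system VM sits behind a NAT bridge
    on its host, so the management server sees the host's address as the
    connection source rather than the VM's. All addresses are constructed."""
    vm_ip, host_ip, other_host = "169.254.10.5", "10.0.0.21", "10.0.0.22"
    cert = issue_agent_cert("s-1-VM", [vm_ip], host_ip=host_ip,
                            allow_host_ip=allow_host_ip)
    return {
        "direct_from_vm": peer_ip_matches_cert(cert, vm_ip),
        "via_host_nat": peer_ip_matches_cert(cert, host_ip),
        "from_other_host": peer_ip_matches_cert(cert, other_host),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"allow_host_ip={flag}: {nat_scenario(flag)}")
```

With the flag off, the NAT'd connection is rejected exactly as the description says; with it on, the host address is accepted while a connection from any other host is still refused. The caveat for operators is visible in `issue_agent_cert`: once enabled, the certificate also authorizes the host's address, so the setting belongs only on deployments whose NAT or user-mode-network topology actually requires it.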

@sonarqubecloud

sonarqubecloud Bot commented Nov 1, 2022


SonarCloud Quality Gate failed.

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

0.0% Coverage
0.0% Duplication

@codecov

codecov Bot commented Nov 1, 2022


Codecov Report

Merging #6864 (1e150a4) into main (fa39e61) will decrease coverage by 0.00%.
The diff coverage is 0.00%.

@@             Coverage Diff              @@
##               main    #6864      +/-   ##
============================================
- Coverage     10.84%   10.84%   -0.01%     
  Complexity     7104     7104              
============================================
  Files          2485     2485              
  Lines        245417   245421       +4     
  Branches      38326    38326              
============================================
  Hits          26627    26627              
- Misses       215521   215525       +4     
  Partials       3269     3269              
Impacted Files Coverage Δ
...n/java/com/cloud/vm/VirtualMachineManagerImpl.java 0.00% <0.00%> (ø)
...n/java/org/apache/cloudstack/ca/CAManagerImpl.java 45.00% <0.00%> (ø)


@yadvr

yadvr commented Nov 2, 2022

Member

@blueorangutan package

@blueorangutan


@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@yadvr

yadvr commented Nov 2, 2022

Member

@blueorangutan package

@blueorangutan


@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

@blueorangutan


Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. LL-JID 183

@yadvr yadvr added this to the 4.18.0.0 milestone Nov 3, 2022
@yadvr

yadvr commented Nov 3, 2022

Member

(rekick pkging in Sofia lab manually)

@blueorangutan


Trillian test result (tid-5243)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 41382 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6864-t5243-kvm-centos7.zip
Smoke tests completed. 103 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers Failure 462.04 test_vpc_redundant.py

@yadvr

yadvr commented Nov 4, 2022

Member

Tests LGTM - the failure is a known intermittent issue not caused by this PR.

@DaanHoogland

Contributor

@blueorangutan package

@blueorangutan


@DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan


Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. LL-JID 197

@DaanHoogland

Contributor

@blueorangutan test

@blueorangutan


@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@blueorangutan


Trillian test result (tid-39)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 38016 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6864-t39-kvm-centos7.zip
Smoke tests completed. 103 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_redundant_vpc_site2site_vpn Failure 746.38 test_vpc_vpn.py
test_01_vpc_site2site_vpn_multiple_options Error 1273.54 test_vpc_vpn.py
test_01_vpc_site2site_vpn Error 546.21 test_vpc_vpn.py

@mlsorensen

Contributor Author

@blueorangutan test

@blueorangutan


@mlsorensen a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@DaanHoogland DaanHoogland left a comment

Contributor


clgtm

@yadvr

yadvr commented Dec 9, 2022

Member

@blueorangutan package

@blueorangutan


@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

@blueorangutan


Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 4821

@JoaoJandre JoaoJandre left a comment

Contributor


CLGTM

@yadvr

yadvr commented Dec 12, 2022

Member

@blueorangutan test

@blueorangutan


@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@blueorangutan


Trillian test result (tid-5465)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 42755 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6864-t5465-kvm-centos7.zip
Smoke tests completed. 105 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland DaanHoogland merged commit f2e7d6b into apache:main Dec 13, 2022