systemvmtemplate: new template for 4.15.1 #4793
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
@blueorangutan package
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. [S]
| for (final Map.Entry<Hypervisor.HypervisorType, String> hypervisorAndTemplateName : NewTemplateNameList.entrySet()) { | ||
| LOG.debug("Updating " + hypervisorAndTemplateName.getKey() + " System Vms"); | ||
| try (PreparedStatement pstmt = conn.prepareStatement("select id from `cloud`.`vm_template` where name = ? and removed is null order by id desc limit 1")) { |
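Review bot: the `select` on the `prepareStatement` line matches `vm_template` rows by `name` and `removed is null` only, so `order by id desc limit 1` returns the newest template with that name regardless of which account owns it. Constrain the lookup to templates owned by a root admin account before the upgrade path treats the row as the system VM template.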
@rhtyd
If a user (not root admin) registers a template with the same name, will it be a security issue?
Good catch - we've been copying the same code/logic; however I think it may not be a big issue as it picks the last template that was added before the upgrade, even if user may have added a template, the admin likely would have added the most recent or last template. We may be saved by the order by id desc limit 1. Or, do you want me to add a check for account_id = 2?
@rhtyd
Is it possible that a CloudStack user uses an admin account other than root admin (account_id=2)?
Would it be better to use this?
select id from `cloud`.`vm_template` where name = ? and removed is null and account_id in (select id from account where role_id=1 and removed is null) order by id desc limit 1;
Thanks, I'll test and include it
... but what if the account is of admin role type but not role ID 1?
what would be the issue, @rhtyd? except that the account used will fail registering systemvm templates?
Looks like we can use Wei's query with type=1 (instead of role_id); type 1 is root admin role.
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 83
@blueorangutan test matrix
@rhtyd a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests [S]
[S] Trillian test result (tid-80)
| "net_device": "virtio-net", | ||
| "iso_url": "https://download.cloudstack.org/systemvm/debian/debian-10.5.0-amd64-netinst.iso", | ||
| "iso_checksum": "0a6aee1d9aafc1ed095105c052f9fdd65ed00ea9274188c9cd0072c8e6838ab40e246d45a1e6956d74ef1b04a1fc042151762f25412e9ff0cbf49418eef7992e", | ||
| "iso_url": "https://cdimage.debian.org/debian-cd/10.8.0/amd64/iso-cd/debian-10.8.0-amd64-netinst.iso", |
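Review bot: the `iso_url` on the last line now points at a versioned path on cdimage.debian.org, while the `iso_checksum` visible in this hunk sits beside the 10.5.0 URL. Confirm the checksum is updated for the 10.8.0 image in the same change, so that a moved or replaced ISO fails the build instead of being used unverified.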
Debian tends to move their ISOs, is this the best way, or should we keep a copy as we used to?
It's either this or someone manually copying/updating the template on download.cloudstack.org and then using it here. One option is to use the archive links, but Debian doesn't put the latest version/release ISOs there: https://cdimage.debian.org/mirror/cdimage/archive/
[S] Trillian test result (tid-95)
[S] Trillian test result (tid-96)
[S] Trillian test result (tid-134)
[S] Trillian test result (tid-111)
@blueorangutan package
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. [S]
Packaging result: ✔️ centos7 ✖️ centos8 ✖️ debian. SL-JID 157
@blueorangutan test matrix
@rhtyd a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests [S]
@blueorangutan package
@shwstppr a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. [S]
@blueorangutan package
@davidjumani a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. [S]
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 182
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 185
@blueorangutan package
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
Packaging result: ✖️ centos7 ✖️ centos8 ✔️ debian. SL-JID 201
@Pearl1594 to carry forward with the PR
@blueorangutan package
@Pearl1594 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
Packaging result: ✔️ centos7 ✔️ centos8 ✔️ debian. SL-JID 207
@blueorangutan test matrix
@Pearl1594 a Trillian-Jenkins matrix job (centos7 mgmt + xs71, centos7 mgmt + vmware65, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests
Trillian test result (tid-225)
Trillian test result (tid-224)
Trillian test result (tid-226)
| for (final Map.Entry<Hypervisor.HypervisorType, String> hypervisorAndTemplateName : NewTemplateNameList.entrySet()) { | ||
| LOG.debug("Updating " + hypervisorAndTemplateName.getKey() + " System Vms"); | ||
| try (PreparedStatement pstmt = conn.prepareStatement("select id from `cloud`.`vm_template` where name = ? and removed is null and account_id in (select id from account where type = 1 and removed is NULL) order by id desc limit 1")) { |
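Review bot: the subquery on the `prepareStatement` line references `account` without the `cloud` schema qualifier that the outer `cloud`.`vm_template` uses. Qualify it as `cloud`.`account` so the statement does not depend on the connection's default schema, and add a short comment that `type = 1` means a root admin account, since the bare number does not say so.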
@weizhouapache @DaanHoogland the security issue is fixed here by checking that the template belongs to an account with type=1 (root admin)
Tests LGTM, thanks for fixing the issue and kicking tests @Pearl1594
Pearl1594
left a comment
LGTM.
Verified the security issue by registering a template with name "systemvm-vmware-4.15.1" as a user post root admin registering the template and then initiated upgrade. It picks up the right systemVM template, i.e., the one registered by the root admin and updates the required fields e.g. type
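The name-collision case discussed in this review, as an added example (not code from the pull request): the two queries quoted on this page are run against a constructed in-memory SQLite stand-in for `cloud`.`vm_template` and `account`, with the root admin registering the template first and a user registering the same name afterwards. The table columns, the ids and the user account's `type = 0` are assumptions made for the illustration.

```python
import sqlite3

# The two lookups as quoted on this page: before and after the fix.
OLD_QUERY = ("select id from `cloud`.`vm_template` where name = ? "
             "and removed is null order by id desc limit 1")
NEW_QUERY = ("select id from `cloud`.`vm_template` where name = ? and removed is null "
             "and account_id in (select id from account where type = 1 and removed is NULL) "
             "order by id desc limit 1")

TEMPLATE_NAME = "systemvm-vmware-4.15.1"  # name used in the verification comment


def build_db():
    """Constructed stand-in for the two tables the queries touch (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    # Attach a second in-memory database so the `cloud` schema prefix resolves.
    conn.execute("ATTACH DATABASE ':memory:' AS cloud")
    conn.execute("CREATE TABLE cloud.account "
                 "(id INTEGER PRIMARY KEY, type INTEGER, removed TEXT)")
    conn.execute("CREATE TABLE cloud.vm_template "
                 "(id INTEGER PRIMARY KEY, name TEXT, account_id INTEGER, removed TEXT)")
    # Constructed accounts: id 2 is root admin (type 1), id 7 is a regular user (type 0, assumed).
    conn.executemany("INSERT INTO cloud.account VALUES (?, ?, NULL)", [(2, 1), (7, 0)])
    # Root admin registers first (id 201); the user registers the same name later (id 202).
    conn.executemany("INSERT INTO cloud.vm_template VALUES (?, ?, ?, NULL)",
                     [(201, TEMPLATE_NAME, 2), (202, TEMPLATE_NAME, 7)])
    return conn


def pick_template(conn, query, name):
    """Return the template id the upgrade lookup would select, or None if no row matches."""
    row = conn.execute(query, (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("name-only lookup picks id", pick_template(db, OLD_QUERY, TEMPLATE_NAME))
    print("owner-checked lookup picks id", pick_template(db, NEW_QUERY, TEMPLATE_NAME))
```

With the owner check, a lookup that finds no root-admin template returns no row at all rather than falling back to the user's template.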
Thanks Pearl for testing.
Update new systemvmtemplate for 4.15.1.0; synced:
http://download.cloudstack.org/systemvm/4.15/
A new template is necessary due to many security fixes over the last year; the 4.15.0 systemvmtemplate was created about a year ago.