Merge branch 'main' into FWinVPCpublicIP

Author: DaanHoogland

.asf.yaml

@@ -51,7 +51,7 @@ github:
 
   collaborators:
     - ingox
-    - gpordeus
+    - gp-santos
     - erikbocks
     - Imvedansh
     - Damans227

.github/workflows/ci.yml

@@ -283,7 +283,7 @@ jobs:
           # https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2004-Readme.md#mysql
           sudo apt-get install -y mysql-server
           sudo systemctl start mysql
-          sudo mysql -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY ''; FLUSH PRIVILEGES;"
+          sudo mysql -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY ''; FLUSH PRIVILEGES;"
           sudo systemctl restart mysql
           sudo mysql -uroot -e "SELECT VERSION();"
 

.github/workflows/merge-conflict-checker.yml

@@ -17,16 +17,14 @@
 
 name: "PR Merge Conflict Check"
 on:
-  push:
-  pull_request:
-    types: [opened, synchronize, reopened]
+  schedule:
+    - cron: '*/10 * * * *'
+  workflow_dispatch:
 
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
+permissions: {}
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+  group: "gh-aw-${{ github.workflow }}"
 
 jobs:
   triage:

api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java

@@ -51,6 +51,7 @@ public class VirtualMachineTO {
 
     private long minRam;
     private long maxRam;
+    private long requestedRam;
     private String hostName;
     private String arch;
     private String os;
@@ -207,15 +208,20 @@ public long getMinRam() {
         return minRam;
     }
 
-    public void setRam(long minRam, long maxRam) {
+    public void setRam(long minRam, long maxRam, long requestedRam) {
         this.minRam = minRam;
         this.maxRam = maxRam;
+        this.requestedRam = requestedRam;
     }
 
     public long getMaxRam() {
         return maxRam;
     }
 
+    public long getRequestedRam() {
+        return requestedRam;
+    }
+
     public String getHostName() {
         return hostName;
     }

api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java

@@ -63,6 +63,12 @@ public class ProvisionCertificateCmd extends BaseAsyncCmd {
             description = "Name of the CA service provider, otherwise the default configured provider plugin will be used")
     private String provider;
 
+    @Parameter(name = ApiConstants.FORCED, type = CommandType.BOOLEAN,
+            description = "When true, uses SSH to re-provision the agent's certificate, bypassing the NIO agent connection. " +
+            "Use this when agents are disconnected due to a CA change. Supported for KVM hosts and SystemVMs. Default is false",
+            since = "4.23.0")
+    private Boolean forced;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -79,6 +85,10 @@ public String getProvider() {
         return provider;
     }
 
+    public boolean isForced() {
+        return forced != null && forced;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -90,7 +100,7 @@ public void execute() {
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to find host by ID: " + getHostId());
         }
 
-        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider());
+        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider(), isForced());
         SuccessResponse response = new SuccessResponse(getCommandName());
         response.setSuccess(result);
         setResponseObject(response);

api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserCmd.java

@@ -22,7 +22,7 @@
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.UserResponse;
-
+import org.apache.cloudstack.api.ApiArgValidator;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.UserAccount;
 
@@ -35,7 +35,7 @@ public class GetUserCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, required = true, description = "API key of the user")
+    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, required = true, description = "API key of the user", validations = {ApiArgValidator.NotNullOrEmpty})
     private String apiKey;
 
     /////////////////////////////////////////////////////

api/src/main/java/org/apache/cloudstack/ca/CAManager.java

@@ -23,6 +23,8 @@
 import java.util.List;
 import java.util.Map;
 
+import com.trilead.ssh2.Connection;
+
 import org.apache.cloudstack.framework.ca.CAProvider;
 import org.apache.cloudstack.framework.ca.CAService;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -39,7 +41,10 @@ public interface CAManager extends CAService, Configurable, PluggableService {
     ConfigKey<String> CAProviderPlugin = new ConfigKey<>("Advanced", String.class,
             "ca.framework.provider.plugin",
             "root",
-            "The CA provider plugin that is used for secure CloudStack management server-agent communication for encryption and authentication. Restart management server(s) when changed.", true);
+            "The CA provider plugin used for CloudStack internal certificate management (MS-agent encryption and authentication). " +
+            "The default 'root' provider auto-generates a CA on first startup, but also supports user-provided custom CA material " +
+            "via the ca.plugin.root.private.key, ca.plugin.root.public.key, and ca.plugin.root.ca.certificate settings. " +
+            "Restart management server(s) when changed.", false);
 
     ConfigKey<Integer> CertKeySize = new ConfigKey<>("Advanced", Integer.class,
                                     "ca.framework.cert.keysize",
@@ -85,6 +90,12 @@ public interface CAManager extends CAService, Configurable, PluggableService {
                     "The actual implementation will depend on the configured CA provider.",
             false);
 
+    ConfigKey<Boolean> CaInjectDefaultTruststore = new ConfigKey<>("Advanced", Boolean.class,
+            "ca.framework.inject.default.truststore", "true",
+            "When true, injects the CA provider's certificate into the JVM default truststore on management server startup. " +
+            "This allows outgoing HTTPS connections from the management server to trust servers with certificates signed by the configured CA. " +
+            "Restart management server(s) when changed.", false);
+
     /**
      * Returns a list of available CA provider plugins
      * @return returns list of CAProvider
@@ -130,12 +141,26 @@ public interface CAManager extends CAService, Configurable, PluggableService {
     boolean revokeCertificate(final BigInteger certSerial, final String certCn, final String provider);
 
     /**
-     * Provisions certificate for given active and connected agent host
+     * Provisions certificate for given agent host.
+     * When forced=true, uses SSH to re-provision bypassing the NIO agent connection (for disconnected agents).
      * @param host
+     * @param reconnect
      * @param provider
+     * @param forced when true, provisions via SSH instead of NIO; supports KVM hosts and SystemVMs
      * @return returns success/failure as boolean
      */
-    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider);
+    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider, final boolean forced);
+
+    /**
+     * Provisions certificate for a KVM host using an existing SSH connection.
+     * Runs keystore-setup to generate a CSR, issues a certificate, then runs keystore-cert-import.
+     * Used during host discovery and for forced re-provisioning when the NIO agent is unreachable.
+     * @param sshConnection active SSH connection to the KVM host
+     * @param agentIp IP address of the KVM host agent
+     * @param agentHostname hostname of the KVM host agent
+     * @param caProvider optional CA provider plugin name (null uses default)
+     */
+    void provisionCertificateViaSsh(Connection sshConnection, String agentIp, String agentHostname, String caProvider);
 
     /**
      * Setups up a new keystore and generates CSR for a host

client/pom.xml

@@ -716,17 +716,17 @@
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bcprov-jdk15on</artifactId>
+                        <artifactId>bcprov-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bcpkix-jdk15on</artifactId>
+                        <artifactId>bcpkix-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bctls-jdk15on</artifactId>
+                        <artifactId>bctls-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                 </dependencies>
@@ -906,13 +906,13 @@
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bcprov-jdk15on</artifactId>
+                                    <artifactId>bcprov-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bcpkix-jdk15on</artifactId>
+                                    <artifactId>bcpkix-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
 			        </artifactItem>
@@ -936,7 +936,7 @@
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bctls-jdk15on</artifactId>
+                                    <artifactId>bctls-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
                                 </artifactItem>
@@ -971,9 +971,9 @@
                                     <exclude>org.apache.tomcat.embed:tomcat-embed-core</exclude>
                                     <exclude>org.apache.geronimo.specs:geronimo-servlet_3.0_spec</exclude>
                                     <exclude>org.apache.geronimo.specs:geronimo-javamail_1.4_spec</exclude>
-                                    <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
-                                    <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
-                                    <exclude>org.bouncycastle:bctls-jdk15on</exclude>
+                                    <exclude>org.bouncycastle:bcprov-jdk18on</exclude>
+                                    <exclude>org.bouncycastle:bcpkix-jdk18on</exclude>
+                                    <exclude>org.bouncycastle:bctls-jdk18on</exclude>
                                     <exclude>com.mysql:mysql-connector-j</exclude>
                                     <exclude>org.apache.cloudstack:cloud-plugin-storage-volume-storpool</exclude>
                                     <exclude>org.apache.cloudstack:cloud-plugin-storage-volume-linstor</exclude>

core/src/main/java/com/cloud/agent/api/ScaleVmCommand.java

@@ -30,6 +30,7 @@ public class ScaleVmCommand extends Command {
     Integer maxSpeed;
     long minRam;
     long maxRam;
+    private boolean limitCpuUseChange;
 
     public VirtualMachineTO getVm() {
         return vm;
@@ -43,7 +44,7 @@ public int getCpus() {
         return cpus;
     }
 
-    public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpeed, long minRam, long maxRam, boolean limitCpuUse) {
+    public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpeed, long minRam, long maxRam, boolean limitCpuUse, Double cpuQuotaPercentage, boolean limitCpuUseChange) {
         super();
         this.vmName = vmName;
         this.cpus = cpus;
@@ -52,6 +53,8 @@ public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpee
         this.minRam = minRam;
         this.maxRam = maxRam;
         this.vm = new VirtualMachineTO(1L, vmName, null, cpus, minSpeed, maxSpeed, minRam, maxRam, null, null, false, limitCpuUse, null);
+        this.vm.setCpuQuotaPercentage(cpuQuotaPercentage);
+        this.limitCpuUseChange = limitCpuUseChange;
     }
 
     public void setCpus(int cpus) {
@@ -102,6 +105,10 @@ public VirtualMachineTO getVirtualMachine() {
         return vm;
     }
 
+    public boolean getLimitCpuUseChange() {
+        return limitCpuUseChange;
+    }
+
     @Override
     public boolean executeInSequence() {
         return true;

debian/changelog

@@ -2,13 +2,19 @@ cloudstack (4.23.0.0-SNAPSHOT) unstable; urgency=low
 
   * Update the version to 4.23.0.0-SNAPSHOT
 
- -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, 30 Oct 2025 19:23:55 +0530
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Fri, 22 May 2026 10:20:00 -0300
+
+cloudstack (4.22.1.0) unstable; urgency=low
+
+  * Update the version to 4.22.1.0
 
-cloudstack (4.23.0.0-SNAPSHOT-SNAPSHOT) unstable; urgency=low
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Mon, 11 May 2026 20:26:07 +0530
 
-  * Update the version to 4.23.0.0-SNAPSHOT-SNAPSHOT
+cloudstack (4.22.0.0) unstable; urgency=low
 
- -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, Aug 28 11:58:36 2025 +0530
+  * Update the version to 4.22.0.0
+
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, 30 Oct 2025 19:23:55 +0530
 
 cloudstack (4.21.0.0) unstable; urgency=low