From 4303ec1a9e844dd0c9cd85df52736c75db6ec11e Mon Sep 17 00:00:00 2001 From: Rohit Yadav Date: Fri, 1 Feb 2019 18:48:04 +0530 Subject: [PATCH 1/2] systemd: fix services to allow TLS configurations via java.security.ciphers This fixes the management server and systemd services to allow the java.security.ciphers file to configure disabled TLS protocols and algorithms. This also cleans up systemd service files for agent and usage server. This fixes #3140 Signed-off-by: Rohit Yadav --- debian/cloudstack-agent.postinst | 2 + packaging/centos63/cloud-management.rc | 2 +- packaging/centos7/cloud-agent.rc | 122 ------------------ packaging/centos7/cloud.spec | 2 +- packaging/debian/init/cloud-management | 2 +- packaging/systemd/cloudstack-agent.default | 8 +- packaging/systemd/cloudstack-agent.service | 8 +- .../systemd/cloudstack-management.default | 13 +- .../systemd/cloudstack-management.service | 12 +- packaging/systemd/cloudstack-usage.default | 8 +- packaging/systemd/cloudstack-usage.service | 7 +- 11 files changed, 24 insertions(+), 162 deletions(-) delete mode 100755 packaging/centos7/cloud-agent.rc diff --git a/debian/cloudstack-agent.postinst b/debian/cloudstack-agent.postinst index c358c3ca680a..0942047a3403 100755 --- a/debian/cloudstack-agent.postinst +++ b/debian/cloudstack-agent.postinst @@ -25,6 +25,8 @@ case "$1" in NEWCONFDIR="/etc/cloudstack/agent" CONFFILES="agent.properties log4j.xml log4j-cloud.xml" + mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp + # Copy old configuration so the admin doesn't have to do that # Only do so when we are installing for the first time if [ -z "$2" ]; then diff --git a/packaging/centos63/cloud-management.rc b/packaging/centos63/cloud-management.rc index 0ef5fc4a1718..df7a58311213 100755 --- a/packaging/centos63/cloud-management.rc +++ b/packaging/centos63/cloud-management.rc 
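Review bot: The added `mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp` in the postinst only sets the mode when it creates the directory. If the path already exists, its mode and owner are left untouched, and parents created by `-p` get umask-derived modes. This directory becomes `java.io.tmpdir` for the agent, so it is worth pinning ownership and mode explicitly, e.g. `install -d -m 0755 -o root -g root /usr/share/cloudstack-agent/tmp`. The same `mkdir` line is added to `packaging/centos7/cloud.spec` and would take the same change. The old unit recreated the directory on every start, whereas the new one relies on this install-time step alone, so a directory removed later is not restored.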
@@ -71,7 +71,7 @@ setJavaHome() { setJavaHome JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//') -CLASSPATH="$JARS:$CLASSPATH" +CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar" start() { if [ -s "$PIDFILE" ] && kill -0 $(cat "$PIDFILE") >/dev/null 2>&1; then diff --git a/packaging/centos7/cloud-agent.rc b/packaging/centos7/cloud-agent.rc deleted file mode 100755 index 5882780c524e..000000000000 --- a/packaging/centos7/cloud-agent.rc +++ /dev/null 
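Review bot: The new assignment `CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar"` produces an empty element (`…jar::/usr/share/java/…`) when `CLASSPATH` is empty at this point. The JVM resolves an empty class-path element to the current working directory, so classes could be loaded from wherever the script is started. Whether `CLASSPATH` is always set earlier is not visible in this hunk. Guarding the join avoids the question: `CLASSPATH="$JARS${CLASSPATH:+:$CLASSPATH}:/usr/share/java/commons-daemon.jar"`. The identical line in `packaging/debian/init/cloud-management` has the same shape.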
@@ -1,122 +0,0 @@ -#!/bin/bash - -# chkconfig: 35 99 10 -# description: Cloud Agent -# pidfile: /var/run/cloudstack-agent.pid - -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -# WARNING: if this script is changed, then all other initscripts MUST BE changed to match it as well - -. 
/etc/rc.d/init.d/functions - -# set environment variables - -TMP=/usr/share/cloudstack-agent/tmp -SHORTNAME=$(basename $0 | sed -e 's/^[SK][0-9][0-9]//') -PIDFILE=/var/run/"$SHORTNAME".pid -LOCKFILE=/var/lock/subsys/"$SHORTNAME" -LOGDIR=/var/log/cloudstack/agent -LOGFILE=${LOGDIR}/agent.log -PROGNAME="Cloud Agent" -CLASS="com.cloud.agent.AgentShell" -JSVC=`which jsvc 2>/dev/null`; - -# exit if we don't find jsvc -if [ -z "$JSVC" ]; then - echo no jsvc found in path; - exit 1; -fi - -# create java tmp dir if not found -mkdir -m 0755 -p "$TMP" - -unset OPTIONS -[ -r /etc/sysconfig/"$SHORTNAME" ] && source /etc/sysconfig/"$SHORTNAME" - -# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not defined in $DEFAULT) -JDK_DIRS="/usr/lib/jvm/jre /usr/lib/jvm/java-1.8.0-openjdk /usr/lib/jvm/java-8-openjdk-i386 /usr/lib/jvm/java-8-openjdk-amd64" - -for jdir in $JDK_DIRS; do - if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then - JAVA_HOME="$jdir" - fi -done -export JAVA_HOME - -ACP=`ls /usr/share/cloudstack-agent/lib/*.jar | tr '\n' ':' | sed s'/.$//'` -PCP=`ls /usr/share/cloudstack-agent/plugins/*.jar 2>/dev/null | tr '\n' ':' | sed s'/.$//'` - -# We need to append the JSVC daemon JAR to the classpath -# AgentShell implements the JSVC daemon methods -export CLASSPATH="/usr/share/java/commons-daemon.jar:$ACP:$PCP:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts" - -start() { - echo -n $"Starting $PROGNAME: " - if hostname --fqdn >/dev/null 2>&1 ; then - $JSVC -Djava.io.tmpdir="$TMP" -Xms256m -Xmx2048m -cp "$CLASSPATH" -pidfile "$PIDFILE" \ - -errfile $LOGDIR/cloudstack-agent.err -outfile $LOGDIR/cloudstack-agent.out $CLASS - RETVAL=$? - echo - else - failure - echo - echo The host name does not resolve properly to an IP address. Cannot start "$PROGNAME". > /dev/stderr - RETVAL=9 - fi - [ $RETVAL = 0 ] && touch ${LOCKFILE} - return $RETVAL -} - -stop() { - echo -n $"Stopping $PROGNAME: " - $JSVC -pidfile "$PIDFILE" -stop $CLASS - RETVAL=$? 
- echo - [ $RETVAL = 0 ] && rm -f ${LOCKFILE} ${PIDFILE} -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - status) - status -p ${PIDFILE} $SHORTNAME - RETVAL=$? - ;; - restart) - stop - sleep 3 - start - ;; - condrestart) - if status -p ${PIDFILE} $SHORTNAME >&/dev/null; then - stop - sleep 3 - start - fi - ;; - *) - echo $"Usage: $SHORTNAME {start|stop|restart|condrestart|status|help}" - RETVAL=3 -esac - -exit $RETVAL diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec index 1cc89939caec..8a4dd2ac74d5 100644 --- a/packaging/centos7/cloud.spec +++ b/packaging/centos7/cloud.spec @@ -59,7 +59,6 @@ intelligent IaaS cloud implementation. %package management Summary: CloudStack management server UI Requires: java-1.8.0-openjdk -Requires: apache-commons-daemon-jsvc Requires: python Requires: bash Requires: bzip2 @@ -425,6 +424,7 @@ if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then mkdir %{_sysconfdir}/libvirt/hooks fi cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu +mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp /sbin/service libvirtd restart /sbin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true diff --git a/packaging/debian/init/cloud-management b/packaging/debian/init/cloud-management index 580f683b8293..5ccef70eb321 100755 --- a/packaging/debian/init/cloud-management +++ b/packaging/debian/init/cloud-management @@ -75,7 +75,7 @@ if [ -f "$DEFAULT" ]; then fi JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//') -CLASSPATH="$JARS:$CLASSPATH" +CLASSPATH="$JARS:$CLASSPATH:/usr/share/java/commons-daemon.jar" [ -f "$DAEMON" ] || exit 0 diff --git a/packaging/systemd/cloudstack-agent.default b/packaging/systemd/cloudstack-agent.default index 41fa85bfd221..36f0562ec640 100644 --- a/packaging/systemd/cloudstack-agent.default +++ b/packaging/systemd/cloudstack-agent.default 
@@ -15,8 +15,8 @@ # specific language governing permissions and limitations # under the License. -JAVA=/usr/bin/java -JAVA_HEAP_INITIAL=256m -JAVA_HEAP_MAX=2048m +JAVA_OPTS="-Djava.io.tmpdir=/usr/share/cloudstack-agent/tmp -Xms256m -Xmx2048m" + +CLASSPATH="/usr/share/cloudstack-agent/lib/*:/usr/share/cloudstack-agent/plugins/*:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts" + JAVA_CLASS=com.cloud.agent.AgentShell -JAVA_TMPDIR=/usr/share/cloudstack-agent/tmp diff --git a/packaging/systemd/cloudstack-agent.service b/packaging/systemd/cloudstack-agent.service index 9cde22d7eb0d..9bdbdf82f578 100644 --- a/packaging/systemd/cloudstack-agent.service +++ b/packaging/systemd/cloudstack-agent.service @@ -23,12 +23,8 @@ After=libvirtd.service [Service] Type=simple -EnvironmentFile=-/etc/default/cloudstack-agent -ExecStart=/bin/sh -ec '\ - export ACP=`ls /usr/share/cloudstack-agent/lib/*.jar /usr/share/cloudstack-agent/plugins/*.jar 2>/dev/null|tr "\\n" ":"`; \ - export CLASSPATH="$ACP:/etc/cloudstack/agent:/usr/share/cloudstack-common/scripts"; \ - mkdir -m 0755 -p ${JAVA_TMPDIR}; \ - ${JAVA} -Djava.io.tmpdir="${JAVA_TMPDIR}" -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS' +EnvironmentFile=/etc/default/cloudstack-agent +ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS Restart=always RestartSec=10s diff --git a/packaging/systemd/cloudstack-management.default b/packaging/systemd/cloudstack-management.default index 8610e03d1151..00b8ec1809b7 100644 --- a/packaging/systemd/cloudstack-management.default +++ b/packaging/systemd/cloudstack-management.default 
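Review bot: In `cloudstack-agent.service`, `ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS` now takes every argument from `/etc/default/cloudstack-agent`, and systemd expands an unset `$VAR` to zero words. If an older, admin-edited defaults file survives an upgrade (it defined `JAVA`, `JAVA_HEAP_*` and `JAVA_TMPDIR`, but neither `JAVA_OPTS` nor `CLASSPATH`), the command becomes `java -cp com.cloud.agent.AgentShell` and `Restart=always` loops on the failure. Dropping the `-` prefix catches a missing file but not a stale one. Whether the packaging preserves the old file is not shown here. Consider declaring the defaults with `Environment=` lines in the unit ahead of `EnvironmentFile=`, so the file only overrides them. `cloudstack-usage.service` is changed the same way and has the same exposure.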
@@ -15,17 +15,8 @@ # specific language governing permissions and limitations # under the License. -# Where your java installation lives -#JAVA_HOME="/usr/lib/jvm/java" +JAVA_OPTS="-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers -Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:ErrorFile=/var/log/cloudstack/management/cloudstack-management.err " -JAVA_OPTS="-Djava.awt.headless=true -Dcom.sun.management.jmxremote=false -Xmx2g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:PermSize=512M -XX:MaxPermSize=800m -Djava.security.properties=/etc/cloudstack/management/java.security.ciphers " - -CLOUDSTACK_USER="cloud" - -CLOUDSTACK_PID="/var/run/cloudstack-management.pid" - -LOGDIR="/var/log/cloudstack/management" - -CLASSPATH="/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar:/usr/share/java/commons-daemon.jar" +CLASSPATH="/usr/share/cloudstack-management/lib/*:/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar" BOOTSTRAP_CLASS=org.apache.cloudstack.ServerDaemon diff --git a/packaging/systemd/cloudstack-management.service b/packaging/systemd/cloudstack-management.service index 58c43437c10a..f1be34eaeb67 100644 --- a/packaging/systemd/cloudstack-management.service +++ b/packaging/systemd/cloudstack-management.service 
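Review bot: The TLS restrictions this patch is about depend entirely on `-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers`, and nothing in the new configuration verifies that the file is actually loaded. With a single `=` the file is merged over the JDK's `java.security`, and only when `security.overridePropertiesFile` is enabled there. As far as I know, a missing or unreadable file is skipped without a startup error, leaving the JDK's default disabled-algorithm list in force. Since the service now runs as `User=cloud`, the file must be readable by that account. I would add a comment above `JAVA_OPTS` such as `# java.security.ciphers must exist and be readable by the service user; otherwise JDK default TLS settings apply silently`, and check for the file at install or start. The trailing space inside the quoted value can also go.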
@@ -23,14 +23,12 @@ After=syslog.target network.target [Service] UMask=0022 -Type=forking -Environment="NAME=cloudstack-management" +Type=simple +User=cloud EnvironmentFile=/etc/default/cloudstack-management -ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JAVA_HOME=$( readlink -f $( which java ) | sed s:bin/.*$:: )" -ExecStartPre=/bin/bash -c "/bin/systemctl set-environment JARS=$(ls /usr/share/cloudstack-management/lib/*.jar | tr '\n' ':' | sed s'/.$//')" -ExecStart=/usr/bin/jsvc -home "${JAVA_HOME}" -user "${CLOUDSTACK_USER}" -cp "${JARS}:${CLASSPATH}" -errfile "${LOGDIR}/${NAME}.err" -cwd "${LOGDIR}" -pidfile "${CLOUDSTACK_PID}" "${JAVA_OPTS}" "${BOOTSTRAP_CLASS}" -ExecStop=/usr/bin/jsvc -cp "${JARS}:${CLASSPATH}" -pidfile "${CLOUDSTACK_PID}" -stop "${BOOTSTRAP_CLASS}" -SuccessExitStatus=143 +WorkingDirectory=/var/log/cloudstack/management +PIDFile=/var/run/cloudstack-management.pid +ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $BOOTSTRAP_CLASS [Install] WantedBy=multi-user.target diff --git a/packaging/systemd/cloudstack-usage.default b/packaging/systemd/cloudstack-usage.default index 84de943ceedc..26f552859f37 100644 --- a/packaging/systemd/cloudstack-usage.default +++ b/packaging/systemd/cloudstack-usage.default @@ -15,8 +15,8 @@ # specific language governing permissions and limitations # under the License. -JAVA=/usr/bin/java -JAVA_HEAP_INITIAL=256m -JAVA_HEAP_MAX=2048m +JAVA_OPTS="-Dpid=$$ -Xms256m -Xmx2048m" + +CLASSPATH="/usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar" + JAVA_CLASS=com.cloud.usage.UsageServer -JAVA_PID=$$ diff --git a/packaging/systemd/cloudstack-usage.service b/packaging/systemd/cloudstack-usage.service index 424a4556372b..f8874867c69a 100644 --- a/packaging/systemd/cloudstack-usage.service +++ b/packaging/systemd/cloudstack-usage.service 
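Review bot: In `cloudstack-management.service`, removing `SuccessExitStatus=143` while switching to a plain `java` main process means every `systemctl stop` will likely leave the unit in the failed state, since a JVM terminated by SIGTERM exits with 143. That makes real crashes harder to tell apart from normal stops in monitoring, so I would keep `SuccessExitStatus=143`. `PIDFile=/var/run/cloudstack-management.pid` has no effect with `Type=simple`, and nothing in the new `ExecStart` writes that file, so it can be dropped. With `User=cloud`, `WorkingDirectory` and the heap-dump and error-file paths under `/var/log/cloudstack/management` need to be writable by that account, which this hunk does not show.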
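Review bot: In `cloudstack-usage.default`, `JAVA_OPTS="-Dpid=$$ -Xms256m -Xmx2048m"` no longer yields a process id. systemd reads `EnvironmentFile` entries literally, and the new `ExecStart` has no shell, so java receives the literal string `-Dpid=$$`. The removed unit passed `${JAVA_PID}` through `/bin/sh -ec`, which expanded `$$`. Whatever reads the `pid` system property (not visible in this patch) will now see `$$`, which matters if it is parsed as a number or used in a file name. Either drop `-Dpid` and have the server obtain its own pid, or confirm the consumer tolerates a non-numeric value.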
@@ -23,11 +23,8 @@ After=network.target network-online.target [Service] Type=simple -EnvironmentFile=-/etc/default/cloudstack-usage -ExecStart=/bin/sh -ec '\ - export UCP=`ls /usr/share/cloudstack-usage/cloud-usage-*.jar /usr/share/cloudstack-usage/lib/*.jar /usr/share/cloudstack-mysql-ha/lib/*.jar | tr "\\n" ":"`; \ - export CLASSPATH="$UCP:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"; \ - ${JAVA} -Dpid=${JAVA_PID} -Xms${JAVA_HEAP_INITIAL} -Xmx${JAVA_HEAP_MAX} -cp "$CLASSPATH" $JAVA_CLASS' +EnvironmentFile=/etc/default/cloudstack-usage +ExecStart=/usr/bin/java $JAVA_OPTS -cp $CLASSPATH $JAVA_CLASS Restart=always RestartSec=10s From 5af8829ffcbfb83a94caddba7eb90491e02dcaf9 Mon Sep 17 00:00:00 2001 From: Rohit Yadav Date: Mon, 4 Feb 2019 13:35:53 +0530 Subject: [PATCH 2/2] configure: fix travis failure due pycodestyle error Signed-off-by: Rohit Yadav --- systemvm/debian/opt/cloud/bin/configure.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py index c8e3ff6e5042..253eb7c57fe5 100755 --- a/systemvm/debian/opt/cloud/bin/configure.py +++ b/systemvm/debian/opt/cloud/bin/configure.py @@ -124,10 +124,10 @@ def add_rule(self): rnge = '' if "first_port" in self.rule.keys() and \ self.rule['first_port'] == self.rule['last_port']: - rnge = " --dport %s " % self.rule['first_port'] + rnge = " --dport %s " % self.rule['first_port'] if "first_port" in self.rule.keys() and \ self.rule['first_port'] != self.rule['last_port']: - rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port']) + rnge = " --dport %s:%s" % (rule['first_port'], rule['last_port']) logging.debug("Current ACL IP direction is ==> %s", self.direction)