From fab14c5f5a7ae9c0a0c88aeb2228b1632fe0e455 Mon Sep 17 00:00:00 2001
From: vishesh92
Date: Wed, 18 Mar 2026 15:31:35 +0530
Subject: [PATCH 1/2] Remove realhostip references from the code
---
 .pre-commit-config.yaml | 2 +-
 .../META-INF/db/schema-42210to42300.sql | 11 ++++++++++
 scripts/util/keystore-cert-import | 19 +++++++++--------
 .../cloud/server/ConfigurationServerImpl.java | 4 ++--
 .../storage/download/DownloadMonitorImpl.java | 5 -----
 .../storage/upload/UploadMonitorImpl.java | 13 +++++-------
 .../java/com/cloud/keystore/KeystoreTest.java | 12 +++++------
 services/console-proxy/server/pom.xml | 2 +-
 services/secondary-storage/server/pom.xml | 2 +-
 .../certs/{realhostip.crt => systemvm.crt} | 0
 .../certs/{realhostip.csr => systemvm.csr} | 0
 .../certs/{realhostip.key => systemvm.key} | 0
 ...{realhostip.keystore => systemvm.keystore} | Bin
 systemvm/agent/scripts/_run.sh | 2 +-
 systemvm/agent/scripts/config_ssl.sh | 6 +++---
 .../debian/opt/cloud/bin/setup/bootstrap.sh | 2 +-
 systemvm/patch-sysvms.sh | 18 ++++++++--------
 systemvm/pom.xml | 2 +-
 .../utils/imagestore/ImageStoreUtilTest.java | 4 ++--
 19 files changed, 54 insertions(+), 50 deletions(-)
 rename systemvm/agent/certs/{realhostip.crt => systemvm.crt} (100%)
 rename systemvm/agent/certs/{realhostip.csr => systemvm.csr} (100%)
 rename systemvm/agent/certs/{realhostip.key => systemvm.key} (100%)
 rename systemvm/agent/certs/{realhostip.keystore => systemvm.keystore} (100%)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 755ae125edf0..91537e25267e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -151,7 +151,7 @@ repos:
 ^server/src/test/resources/certs/rsa_self_signed\.key$|
 ^services/console-proxy/rdpconsole/src/test/doc/rdp-key\.pem$|
 ^systemvm/agent/certs/localhost\.key$|
- ^systemvm/agent/certs/realhostip\.key$|
+ ^systemvm/agent/certs/systemvm\.key$|
 ^test/integration/smoke/test_ssl_offloading\.py$
 - id: end-of-file-fixer
 exclude: \.vhd$|\.svg$
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql index dfa5fa8f3a14..8142a1153137 100644 --- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql +++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql @@ -149,3 +149,14 @@ SELECT 'Advanced', 'DEFAULT', 'CapacityManager', 'kvm.cpu.dynamic.scaling.capaci FROM `cloud`.`configuration` `cfg` WHERE NOT EXISTS (SELECT 1 FROM `cloud`.`configuration` WHERE `name` = 'kvm.cpu.dynamic.scaling.capacity') AND `cfg`.`name` = 'vm.serviceoffering.cpu.cores.max'; + +-- Remove stale realhostip.com default values; domain has been dead since ~2015. +UPDATE `cloud`.`configuration` + SET value = NULL + WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain') + AND value IN ('realhostip.com', '*.realhostip.com'); + +UPDATE `cloud`.`configuration` + SET value = NULL + WHERE name = 'secstorage.secure.copy.cert' + AND value LIKE '%realhostip%'; diff --git a/scripts/util/keystore-cert-import b/scripts/util/keystore-cert-import index cf355e098454..447dcd71745f 100755 --- a/scripts/util/keystore-cert-import +++ b/scripts/util/keystore-cert-import 
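Review bot: The two cleanup statements match differently: the first nulls `consoleproxy.url.domain` and `secstorage.ssl.cert.domain` only for the exact values `'realhostip.com'` and `'*.realhostip.com'`, while the second uses `LIKE '%realhostip%'`, so a deployment whose domain was set to some other realhostip-derived form (a sub-zone, a trailing dot, different case) keeps the dead name and continues to produce unreachable HTTPS hostnames. If the intent is to scrub every such value, `AND value LIKE '%realhostip.com'` on the first statement would make the two agree and is still narrow enough not to touch unrelated domains. It is also worth noting in the header comment that NULL is the expected "unset" value: the Java reader of `secstorage.ssl.cert.domain` in this series guards with `_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0`, but the reader of `consoleproxy.url.domain` is not in the patch and should be confirmed to treat NULL like an empty string.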
@@ -137,18 +137,19 @@ if [ -f "$SYSTEM_FILE" ]; then chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt update-ca-certificates > /dev/null 2>&1 || true - # Import CA cert(s) into realhostip.keystore so the SSVM JVM - # (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh) - # can trust servers signed by the CloudStack CA - REALHOSTIP_KS_FILE="$(dirname "$(dirname "$PROPS_FILE")")/certs/realhostip.keystore" - REALHOSTIP_PASS="vmops.com" - if [ -f "$REALHOSTIP_KS_FILE" ]; then + # Also import CA cert(s) into systemvm.keystore. KS_FILE (cloud.jks) above + # is the agent's mTLS keystore; the SSVM JVM, however, reads its truststore + # from systemvm.keystore (see -Djavax.net.ssl.trustStore in _run.sh), so the + # CA must be added here too for the SSVM to trust CloudStack-CA-signed servers. + SYSTEMVM_KS_FILE="$(dirname "$(dirname "$PROPS_FILE")")/certs/systemvm.keystore" + SYSTEMVM_PASS="vmops.com" + if [ -f "$SYSTEMVM_KS_FILE" ]; then awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE" for caChain in $(ls cloudca.* 2>/dev/null); do - keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \ - -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true + keytool -delete -noprompt -alias "$caChain" -keystore "$SYSTEMVM_KS_FILE" \ + -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \ - -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 + -keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 done rm -f cloudca.* fi diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java index 8f10dd84b54d..1be7e4834767 100644 --- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java +++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java 
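Review bot: The rewritten loop still sends the `keytool -import` output to `/dev/null 2>&1` with no fallback, so a failed import into `$SYSTEMVM_KS_FILE` (wrong store password, unreadable store, a malformed chain segment from the awk split) leaves the SSVM truststore without the CloudStack CA and the only symptom is a later TLS failure with nothing in the log; the preceding `-delete` is allowed to fail, but the import is the step that matters. A trailer such as `> /dev/null 2>&1 || echo "failed to import $caChain into $SYSTEMVM_KS_FILE" >&2` keeps the loop going while leaving a trace. The same silent import is repeated in the patch-sysvms.sh hunk further down. Keeping the fixed store password `vmops.com` is a carry-over rather than a change here, but since the rename touches every site that embeds it, a one-line comment at `SYSTEMVM_PASS` saying it is the well-known default of the shipped keystore and not a secret would stop the next reader from treating it as one. The enclosing `if [ -f "$SYSTEM_FILE" ]` block starts before the hunk.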
@@ -222,8 +222,8 @@ public void persistDefaultValues() throws InternalErrorException { _configDao.update(Config.SecStorageEncryptCopy.key(), Config.SecStorageEncryptCopy.getCategory(), "false"); logger.debug("ConfigurationServer made secondary storage copy encrypt set to false."); - _configDao.update("secstorage.secure.copy.cert", "realhostip"); - logger.debug("ConfigurationServer made secondary storage copy use realhostip."); + _configDao.update("secstorage.secure.copy.cert", ""); + logger.debug("ConfigurationServer cleared legacy secstorage.secure.copy.cert."); _configDao.update("user.password.encoders.exclude", "MD5,LDAP,PLAINTEXT"); logger.debug("Configuration server excluded insecure encoders"); diff --git a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java index 67d5b091a032..5258f4337550 100644 --- a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java +++ b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java @@ -87,11 +87,6 @@ public boolean configure(String name, Map params) { final Map configs = _configDao.getConfiguration("management-server", params); _proxy = configs.get(Config.SecStorageProxy.key()); - String cert = configs.get("secstorage.ssl.cert.domain"); - if (!"realhostip.com".equalsIgnoreCase(cert)) { - logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs"); - } - _copyAuthPasswd = configs.get("secstorage.copy.password"); DownloadListener dl = new DownloadListener(this); diff --git a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java index 7962d9dced9c..a32790c135d2 100644 --- a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java +++ b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java 
@@ -231,8 +231,8 @@ public UploadVO createEntityDownloadURL(VMTemplateVO template, TemplateDataStore
 UploadVO upload = extractURLList.get(0);
 String uploadUrl = extractURLList.get(0).getUploadUrl();
 String[] token = uploadUrl.split("/");
- // example: uploadUrl = https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
- // then token[2] = 10-11-101-112.realhostip.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // example: uploadUrl = https://10-11-101-112.example.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // then token[2] = 10-11-101-112.example.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
 String hostname = ep.getPublicAddr().replace(".", "-") + ".";
 if ((token != null) && (token.length == 5) && (token[2].equals(hostname + _ssvmUrlDomain))) // ssvm publicip and domain suffix not changed
 return extractURLList.get(0);
@@ -365,7 +365,9 @@ private String generateCopyUrl(String ipAddress, String uuid) {
 if (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) {
 hostname = hostname + "." + _ssvmUrlDomain;
 } else {
- hostname = hostname + ".realhostip.com";
+ logger.warn("SSL copy is enabled but secstorage.ssl.cert.domain is not configured; " +
+ "using IP address directly. Configure a wildcard SSL certificate domain for proper HTTPS support.");
+ hostname = ipAddress;
 }
 }
 return scheme + "://" + hostname + "/userdata/" + uuid;
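Review bot: The new fallback in `generateCopyUrl` (second hunk) switches the URL host from the dashed-IP name illustrated in the first hunk's comment to the bare `ipAddress`, and that form can never satisfy the reuse check in `createEntityDownloadURL` (first hunk), which compares `token[2]` against `ep.getPublicAddr().replace(".", "-") + "." + _ssvmUrlDomain`; if the stored upload URL is produced by `generateCopyUrl`, then with no domain configured the comparison always fails and a fresh URL is issued on every call. An `https://<ip>/userdata/...` URL is also unlikely to pass hostname verification against the wildcard certificate the warning asks for, since such a certificate carries DNS names rather than an IP SAN, so the copy is nominally SSL but presumably cannot be verified by the client, and the warning fires once per generated URL rather than once per configuration. It would be cleaner to evaluate `_sslCopy && (_ssvmUrlDomain == null || _ssvmUrlDomain.length() == 0)` a single time in `configure()` (the hunk at line 376, where both fields are read) and warn or reject there, leaving `generateCopyUrl` to only build the URL. Both enclosing methods start outside their hunks.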
@@ -376,11 +378,6 @@ public boolean configure(String name, Map params) throws Configu final Map configs = _configDao.getConfiguration("management-server", params); _sslCopy = Boolean.parseBoolean(configs.get("secstorage.encrypt.copy")); - String cert = configs.get("secstorage.secure.copy.cert"); - if ("realhostip.com".equalsIgnoreCase(cert)) { - logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs"); - } - _ssvmUrlDomain = configs.get("secstorage.ssl.cert.domain"); _agentMgr.registerForHostEvents(new UploadListener(this), true, false, false); diff --git a/server/src/test/java/com/cloud/keystore/KeystoreTest.java b/server/src/test/java/com/cloud/keystore/KeystoreTest.java index 970892dc325e..2b991d4a4f7c 100644 --- a/server/src/test/java/com/cloud/keystore/KeystoreTest.java +++ b/server/src/test/java/com/cloud/keystore/KeystoreTest.java 
@@ -75,20 +75,20 @@ public void testKeystoreSave() throws Exception { ComponentLocator locator = ComponentLocator.getCurrentLocator(); KeystoreDao ksDao = locator.getDao(KeystoreDao.class); - ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "realhostip.com"); + ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "example.com"); ksVo = ksDao.findByName("CPVMCertificate"); assertTrue(ksVo != null); assertTrue(ksVo.getCertificate().equals("CPVMCertificate")); assertTrue(ksVo.getKey().equals("KeyForCertificate")); - assertTrue(ksVo.getDomainSuffix().equals("realhostip.com")); + assertTrue(ksVo.getDomainSuffix().equals("example.com")); - ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.realhostip.com"); + ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.example.com"); ksVo = ksDao.findByName("CPVMCertificate"); assertTrue(ksVo != null); assertTrue(ksVo.getCertificate().equals("CPVMCertificate Again")); assertTrue(ksVo.getKey().equals("KeyForCertificate Again")); - assertTrue(ksVo.getDomainSuffix().equals("again.realhostip.com")); + assertTrue(ksVo.getDomainSuffix().equals("again.example.com")); ksDao.expunge(ksVo.getId()); } @@ -112,9 +112,9 @@ public void testKeystoreManager() throws Exception { assertTrue(ksMgr.configure("TaskManager", new HashMap())); assertTrue(ksMgr.start()); - ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "realhostip.com"); + ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "example.com"); - byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "realhostip", "vmops.com"); + byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "example", "vmops.com"); assertTrue(ksBits != null); try { diff --git a/services/console-proxy/server/pom.xml b/services/console-proxy/server/pom.xml index 3f5b9db68c2e..6e18a13bc57b 100644 --- a/services/console-proxy/server/pom.xml 
+++ b/services/console-proxy/server/pom.xml @@ -80,7 +80,7 @@ certs - realhostip.csr + systemvm.csr diff --git a/services/secondary-storage/server/pom.xml b/services/secondary-storage/server/pom.xml index e6aec8a42f70..ca26bf2bbbe9 100644 --- a/services/secondary-storage/server/pom.xml +++ b/services/secondary-storage/server/pom.xml @@ -107,7 +107,7 @@ javax.net.ssl.trustStore - certs/realhostip.keystore + certs/systemvm.keystore log.home ${PWD}/ diff --git a/systemvm/agent/certs/realhostip.crt b/systemvm/agent/certs/systemvm.crt similarity index 100% rename from systemvm/agent/certs/realhostip.crt rename to systemvm/agent/certs/systemvm.crt diff --git a/systemvm/agent/certs/realhostip.csr b/systemvm/agent/certs/systemvm.csr similarity index 100% rename from systemvm/agent/certs/realhostip.csr rename to systemvm/agent/certs/systemvm.csr diff --git a/systemvm/agent/certs/realhostip.key b/systemvm/agent/certs/systemvm.key similarity index 100% rename from systemvm/agent/certs/realhostip.key rename to systemvm/agent/certs/systemvm.key diff --git a/systemvm/agent/certs/realhostip.keystore b/systemvm/agent/certs/systemvm.keystore similarity index 100% rename from systemvm/agent/certs/realhostip.keystore rename to systemvm/agent/certs/systemvm.keystore diff --git a/systemvm/agent/scripts/_run.sh b/systemvm/agent/scripts/_run.sh index 11158ecf5bd1..bb024f71c08b 100755 --- a/systemvm/agent/scripts/_run.sh +++ b/systemvm/agent/scripts/_run.sh @@ -60,4 +60,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then fi fi -java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@ +java -Djavax.net.ssl.trustStore=./certs/systemvm.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@ 
diff --git a/systemvm/agent/scripts/config_ssl.sh b/systemvm/agent/scripts/config_ssl.sh index e9340b099f62..3968b2617f21 100755 --- a/systemvm/agent/scripts/config_ssl.sh +++ b/systemvm/agent/scripts/config_ssl.sh @@ -52,13 +52,13 @@ cflag= cpkflag= cpcflag= cccflag= -customPrivKey=$(dirname $0)/certs/realhostip.key -customPrivCert=$(dirname $0)/certs/realhostip.crt +customPrivKey=$(dirname $0)/certs/systemvm.key +customPrivCert=$(dirname $0)/certs/systemvm.crt customCertChain= customCACert= publicIp= hostName= -keyStore=$(dirname $0)/certs/realhostip.keystore +keyStore=$(dirname $0)/certs/systemvm.keystore defaultJavaKeyStoreFile=/etc/ssl/certs/java/cacerts defaultJavaKeyStorePass="changeit" aliasName="CPVMCertificate" diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh index f7c071c8cc0e..c601f6ad2210 100755 --- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh +++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh @@ -65,7 +65,7 @@ patch_systemvm() { fi rm -fr $backupfolder # Import global cacerts into 'cloud' service's keystore - keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true + keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true return 0 } diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh index 8d96de9ba3b8..e8fa06018ed4 100755 --- a/systemvm/patch-sysvms.sh +++ b/systemvm/patch-sysvms.sh 
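Review bot: `customPrivKey` and `customPrivCert` now default to `certs/systemvm.key` and `certs/systemvm.crt`, which are the renamed files this patch keeps in the repository (the `.pre-commit-config.yaml` hunk carries the matching private-key exclusion over to the new name). The rename drops the dead domain from the filename but not the property that every system VM built from this tree ships the same committed key pair as its default; a comment at these two assignments stating that the shipped pair is a placeholder expected to be replaced by CA-issued material (the `cpkflag`/`cpcflag` variables above suggest command-line overrides exist) would make that explicit for operators reading the script. If the repo-shipped key is never meant to serve traffic, the stronger follow-up is to stop shipping it and generate one on first boot, which is outside this patch. The script's option parsing around these variables is not in the hunk.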
@@ -126,25 +126,25 @@ patch_systemvm() { if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then # Import global cacerts into 'cloud' service's keystore - REALHOSTIP_KS_FILE="/usr/local/cloud/systemvm/certs/realhostip.keystore" - REALHOSTIP_PASS="vmops.com" + SYSTEMVM_KS_FILE="/usr/local/cloud/systemvm/certs/systemvm.keystore" + SYSTEMVM_PASS="vmops.com" keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts \ - -destkeystore "$REALHOSTIP_KS_FILE" -srcstorepass changeit -deststorepass \ - "$REALHOSTIP_PASS" -noprompt 2>/dev/null || true + -destkeystore "$SYSTEMVM_KS_FILE" -srcstorepass changeit -deststorepass \ + "$SYSTEMVM_PASS" -noprompt 2>/dev/null || true - # Import CA cert(s) into realhostip.keystore so the SSVM JVM + # Import CA cert(s) into systemvm.keystore so the SSVM JVM # (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh) # can trust servers signed by the CloudStack CA CACERT_FILE="/usr/local/share/ca-certificates/cloudstack/ca.crt" - if [ -f "$CACERT_FILE" ] && [ -f "$REALHOSTIP_KS_FILE" ]; then + if [ -f "$CACERT_FILE" ] && [ -f "$SYSTEMVM_KS_FILE" ]; then awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE" for caChain in $(ls cloudca.* 2>/dev/null); do - keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \ - -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true + keytool -delete -noprompt -alias "$caChain" -keystore "$SYSTEMVM_KS_FILE" \ + -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 || true keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \ - -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 + -keystore "$SYSTEMVM_KS_FILE" -storepass "$SYSTEMVM_PASS" > /dev/null 2>&1 done rm -f cloudca.* fi diff --git a/systemvm/pom.xml b/systemvm/pom.xml index 9bffc45cf4eb..ca9176ee85f9 100644 --- a/systemvm/pom.xml +++ b/systemvm/pom.xml 
@@ -205,7 +205,7 @@ javax.net.ssl.trustStore - certs/realhostip.keystore + certs/systemvm.keystore log.home ${PWD}/ diff --git a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java index b7df14dc85d0..e50eefd466bf 100644 --- a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java +++ b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java @@ -27,7 +27,7 @@ public class ImageStoreUtilTest { @Test public void testgenerateHttpsPostUploadUrl() throws MalformedURLException { - String ssvmdomain = "*.realhostip.com"; + String ssvmdomain = "*.example.com"; String ipAddress = "10.147.28.14"; String uuid = UUID.randomUUID().toString(); String protocol = "https"; @@ -47,7 +47,7 @@ public void testgenerateHttpsPostUploadUrl() throws MalformedURLException { @Test public void testgenerateHttpPostUploadUrl() throws MalformedURLException { - String ssvmdomain = "*.realhostip.com"; + String ssvmdomain = "*.example.com"; String ipAddress = "10.147.28.14"; String uuid = UUID.randomUUID().toString(); String protocol = "http"; From caebd0cb97cdeee35a830e9d3b0d9dbb3b5f21f8 Mon Sep 17 00:00:00 2001 From: vishesh92 Date: Tue, 24 Mar 2026 16:04:02 +0530 Subject: [PATCH 2/2] remove unused code --- .../src/main/resources/META-INF/db/schema-42210to42300.sql | 5 ----- .../main/java/com/cloud/server/ConfigurationServerImpl.java | 3 --- 2 files changed, 8 deletions(-) diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql index 8142a1153137..13b79d330ac0 100644 --- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql +++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql 
@@ -155,8 +155,3 @@ UPDATE `cloud`.`configuration` SET value = NULL WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain') AND value IN ('realhostip.com', '*.realhostip.com'); - -UPDATE `cloud`.`configuration` - SET value = NULL - WHERE name = 'secstorage.secure.copy.cert' - AND value LIKE '%realhostip%'; diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java index 1be7e4834767..def564dfdc68 100644 --- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java +++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java @@ -222,9 +222,6 @@ public void persistDefaultValues() throws InternalErrorException { _configDao.update(Config.SecStorageEncryptCopy.key(), Config.SecStorageEncryptCopy.getCategory(), "false"); logger.debug("ConfigurationServer made secondary storage copy encrypt set to false."); - _configDao.update("secstorage.secure.copy.cert", ""); - logger.debug("ConfigurationServer cleared legacy secstorage.secure.copy.cert."); - _configDao.update("user.password.encoders.exclude", "MD5,LDAP,PLAINTEXT"); logger.debug("Configuration server excluded insecure encoders");