Fix direct download URL checks #7693
Conversation
nvazquez
requested review from
DaanHoogland,
rohityadavcloud,
shwstppr and
weizhouapache
|
@blueorangutan package |
|
@nvazquez a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6341 |
|
@blueorangutan test |
|
@nvazquez a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
[SF] Trillian Build Failed (tid-6870) |
|
@blueorangutan test |
|
@kiranchavala a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
[SF] Trillian test result (tid-6875)
|
core/src/main/java/org/apache/cloudstack/direct/download/HttpsDirectTemplateDownloader.java
Show resolved
Hide resolved
kiranchavala
left a comment
kiranchavala
left a comment
There was a problem hiding this comment.
LGTM
Tested the issue with http, https and metalink template links and the directdownload link is working fine
Before the fix
2023-06-27 05:42:41,470 WARN [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-5:null) (logid:96df14c1) Error downloading template 226 due to: Error on HTTPS request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
After the fix
2023-06-27 11:02:09,364 DEBUG [cloud.agent.Agent] (agentRequest-Handler-3:null) (logid:c6e0ab18) Processing command: org.apache.cloudstack.agent.directdownload.HttpsDirectDownloadCommand
2023-06-27 11:02:09,364 DEBUG [storage.resource.StorageSubsystemCommandHandlerBase] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing command HttpsDirectDownloadCommand: [{"url":"https://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/releases/37/Cloud/x86_64/images/Fedora-Cloud-Base-37-1.7.x86_64.qcow2","templateId":204,"destData":{"origUrl":"https://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/releases/37/Cloud/x86_64/images/Fedora-Cloud-Base-37-1.7.x86_64.qcow2","uuid":"0a5a5582-a6d2-4566-af24-206568bcf354","id":204,"format":"QCOW2","accountId":2,"hvm":true,"displayText":"fedora3","imageDataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"3c9ef251-b75d-3d2b-88ee-0122246e9f7e","name":"pr7693-t6872-kvm-centos7-kvm-pri1","id":1,"poolType":"NetworkFilesystem","host":"10.0.32.4","path":"/acs/primary/pr7693-t6872-kvm-centos7/pr7693-t6872-kvm-centos7-kvm-pri1","port":2049,"url":"NetworkFilesystem://10.0.32.4/acs/primary/pr7693-t6872-kvm-centos7/pr7693-t6872-kvm-centos7-kvm-pri1/?ROLE=Primary&STOREUUID=3c9ef251-b75d-3d2b-88ee-0122246e9f7e","isManaged":false}},"name":"204-2-54b96105-91a3-3d81-a34f-85692f07c72a","size":5368709120,"hypervisorType":"KVM","bootable":false,"uniqueName":"204-2-54b96105-91a3-3d81-a34f-85692f07c72a","directDownload":true,"deployAsIs":false},"destPool":{"uuid":"3c9ef251-b75d-3d2b-88ee-0122246e9f7e","name":"pr7693-t6872-kvm-centos7-kvm-pri1","id":1,"poolType":"NetworkFilesystem","host":"10.0.32.4","path":"/acs/primary/pr7693-t6872-kvm-centos7/pr7693-t6872-kvm-centos7-kvm-pri1","port":2049,"url":"NetworkFilesystem://10.0.32.4/acs/primary/pr7693-t6872-kvm-centos7/pr7693-t6872-kvm-centos7-kvm-pri1/?ROLE=Primary&STOREUUID=3c9ef251-b75d-3d2b-88ee-0122246e9f7e","isManaged":false},"headers":{},"connectTimeout":5000,"soTimeout":5000,"connectionRequestTimeout":5000,"templateSize":5368709120,"format":"QCOW2","wait":10800,"bypassHostMaintenance":false}].
2023-06-27 11:02:09,364 DEBUG [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-3:null) (logid:c6e0ab18) Verifying temporary location for downloading the template exists on the host
2023-06-27 11:02:10,542 DEBUG [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-3:null) (logid:c6e0ab18) Checking for free space on the host for downloading the template with physical size: 492830720 and virtual size: 5368709120
2023-06-27 11:02:10,543 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing: /bin/bash -c df --output=avail /var/lib/libvirt/images -B 1 | tail -1
2023-06-27 11:02:10,546 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing while with timeout : 3600000
2023-06-27 11:02:10,558 DEBUG [kvm.storage.LibvirtStorageAdaptor] (agentRequest-Handler-3:null) (logid:c6e0ab18) Successfully refreshed pool 3c9ef251-b75d-3d2b-88ee-0122246e9f7e Capacity: (1.9990 TB) 2197949513728 Used: (1.4938 TB) 1642465329152 Available: (517.33 GB) 555484184576
2023-06-27 11:02:10,558 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing: /bin/bash -c sed -n '/keystore.passphrase/p' '/etc/cloudstack/agent/agent.properties' 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null
2023-06-27 11:02:10,561 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing while with timeout : 3600000
2023-06-27 11:02:10,565 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Execution is successful.
2023-06-27 11:02:10,585 DEBUG [kvm.storage.KVMStorageProcessor] (agentRequest-Handler-3:null) (logid:c6e0ab18) Trying to download template
2023-06-27 11:02:11,677 INFO [direct.download.DirectTemplateDownloaderImpl] (agentRequest-Handler-3:null) (logid:c6e0ab18) Downloading template 204 from https://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/releases/37/
Cloud/x86_64/images/Fedora-Cloud-Base-37-1.7.x86_64.qcow2 to: /var/lib/libvirt/images/template/2/204/Fedora-Cloud-Base-37-1.7.x86_64.qcow2
2023-06-27 11:03:54,376 INFO [direct.download.DirectTemplateDownloaderImpl] (agentRequest-Handler-3:null) (logid:c6e0ab18) No checksum provided, skipping checksum validation
2023-06-27 11:03:54,379 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing: /bin/bash -c file /var/lib/libvirt/images/template/2/204/Fedora-Cloud-Base-37-1.7.x86_64.qcow2 | awk -F' ' '{print $2}'
2023-06-27 11:03:54,382 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing while with timeout : 3600000
2023-06-27 11:03:54,388 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Execution is successful.
2023-06-27 11:03:54,389 DEBUG [utils.script.Script] (agentRequest-Handler-3:null) (logid:c6e0ab18) Executing: /bin/bash -c mv /var/lib/libvirt/images/template/2/204/Fedora-Cloud-Base-37-1.7.x86_64.qcow2 /mnt/3c9ef251-b75d-3d2b-88ee-0122246e9f7e/a76d363c-ba0f-47e3-bfd3-10448127ec1d
shwstppr
left a comment
shwstppr
left a comment
There was a problem hiding this comment.
LGTM
Though the effective change/improvement is to load custom and system-trusted SSL certificates while checking accessibility and getting the size for a direct-download QCOW2 template, a lot of refactoring was needed to achieve that.
Tested with a HTTPS template URL and can see it getting registered without errors.
Codecov Report
@@ Coverage Diff @@
## 4.18 #7693 +/- ##
=========================================
Coverage 13.00% 13.01%
- Complexity 9013 9015 +2
=========================================
Files 2719 2719
Lines 256854 256836 -18
Branches 40048 40045 -3
=========================================
+ Hits 33413 33418 +5
+ Misses 219255 219231 -24
- Partials 4186 4187 +1
... and 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
@blueorangutan package |
|
@rohityadavcloud a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6374 |
|
@blueorangutan test |
|
@rohityadavcloud a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
rohityadavcloud
left a comment
rohityadavcloud
left a comment
There was a problem hiding this comment.
LGTM didn't test it, need to pass smoketests
DaanHoogland
left a comment
DaanHoogland
left a comment
There was a problem hiding this comment.
new files don't end with a new line. Can you add those?
| } | ||
| } | ||
|
|
||
| private SSLContext getSSLContext() { |
There was a problem hiding this comment.
there are nested try statements in this method. I think it can do with some restructuring.
| private SSLContext getSSLContext() { | ||
| try { | ||
| KeyStore customKeystore = KeyStore.getInstance("jks"); | ||
| try (FileInputStream instream = new FileInputStream(new File("/etc/cloudstack/agent/cloud.jks"))) { |
There was a problem hiding this comment.
can this move to a separate method?
| KeyStore defaultKeystore = KeyStore.getInstance(KeyStore.getDefaultType()); | ||
| String relativeCacertsPath = "/lib/security/cacerts".replace("/", File.separator); | ||
| String filename = System.getProperty("java.home") + relativeCacertsPath; | ||
| try (FileInputStream is = new FileInputStream(filename)) { |
There was a problem hiding this comment.
can this load to a separate method as well?
| return Iterables.getFirst(Iterables.filter( | ||
| Arrays.asList(factory.getTrustManagers()), X509TrustManager.class), null); | ||
| } catch (NoSuchAlgorithmException | KeyStoreException e) { | ||
| e.printStackTrace(); |
There was a problem hiding this comment.
why not logging, but error output?
|
[SF] Trillian test result (tid-6937)
|
|
@rohityadavcloud , that was an premature merge. I have some comments out that should be addressed! |
cc @nvazquez |
|
this could be fixed by #7923 |
7 participants
Description
This PR fixes the URL check for direct downloads, in the case of HTTPS URLs the certificates were not loaded into the SSL context
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
Tested on KVM with HTTPS, HTTP and metalink templates