Manage Network Permission | CloudStack Feature Deep Dive

Introduction In Apache CloudStack, users are organized into a logical structure of Accounts and Domains. In previous versions of Apache CloudStack each Account had its own resources, which could not be shared with other Accounts even when this was needed (e.g. when a software application in one Account needs to access an application in another Account under the same Domain). To make this work, users had to configure their networks with firewall rules, port forwarding, load balancing or private gateways. This method causes considerable network overhead, as every packet has to pass through two different Virtual Routers (VRs) to reach its destination. With Apache CloudStack […]

Self-service Shared Networks | CloudStack Feature Deep Dive

Introduction In Apache CloudStack it is possible to deploy three types of Guest Network: Isolated, VPC and Shared Networks. Previously in Apache CloudStack, Domain Admins and Regular Users could deploy only Isolated and VPC Networks. Shared Networks could only be deployed by Root Admins (as they require the selection of a VLAN), which adds considerable overhead and reduces the agility of the cloud offering. From the platform operator's perspective, Shared Networks might not be made available to Users at all because of the extra burden. From CloudStack 4.17 onwards, Domain Admins and Regular Users are able to deploy […]

System VM and Virtual Router Zero Downtime Upgrade | CloudStack Feature First Look

Introduction Apache CloudStack has always been easier to upgrade than many of its competitors, but a common pain point is that when a new release of Apache CloudStack is deployed, the operations team must organize maintenance windows to allow the redeployment of every customer's VR. Depending on the number of existing networks, planning and execution can be time-consuming, especially for mission-critical customer services, which often require the VR upgrade to be scheduled on a case-by-case basis. Also, to a much lesser extent, when upgrading system VMs the secondary storage and console proxy services have some downtime. With this new feature, the […]

IPv6 Support for Isolated and VPC Networks | CloudStack Feature First Look

The IPv6 protocol is a much-needed next step for the Internet and for networking in general. With the depletion of publicly routable IPv4 addresses, most providers will need to move to IPv6, which not only provides a far larger address space but also offers other advantages over IPv4, such as IPsec defined as part of the protocol suite, more efficient routing and better QoS. For a long time, Apache CloudStack offered IPv6 support only for Shared Networks. This changes with Apache CloudStack 4.17.0 LTS, which adds IPv6 support for Isolated Networks and VPCs, making it possible for users to deploy dual […]

Flexible Service Offerings | CloudStack Feature First Look

Introduction Apache CloudStack Service Offerings are sets of capabilities that a CloudStack admin makes available to users, defining the Instance, Volume and Network specifications users consume when creating their resources. Previously, when users deployed a new Instance, the Root Volume definition (disk size, IOPS and storage tags) was part of the Compute Offering. This is a limitation when users want to change the Instance's Root Volume characteristics, because those characteristics are tied to the Compute Offering used by the Instance. To address this limitation, Root Volume specifications have been decoupled from Compute Offerings. This new […]

ShapeBlue Security Advisory for CVE-2022-35741: XXE vulnerability in SAML 2.0 Service Provider Plugin for CloudStack

18 July 2022 13:30 UTC

Versions Affected: Any version of Apache CloudStack >= 4.5 (including the currently supported versions 4.16.0, 4.16.1 and 4.17).

Scope: Any Apache CloudStack environment on an affected version that has the SAML plugin enabled.

Summary: Apache CloudStack supports authentication through SAML 2.0 by providing a SAML 2.0 Service Provider Plugin. The plugin is disabled by default and is enabled by setting the global setting saml2.enabled to true. With this setting true on an affected version, XXE (XML External Entity) vulnerabilities could potentially be exploited for arbitrary file reading, possible denial of service, or server-side request forgery (SSRF) on the CloudStack […]
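Since exposure hinges on the single global setting named in the advisory, the first thing an operator wants is a scripted way to read it back from every management server. The following is an added example, not code from the advisory or from the Apache CloudStack project: it builds a signed `listConfigurations` request for `saml2.enabled` using CloudStack's API-key signing scheme (HMAC-SHA1 over the URL-encoded parameters sorted by name and lower-cased, base64-encoded, appended as `signature`) and interprets the JSON reply. The API endpoint, API key and secret key are assumed inputs; the sample replies embedded below are constructed in the shape of the JSON API's `listconfigurationsresponse`, not captured from a real server.

```python
"""Check whether the SAML 2.0 plugin is enabled on a CloudStack management server.

Added example; not code from the advisory or from the Apache CloudStack project.
Signs a listConfigurations call for the global setting `saml2.enabled` with the
CloudStack API-key scheme (HMAC-SHA1 over the sorted, lower-cased, URL-encoded
query, base64-encoded) and interprets the JSON reply. The endpoint, API key and
secret key are assumed inputs supplied by the operator.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from typing import Dict, Optional

SETTING = "saml2.enabled"


def sign_query(params: Dict[str, str], secret_key: str) -> str:
    """Return `params` as a query string with CloudStack's `signature` appended."""
    # Values are URL-encoded (space -> %20, never '+'); the string that is signed
    # is the encoded pairs sorted by parameter name and lower-cased in full.
    encoded = [(k, urllib.parse.quote(str(v), safe="")) for k, v in params.items()]
    canonical = "&".join(
        f"{k}={v}" for k, v in sorted(encoded, key=lambda kv: kv[0].lower())
    ).lower()
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    query = "&".join(f"{k}={v}" for k, v in encoded)
    return f"{query}&signature={urllib.parse.quote(signature, safe='')}"


def saml_enabled_url(api_url: str, api_key: str, secret_key: str) -> str:
    """Build the signed GET URL that asks only for the `saml2.enabled` setting."""
    params = {
        "command": "listConfigurations",
        "name": SETTING,
        "response": "json",
        "apikey": api_key,
    }
    return f"{api_url}?{sign_query(params, secret_key)}"


def saml_enabled_from_response(body: str) -> Optional[bool]:
    """Parse a listConfigurations JSON reply.

    Returns True/False for the setting's value, or None when the reply does not
    carry the setting at all (e.g. the API key's account may not read it).
    """
    data = json.loads(body)
    response = data.get("listconfigurationsresponse", {})
    for item in response.get("configuration", []):
        if item.get("name") == SETTING:
            return str(item.get("value", "")).strip().lower() == "true"
    return None


def check_saml_enabled(api_url: str, api_key: str, secret_key: str,
                       timeout: float = 10.0) -> Optional[bool]:
    """Perform the signed request against a live management server."""
    url = saml_enabled_url(api_url, api_key, secret_key)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return saml_enabled_from_response(resp.read().decode("utf-8"))


# Constructed sample replies in the shape of CloudStack's JSON API responses;
# not captured from a real server.
SAMPLE_ENABLED = json.dumps({
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [{"category": "Advanced", "name": SETTING, "value": "true"}],
    }
})
SAMPLE_DISABLED = SAMPLE_ENABLED.replace('"value": "true"', '"value": "false"')

if __name__ == "__main__":
    # Offline demonstration on the constructed replies; call check_saml_enabled()
    # with a real endpoint (assumed form: https://cloud.example.com/client/api)
    # and an operator's API key pair to query a live management server.
    print("enabled sample  ->", saml_enabled_from_response(SAMPLE_ENABLED))
    print("disabled sample ->", saml_enabled_from_response(SAMPLE_DISABLED))
    print(saml_enabled_url("https://cloud.example.com/client/api",
                           "EXAMPLE_API_KEY", "EXAMPLE_SECRET_KEY"))
```

A `True` result on one of the affected versions means the environment is in the advisory's scope and needs the remediation the advisory describes; a `None` result means the key used cannot see global settings, so re-run it with a Root Admin key rather than treating the absence as "disabled".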

Structured System Events | CloudStack Feature First Look

The events notification framework is a key component of Apache CloudStack, facilitating traceability of operations and enabling cloud operators to automate tasks which would otherwise require admin intervention at regular intervals. Though quite useful, events in CloudStack had a major inconsistency regarding information about the resource involved (i.e. Instances, Templates, Volumes, Networks, Accounts, etc.). To identify the resource in question, one had to refer to the event description, which might contain the resource's UUID or its internal database ID. This made tracking resource operations difficult and also hindered automation, as the administrator would have to parse event description strings (which are not […]

ShapeBlue Advisory on Libvirt 8+ Compatibility Issues with CloudStack

Overview As of the 4.15 release, CloudStack has supported various EL8 operating systems / hypervisors, namely RHEL 8, CentOS 8, Rocky Linux 8 (and in theory – as of CloudStack 4.16 – all other EL8 variants, including e.g. Alma Linux 8) – for both management servers and hypervisors. Similarly, support for Ubuntu 20.04 was added as of CloudStack 4.15, and OpenSUSE as of 4.16. All these Linux systems worked fine as hypervisors until libvirt was upgraded to version 8+. Effects on CloudStack Historically, CloudStack set 22-character VNC passwords for KVM Virtual Machines, and libvirt was silently trimming it […]

What’s New in Apache CloudStack 4.17

* The content in this blog is a reproduction of the Apache CloudStack 4.17 release blog, which can be viewed via this link. Apache CloudStack 4.17 is the latest release of the cloud management platform from the Apache Software Foundation and is the result of months of work by the development community. Apache CloudStack 4.17 is an LTS (Long Term Support) release and will therefore be maintained for a period of 18 months after release. As always, the release contains a myriad of small improvements and bug fixes, but here we focus on the major new functionality of the release. VR […]

New Server Status and Metric Views | CloudStack Feature First Look

Overview In CloudStack 4.17 a brief overview of the status of various services can be retrieved. This includes information on the Management Server(s), the Database and the Usage server. It is a quick overview for operators and does not replace a full-fledged monitoring system. Use Case It is now possible, from within Apache CloudStack, to know the status of its management infrastructure. The status should indicate which management servers are up, their memory and CPU use, internal telemetry such as workers in use and JVM memory use, the health of the MySQL host(s), etc. Of course, further enhancements and configurability are possible, but […]