Sync master to feature/configure-ssh #6357
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…xapi-project#6049) - add a new type of origin: "remote_pool" - add a new API: "introduce_remote_pool" to init a remote_pool repository - add a new field: "certificate" for a remote_pool repository - for a remote_pool repository, binary_url will be reused to hold the base URL of binary packages in the local repository of the remote pool in https://<coordinator-ip>/repository format Signed-off-by: Gang Ji <gang.ji@cloud.com>
The HTTP /repository handler is guarded by a mutex `exposing_pool_repo_mutex` currently. Since now HTTP /repository is protected by `session_id` cookie, we can remove the mutex from this handler and keep the handler enabled all the time. Also, rename the mutex `exposing_pool_repo_mutex` to `pool_update_ops_mutex`. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
The HTTP /repository handler is guarded by a mutex `exposing_pool_repo_mutex` currently. Since now HTTP /repository is protected by `session_id` cookie, we can remove the mutex and keep the handler enabled all the time. Also, rename the mutex `exposing_pool_repo_mutex` to `pool_update_ops_mutex`.
…ol-join Merge master to easier-pool-join
merge master to feature/easier-pool-join
Now xapi supports setting up rpc to hosts in the pool and appliances, while for syncing updates from remote_pool type repository, we need to set up rpc to remote coordinator with its certificate verfieid. Add util Helpers.make_external_host_verified_rpc, which will set up a secure connection to the external host(host outside the pool) with its host certificate verified. Signed-off-by: Gang Ji <gang.ji@cloud.com>
Now xapi supports setting up rpc to hosts in the pool and appliances, while for syncing updates from remote_pool type repository, we need to set up rpc to remote coordinator with its certificate verfieid. Add util Helpers.make_external_host_verified_rpc, which will set up a secure connection to the external host(host outside the pool) with its host certificate verified.
Add an assertion to restrict `binary_url` of remote_pool repository to be in the format of `https://<coordinator-ip>/repository/enabled`. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
…roject#6089) 1. Add an assertion to restrict `binary_url` of remote_pool repository to be in the format of `https://<coordinator-ip>/repository/enabled`. 2. Add UT for restrict/check `binary_url` of remote_pool repository.
Add handler for `/repository/enabled`. Replase `/enabled` with the current enabled repository. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
Adding process logic for `/repository/enabled`. If there is `/enabled` after `/repository` in URI, then to find the current enabled repository. Otherwise, keep the existing process logic.
1. `remote_pool` repo doesn't support periodic sync updates. 2. Periodic sync updates should be auto-disabled when calling `set_repositories` and `add_repository` for `remote_pool` repo. 3. If `remote_pool` repository is enabled, it should be the single one enabled. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
Signed-off-by: Gang Ji <gang.ji@cloud.com>
Signed-off-by: Gang Ji <gang.ji@cloud.com>
When a remote_pool type repository, which points to the enabled repository in the remote pool coordinator, is set as the enabled repository of the pool, updates can be synced from it with API pool.sync_updates. The username password of the remote pool coordinator is required as parameters for pool.sync_updates to login the remote pool. And the remote pool coordinator's host server certificate needs to be configured in the remote_pool repository, it will be used to verify the remote end when sending out username passwords and syncing updates from it. A new yum/dnf plugin "xapitoken" is introduced to set xapi token as HTTP cookie: "session_id" for each HTTP request which downloads files from the remote_pool repository. Signed-off-by: Gang Ji <gang.ji@cloud.com>
Will re-enable repo_gpgcheck by reverting this commit after CP-51429 is done. Signed-off-by: Gang Ji <gang.ji@cloud.com>
CP-50787 CP-51347: Support pool.sync_updates from remote_pool repo When a remote_pool type repository, which points to the enabled repository in the remote pool coordinator, is set as the enabled repository of the pool, updates can be synced from it with API pool.sync_updates. The username password of the remote pool coordinator is required as parameters for pool.sync_updates to login the remote pool. And the remote pool coordinator's host server certificate needs to be configured in the remote_pool repository, it will be used to verify the remote end when sending out username passwords and syncing updates from it. A new yum/dnf plugin "xapitoken" is introduced to set xapi token as HTTP cookie: "session_id" for each HTTP request which downloads files from the remote_pool repository. CP-52245: Temp disable repo_gpgcheck when syncing from remote_pool repo Will re-enable repo_gpgcheck by reverting this commit after CP-51429 is done.
…_pool repo" This reverts commit c710e8f. Signed-off-by: Gang Ji <gang.ji@cloud.com>
…g testing Otherwise the CI will complain during pre-commit checks as it will fail to find methods and attributes on 'None' objects. Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com>
Solve conflict: Stunnel.with_client_proxy -> Stunnel.with_client_proxy_systemd_service
Solve conflict: Stunnel.with_client_proxy -> Stunnel.with_client_proxy_systemd_service
When enabling pool's repositories, if enabling bundle repo and remoe_pool repositories at the same time, it returns error message: `If the bundle repository or remote_pool repository is enabled, it should be the only one enabled repository of the pool. repo_types: bundle` The `repo_types` is confusing and tedious as only these 2 types of repository can meet this error. So remove the parameter `repo_types`. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
When enabling pool's repositories, if enabling bundle repo and remoe_pool repositories at the same time, it returns error message: `If the bundle repository or remote_pool repository is enabled, it should be the only one enabled repository of the pool. repo_types: bundle` The `repo_types` is confusing and tedious as only these 2 types of repository can meet this error. So remove the parameter `repo_types`.
Signed-off-by: Bernhard Kaindl <bernhard.kaindl@cloud.com>
Signed-off-by: Konstantina Chremmou <konstantina.chremmou@cloud.com>
…i-project#6328) XenServer does not protect `/etc/rsyslog.d/xenserver.conf` when updating the rsyslog package (or the xenserver-release package on CH8.2CU1), as a result it is replaced with a fresh instance during updates which will lose customer configurations (if they have any). This script is primarily invoked via XenCenter when providing a new host for log forwarding. An update will be made to the XenServer rsyslog package to make it clear that `/etc/rsyslog.d/xenserver.conf` should not be edited by the customer. I've tested this by copying the updated script onto my DT box and using XenCenter to add a new log server - noting the new `/etc/rsyslog.d/custom.conf` file and the untouched `/etc/rsyslog.d/xenserver.conf` file.
…6334) An `if ... then raise exn;`was misread and make the code after impossible to execute, when that was not the intention. Remove all the ignore_<type> functions from stdext: a plain ignore with a type annotation can replace these. We should start using those for all ignores (there are too many of them, and can't be easily automated to do it in this PR) Passes internal tests: 213465 (one failure due to the recent vlan + clustering issue)
Signed-off-by: Colin James <colin.barr@cloud.com>
query xapi db, then fallback to query domain DC get_subject_information_from_identifier query subject details from subject id. It triggers some DNS query to do kerberos query. The subject details are actually cached in xapi db and refreshed default in every 10 minutes. get_subject_information_from_identifier should query subject details from xapi DB and only fallback to DC when xapi DB does not have it. Signed-off-by: Lin Liu <Lin.Liu01@cloud.com>
…api-project#6344) query xapi db, then fallback to query domain DC get_subject_information_from_identifier query subject details from subject id. It triggers some DNS query to do kerberos query, this causes the problem that authenticating to XAPI with an AD account causes large amounts of Kerberos / DNS traffic The subject details are actually cached in xapi db and refreshed default in every 10 minutes. get_subject_information_from_identifier should query subject details from xapi DB and only fallback to DC when xapi DB does not have it.
Rrd.ds_create has optional min and max arguments (defaulting to neg_infinity and infinity respectively). Several callers would omit these parameters, resulting in ds_min and ds_max being lost during the conversion from Ds.ds to Rrd.ds. Without these, metrics couldn't be kept in range, which would result in some (such as CPU usage numbers) going negative when a domain would change its domid (over a reboot), for example. Make these parameters (alobg with mrhb) required, not optional. Requires adjusting unit tests as well. This latent behaviour was exposed during the major timestamp and plugin refactoring last year. Previously, the entire RRD was created at once by calling create_fresh_rrd. Now create_fresh_rrd is only called for the first chunk, and other chunks of the RRD call merge_new_dss, which omitted the optional arguments. Rrdd_server.add_ds also ommitted these arguments, which meant that datasources enabled at runtime would not be kept in range. Signed-off-by: Andrii Sultanov <andrii.sultanov@cloud.com>
…project#6349) Rrd.ds_create has optional min and max arguments (defaulting to neg_infinity and infinity respectively). Several callers would omit these parameters, resulting in ds_min and ds_max being lost during the conversion from Ds.ds to Rrd.ds. Without these, metrics couldn't be kept in range, which would result in some (such as CPU usage numbers) going negative when a domain would change its domid (over a reboot), for example. Make these parameters required, not optional. Requires adjusting unit tests as well. This latent behaviour was exposed during the major timestamp and plugin refactoring last year. Previously, the entire RRD was created at once by calling create_fresh_rrd. Now create_fresh_rrd is only called for the first chunk, and other chunks of the RRD call merge_new_dss, which omitted the optional arguments. Rrdd_server.add_ds also ommitted these arguments, which meant that datasources enabled at runtime would not be kept in range.
Change Ocaml version of the example in readme to `4.14.2` as the same as the version in `xs-opam-ci.env`. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
Change Ocaml version of the example in readme to `4.14.2` as the same as the version in `xs-opam-ci.env`.
We are stopping the management server at the end of the API call. This avoids clients connecting to this host before it has rebooted and become a pool master. Signed-off-by: Christian Lindig <christian.lindig@cloud.com>
Proposing a new field field to get information about supported image formats for a given SR. This information is retrieved from SMAPIv1 plugins.
…pi-project#6343) (doc) Describe how xc_domain_claim_pages() is used to claim pages
…opsd (xapi-project#6335) Describe `xc_vcpu_setaffinity()` and document its use by `xenguest` and `xenopsd`. This PR is my third iteration of documenting how `xenopsd` and `xenguest` interact, configure, and set the vCPU affinity. With the clarifications from @edwintorok, I now have confidence that I finally got this right.
We are stopping the management server at the end of the API call. This avoids clients connecting to this host before it has rebooted and become a pool master. Tested manually; running a BST now.
Signed-off-by: Lin Liu <Lin.Liu01@cloud.com>
This reverts commit 9b1b8d4. Signed-off-by: Vincent Liu <shuntian.liu2@cloud.com>
When the cache for compile_commands.json got reused we didn't install the OCaml compiler, which caused failures in the static analyzer, because it couldn't locate the compiler runtime headers. Do not skip setup-xapi-environment when the cache is reused. This could be optimized to skip installing dune packages (install just the compiler), but for now just install everything to avoid the error. Now when the cache is used we only skip installing/running dune-compiledb. Signed-off-by: Edwin Török <edwin.torok@cloud.com>
We cannot skip the 'dune rules' part, because then files like xxhash_stubs.c will be missing because we haven't run the generators yet. Signed-off-by: Edwin Török <edwin.torok@cloud.com>
When the cache for compile_commands.json got reused we didn't install the OCaml compiler, which caused failures in the static analyzer, because it couldn't locate the compiler runtime headers. Do not skip setup-xapi-environment when the cache is reused. This could be optimized to skip installing dune packages (install just the compiler), but for now just install everything to avoid the error. Now when the cache is used we only skip installing/running dune-compiledb.
init.d are from initscripts which are legacy and removed from XS9 This commit drop the usage of the scripts
Change call_slave_... functions for new added ssh feature code to resolve build failure. Signed-off-by: Bengang Yuan <bengang.yuan@cloud.com>
lindig
approved these changes
Mar 13, 2025
psafont
approved these changes
Mar 13, 2025
BengangY
merged commit 32ded62
into
xapi-project:feature/configure-ssh
17 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
mastertofeature/configure-sshmessage_forwarding.mlin the commit0b79d88.