As previously mentioned, the realhostip.com dynamic DNS service is being retired at the end of September.

Citrix is reporting that they are still seeing DNS queries against the domain; Those who have not reconfigured their CloudStack installations will find part of their installations breaking once the realhostip service is retired on September 30th.

If you are running a version of CloudStack older than 4.3 and you have not reconfigured your installation to not use realhostip.com, please take the time to do so now before users are affected. Instructions are available in the CloudStack Wiki as well as other blogs on the Internet.

28 August 2014 —Apache CloudStack, the mature, turnkey Open Source cloud computing software platform used for creating private, public, and hybrid cloud environments, today announced Apache CloudMonkey v5.2.0, the latest feature release of its command line interface tool.

CloudMonkey is written in Python, and can be used both as an interactive shell and as a command line tool that simplifies CloudStack configuration and management.

Apache CloudMonkey v5.2.0 is the latest feature release of the 5.x line that was first released in September 2013. Some of the new features and changes include:

• Multiple server profiles where users can use CloudMonkey against different CloudStack management servers and switch between them using a profile option;
• A default profile under the section [local] is added with default values;
• Some bugfixes related to network requests, error handling, JSON decoding and shell interactivity;
• Every time 'set' is called, CloudMonkey will write the config and reload config file;
• Configuration options 'protocol', 'host', 'port', 'path' are deprecated now but setting them is still allowed which sets a single "url" option, in the config file the [server] section is deprecated now and CloudMonkey won’t read values from this section anymore but instead read from current server profile;
• Missing key/values are automatically set with defaults by CloudMonkey;
• During installation and upgrades, it will detect the platform to install either pyreadline (Windows) or readline (OSX and Linux);

Downloads and Documentation​

The official source code for CloudMonkey v5.2.0 can be downloaded from http://cloudstack.apache.org/downloads.html. A community-maintained distribution is available at the Python Package Index (PyPi) at http://pypi.python.org/pypi/CloudMonkey/

CloudMonkey's usage is documented at https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+CloudMonkey+CLIPackage documentation can be found at http://pythonhosted.org/cloudmonkey/

Availability and Oversight​

As with all Apache products, CloudMonkey is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. The Apache CloudStack Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.

About Apache CloudStack​

Apache CloudStack is a mature, turnkey integrated Infrastructure-as-a-Service (IaaS) Open Source software platform that allows users to build feature-rich public and private cloud environments. Hailed by Gartner Group as "a solid product", CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. CloudStack entered the Apache Incubator in April 2012 and became an Apache Top-level Project in March 2013. For downloads, documentation, and ways to become involved with Apache CloudStack, visit http://cloudstack.apache.org/ and https://twitter.com/CloudStack

As mentioned previously, the realhostip.com dynamic DNS resolver service is being retired this summer. During testing of Apache CloudStack version 4.3, we found a few more issues related to realhostip.com that have been addressed for the 4.4 release.

In order to give everybody a reasonable window to update their CloudStack installations to use the updated code, the retirement date for the realhostip.com service has been pushed back to September 30th, 2014. This provides an additional 3 months from the original June 30th date.

Any questions related to the retirement of the realhostip.com service and it's affect on CloudStack installations should be send to the CloudStack Users or Development mailing lists. Further information about how to subscribe and interact with the mailing lists is available at https://cloudstack.apache.org/mailing-lists.html.

Update: The email infrastructure is back to normal, although it may take some time for the queued messages to completely flush out of the backlog. See the linked post from the ASF infrastructure team below for more details.

There are ongoing problems with the ASF's email infrastructure that mean no mail delivery is happening for our project's lists. Please check the official ASF infrastructure blog post and twitter feed for updates.

Earlier this week, a security vulnerability was disclosed in OpenSSL, one of the software libraries that Apache CloudStack uses to encrypt data sent over network connections. As the vulnerability has existed in OpenSSL since early 2012, System VMs in Apache CloudStack versions 4.1.1-4.3 are running software using vulnerable versions of OpenSSL. This includes CloudStack's Virtual Router VMs, Console Proxy VMs, and Secondary Storage VMs.

We are actively working on creating updated System VM templates for each recent version of Apache CloudStack, and for each of the hypervisor platforms which Apache CloudStack supports. Due to our testing and QA processes, this will take several days. In the meantime, we want to provide our users with a temporary workaround for currently running System VMs.

If you are running Apache CloudStack 4.0.0-incubating through the recent 4.3 release, the following steps will help ensure the security of your cloud infrastructure until an updated version of the System VM template is available:

For KVM/Xen hosted systems

1. As an administrator in the CloudStack web UI, navigate to Infrastructure->System VMs
2. For each System VM listed, note the host it is running on, and it’s “Link Local IP address."
3. With that data, perform the following steps for each System VM:
   1. ssh into that host as root
   2. From the host, ssh into the SSVM via it’s link local IP address: (e.g. ssh -i /root/.ssh/id_rsa.cloud -p 3922 169.254.3.33)
   3. On the System VM, first run "apt-get update"
   4. Then run apt-get install "openssl libssl1.0.0". If a dialog appears asking to restart programs, accept it’s request.
   5. Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
   6. Log out of the System VM and host server
4. Back in the CloudStack UI, now navigate to Infrastructure->Virtual Routers. For each VR, host it's running on and it's link local IP address, and then repeat steps a-f above.

For VMWare hosted systems

1. As an administrator in the CloudStack web UI, navigate to Infrastructure->System VMs
2. For each System VM listed, note it's management IP address
3. With that data, perform the following steps for each System VM:
4. From the Management Server, ssh to the System VM via it's management IP: (eg ssh -i /var/lib/cloud/management/.ssh/id_rsa -p 3922 root@10.40.50.8)
5. On the System VM, first run "apt-get update"
6. Then run apt-get install "openssl libssl1.0.0". If a dialog appears asking to restart programs, accept it’s request.
7. Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
8. Log out of the System VM
9. Back in the CloudStack UI, now navigate to Infrastructure->Virtual Routers. For each VR, host it's running on and it's link local IP address, and then repeat steps a-f above.

Verification

On each System VM, you can test if it has non-vulnerable openssl packages installed by listing installed packages and looking at the installed versions of openssl and libssl. As in the example below, for a system to be non-vulnerable, the packages need to be at or above version 1.0.1e-2+deb7u6:

root@v-14-VM:~# dpkg -l|grep ssl ii  libssl1.0.0:i386                     1.0.1e-2+deb7u6                  i386         SSL shared libraries ii  openssl                              1.0.1e-2+deb7u6                  i386         Secure Socket Layer (SSL) binary and related cryptographic tools

We realize that for larger installations where System VMs are being actively created and destroyed based on customer demand, this is a very rough stop-gap. The Apache CloudStack security team is actively working on a more permanent fix and will be releasing that to the community as soon as possible.

For Apache CloudStack installations that secure the web-based user-interface with SSL, these may also be vulnerable to HeartBleed, but that is outside the scope of this blog post. We recommend testing your installation with [1] to determine if you need to patch/upgrade the SSL library used by any web servers (or other SSL-based services) you use.

Flexible, scalable, Open Source Infrastructure as a Service (IaaS) used by organizations such as Zynga, Datapipe, and ISWest, among others, for creating, managing, and deploying public, private, and hybrid Cloud Computing environments

Forest Hill, MD --25 March 2014-- The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, today announced Apache CloudStack v4.3, the latest feature release of the CloudStack cloud orchestration platform.

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public, private, and hybrid cloud environments. CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. CloudStack became an Apache Top-level Project (TLP) in March 2013. "We are proud to announce CloudStack v4.3," said Hugo Trippaers, Vice President of Apache CloudStack. "This release represents over six months of work from the Apache CloudStack community with many new and improved features."

Under The Hood

CloudStack V4.3 is the next feature release of the 4.x line which first released on November 6, 2012. Some of the noteworthy new and improved features include:

• Support for Microsoft Hyper-V - Apache CloudStack can now manage Hyper-V hypervisors in addition to KVM, XenServer, VMware, LXC, and Bare Metal
• Juniper OpenContrail integration - OpenContrail is a software defined networking controller from Juniper that CloudStack now integrates with to provide SDN services
• SSL Termination support for guest VMs - Apache CloudStack can configure and manage SSL termination in certain load balancer devices
• Palo Alto Firewall integration - Apache CloudStack can now manage and configure Palo Alto firewalls
• Remote access VPN for VPC networks - CloudStack's remote access VPN is now available for Virtual Private Cloud networks
• Site to Site VPN between VRs - CloudStack now allows site-to-site VPN connectivity to it's virtual routing devices. This permits your cloud computing environment to appear as a natural extension of your local network, or for you to easily interconnect multiple environments
• VXLAN support expansion to include KVM - CloudStack's support for integrating VXLAN, the network virtualization technology that attempts to ameliorate scalability problems with traditional networking
• SolidFire plugin extension to support KVM and hypervisor snapshots for XenServer and ESX - SolidFire provides guaranteed Storage Quality of Service at the Virtual Machine level
• Dynamic Compute offering - CloudStack now has the ability to dynamically scale the resources assigned to a running virtual machine instance for those hypervisors which support it

Downloads and Documentation

The official source code for the v4.3 release, as well as individual contributors' convenience binaries, can be downloaded from the Apache CloudStack downloads page at http://cloudstack.apache.org/downloads.html

The CloudStack 4.3 release includes over 110 issues from 4.2.0 and 4.2.1, including fixes for object storage support, documentation, and more. A full list of corrected issues and upgrade instructions are available in the Release Notes http://docs.cloudstack.apache.org/projects/cloudstack-release-notes

Official installation, administration, and API documentation for each release is available at http://docs.cloudstack.apache.org/en/latest/Apache CloudStack in Action

Join members of the Apache CloudStack community at the CloudStack Collaboration Conference, taking place 9-11 April 2014 immediately following ApacheCon. For more information, visit http://cloudstackcollab.org

Availability and Oversight

As with all Apache products, Apache CloudStack v4.3 is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project’s day-to-day operations, including community development and product releases. For documentation and ways to become involved with Apache CloudStack, visit http://cloudstack.apache.org/

About The Apache Software Foundation (ASF)

Established in 1999, the all-volunteer Foundation oversees more than one hundred and seventy leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 400 individual Members and 3,500 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Budget Direct, Citrix, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, Matt Mullenweg, Microsoft, Pivotal, Produban, WANdisco, and Yahoo.

For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

"Apache", "CloudStack", "Apache CloudStack", and "ApacheCon" are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic DNS service that CloudStack currently uses as part of the console proxy will be disbanded this summer. The realhostip service will be shut down June 30th, 2014, meaning users have approximately 3 months to mitigate this.

Prior to version 4.3, CloudStack used the realhostip.com service by default. With the release of CloudStack version 4.3 the default communication method with the console proxy is plaintext HTTP.

Who is Affected

CloudStack installations prior to version 4.3 that have not been reconfigured to use a DNS domain other than realhostip.com for Console Proxy or Secondary Storage must make changes to continue functioning past June 30th, 2014.

Steps You Need to Take

If you meet the criteria above, there are several options to prepare for realhostip retirement:

• Set up wildcard SSL certificate and DNS entries: This method is already well supported within prior versions of CloudStack.
• Upgrade to CloudStack 4.3 and disable SSL: This is only recommended for development installations, or private clouds that contain no information of importance.
• Upgrade to CloudStack 4.3, set up static SSL certificate and configure load balancer to point to the correct IP address: While this allows an administrator to skip setting up the DNS entries from the previous option, it is a more advanced option as CloudStack 4.3 does not support automatic load balancer configuration for the Console Proxy. It is hoped this functionality will be available in future releases.

For instructions on how to set up SSL encryption for use with CloudStack console proxy, please read the console proxy section of the CloudStack administration guide.

Additionally, if you will be using an SSL vendor who requires an intermediate CA chain to be installed for proper SSL validation by web browsers, detailed instructions for configuring the intermediate CA chain in CloudStack can be found here.

The Apache CloudStack security team does not recommend running a production cloud with either the realhostip.com SSL certificate, or with no SSL encryption at all.

The Apache CloudStack project is pleased to announce the 4.2.1 release of the CloudStack cloud orchestration platform. This is a minor release of the 4.2.0 branch which released on Oct 1, 2013. The 4.2.1 release contains more than 150 bug fixes. As a bug fix release, no new features are included in 4.2.1.

The 4.2.1 release includes fixes for a number of issues; including problems with Xenserver VMSnapshots, UCS, device ID for Xen, configurable option to choose single Vs multipart upload for S3 API, allowing network with public IP Address without needing SourceNAT, and documentation fixes.

As a minor release it is a simple upgrade from 4.2.0 with no architectural changes. CloudStack Management Servers Services, and all SystemVMs will require a restart.

This release also addresses two security issues CVE-2013-6398 and CVE-2014-0031

Documentation

The 4.2.1 release notes includes full list of corrected issues as well as upgrade instructions from previous versions of Apache CloudStack. Please see the Release Notes for a full list of corrected issues and upgrade instructions.

The official installation, administration and API documentation for each release are available on our Documentation Page.

Downloads

The official source code for the 4.2.1 release can be downloaded from our Downloads Page.

In addition to the official source code release, individual contributors have also made convenience binaries in the form or RPM and Deb packages available from the download page.

About Apache CloudStack

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. The project became an Apache top level project in March 2013.

For additional marketing or communications information, please contact the marketing mailing list.

To learn how to join and contribute to the Apache CloudStack community please visit our website.

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in the Apache CloudStack virtual router that failed to preserve source restrictions in firewall rules after a virtual router had been stopped and restarted.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:

This issue was identified by the Cloud team at Schuberg Philis

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:

This issue was identified by Marcus Sorensen