2022 was a hugely successful year for the Apache CloudStack community. We collaborated on a successful major release - Apache CloudStack 4.17 bringing a bunch of new capabilities and improvements, as well as created multiple new CloudStack integrations. As well as this, the community created two minor releases as part of the LTS programme.

The community also held two successful conferences, one of which being the first in-person CloudStack Collaboration Conference since the pandemic. The new &"Year in Review" blogs series encourages us to reflect on the community’s achievements, and thus lets us brainstorm the ways we will further develop Apache CloudStack in all facets in the new year. Find out what we managed to achieve together and what is coming in 2023 in this recap article!

Apache CloudStack LTS Maintenance Release 4.17.2.0​

The Apache CloudStack project is pleased to announce the release of CloudStack 4.17.2.0.

The CloudStack 4.17.2.0 release is a maintenance release as part of its 4.17.x LTS branch and contains more than 20 fixes since the CloudStack 4.17.1.0 release.

Apache CloudStack is a leading open-source virtualisation platform used by many global organisations. The fact that the solution is hypervisor-agnostic allows different types of enterprises to use CloudStack as a cloud orchestration no matter the rest of their tech stack.

We decided to get in touch with a few community members and ask for their perspectives on the project. In this article, CloudStack users from organisations that adopted the open-source software give their answers to the following questions: 

For the first time, the CloudStack Collaboration Conference was held as a hybrid event. It was streamed live on Hubilo for those who were not able to attend in-person. As it was the first time the community had collaborated in-person since the pandemic, we managed to collect a record number of physical attendees!

The conference hosted over 370 participants and 48 speakers from 32 countries. In total, there were 38 sessions from leading CloudStack experts, users and skilful engineers from the open-source world. These sessions included: technical talks, user stories, new features and integrations presentations and more.

CloudStack is a multi-hypervisor, multi-tenant, high-availability cloud management platform that delivers the flexibility and freedom of open-source technology and the power of an enterprise-grade virtualization management platform.

In the new blog series named CloudStack Integrations, we will present a range of technologies with which CloudStack is integrated and can become part of your technology stack. You will be able to learn more about different software solutions, which can be combined with CloudStack and dive deep into specialized Technical Solution Briefs presenting the integrations.
Today we will meet you with StorPool Storage.

The global Apache CloudStack community is hosting its major annual event - CloudStack Collaboration Conference, running from November 14th to November 16th 2022. The conference will be taking place in Sofia, Bulgaria. However, the conference is hybrid, allowing speakers and attendees to join virtually.

The Apache CloudStack project is pleased to announce the release of CloudStack 4.17.1.0. The CloudStack 4.17.1.0 release is a maintenance release as part of its 4.17.x LTS branch and contains more than 150 fixes and improvements since the CloudStack 4.17.0.0 release.

Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.

Introduce yourself with a few words

I am K B Shiv Kumar and am the Co-Founder and CTO at IndiQus. I am based out of Delhi, India and am passionate about travelling and dig going on driving holidays with my friends and family. I love listening to music and ABBA has been my all-time favourite band since childhood.

On 14th June 2022, a new issue affecting only KVM users using Shared Mount Point storage was reported [1]. This issue affects the creation and the usage of existing Shared Mount Point storage pools on Apache CloudStack 4.17.0.0.

Apache CloudStack 4.17.0.0 added support for the StorPool storage based on Shared Mount Point. However, the current version of CloudStack doesn't allow multiple implementations of Shared Mount Point storage pool providers, causing the StorPool provider to override the default implementation. This affected the other storage pool providers for Shared Mount Point since CloudStack tries to add them as a StorPool storage pool.

To mitigate the issue, a CloudStack administrator needs to do the following on version 4.17.0.0:

• On each management server: stop the CloudStack management service, remove the Storpool plugin jar on /usr/share/cloudstack-management/lib/cloud-plugin-storage-volume-storpool-4.17.0.0.jar and restart the CloudStack management service
  
• On each KVM host: stop the CloudStack agent service, remove the StorPool plugin jar on /usr/share/cloudstack-agent/lib/cloud-plugin-storage-volume-storpool-4.17.0.0.jar and restart the CloudStack agent service
  

Note: This workaround removes the StorPool plugin support. StorPool users should not apply the workaround to continue using their Storpool storage.

This issue will be fixed in the upcoming CloudStack version 4.17.1.0.

[1] https://github.com/apache/cloudstack/issues/6455