From 28142b49a8458fa5fa4b4aa15b2ae3d18059d64c Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Wed, 12 Feb 2025 15:10:32 -0500 Subject: [PATCH 01/11] Update kvm.rst - iptables before rule On Ubuntu 24.04 LTS I found the described issue with the forwarding traffic back and forth from guests system VMs and the physical interfaces attached to the bridges. This solved my problems. --- source/installguide/hypervisor/kvm.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst index 969730cc26..beadf39cc1 100644 --- a/source/installguide/hypervisor/kvm.rst +++ b/source/installguide/hypervisor/kvm.rst @@ -1551,8 +1551,8 @@ To open the required ports, execute the following commands: sudo vi /etc/ufw/before.rules .. parsed-literal:: - -A FORWARD -d 192.168.42.11 -j ACCEPT - -A FORWARD -s 192.168.42.11 -j ACCEPT + -A FORWARD -d 192.168.42.0/24 -j ACCEPT + -A FORWARD -s 192.168.42.0/24 -j ACCEPT Additional Packages Required for Features From 5345f3957547bdf1ea4ec10f120c0480393c79e9 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 18 Feb 2025 21:55:21 -0500 Subject: [PATCH 02/11] Update qig.rst --- source/quickinstallationguide/qig.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/quickinstallationguide/qig.rst b/source/quickinstallationguide/qig.rst index da74fe90cf..346e1f2951 100644 --- a/source/quickinstallationguide/qig.rst +++ b/source/quickinstallationguide/qig.rst @@ -353,8 +353,8 @@ section: innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log-bin=mysql-bin - binlog-format = 'ROW' + log_bin=mysql-bin + binlog_format = 'ROW' Now that MySQL is properly configured we can start it and configure it to From 05641a2046d106e886df1d5299e7261a4c23e0ed Mon Sep 17 00:00:00 2001 
From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 18 Feb 2025 21:58:24 -0500 Subject: [PATCH 03/11] Update optional_installation.rst From aca1381e9050494b7f7b6f20f08fb7bb18e15c79 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 18 Feb 2025 22:01:56 -0500 Subject: [PATCH 04/11] Update _database.rst --- .../installguide/management-server/_database.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/source/installguide/management-server/_database.rst b/source/installguide/management-server/_database.rst index ca70a13e8c..61301d0f02 100644 --- a/source/installguide/management-server/_database.rst +++ b/source/installguide/management-server/_database.rst @@ -64,20 +64,20 @@ MySQL. See :ref:`install-database-on-separate-node`. innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log-bin=mysql-bin - binlog-format = 'ROW' + log_bin=mysql-bin + binlog_format=ROW .. note:: - For Ubuntu 16.04 and later, make sure you specify a ``server-id`` in your ``.cnf`` file for binary logging. Set the ``server-id`` according to your database setup. + For Ubuntu 16.04 and later, make sure you specify a ``server_id`` in your ``/etc/mysql/mysql.conf.d/mysqld.cnf`` file for binary logging. Set the ``server_id`` according to your database setup. .. parsed-literal:: - server-id=source-01 + server_id=source-01 innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log-bin=mysql-bin - binlog-format = 'ROW' + log_bin=mysql-bin + binlog_format=ROW .. note:: You can also create a file ``/etc/mysql/conf.d/cloudstack.cnf`` 
@@ -328,8 +328,8 @@ same node for MySQL. See `“Install the Database on the Management Server Node innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=700 - log-bin=mysql-bin - binlog-format = 'ROW' + log_bin=mysql-bin + binlog_format = 'ROW' bind-address = 0.0.0.0 #. Start or restart MySQL to put the new configuration into effect. From 1a9c7a461c46c7ecfa2c727df815dffd7409da19 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 18 Feb 2025 22:03:33 -0500 Subject: [PATCH 05/11] Update _database.rst --- source/installguide/management-server/_database.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/installguide/management-server/_database.rst b/source/installguide/management-server/_database.rst index 61301d0f02..8db4fbd355 100644 --- a/source/installguide/management-server/_database.rst +++ b/source/installguide/management-server/_database.rst @@ -329,8 +329,8 @@ same node for MySQL. See `“Install the Database on the Management Server Node innodb_lock_wait_timeout=600 max_connections=700 log_bin=mysql-bin - binlog_format = 'ROW' - bind-address = 0.0.0.0 + binlog_format=ROW + bind-address=0.0.0.0 #. Start or restart MySQL to put the new configuration into effect. From e302881fc76285366094628e10526755e6953721 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 18 Feb 2025 22:05:27 -0500 Subject: [PATCH 06/11] Update qig.rst --- source/quickinstallationguide/qig.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/quickinstallationguide/qig.rst b/source/quickinstallationguide/qig.rst index 346e1f2951..7f08777b19 100644 --- a/source/quickinstallationguide/qig.rst +++ b/source/quickinstallationguide/qig.rst 
@@ -354,7 +354,7 @@ section: innodb_lock_wait_timeout=600 max_connections=350 log_bin=mysql-bin - binlog_format = 'ROW' + binlog_format=ROW Now that MySQL is properly configured we can start it and configure it to From 44233b1e6e99ac992777e7835cbf532d464436b3 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Tue, 25 Feb 2025 15:53:44 -0500 Subject: [PATCH 07/11] Update kvm.rst --- source/installguide/hypervisor/kvm.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst index beadf39cc1..8acaece3b0 100644 --- a/source/installguide/hypervisor/kvm.rst +++ b/source/installguide/hypervisor/kvm.rst @@ -1551,8 +1551,7 @@ To open the required ports, execute the following commands: sudo vi /etc/ufw/before.rules .. parsed-literal:: - -A FORWARD -d 192.168.42.0/24 -j ACCEPT - -A FORWARD -s 192.168.42.0/24 -j ACCEPT + -A FORWARD -j ACCEPT Additional Packages Required for Features From 6c3f7401a2b048eb9530d0b86ec33153fbede3f5 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 27 Feb 2025 08:29:21 -0500 Subject: [PATCH 08/11] Update kvm.rst --- source/installguide/hypervisor/kvm.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst index 8acaece3b0..5c969f9707 100644 --- a/source/installguide/hypervisor/kvm.rst +++ b/source/installguide/hypervisor/kvm.rst 
@@ -1541,17 +1541,17 @@ To open the required ports, execute the following commands: $ ufw allow proto tcp from any to any port 49152:49216 .. note:: - By default UFW is not enabled on Ubuntu. Executing these commands with the - firewall disabled does not enable the firewall. + Since Ubuntu 22.04 LTS, the UFW's default policy for forwarding is set to "DROP". + Change it to "ACCEPT". - If you have an issue with ufw while using a bridged connection, - add those two lines at the end of the /etc/ufw/before.rules just before COMMIT +.. parsed-literal:: + sudo vi /etc/default/ufw .. parsed-literal:: - sudo vi /etc/ufw/before.rules + DEFAULT_FORWARD_POLICY="ACCEPT" .. parsed-literal:: - -A FORWARD -j ACCEPT + sudo ufw enable Additional Packages Required for Features From d3ece80c17f9f9f8fccf5ca6fbbe84e32b94f846 Mon Sep 17 00:00:00 2001 From: Davi Torres Date: Fri, 11 Apr 2025 13:47:01 -0400 Subject: [PATCH 09/11] consolidated instructions in a table format --- source/adminguide/accounts.rst | 104 +++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 45 deletions(-) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index c66e0f0438..9f4502900a 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst 
@@ -481,36 +481,74 @@ to be applied through the API call described above. In addition to those shown in the example script above, the following -configuration items can be configured (the default values are for -openldap) +configuration items can be configured on a Global or on a per Domain level (the default values are for +OpenLDAP) -- ``ldap.basedn``: Sets the basedn for LDAP. Ex: **OU=APAC,DC=company,DC=com** - -- ``ldap.bind.principal``, ``ldap.bind.password``: DN and password for a User - who can list all the Users in the above basedn. Ex: - **CN=Administrator, OU=APAC, DC=company, DC=com** +.. list-table:: LDAP Settings + :header-rows: 1 -- ``ldap.user.object``: object type of Users within LDAP. Defaults value is - **user** for AD and **interorgperson** for openldap. + * - Setting + - OpenLDAP + - Active Directory + - Description + * - ``ldap.basedn`` + - `Ex: OU=APAC,DC=company,DC=com` + - `Ex: DC=company,DC=com` + - Sets the basedn for LDAP. + * - ``ldap.search.group.principle`` + - `Ex: CN=ACSGroup,DC=company,DC=com` + - `Ex: CN=ACSGroup,CN=Users,DC=company,DC=com` + - (optional) if set only Users from this group are listed. + * - ``ldap.bind.principal`` + - `Ex: CN=ACSServiceAccount,OU=APAC,DC=company,DC=com` + - `Ex: CN=ACSServiceAccount,CN=Users,DC=company,DC=com` + - Service account that can list all the Users in the above basedn. Avoid using privileged account such as Administrator. + * - ``ldap.bind.password`` + - `******************` + - `******************` + - Password for a DN User. Is entered in plain text but gets stored encrypted. + * - ``ldap.user.object`` + - `interorgperson` + - `user` + - Object type of Users within LDAP. + * - ``ldap.email.attribute`` + - `mail` + - `mail` + - Email attribute within ldap for a User. + * - ``ldap.firstname.attribute`` + - `givenname` + - `givenname` + - firstname attribute within ldap for a User. + * - ``ldap.lastname.attribute`` + - `sn` + - `sn` + - lastname attribute within ldap for a User. 
+ * - ``ldap.group.object`` + - `groupOfUniqueNames` + - `groupOfUniqueNames` + - Object type of groups within LDAP. + * - ``ldap.group.user.uniquemember`` + - `uniquemember` + - `uniquemember` + - Attribute for uniquemembers within a group. + + +Once configured, on Add Account page, you will see an "Add LDAP Account" button which opens a dialog and the selected Users can be imported. -- ``ldap.email.attribute``: email attribute within ldap for a User. Default - value for AD and openldap is **mail**. +.. figure:: /_static/images/CloudStack-ldap-screen1.png + :align: center -- ``ldap.firstname.attribute``: firstname attribute within ldap for a User. - Default value for AD and openldap is **givenname**. -- ``ldap.lastname.attribute``: lastname attribute within ldap for a User. - Default value for AD and openldap is **sn**. +You could also use api commands: +``listLdapUsers``, to list Users in LDAP that could or would be imported in CloudStack +``ldapCreateAccount``, to manually create a User in a specific Account +``importLdapUsers``, to batch import Users from LDAP -- ``ldap.username.attribute``: username attribute for a User within LDAP. - Default value is **SAMAccountName** for AD and **uid** for openldap. +Once LDAP is enabled, the Users will not be allowed to changed password +directly in CloudStack. -Restricting LDAP Users to a group: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- ``ldap.search.group.principle``: this is optional and if set only Users from - this group are listed. LDAP SSL: 
@@ -524,30 +562,6 @@ You will need to know the path to the keystore and the password. - ``ldap.truststore.password`` : truststore password -LDAP groups: -~~~~~~~~~~~~ - -- ``ldap.group.object``: object type of groups within LDAP. Default value is - group for AD and **groupOfUniqueNames** for openldap. - -- ``ldap.group.user.uniquemember``: attribute for uniquemembers within a group. - Default value is **member** for AD and **uniquemember** for openldap. - -Once configured, on Add Account page, you will see an "Add LDAP Account" button -which opens a dialog and the selected Users can be imported. - -.. figure:: /_static/images/CloudStack-ldap-screen1.png - :align: center - - -You could also use api commands: -``listLdapUsers``, to list Users in LDAP that could or would be imported in CloudStack -``ldapCreateAccount``, to manually create a User in a specific Account -``importLdapUsers``, to batch import Users from LDAP - -Once LDAP is enabled, the Users will not be allowed to changed password -directly in CloudStack. - .. |button to dedicate a zone, pod,cluster, or host| image:: /_static/images/dedicate-resource-button.png Using a SAML 2.0 Identity Provider for User Authentication From 2c92c235b54f0e31664aabe5277dd53137b0cfb5 Mon Sep 17 00:00:00 2001 From: Davi Torres Date: Fri, 11 Apr 2025 14:03:14 -0400 Subject: [PATCH 10/11] cleanup --- source/installguide/hypervisor/kvm.rst | 13 +++++++------ .../management-server/_database.rst | 18 +++++++++--------- source/quickinstallationguide/qig.rst | 4 ++-- 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst index 5c969f9707..969730cc26 100644 --- a/source/installguide/hypervisor/kvm.rst +++ b/source/installguide/hypervisor/kvm.rst 
@@ -1541,17 +1541,18 @@ To open the required ports, execute the following commands: $ ufw allow proto tcp from any to any port 49152:49216 .. note:: - Since Ubuntu 22.04 LTS, the UFW's default policy for forwarding is set to "DROP". - Change it to "ACCEPT". + By default UFW is not enabled on Ubuntu. Executing these commands with the + firewall disabled does not enable the firewall. -.. parsed-literal:: - sudo vi /etc/default/ufw + If you have an issue with ufw while using a bridged connection, + add those two lines at the end of the /etc/ufw/before.rules just before COMMIT .. parsed-literal:: - DEFAULT_FORWARD_POLICY="ACCEPT" + sudo vi /etc/ufw/before.rules .. parsed-literal:: - sudo ufw enable + -A FORWARD -d 192.168.42.11 -j ACCEPT + -A FORWARD -s 192.168.42.11 -j ACCEPT Additional Packages Required for Features diff --git a/source/installguide/management-server/_database.rst b/source/installguide/management-server/_database.rst index 8db4fbd355..ca70a13e8c 100644 --- a/source/installguide/management-server/_database.rst +++ b/source/installguide/management-server/_database.rst 
@@ -64,20 +64,20 @@ MySQL. See :ref:`install-database-on-separate-node`. innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log_bin=mysql-bin - binlog_format=ROW + log-bin=mysql-bin + binlog-format = 'ROW' .. note:: - For Ubuntu 16.04 and later, make sure you specify a ``server_id`` in your ``/etc/mysql/mysql.conf.d/mysqld.cnf`` file for binary logging. Set the ``server_id`` according to your database setup. + For Ubuntu 16.04 and later, make sure you specify a ``server-id`` in your ``.cnf`` file for binary logging. Set the ``server-id`` according to your database setup. .. parsed-literal:: - server_id=source-01 + server-id=source-01 innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log_bin=mysql-bin - binlog_format=ROW + log-bin=mysql-bin + binlog-format = 'ROW' .. note:: You can also create a file ``/etc/mysql/conf.d/cloudstack.cnf`` @@ -328,9 +328,9 @@ same node for MySQL. See `“Install the Database on the Management Server Node innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=700 - log_bin=mysql-bin - binlog_format=ROW - bind-address=0.0.0.0 + log-bin=mysql-bin + binlog-format = 'ROW' + bind-address = 0.0.0.0 #. Start or restart MySQL to put the new configuration into effect. diff --git a/source/quickinstallationguide/qig.rst b/source/quickinstallationguide/qig.rst index 7f08777b19..da74fe90cf 100644 --- a/source/quickinstallationguide/qig.rst +++ b/source/quickinstallationguide/qig.rst @@ -353,8 +353,8 @@ section: innodb_rollback_on_timeout=1 innodb_lock_wait_timeout=600 max_connections=350 - log_bin=mysql-bin - binlog_format=ROW + log-bin=mysql-bin + binlog-format = 'ROW' Now that MySQL is properly configured we can start it and configure it to From 9e31c314caf478d5b6db9ed8c8f94fe4872114f1 Mon Sep 17 00:00:00 2001 
From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Mon, 14 Apr 2025 14:31:45 -0400 Subject: [PATCH 11/11] Update accounts.rst --- source/adminguide/accounts.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index 9f4502900a..04c431da13 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst @@ -492,16 +492,16 @@ OpenLDAP) - Active Directory - Description * - ``ldap.basedn`` - - `Ex: OU=APAC,DC=company,DC=com` - - `Ex: DC=company,DC=com` + - `Ex: OU=APAC, DC=company, DC=com` + - `Ex: DC=company, DC=com` - Sets the basedn for LDAP. * - ``ldap.search.group.principle`` - - `Ex: CN=ACSGroup,DC=company,DC=com` - - `Ex: CN=ACSGroup,CN=Users,DC=company,DC=com` + - `Ex: CN=ACSGroup, DC=company, DC=com` + - `Ex: CN=ACSGroup, CN=Users, DC=company, DC=com` - (optional) if set only Users from this group are listed. * - ``ldap.bind.principal`` - - `Ex: CN=ACSServiceAccount,OU=APAC,DC=company,DC=com` - - `Ex: CN=ACSServiceAccount,CN=Users,DC=company,DC=com` + - `Ex: CN=ACSServiceAccount, OU=APAC, DC=company, DC=com` + - `Ex: CN=ACSServiceAccount, CN=Users, DC=company, DC=com` - Service account that can list all the Users in the above basedn. Avoid using privileged account such as Administrator. * - ``ldap.bind.password`` - `******************`
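Review bot: In patch 01 (kvm.rst, the `before.rules` hunk at @@ -1551), widening the two FORWARD rules from the single address `192.168.42.11` to `192.168.42.0/24` turns a placeholder host into an unconditional accept for an entire subnet in both directions. Because `192.168.42.x` is only an example, the surrounding text should tell the reader to substitute their own guest/management network, and the rules should be scoped further (for instance by bridge interface with `-i`/`-o`) instead of matching an arbitrary /24. The commit message does not say which "described issue" this fixes; naming the symptom (which traffic was dropped, between which interfaces) would let readers decide whether the rule applies to them.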
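Review bot: In patches 02, 04 and 06, renaming `log-bin`, `binlog-format` and `server-id` to the underscore forms is cosmetic: MySQL treats dashes and underscores in option-file names as equivalent, so the original lines were not wrong, and the commit messages ("Update qig.rst") give no reason for the change. If consistency is the goal, say so in the message and apply it in one commit; as submitted, patch 04 sets `binlog_format=ROW` in one block and `binlog_format = 'ROW'` in another, which patch 05 then has to correct.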
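Review bot: Patch 03 ("Update optional_installation.rst") carries no diff at all: either the commit is empty or the hunk was lost. Drop it from the series or include the intended change.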
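Review bot: In the patch 04 hunk that rewrites the `server-id` note (@@ -64 in `_database.rst`), `server_id=source-01` (like the original `server-id=source-01`) is not a valid value: `server_id` is an integer in the range 1 to 2^32-1, and mysqld refuses to start with a non-numeric value, so the example as written breaks the database node. Suggest `server_id=1` with a sentence that the value must be unique across all replication members. The new hard-coded path `/etc/mysql/mysql.conf.d/mysqld.cnf` is also Ubuntu-specific and sits oddly next to the following note that recommends a separate `/etc/mysql/conf.d/cloudstack.cnf`; pick one location so readers do not end up with the same setting in two files.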
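Review bot: In patch 05 (`_database.rst` @@ -329) only the spacing of `bind-address=0.0.0.0` changes, but since this hunk is in the separate-database-node section the line deserves a caveat: it makes MySQL listen on every interface of the database host, so the doc should pair it with either a `bind-address` set to the management-network IP or a host firewall rule restricting port 3306 to the management servers.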
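Review bot: Patch 07 replaces the two subnet-scoped rules with a bare `-A FORWARD -j ACCEPT`, which accepts every forwarded packet on the host regardless of source, destination or interface, that is, it switches off UFW's forward filtering for all bridges and any other routed traffic. If that is genuinely what the author needs, the text should say so plainly instead of presenting it under "open the required ports", and should at least restrict the rule to the CloudStack bridges (for example `-A FORWARD -i cloudbr0 -o cloudbr0 -j ACCEPT`, bridge name as an example) so the hypervisor does not become an open router between every network attached to it.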
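Review bot: The new note in patch 08 ("Since Ubuntu 22.04 LTS, the UFW's default policy for forwarding is set to DROP") is inaccurate: `DEFAULT_FORWARD_POLICY="DROP"` has been the shipped default in `/etc/default/ufw` for many releases, not a 22.04 change. Setting it to `ACCEPT` is also broader than the rule it replaces, since it applies to all forwarded traffic on every interface, and the added `sudo ufw enable` activates the firewall, which the removed sentence deliberately warned the `ufw allow` commands do not do; running it on a remote host without a confirmed SSH allow rule locks the operator out. Suggest keeping the original warning, spelling out the trade-off of a global ACCEPT forward policy, and telling the reader to check `ufw status` and an SSH rule before `ufw enable`. The `.. parsed-literal::` directives also need a blank line and an indented body to render.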
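Review bot: In the patch 09 hunk at @@ -481 in `accounts.rst`, the new list-table drops `ldap.username.attribute` (`SAMAccountName` for AD, `uid` for OpenLDAP) that the removed bullet list documented, so the most important mapping for logins disappears from the page; add a row for it. Two values carried over from the old text are also wrong: the `ldap.user.object` default is the `inetOrgPerson` object class, not `interorgperson`, and the intro sentence "(the default values are for OpenLDAP)" is stale now that the table has separate OpenLDAP and Active Directory columns. In the `ldap.bind.principal` description, "Avoid using privileged account such as Administrator" should read "a privileged account", and it is worth stating that the service account needs read access to the basedn only.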
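Review bot: In the patch 09 hunk at @@ -524 in `accounts.rst`, the deleted "LDAP groups" section stated that `ldap.group.object` defaults to `group` for AD and `groupOfUniqueNames` for OpenLDAP, and that `ldap.group.user.uniquemember` is `member` for AD and `uniquemember` for OpenLDAP; the new table lists `groupOfUniqueNames` and `uniquemember` in both columns, so the Active Directory values are lost and an AD deployment following the table will match no groups. Restore the AD-specific values in the table before removing this section.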
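Review bot: Patch 10 ("cleanup") reverts `kvm.rst`, `_database.rst` and `qig.rst` to their original blobs (`969730cc26`, `ca70a13e8c`, `da74fe90cf`), so patches 01, 02, 04 to 08 and 10 cancel out and the series' only net change is the LDAP table. Rebase so the no-op commits are dropped; otherwise reviewers and `git blame` have to walk through seven commits that change nothing, and the PR description's statement that the UFW change "solved my problems" no longer describes what is being merged. If the UFW guidance is still believed to be wrong, that belongs in a separate PR with its own rationale.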
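Review bot: Patch 11 inserts spaces after the commas in the example DNs (`CN=ACSGroup, CN=Users, DC=company, DC=com`). The canonical string form of a DN (RFC 4514) has no whitespace around the separators; most directories tolerate it on bind, but documenting the unspaced form from patch 09 keeps the examples identical to what `ldapsearch` and AD tooling print, so readers can paste them into `ldap.bind.principal` and `ldap.search.group.principle` without wondering whether the spaces are significant. If the aim is readability of the RST source, wrap the table cell instead.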