Handle console session in multiple management servers

[GutoVeronezi]

Description

PR #6577 introduced a new mechanism of validation of console sessions, which makes the access tokens one time usable in order to avoid reply attacks and prevent access to the console in case of data leak. When generating the console token, the management server (MS) that processed the request saves it in memory for further validation. When using the token, a request is sent to the CPVM that will validate it (the token) against the MS.

In an environment that has more than one MS, the CPVM will establish communication with the first available MS that it founds. In this case, if the CPVM communicates with MS A and the console token is generated by MS A, the token will work; however, if the CPVM communicates with MS A and the console token is generated by MS B, the token will not work because the token is being validated against MS A and the information is in the memory of MS B.

This PR intends to handle this situation by temporally saving the console token in the database instead of saving it in the memory of the MS that generated it. This way, independently of which MS generated the token or which MS the CPVM communicates with, the token will be validated. After using the token, it is removed from the database and also from the CPVM.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

I created an environment with 2 MS (A and B) and started only A. I enabled the zone in order to create the CPVM. After that, guaranting that the CPVM was communicating with MS A, I started MS B.
Previous to the changes, I executed two test cases:

• generated a new console access URL (with the API createConsoleEndpoint) through MS A and used it. As the CPVM was communicating with MS A, it worked.
• generated a new console access URL (with the API createConsoleEndpoint) through MS B and used it. As the CPVM was communicating with MS A, it did not worked, presenting the message Failed to connect to server / access token has expired

With the changes, I executed again the two test cases:

• generated a new console access URL (with the API createConsoleEndpoint) through MS A and used it. As the CPVM was communicating with MS A, it worked.
• generated a new console access URL (with the API createConsoleEndpoint) through MS B and used it. As the CPVM was communicating with MS A, it worked too, because the session was being stored in the database.

After using the URLs, I checked the database and verified that there were no entries in cloud.allowed_console_session, as expected.

[DaanHoogland]

except for the name part 'allowed', which seems to be immplied in any case, looks good.
Also I am still not comfortable approving logs that are

1. debug
2. expanding parameters
3. not having a guard with isDebugEnabled()
   You have an PR in the making that will deal with that, can you share something about that?

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 5269

[DaanHoogland]

@blueorangutan test matrix

[blueorangutan]

@DaanHoogland a Trillian-Jenkins matrix job (centos7 mgmt + xenserver71, rocky8 mgmt + vmware67u3, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests

[GutoVeronezi]

except for the name part 'allowed', which seems to be immplied in any case, looks good. Also I am still not comfortable approving logs that are

1. debug
2. expanding parameters
3. not having a guard with isDebugEnabled()
   You have an PR in the making that will deal with that, can you share something about that?

@DaanHoogland, regarding the PR, we are working to open it today. As soon as it is opened, we ping you.

Edit 1: it will take a bit more than expected (one day or two);

[nvazquez]

@GutoVeronezi I've tested it on a single mgmt server and I'm not able to access any VM console, could you please verify? On each case I get this error from the CPVM logs:

2023-01-16 16:44:48,918 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-161:null) Get resource request for /resource/noVNC/vnc.html
2023-01-16 16:44:48,928 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-161:null) Sent file /resource/noVNC/vnc.html with content type text/html
2023-01-16 16:44:49,900 INFO  [cloud.consoleproxy.ConsoleProxyNoVNCHandler] (qtp465655017-41:null) Get websocket connection request from remote IP : 10.0.3.251
2023-01-16 16:44:49,955 WARN  [cloud.consoleproxy.ConsoleProxy] (qtp465655017-41:null) External authenticator failed authentication request for vm 60461a74-61a0-4951-b496-39f88e43b151 with sid zGvr4WyQaxJhz_lV7jCYfw
2023-01-16 16:44:49,955 WARN  [cloud.consoleproxy.ConsoleProxyNoVNCHandler] (qtp465655017-41:null) Failed to create viewer due to External authenticator failed request for vm 60461a74-61a0-4951-b496-39f88e43b151 with sid zGvr4WyQaxJhz_lV7jCYfw
com.cloud.consoleproxy.AuthenticationException: External authenticator failed request for vm 60461a74-61a0-4951-b496-39f88e43b151 with sid zGvr4WyQaxJhz_lV7jCYfw
	at com.cloud.consoleproxy.ConsoleProxy.authenticationExternally(ConsoleProxy.java:561)
	at com.cloud.consoleproxy.ConsoleProxy.getNoVncViewer(ConsoleProxy.java:595)
	at com.cloud.consoleproxy.ConsoleProxyNoVNCHandler.onConnect(ConsoleProxyNoVNCHandler.java:143)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.eclipse.jetty.websocket.common.events.annotated.CallableMethod.call(CallableMethod.java:70)
	at org.eclipse.jetty.websocket.common.events.JettyAnnotatedEventDriver.onConnect(JettyAnnotatedEventDriver.java:178)
	at org.eclipse.jetty.websocket.common.events.AbstractEventDriver.openSession(AbstractEventDriver.java:217)
	at org.eclipse.jetty.websocket.common.WebSocketSession.open(WebSocketSession.java:493)
	at org.eclipse.jetty.websocket.common.WebSocketSession.onOpened(WebSocketSession.java:459)
	at org.eclipse.jetty.io.AbstractConnection.onOpened(AbstractConnection.java:213)
	at org.eclipse.jetty.io.AbstractConnection.onOpen(AbstractConnection.java:205)
	at org.eclipse.jetty.io.AbstractEndPoint.upgrade(AbstractEndPoint.java:444)
	at org.eclipse.jetty.server.HttpConnection.onCompleted(HttpConnection.java:412)
	at org.eclipse.jetty.server.HttpChannel.onCompleted(HttpChannel.java:919)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:467)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:829)
2023-01-16 16:44:50,231 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-162:null) Get resource request for /resource/noVNC/app/images/error.svg
2023-01-16 16:44:50,236 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-162:null) file does not exist/resource/noVNC/app/images/error.svg

[blueorangutan]

Trillian test result (tid-5853)
Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
Total time taken: 40795 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5853-xenserver-71.zip
Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[blueorangutan]

Trillian test result (tid-5855)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 42850 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5855-kvm-centos7.zip
Smoke tests completed. 106 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_08_upgrade_kubernetes_ha_cluster	Failure	579.56	test_kubernetes_clusters.py

[blueorangutan]

Trillian test result (tid-5854)
Environment: vmware-67u3 (x2), Advanced Networking with Mgmt server r8
Total time taken: 43843 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5854-vmware-67u3.zip
Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[nvazquez]

@GutoVeronezi the problem listed previously for one mgmt server comes from the method isSessionAllowed that does not query the database for the session UUID and always returns false, therefore the ConsoleAccessAuthenticationAnswer is false

[GutoVeronezi]

@nvazquez, thanks. I missed a line while porting the changes to the PR. I fixed it with commit dec6e3f and was doing some more testing before pinging you.

[codecov]

Codecov Report

Merging #7094 (6173aa0) into main (5665782) will increase coverage by 0.01%.
The diff coverage is 0.00%.

@@             Coverage Diff              @@
##               main    #7094      +/-   ##
============================================
+ Coverage     11.76%   11.78%   +0.01%     
- Complexity     7661     7668       +7     
============================================
  Files          2503     2505       +2     
  Lines        245958   246021      +63     
  Branches      38374    38381       +7     
============================================
+ Hits          28946    28988      +42     
- Misses       213248   213261      +13     
- Partials       3764     3772       +8     

Impacted Files	Coverage Δ
...a/src/main/java/com/cloud/vm/ConsoleSessionVO.java	0.00% <0.00%> (ø)
...n/java/com/cloud/vm/dao/ConsoleSessionDaoImpl.java	0.00% <0.00%> (ø)
...ain/java/com/cloud/consoleproxy/AgentHookBase.java	0.00% <0.00%> (ø)
...udstack/consoleproxy/ConsoleAccessManagerImpl.java	5.30% <0.00%> (-0.25%)	⬇️
...m/resource/wrapper/LibvirtReadyCommandWrapper.java	61.53% <0.00%> (-11.19%)	⬇️
...oud/hypervisor/vmware/mo/HypervisorHostHelper.java	15.54% <0.00%> (-0.02%)	⬇️
...oud/hypervisor/vmware/resource/VmwareResource.java	4.50% <0.00%> (-0.01%)	⬇️
...m/cloud/hypervisor/vmware/mo/VirtualMachineMO.java	0.93% <0.00%> (-0.01%)	⬇️
...in/java/com/cloud/hypervisor/vmware/mo/HostMO.java	0.14% <0.00%> (-0.01%)	⬇️
...cloud/storage/resource/VmwareStorageProcessor.java	0.32% <0.00%> (-0.01%)	⬇️
... and 4 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sonarqubecloud]

SonarCloud Quality Gate failed.   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

0.0% Coverage
0.0% Duplication

[weizhouapache]

these lines can be replaced by a constructor

[GutoVeronezi]

On principle, I would rather not create a constructor for informing the object properties, as the more properties it has, the longer the constructor would get, becoming harder to read/interpret the code. For Python, that supports keyword arguments, this approach works fine, though.

[nvazquez]

@GutoVeronezi thanks for the refactor, you are right I have now checked that the lastUsedTime on the ConsoleProxyLoadReportCommand keeps being updated even when the session is not used, that makes the session not to timeout

[yadvr]

Lgtm, the license header has extra newlines compared to existing files. Didn’t test it.

[yadvr]

@blueorangutan package

[blueorangutan]

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 5300

[DaanHoogland]

clgtm

[DaanHoogland]

@blueorangutan test matrix

[blueorangutan]

@DaanHoogland a Trillian-Jenkins matrix job (centos7 mgmt + xenserver71, rocky8 mgmt + vmware67u3, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-5890)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 40757 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5890-kvm-centos7.zip
Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[blueorangutan]

Trillian test result (tid-5888)
Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
Total time taken: 44802 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5888-xenserver-71.zip
Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[blueorangutan]

Trillian test result (tid-5889)
Environment: vmware-67u3 (x2), Advanced Networking with Mgmt server r8
Total time taken: 79671 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5889-vmware-67u3.zip
Smoke tests completed. 72 look OK, 35 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_09_project_suspend	Error	2.50	test_projects.py
test_10_project_activation	Error	2.42	test_projects.py
ContextSuite context=TestRouterServices>:setup	Error	0.00	test_routers.py
test_01_vm_with_thin_disk_offering	Error	6.62	test_disk_provisioning_types.py
test_02_vm_with_fat_disk_offering	Error	7.64	test_disk_provisioning_types.py
test_03_vm_with_sparse_disk_offering	Error	7.64	test_disk_provisioning_types.py
test_01_non_strict_host_anti_affinity	Error	2.41	test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity	Error	1.42	test_nonstrict_affinity_group.py
test_03_deploy_vm_domain_service_offering	Error	10.71	test_domain_service_offerings.py
test_03_create_vpc_domain_vpc_offering	Error	9.26	test_domain_vpc_offerings.py
test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80	Failure	5.81	test_internal_lb.py
test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80	Failure	7.88	test_internal_lb.py
test_03_vpc_internallb_haproxy_stats_on_all_interfaces	Failure	4.65	test_internal_lb.py
test_04_rvpc_internallb_haproxy_stats_on_all_interfaces	Failure	9.76	test_internal_lb.py
ContextSuite context=TestLBRuleUsage>:setup	Error	5.76	test_usage.py
ContextSuite context=TestNatRuleUsage>:setup	Error	9.14	test_usage.py
ContextSuite context=TestPublicIPUsage>:setup	Error	12.45	test_usage.py
ContextSuite context=TestSnapshotUsage>:setup	Error	15.87	test_usage.py
ContextSuite context=TestVmUsage>:setup	Error	25.79	test_usage.py
ContextSuite context=TestVolumeUsage>:setup	Error	29.37	test_usage.py
ContextSuite context=TestVpnUsage>:setup	Error	32.93	test_usage.py
test_01_events_resource	Error	3.52	test_events_resource.py
test_01_events_resource	Error	3.53	test_events_resource.py
test_deploy_vm_with_registered_userdata	Error	4.66	test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_override_policy_allow	Error	4.63	test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_override_policy_append	Error	4.87	test_register_userdata.py
test_deploy_vm_with_registered_userdata_with_params	Error	4.58	test_register_userdata.py
ContextSuite context=TestHostControlState>:setup	Error	0.00	test_host_control_state.py
ContextSuite context=TestIsolatedNetworks>:setup	Error	0.00	test_routers_network_ops.py
ContextSuite context=TestRedundantIsolateNetworks>:setup	Error	0.00	test_routers_network_ops.py
test_01_create_iso_with_checksum_sha1	Error	66.62	test_iso.py
test_02_create_iso_with_checksum_sha256	Error	66.54	test_iso.py
test_03_create_iso_with_checksum_md5	Error	66.59	test_iso.py
test_04_create_iso_with_no_checksum	Error	66.51	test_iso.py
test_01_create_iso	Failure	1516.60	test_iso.py
ContextSuite context=TestISO>:setup	Error	3032.15	test_iso.py
ContextSuite context=TestResetVmOnReboot>:setup	Error	0.00	test_reset_vm_on_reboot.py
test_01_invalid_upgrade_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_02_upgrade_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_03_deploy_and_scale_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_04_autoscale_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_05_basic_lifecycle_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_06_delete_kubernetes_cluster	Failure	0.01	test_kubernetes_clusters.py
test_07_deploy_kubernetes_ha_cluster	Failure	0.01	test_kubernetes_clusters.py
test_08_upgrade_kubernetes_ha_cluster	Failure	0.01	test_kubernetes_clusters.py
test_09_delete_kubernetes_ha_cluster	Failure	0.01	test_kubernetes_clusters.py
test_01_scale_vm	Error	1.29	test_scale_vm.py
test_02_scale_vm_negative_offering_disable_scaling	Error	1.24	test_scale_vm.py
test_03_scale_vm_negative_vm_disable_scaling	Error	1.25	test_scale_vm.py
test_04_scale_vm_with_user_account	Error	8.38	test_scale_vm.py
test_05_scale_vm_dont_allow_disk_offering_change	Error	1.32	test_scale_vm.py
ContextSuite context=TestLoadBalance>:setup	Error	0.00	test_loadbalance.py
ContextSuite context=TestDeployVM>:setup	Error	0.00	test_vm_life_cycle.py
test_01_offline_migrate_VM_and_root_volume	Error	1.32	test_vm_life_cycle.py
test_02_offline_migrate_VM_with_two_data_disks	Error	1.27	test_vm_life_cycle.py
test_03_live_migrate_VM_with_two_data_disks	Error	1.28	test_vm_life_cycle.py
test_04_migrate_detached_volume	Error	1.26	test_vm_life_cycle.py
ContextSuite context=TestVAppsVM>:setup	Error	1519.70	test_vm_life_cycle.py
ContextSuite context=TestVMLifeCycle>:setup	Error	1523.44	test_vm_life_cycle.py
test_01_add_delete_kubernetes_supported_version	Error	1802.36	test_kubernetes_supported_versions.py
ContextSuite context=TestRAMCPUResourceAccounting>:setup	Error	0.00	test_resource_accounting.py
ContextSuite context=TestListIdsParams>:setup	Error	0.00	test_list_ids_parameter.py
ContextSuite context=TestRouterIpTablesPolicies>:setup	Error	0.00	test_routers_iptables_default_policy.py
ContextSuite context=TestVPCIpTablesPolicies>:setup	Error	0.00	test_routers_iptables_default_policy.py
test_01_sys_vm_start	Failure	0.10	test_secondary_storage.py
ContextSuite context=TestServiceOfferings>:setup	Error	1519.42	test_service_offerings.py
ContextSuite context=TestVMWareStoragePolicies>:setup	Error	0.00	test_storage_policy.py
test_01_scale_up_verify	Failure	35.03	test_vm_autoscaling.py
test_02_update_vmprofile_and_vmgroup	Failure	245.88	test_vm_autoscaling.py
test_03_scale_down_verify	Failure	304.75	test_vm_autoscaling.py
test_04_stop_remove_vm_in_vmgroup	Failure	0.03	test_vm_autoscaling.py
test_06_autoscaling_vmgroup_on_project_network	Failure	46.49	test_vm_autoscaling.py
test_06_autoscaling_vmgroup_on_project_network	Error	46.50	test_vm_autoscaling.py
test_07_autoscaling_vmgroup_on_vpc_network	Error	3.26	test_vm_autoscaling.py
ContextSuite context=TestVmAutoScaling>:teardown	Error	11.59	test_vm_autoscaling.py
test_01_deploy_vm_on_specific_host	Error	0.24	test_vm_deployment_planner.py
test_02_deploy_vm_on_specific_cluster	Error	2.41	test_vm_deployment_planner.py
test_03_deploy_vm_on_specific_pod	Error	1.40	test_vm_deployment_planner.py
test_04_deploy_vm_on_host_override_pod_and_cluster	Error	0.19	test_vm_deployment_planner.py
test_05_deploy_vm_on_cluster_override_pod	Error	2.35	test_vm_deployment_planner.py
test_01_unmanage_vm_cycle	Error	4.46	test_vm_lifecycle_unmanage_import.py
ContextSuite context=TestUnmanageVM>:teardown	Error	4.49	test_vm_lifecycle_unmanage_import.py
test_change_service_offering_for_vm_with_snapshots	Error	1.28	test_vm_snapshots.py
ContextSuite context=TestVmSnapshot>:setup	Error	7.80	test_vm_snapshots.py
ContextSuite context=TestCreateVolume>:setup	Error	0.00	test_volumes.py
ContextSuite context=TestVolumes>:setup	Error	1518.06	test_volumes.py
ContextSuite context=TestIpv6Vpc>:setup	Error	0.00	test_vpc_ipv6.py
ContextSuite context=TestVPCRedundancy>:setup	Error	0.00	test_vpc_redundant.py
ContextSuite context=TestVPCNics>:setup	Error	0.00	test_vpc_router_nics.py
ContextSuite context=TestRVPCSite2SiteVpn>:setup	Error	0.00	test_vpc_vpn.py
ContextSuite context=TestVPCSite2SiteVPNMultipleOptions>:setup	Error	0.00	test_vpc_vpn.py
ContextSuite context=TestVpcRemoteAccessVpn>:setup	Error	0.00	test_vpc_vpn.py
ContextSuite context=TestVpcSite2SiteVpn>:setup	Error	0.00	test_vpc_vpn.py
test_01_cancel_host_maintenace_with_no_migration_jobs	Error	0.07	test_host_maintenance.py
test_02_cancel_host_maintenace_with_migration_jobs	Error	0.07	test_host_maintenance.py
test_03_cancel_host_maintenace_with_migration_jobs_failure	Error	0.06	test_host_maintenance.py

[DaanHoogland]

@blueorangutan test rocky8 vmware-67u3

[blueorangutan]

@DaanHoogland a Trillian-Jenkins test job (rocky8 mgmt + vmware-67u3) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-5906)
Environment: vmware-67u3 (x2), Advanced Networking with Mgmt server r8
Total time taken: 46574 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7094-t5906-vmware-67u3.zip
Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[nvazquez]

LGTM manually tested on KVM Rocky 8 env with 2 management servers

[mlsorensen]

Nice job @GutoVeronezi - I saw this issue as well earlier. Regarding the console_session table, do you see any concern with never cleaning these up and only marking them removed? There could be a lot of rows. Perhaps there should be a cleanup introduced, similar to the events and alerts tables?

[GutoVeronezi]

@mlsorensen, as this data can be used for auditing access to the consoles, I do not see a problem with keeping them; however, the data may become obsolete or operators may not want to store them. Your proposal for a cleanup task is a good idea. We can implement it with customized intervals and retention, just like other tasks ACS has.

@DaanHoogland, do we still have time to implement this feature in 4.18 or it is already in freeze?

[nvazquez]

@DaanHoogland @GutoVeronezi I've created the PR: #7132, can you please review?

[DaanHoogland]

@mlsorensen, as this data can be used for auditing access to the consoles, I do not see a problem with keeping them; however, the data may become obsolete or operators may not want to store them. Your proposal for a cleanup task is a good idea. We can implement it with customized intervals and retention, just like other tasks ACS has.

@DaanHoogland, do we still have time to implement this feature in 4.18 or it is already in freeze?

@GutoVeronezi , I am quite lenient with freeze. I wanted to create the first RC on monday but a couple of PR do not seem to make it. Most noticably tungsten, which I really want in, albeit as experimental feature.
Let's get this task in if at all possible.

[mlsorensen]

@mlsorensen, as this data can be used for auditing access to the consoles, I do not see a problem with keeping them; however, the data may become obsolete or operators may not want to store them. Your proposal for a cleanup task is a good idea. We can implement it with customized intervals and retention, just like other tasks ACS has.

@DaanHoogland, do we still have time to implement this feature in 4.18 or it is already in freeze?

Yes, I agree it could be useful for audit. I am mostly thinking about size, a decent cloudstack install could have thousands of console requests a day. I think mysql could handle it, but it is like a log that never rolls. Probably not an immediate issue.