Merge branch 'dev' to 'uaa' #28

…ests. Change-Id: I345ecb97906ab3fa3d01d2691c2a00117684f0e5

Change-Id: I3119129d84a33523b1faf96e7247574ffed4b834

This change allows the orgunit for a computer account to be specified in DN format, for example: OU=project,OU=tenant,OU=node Note that this a partial DN within the OU=Computers container. Change-Id: If99cc186794e6d8dbfb3a283c14cf0919073b722

…PR 1817458) Change-Id: If5ac4c277a258cde8208a130a49d8a57791bd360

Change-Id: Ie76ef5e11505a6b83853a1cce7b83073a0bfcc32

Change-Id: I12ef38f81d69733d69edaff4b41891ec7cc6149e

Change-Id: I8cf44c71de464e209ed09ac662b580f58615bfee

Change-Id: I59ba09a5cbe74f9f138b3dba60cde4afed0e6ff1

Change-Id: Ia39bb2abd5faeb4413b5c2ed063bc367d895a771

Change-Id: Ibc05b7584bc3aeaa8fa20a63d0374aced2ff393c

Change-Id: I6d0e046885c6ae3fe84fc6a5ff9f6006e3026b61

sample curl REST API test output - https://bugzilla.eng.vmware.com/show_bug.cgi?id=1883274#c1 Change-Id: I1b6d546cb0b2a5148273d9fd56ad8d58b99acca8

Change-Id: If34a0dc048a7871156503f1d05289084a4be12aa

Change-Id: I9c27aa66db59eb7bd9ca974c6ceb86a136c60e3b

Change-Id: I6a706e9e88ddb48e0cd1042f66af77fdeb62a7ff

Change-Id: Ib446baf2cb45e15227c5fb52ec905fc775132e3a

Change-Id: Ie98913985bb3aeafd615385af33c633fc1888ef5

Change-Id: I2f9ab9ab97859acb4442e2d1af8760309b9cbe4c

Change-Id: Ib5eafa8cc65a21298cc475ace2ab1c0e478b1b30

…rd is running (PR 1881585) Change-Id: If10001060650eecdce06b2447fa8201daaeffb73

…ird is running (PR 1881585) Change-Id: I8184cff3d4985d6c14d7ac6f87e75c9f00efdbd7

Change-Id: Ia4307efaa123b282522e5e6d27997395c5ab27ae

Change-Id: I82860039929cfa01d872d3ffc8bd88692dc71b20

…rtAvailability + add tcp_close in cleanup Change-Id: I8b9eb1a69a80ab4796ceefa46b27b0b195eebfed

Change-Id: I4fd968a1a213b73f34525a0f0bef0d3cac2beba8

This change fixes the top-level photon OS build. The directory vmidentity/ssoclients is now built prior to lwraft and vmdir projects to satisfy library dependencies when REST is enabled. Change-Id: I3214901cc1e20596cd539de775ad89f3bf96c58b

Change-Id: I7ac528417fdcc1367db82eb75d3a812eb4b7cfb7

…ing m4 files Change-Id: I4e0e65e67a259684001f4ec73350279139f2ed59

…tion tests Change-Id: I6cfb9c92ec7cc84969dccc9b7fa973d6803246d4

root@lw-t3 [ /home/admin/workspaces/LW-5 ]# /opt/vmware/bin/lwraft-cli help Usage: lwraft-cli { arguments } Arguments: node list --server-name <host name> node state --server-name <host name> --login <user@domain> --password <password> node promote --password <password> [--host-name <host name> preferred Lightwave Raft host name, can be FQDN or IP] [--domain-name <domain name> | --partner-name <host of partner> ] node demote --server-name <host name> --login <user@domain> --password <password> --demote-host-name <host to demote>] help * Promote can specify any node in the cluster as partner. It will find the leader and does the join eventually. * also, retire lwraftleavefed. * will retire lwraftpromo later after. * address comments from Kyoung Change-Id: I9d0b62e24811b40946251da2a3204ab5fa972ac1

Change-Id: I85df8c4704b66d1eba9e818dacef52d72d01f208

* Contentrule should use Modify OP * Fix file parsing error to pick up last defintion correctly. We use to skip last def is there is no extra empty line at the end Change-Id: I8943020ef22dafe1fb029c9c8a9091d29b2c2ee6

Change-Id: Id3d0cbee385ef633e8257da704c711d6367809cd

Solve for infra node only SRP deadlock which lwraft uncovered. Pending: more general solution to solve all SRP traffic (MxN). Reverting accidental change to --enable-raft in spec file. dev branch vs master Address lopstad and sruo review comments. Fix SRP memory leaks found with valgrind. Address brownj review comments. Change-Id: Ie3c00777b240938947ba5eebecf0f295e76398d5

…onseGetError Change-Id: Id17b593d5e89cabd106045df70bb94dbfdf17565

Change-Id: Ie69b3bc2079324613aa32678431975941cf42e69

Change-Id: I66332ec1db7c254c4ece565e9ac29bd6ba58927e

1884128 don't block client when the leader cannot commit when quorum cannot be reached instead, set to leader to follower role to avoid reusing log index/term. PR 1862068 add a reg-key (RaftQuorumOverride) to override Raft consensus requirement to be able to commit transaction locally. Change-Id: Ia4ddefbbfbc8ef46db036079a76da0259f7a98df

Change-Id: Ib0a8eda3001f004cac5c4e43a01a88d2fe15a933

…mdns-cli list-zone' before promoting the instance Change-Id: I22f413afe60f69724e7ae022843fc51659235cee

Change-Id: I9e68595c519752e0bdfc1ee25106d1b857e7c56c

Change-Id: I0fea782226fb70019eac19b5627b5450115826e1

Installing vmware-sts emits the below error: lwregshell (error = 40709 - LWREG_ERROR_KEYNAME_EXIST) Creation of the desired subkey path tries to create all imtermediate subkeys, one of which already exists. This change fixes this issue. Applied same change to lightwave.spec file, as per brownj comment. Change-Id: I61a8a1acd9fb1184fb74c33a5e376c5e53385615

Change-Id: I3f0e99ad67170b686ba52e389a1f093d1d9cad63

Change-Id: Iedd67c18ccfc8c2cbd2c45cef9f629658822529f

…er use caes Change-Id: I0b8e63fa50c5a7594d3bbc58f1b4599ec46f2a0d

Change-Id: Ifaa4a34ac9795f87cda133490ac6ebfc18d4621b

Current vmdir has 65k multi-value attibute limit. It also not tuned to handle big size group membership. Here is no use case in Lightwave to maintain a group for all computers. Hence disable its usage. Change-Id: I6179cf3b878601cebe73cb293c1f281d7104bcc0

Change-Id: Ic7eaecd75d9eda8287062cd3890dd4af754c4f70

Change-Id: I9706ad61cd1685dfe0b0d3edcae53a51b926c003

…rsing audience claim which might be a single string or an array of strings. Change-Id: I575b0a540aa30f79f52f1a0591798909b2511551

Change-Id: I054bf809ce3ebde32dec780d975ac85e0bea1b2f

Do not register a service's RPC interfaces with dcerpcd. All lightwave services use well-known ports. dcerpcd is a portmapper, i.e. return the IP:[port] for an RPC interface specification. Because of firewall rules it is not possible to use ephemerial RPC ports, so no component queries dcerpcd for a service for an RPC interface. Since one deployment environment has revealed a latent bug in either dcerpcd or libdcerpcd.so, don't register with dcerpcd. Comment out calls to VmXXXRpcEpRegister as well from server.c, as per brownj comment. Change-Id: Ibdf77eb65123afe11c0c19b525f7a3da25374ce1

Change-Id: I6a72c35e1f48ac27f493df8b8cedb2fe075b9a42

Change-Id: I77f94ac2bae737c572146fefe6dcc762cfe79f33

…returned by server. if server returns error response (which contains error and error_description), we should parse that and translate the error code into the corresponding SSOERRROR. we will not propagate error_description string as that would require an extra out parameter (similar to AcquireTokens API's). Change-Id: Ib4316e423ba5f804d18ebdbb3ace65a64de4f942

Change-Id: Ia99c36cc1fcbbe29bbec2cb34fe0abdbc395a7ec

Change-Id: I6c6e2fa41478973e2c6bedffa2769f042fdd1aac

Change-Id: Ibc983c33df4b1b23e2f0e2a3db34d0fa1303b164

Change-Id: I31010a83129c7696d8b8991daa22c3cd1dbe4f72

This change adds a new REST api to query metrics data in json format. Initially it returns the existing LDAP operation statistics. This will be further enhanced to provide many other types of metrics data. Also made a few changes to fix build failures when compiling with the -g debug flag. Change-Id: I12c3155440bf474b33f907dff4f225906257bdc0

Change-Id: Ic02f0cb130d42e9314fab8a3a341c9fb2f94af3b

…files correctly (PR 1903809) Change-Id: Ic1f4e20e082cf7ae267941221e7e8461b4b45b40

… files correctly (PR 1903809) Change-Id: I6ac801fcd218435e4acdd870c7814d534aede791

Change-Id: I3a2a167c97e4d704b34c174640570b21719ee6f1

Change-Id: If7cf5837e515dfe8b6bf6d26b771f2a046c44fc8

Change-Id: Icc6ea534b04d561a9695db9086990a840a592ace

JSON output format is changed to a more structured format. Also, created a new function to get total time and display it in json output instead of the average time. Change-Id: Id62709a612f9fb5912b48d07eedc8bf984e72156

Before, the domain name used to build LDAP DNs was hardcoded as vsphere.local. In the case where the domain is not that, LDAP commands would fail due to an incorrect DN. These failing LDAP commands caused the VmDnsCacheRefreshThread to fail and exit immediately after the first run. After this failure, VmDnsCacheRefreshThread would not be running and the cache will not be synchronized with the directory. This fix obtains the domain name from the directory when building LDAP DNs and eliminates hardcoded domain names in LDAP DNs. Having correct DNs when making LDAP commands prevents the VmDnsCacheRefreshThread from failing. Now, since VmDnsCacheRefreshThread does not fail and continuously runs, the cache is synchronized with the directory every 5 seconds. This addresses bug [1818509](https://bugzilla.eng.vmware.com/show_bug.cgi?id=1818509). Changes made: - Removed hardcoded domain names from LDAP DNs in defines.h - Provided new function to assist in building LDAP DNs - Provided new function to build LDAP DNs to access Deleted Objects - Updated functions that relied on hardcoded DNs to use new functions Test plan: - Created two domain controllers (dc01 and dc02) where dc02 was partner of dc01 - Added an A record to dc01 and saw it appear in dc02's cache - Updated the record by deleting and then adding it with a modified IP - Ran list-record and query-record to see if the updated A record appeared + It did appear, but only after 5 seconds (the time interval for VmDnsCacheRefreshThread) - Created a zone on dc01 and then waited to see if it appeared on dc02 + It did appear, but only after 5 seconds (the time interval for VmDnsCacheRefreshThread) Change-Id: Ic74545ff7f8f29c5f4addbcd6498e26472a237ea

…(PR 1905019) - Based on https://reviewboard.eng.vmware.com/r/1154088/ - Grant authenticated users permission to read CA container Change-Id: If04f19778a4a1617bbedbab08430fafbc75a9518

It introduces a no-op for leader change, as the paper proposed in section 8. This eliminate depending on Raft Ping to replicate logs in older terms for new leader. It also removed backend call that explicitly persists a new term. When server restarts, the lasted term observed by the server can be obtained from the last raft log. It fixes a few potential race conditions between the update threads and RPC handling procedures. This amend adds a timeout on ldap client who makes anonymous bind for getting a server's Raft state, otherwise the the search for DSE root would get blocked when the host (VM) is down. Update the LwRaft paper for documentation. Additional change on mdb.c fixes PR 1905356, lwraft crash in AWS deployment K8S cluster Change-Id: Ic7bf2d4f98923a225f7bd64a90f7e03ae71388cf

Faced the above mentioned issue while configuring the rest end point for vmdns. Changes made: - Modified the function names in the vmsock library to resolve the name conflict with functions in c-rest-engine Change-Id: I132749f1db62450eb60194f3bac4d183d6b2601f

Change-Id: Ibfeccef7a6cb6abb67200834e66a49818b8a033d

configurable via registry key, e.g. to use default LDAP protocol ports, have following keys. [\services\lwraft\parameters\] + "LdapPort" REG_DWORD 0x00000185 (389) + "LdapsPort" REG_DWORD 0x0000027c (636) Change-Id: I22bf2a62f36bbe036d936960235bbb031b24cc00

Change-Id: Ifc20b5c7d03f85c5967003e75828badf8eb9df05

The photon RPM packaging did not have the correct package dependencies. This change makes "make package" work, and is somewhat more portable because it uses pkgconfig in the RPM spec file where possible. Also do not clean the stage directory after building RPMS. PR#1913517 Change-Id: Id2fb0589c40de288049eda7cc3295123208e9514

- Based on vmdir change (http://code.pslabs.eng.vmware.com:8082/#/c/782/) - Lwraft doesn't use this new SID during initialization yet Change-Id: Ib59d0d5f6c7f166a2275e70e5addaadb6a03cacd

I accidently remove REST PORT default value in prior checkin. Put it back. Change-Id: Ib8443201d38c396178be94c1798128d4d7ebda79

Added user capability to create a reverse zone and add,query and delete records from the same. Previous implementation did not allow the user to create a reverse zone. Default reverse zones in-addr.arpa and ip6.arpa are created at initialization. Tested the code for adding, querying and deleting PTR records for ip4 and ip6 in both the default reverse zones and user-created reverse zones. The tests were successful on both RPC port as well as DNS port (port 53) verified through cli commands and tools like nslookup, dig respectively. Unit testing was done for the code by adding, querying and deleting a PTR record. The file is included in the test directory in vmdns as TestPtr.c The scripts under vmdns/test/scripts have been included for testing and debugging purposes. They include both positive as well as negative tests for the user to gain an understanding of reverse zones and their lookups Change-Id: Id0be8f06e6e5cdda6a2c34fc6b6f284e2a8ebdcf

Before, the VMDNS init process set the service state to READY when the cache was able to load initial zone data from the directory. The point where the state was set caused some timing conflicts with other services that relied upon VMDNS to be ready. Also, the VMDNS cache refresh thread was not that reslient - it would exit if a function call resulted in an error. When the cache refresh thread died, the cache would cease to synchronize causing it to have improper data unless a manual refresh was done. This change updates the VMDNS init process such that the initialization function waits until the VMDNS state is set to READY before finishing. It will repeatedly, there is a timeout of five attempts, signal the cache refresh thread so it can attempt to propogate initial data and set the VMDNS state to ready. This change also prevents the cache refresh thread from bailing when a function call fails. Instead, all errors are logged and the cache refresh thread tries again to synchronize data. The only instance that the cache refresh thread can fail is when the timed wait fails. Changes made: - Replaced all, but one, BAILs from VmDnsCacheRefreshThread with error logging statements - Added a loop and a condition signal to VmDnsSrvInitDomain to run VmDnsCacheRefreshThread to propogate initial data from the directory and set the VMDNS state to READY - Removed hacky solution to circumvent this issue in VMAFD DNS Init sequence Test plan: - With changes from (781)[http://code.pslabs.eng.vmware.com:8082/#/c/781/], VMAFD was not able to initialize reverse DNS zones due to a timing mismatch bewteen VMAFD's thread and the VMDNS cache thread setting the service state to READY + Adding this change mitigates the failure and VMAFD is able to initialize reverse DNS zones - Before, cache refresh thread would exit if the server state was not ready and its function calls would fail + Adding this change does not cause the cache refresh thread to exit, instead, it logs errors and retries Change-Id: I4e949685264133d5329611c894aab8c4e76d6a40

This change removes the folder pscsetup and also the invocation of the related files from configure-lightwave-server Testing Done: Deployed lightwave and made sure that configure-lightwave-server works as expected. The BVTs also passed Reviewed by: Suresh Chellappan, Balaji, Lars Opstad, Wei Fu Approved by: Suresh Chellappan Documentation: None. Change-Id: I659843a9d720392f6e10f5a84108115469233813

Bugs Addressed in this commit: https://bugzilla.eng.vmware.com/show_bug.cgi?id=1909816 Reviewed by: Suresh Chellappan, Wei Fu, Abhiram Approved by: Suresh Chellappan Tests done : Basic deploy and test the heartbeat table Change-Id: Ibe7a39e9c2e0d669a3c56a7655e37e12d5bb0693

Before, when a PSC was demoted, its DNS entries were _not_ removed from the directory. Demotion seemed to have worked successfully, but it did not. When VMAFD called the VMDNS API to unconfigure the VMDNS service, it supplied an improperly formatted domain name and server name. These names were used to build queries to find and delete the proper DNS record corresponding to the demoting PSC. Since they were improperly formatted, the queries failed, the PSC's records were not found, and VMDNS was not cleaned up properly. This change assures that the PSC's server name and domain name are in the correct format that VMDNS requires - FQDN format. This change also cleans up the VMAFD DNS interface a little to make (un)configuring VMDNS during (pro/de)motion uniform. This resolves bug (1831273)[https://bugzilla.eng.vmware.com/show_bug.cgi?id=1831273]. Changes made: - Ensure VMAFD converts domain and server name to FQDN form before calling VMDNS APIs - Cleanup and consolidate VMAFD DNS interface to make API calls consistent Test plan: - Promoted DC01 in standalone mode - Listed DNS records to verify DC01's records - Demoted DC01 - Checked logs and DNS records to verify no errors and that DC01's records are no longer present - Promoted DC01 - Promoted DC02 in partner mode - Listed DNS records to verify DC01 and DC02's records are present - Demoted DC02 - Checked logs and DNS records in DC02 and DC01 that to verify no errors and that DC02's DNS records are not present in either Change-Id: If486c9a3aaf357212942ebc2b9c63cbca276625a

unnecessary heartbeat entries from VMAFD Change-Id: If0e55f31d93808850659dac8e58d87be513495e9

Why this change is needed: Rest end point to collect metrics from vmdns to send it to the wavefront. Changes made : - Added rest-head library and statically linked to vmdnsd. - Rest head specification includes only the GET method without the support for parameters. - Added opstatic.c inside vmdns/server/common/ to get/update the counter values for the vmdns metrics. - The following metrics have been addressed -dns_query_count -forwarder_query_count Comments : - Rest end point uses port 7677 Change-Id: I556a7630f627868900970f9eb89ae715839e9fb4

name of the daemon: postd name of the service: post name of the RPM: vmware-post-1.3.0-3.x86_64.rpm vmware-post-client-1.3.0-3.x86_64.rpm vmware-post-client-devel-1.3.0-3.x86_64.rpm vmware-post-debuginfo-1.3.0-3.x86_64.rpm name of the meta RPM: vmware-objectstore-1.3.0-3.x86_64.rpm LWIS registry service name: post Tools name prefix - post: post-cli,postschema,postadmintool,..etc. Correct IDL file naming Change-Id: I116124e7a25001682bd82baf202fc74987bd4c22

Change-Id: I6b760b3afb1a7c6f59d6ac31c5035238c673900e

Implemented the CNAME resolution for A and AAAA queries. In the previous implementation, queries like A and AAAA made for a name containing only a CNAME record resulted in error. In this implementation, the problem mentioned above is resolved and queries are made using the target name of the CNAME record present for the rr type of the query. Hence multiple levels of indirections through CNAME can be done before the record matching the type of query can be obtained. We have currently limited the number of indirections to 5; this can be changed as per required. Also added error checks and bails for the condition that CNAME record should not co-exist with any other record type. The changes are reflected in VmDnsIsUpdatePermitted function. Changes made: - Edited the VmDnsSrvQueryRecords function to handle CNAME records - Moved the functionality to get a record from the cache or the store to another function named VmDnsSrvGetRecords - Created VmDnsGetLinkedRecords function which handles the queries needed to be made for CNAME records - Modified the VmDnsIsUpdatePermitted function for proper error checks. Testing: The testing was done to check if A and AAAA queries for records containing only the CNAME record were successful. Both of them resulted in success on RPC as well as DNS ports. Negative tests were also done to make sure that CNAME record could co-exist with any other record. Testing was also done to ensure that upto 5 levels of indirections are supported currently, and the code fails with "ERROR_NOT_SUPPORTED" for higher number of indirections, thereby keeping a cap on the maximum response time for a query. Change-Id: Ibc5e1e51822d8f72ea939e064b0269fb954d6705

Moved the curl_global_init to init stage and added curl_global_cleanup in vmca shutdown logic. Change-Id: Id72ffc6c8d6e22f2f0816e66c1802d39094424b3

code was commented as part of "change: If9e6683f559a153558681918ec207cbdaccebc8c", VmDir REST head implementation (excluded from build + removed curl dependency) now since the issue is fixed, enabled OidcClientGlobalInit and OidcClientGlobalCleanup in vmdir. Testing: starting and stopping multiple times to ensure init and cleanup is not causing any errors. Changes were approved by Sung Ruo. Change-Id: I56402dc51405df1a73f3b2640ed8dd35f9e92e4d

Change-Id: Ic6fa25c9db8d246715318842e4f805d06eb3aa4b

before the change root@lw-t2 [ /home/admin/workspaces/LW-3/lwraft ]# curl --user [email protected]:vmware 'http://lw-t2:7577/v1/post/ldap?dn=cn%3Ddse%20root&scope=base&filter=objectclass%3D*&attrs=vmwRaftLeader,vmwRftMember,vmwRaftFollower' { "result": [ { "dn": "cn=DSE Root", "attributes": [ { "type": "vmwRaftLeader", "value": [ "lw-t2" ] } ] } ], "result_count": 1 } after the change root@lw-t2 [ /home/admin/workspaces/LW-3/lwraft ]# curl --user [email protected]:vmware 'http://lw-t1:7577/v1/post/ldap?dn=cn%3Ddse%20root&scope=base&filter=objectclass%3D*&attrs=vmwRaftLeader,vmwRftMember,vmwRaftFollower' {"result":[{"dn":"cn=DSE Root","attributes":[{"type":"vmwRaftLeader","value":["lw-t1"]}]}],"result_count":1} Change-Id: I240ae567462ece596c852f7ec0a5fa076e342923

…up before accepting traffic (PR-1901106) Enabling OidcClientGlobalInit and OidcClientGlobalCleanup during init process, since issues faced with OidcClientGlobalInit (wrapper for curl_global_init) was resolved. Change-Id: Ieeec9dba3e6f8ef438e265617498f5e3c7bd858d

change "Id72ffc6c8d6e22f2f0816e66c1802d39094424b3" broke the build in ubuntu platform. Oidc client related libraries were included only if rest services are enabled. In Photon REST services are by default enabeld. Fixed it by including OidcClientGlobalInit and OidcClientGlobalCleanup only if REST services are enabled. Change-Id: I53fac58c4308e2c330ecd17748bc9b0786429b6a

…rityDescriptor that can be applied per domain (PR 1861840, 1905019) - Generate SID with domain template when building defaultSecurityDesciptor - Replace the template with authenticated domain SID when creating object SD from defaultSecurityDescriptor - New defaultSecurityDescriptors for computer, group, and vmwcertificationauthority classes that grant read permission to all authenticated users Change-Id: Ic8a2d953b5aac7bc9cfb03bcd396c3412852f3f3

Change-Id: I488095e4c595180f2f41ef1914dacfdfb21adc2b

Updated build to accomodate newer versions. Bumped uaa to 6493af37b Change-Id: I69d266eabb8641271cd243c394d3e7d3e7b8207d

This change gets the FQDN of the host to configure lightwave PNID instead of using the result of gethostname() which is typically just the short name of the host. PR#1911810 Change-Id: Ie3feff04aa54e832cf3f166516ba316bd9953837

Change-Id: Idf76b91be3f1652ddace2e47145255d86a9dbd78

Remove all vmkdc components from lwraft. Added dependent libkrb5crypto.so and libcsrp.so libraries to lightwave-client RPM. Now lightwave and lightwave-post RPMs can be installed and promoted on the same system. Removed unused srp_verifier RPC server handler from vmdird. Change-Id: Id4a94f311440a9e43572479489df18c28058c92c

This is a major overhaul on MDB WAL implementation. It dropped the idea of running MDB WAL under MDB_WRITEMAP mode; instead, the new version runs MDB at non-MDB_WRITEMAP mode. The change should reduce the risk of altering the original MDB implementation too much. The database integrity now needs only on the recovered database, i.e. on database after rolling forward WAL files. The change also allows switching between WAL and non-WAL mode as long as the database environment is gracefully shutdown. The database remote transfer is now of capable of switching to cold copy if the source server is running at non-WAL mode. Change-Id: I5abcf4c8fc8da1258201c55ad9f5fa930052e407

This change is to add the DDNS client feature to VMAFD. With this change, clients and servers joined to a domain can automagically have their DNS records in the VMDNS updated. Change-Id: Ifd1573411ff2a0eef0f96dc6878638fe4db0b3ad

Before, demoting a DC would not remove all DNS records. SRV records for LDAP and Kerberos would still remain present. Also, when a client left a domain, its DNS A record would not be deleted either. When re-promoting a node or re-joining a domain, errors would be thrown since the directory held old data. Also, before, when demotion/domainLeave occured, the VmDir provider was being signaled to refresh at the wrong time. This would cause an authentication error because this signal was occuring _after_ the node had demoted or left the domain. This change addresses these issues by deleting _all_ DNS entries associated with a node upon demote/leave. This change also addresses authentication error by moving the call to refresh the VmDir provider after the DNS entries have been deleted, but _before_ actual demotion/leave occurs. Changes made: - Added code to VMDNS service API cleanup domain to remove DNS SRV records for LDAP, Kerberos, DC LDAP, and DC Kerberos - Refactored VMAFD's VMDIR interface to include code to delete records - Added code to delete client's A records upon domain leave - Rearranged demote/leave process in VMAFD's VMDIR interface to signal the VMDIR provider at the correct time (before actual demote/leave occurs) - Addressed a buffer overread/overwrite bug in VMAFD's VMDNS interface when crafting DNS record names - Changes error handling logic in VMAFD's VMDNS interface when crafting LotusServerName Test plan: - Created DC01 in standalone mode - Created DC02 and DC03 in replication partner mode - Created CL01 as a standard client - Verified that All DNS A records, NS records, SRV records are present - Demoted DC03 and verified that all DC03 A, NS, and SRV records are deleted - CL01 left domain and verified that CL01's A record is deleted - Demoted DC02 and verified that all DC02 A, NS, and SRV records are deleted - Repromoted and Rejoined the three nodes - Verified that records are present again - Demoted DCs and client left domain - Verified that records are not present again (only DC01 records present) - Read log messages to verify correct operations are occuring in correct order Change-Id: I28d1352fef3101620efef21db892dfdfe79131b2

Change-Id: I7a37513843601c93172bbd707b9fe7ce5ed8082b

- Make all computers implicit member of DCClients group - Strip all excessive rights granted to DCClients group - Add new defaultSecurityDescriptor for user class so DCClients group can read user object property Change-Id: I4ef62737dd6c518aaefc43dab345c347621b3403

…instead of RPRC (PR 1921086) Change-Id: I230088ec64f8c5b08be64a9326cfd2b202b98c00

Change-Id: I9c37aba83d65a6e4151c11726e0b2ceddd74b75e

Change-Id: I13d73c02415a7ab549eabc801e8dd207adc43bb9

…e security descriptor properly (PR 1917196) Change-Id: Id99c751e0fd5353973fad1ba3d517e704b9821af

This change refactors the RPM packages as follows: lightwave (contains vmware-sts) lightwave-server (contains vmdir, vmdns, vmca) lightwave-client (contains client libraries and vmafd) lightwave-post (contains post nee lwraft) lightwave-devel (contains includes files) I tested this on photon with the following package installs: lightwave-client, lightwave-server: ic-promote works lightwave-client, lightwave-server, lightwave: configure-lightwave-server works To get configure-lightwave-server to succeed I fixed several issues in vmidentity. It was checking for the package name vmware-sts; it now checks for the name lightwave. Also the jsvc command was not set correctly, and the systemd file vmware-stsd.service needed a change to the exit success value. Since the automated build will be changed to use these new packages, and the old build method will be retired, I have consolidated the configure.ac files for each subdirectory into a single top-level configure.ac and modified the Makefile.am files to reference the appropriate .la files. This makes the top level build much more usable and consistent with conventional autotools practice. PR#1910715, PR#1913710 Change-Id: I0fee39b3435b6f8e535dd69945fa7316f83dc83c

Change-Id: I43fd022aef3f02f665398b4dd9f541d24c3cd5c1

Change-Id: I71cc51024e4dc15e5aa06dacc86b727c360c8c2a

- Port RW lock from vmdir - Cache VmAfdDCNameA result - Cache VmAfdDomainName result - Cache OIDCSigningCertificatePEM Change-Id: I52e9a0ca7b2aa74bed76c31655b45e29ffaa1e15

Change-Id: Ibe9793bf206f627f88c82436aa770b2ae480dc51

Change-Id: I810a8dce60b11013f4439b7a966f8fa387c205ef

In the previous implementation, the records were returned in the order that they were stored. Hence, when a name entry with multiple records were queried, the records were always returned in the same order. In the current implementation, round robin algorithm is used to permute between the records each time the corresponding entry is queried. This is helpful for load balancing as users usually use the first entry in the response in case of multiple response entries. The index and the record type are stored in the name entry structure when a record is queried. Both these parameters are initialized when the name entry is created in cache. If subsequently the same type is queeried, the parameters from the structure are used, and if a different type is queried, the default type and index values are used, and the parameters in the name entry are set according to the current query. This solves the issues when multiple types are present in the same name entry. Changes made: -Modified the name entry structure to have two additional entries, one for round robin index and the other for round robin type -Modified the function which is used to get records from the name entry to support round robin -Added a function which permutes the record list according to round robin algorithm The code was tested for A and AAAA records. The algorithm works queries on both, the RPC port and the DNS port. The case for multiple types of records in the same name entry was also tested and verified. Change-Id: I4cbac5bad85daf3a0d2c0cc403372e34f5150c67

Change-Id: If4adb6da13552f00ba0c918c9dc8d40bc16348d9

This change contains the metrics api which can be used by all the services to maintain and get metrics. Likewise upgrade is requred for this to work. Change-Id: Icd9412f46c7edd741eb1131072fe71b671ea6130

Before, the VMDNS cache refresh thread would always print out, and immediately try again it could not refresh. This behavior would flush syslog and consume too much CPU. Now, the cache refresh thread has been changed so it sleep and waits for five seconds upon failure, and also changes the log level of the statement that flooded syslog such that it is only present if the user desires. This solves bug [1926963](https://bugzilla.eng.vmware.com/show_bug.cgi?id=1926963) Change plan: - Coditional wait if the VMDNS CacheRefreshThread cannot communicate with/query the directory - Change log level of output if the CacheRefreshThread cannot communicate with/query the directory Test plan: - Ran Lightwave and did not promote - Before, syslog would become flooded - Now, that does _not_ happen and VMDNS does not consume max CPU Change-Id: Ic93d747293cdf446677276d3b913d395bbba2c20

…898012) Change-Id: Ib1f3cc1b0d4a239cac43b96735272b93f489cdf3

…heck) esapi-2.0.1.jar esapi-2.1.0.1.jar log4j-1.2.16.jar log4j-1.2.17.jar log4j-1.2-api-2.0.2.jar log4j-1.2-api-2.8.2.jar log4j-api-2.2.jar log4j-api-2.8.2.jar log4j-core-2.2.jar log4j-core-2.8.2.jar log4j-slf4j-impl-2.2.jar log4j-slf4j-impl-2.8.2.jar slf4j-api-1.7.10.jar slf4j-api-1.7.25.jar jcl-over-slf4j-1.7.10.jar jcl-over-slf4j-1.7.25.jar serializer-2.7.1.jar serializer-2.7.2.jar xalan-2.7.1.jar xalan-2.7.2.jar tomcat-coyote-8.5.5.jar tomcat-coyote-8.5.19.jar spring-aop-4.0.6.RELEASE.jar spring-aop-4.3.4.RELEASE.jar spring-beans-4.0.6.RELEASE.jar spring-beans-4.3.4.RELEASE.jar spring-context-4.0.6.RELEASE.jar spring-context-4.3.4.RELEASE.jar spring-core-4.0.6.RELEASE.jar spring-core-4.3.4.RELEASE.jar spring-expression-4.0.6.RELEASE.jar spring-expression-4.3.4.RELEASE.jar spring-test-4.0.6.RELEASE.jar spring-test-4.3.4.RELEASE.jar spring-web-4.0.6.RELEASE.jar spring-web-4.3.4.RELEASE.jar spring-webmvc-4.0.6.RELEASE.jar spring-webmvc-4.3.4.RELEASE.jar Change-Id: I1c60bf6e13a559cf3fcdaf0cefa434e9d677aab8

Change-Id: I0fa080f7895c45e9902a36b0c0616cbad3dfed8d

retire out-dated code: 1. only support DB copy first cycle 2. remove VMDIR_REPLICATION_CONTEXT.bFirstReplicationCycle Change-Id: I38687f94e3e357af72b39e5916d515fe4ebccbe4

A far left behind raft server may not have progress in catching up the leader if leader changes is frequent. Raft protocol needs to search backward to find matching log before replicating logs thereafter. When the leader changed, the backward search would start over again with the new leader. This conditition may occur in the stress test case where a short election timeout and heavy load would trigger frequent leader change, and the node left behind wouldn't be catch up the new leaders. This check-in also fixes a race condition where a wrong leader may be elected (the new leader may not the one having the highest change log). The fix is to extend the mutex until the MDB transaction commit has comleted and after the last logIndex global variable has been incremeted. Change-Id: Ia9c5be41c6b47dfffb406bf92fbfdf0302723468

Change-Id: I9f1520fc0de52f699021b19dddff3b7cb1cfbc30

This is going to be an incremental review update. I am currently testing my code using postman and the CoreOS Etcd client Change-Id: I7fdf90e2367024b2fe213a6996f09ad8b9f76e21

Change-Id: I1536425329cf1a7778a1dcc5ae4fbfd6b73a0973

In VMIT case, the DB was created more than one year ago with beta version of Lightwave code. In that version, vmdir ACL is group based. With LW 1.2, vmdir enhances ACL to SD based. However, this new enhancement only applicable to fresh installation. Running LW 1.2 build on top of legacy data should retain origial group based ACL scheme. There is a bug in legacy scheme implementation that this diff address. Test: 1. create a normal user,say testuser1, in old DB + LW 1.2 binary setup. 2. before the fix, testuser1 has more permission than desired. 3. after the fix, testuser1 can only read/write to its own entry and nothing else. test script uploaded to PR 1930930 Change-Id: I466338e1f3490ec9e878f098e13e317a87dc7df7

In Legacy ACL, we should allow specical entries such as DSE Root SCHEMA readable by everyone, including anonymous user. Test: root@lw-t1 [ ~ ]# /opt/vmware/bin/vdcrepadmin -f showfederationstatus -h localhost -u administrator -w vmware Domain Controller: lw-t1 Invocation ID: ......... 0650f25f-b37f-464f-aa29-289cb4794bb9 Replication Cycles: .... 0 Highest Replicable USN: 4129 Highest Originating USN: 0 root@lw-t1 [ ~ ]# ldapsearch -x -b "" -s base dn dn: cn=DSE Root search: 2 result: 0 Success root@lw-t1 [ ~ ]# ldapsearch -x -b "cn=dse root" -s base dn dn: cn=DSE Root search: 2 result: 0 Success root@lw-t1 [ ~ ]# ldapsearch -x -D "cn=seven,cn=users,dc=lw,dc=local" -w 'Ssn123456#' -b "cn=dse root" -s base dn dn: cn=DSE Root search: 2 result: 0 Success root@lw-t1 [ ~ ]# Change-Id: I6a91b5df727ac322ed7d13096eead0bb7c87ac43

This changes parses the various options: no-interaction, inter-site or intra-site and considering non-reachable servers. It calls publicly exposed API and data structure and sets the demo workflow for any tool to use those public APIs. These public API are dummy. These changes are instrumental for testing any code developed to enable HA topology feature. Changes Made: -Added Public API Hooks and exposed them in the vmdirclient library -Added Data Structure that will be used across the tool and client -Added the tool-side code to execute particular command and its supported options Test Plan: - Run the command on tool and it should call corresponding API and behave according to Options provided. Change-Id: I03c7c6495ba532e74d6c0b79d540625a23d57322

This changes enables to call API directly without Username and Password if they have LDAP connection. Changes made: - Modified VmDirLdapRemoveRemoteHostRA API - Modified VmDirLdapSetupRemoteHostRA API - Modified VmDirLdapGetHighWaterMark - Modified VmDirGetReplicationPartners Test Plan: - Run vdcrepadmin tool with createagreement and removeagreement and showpartners option. Change-Id: I3c875186df76ec43ba4919f30a369d7ba807e348

Removed some relics from the old Ant build that seemed to be triggering false-positives during vulnerability scanning. Change-Id: Ic142de07d808ee05d805c9dae774927ac1fb4f86

Force BeanUtils to v1.9.3 Force FileUpload to v1.3.3 Both BeanUtils and FileUpload are transitive dependencies of ESAPI, which was accepted by AppCheck. The versions of these two dependencies, however, were not. In order to pass AppCheck, we must update these to at least their most modern version. Additionally, due to a packaging change for BeanUtils we have to set an extra exclusion on the inclusion of ESAPI in order to prevent multiple versions being included. Change-Id: Ibe14092d79301e08e8ec1942868e7d4c06c31cea

With this update, vmdir ldap request durations for different operations and ldap error counts are collected and maintained using the metrics API. There are some changes to vmdir rest-head to get these metrics in prometheus format on HTTP GET request. The update also includes some changes to Metrics API to get the data in expected format. Change-Id: I5cab22ca9a751b151eaeee0b9a5299f3f71eabee

Change-Id: Ib78f1bd165a755fb572ae206b43788b386c2ab1b

When ic-join was run without the --domain-controllers argument, it tried make a call to the vmafd service to validate domain credentials. This call was made prior to starting the vamfd service, so it failed. Move the validation of domain credentials following the startup of vmafd service. Also updated the RPM postinstall script to refresh lwsm after importing registry keys. PR#1928213 Change-Id: I3a496f0c0c1e2074b639ef733e904341d6cb14b5

The --ssl-subject-alt-name paramter to configure-lightwave-server was not being passed to ic-promote. This change restores that functionality. Also updated the default Lightwave version to 1.3.0. and changed the RPM package name check. PR#1930007 Change-Id: Ib5afb2eaee5bf66dc45c2b01baa746a546a64d2f

These versions also serve to support the eventual merging of the UAA module. | Dependency | From | To | |-----------------|-------|--------| | asm | 3.3.1 | 5.0.3 | | commons-logging | 1.1.1 | 1.2 | | jackson | 2.3.2 | 2.8.4 | | jersey | 2.12 | 2.25.1 | | joda-time | 1.6.2 | 2.2 | | opensaml | 2.5.3 | 2.6.4 | | open-ws | 1.4.4 | 1.5.4 | | velocity | 1.5 | 1.7 | | xml-sec | 1.4.5 | 1.5.7 | Change-Id: I072e1e9d4cfd651b2067da206728ca5fbb7a2187

Changes Made : Metrics included for the following Dns services: - Dns Protocol - Rpc - Store - Cache Integrated the Dns metrics with the Metrics API Added metrics.c file in server/vmdns for Metrics initialization Removed the earlier implementation of DNS Metrics in vmdns/server/common/opstatistic.c Rest Metrics End Point : http://IP_ADDRESS:7677/v1/dns/metrics Change-Id: I0542ea1ed676af37b276975cfd4eefbb3e57e70c

Change-Id: I6c918de48e5e855e063f5c858368857555df2dc8

…adherent to RAFT Browser. Change-Id: I56cd163b9ba15e34e6707128d5c61f57fbc9422a

Introduced new public functions in vmmetrics code to allow dynamic deletion of metrics Change-Id: I18b8108908e09476c1eab38b018cde65475ef14a

Below replication metrics are collected and maintained: - cycle duration - connection duration per partner - connection failure count per partner - number of unfinished attempts per partner - high water mark USN per partner - number of changes applied per partner - sync duration per partner Change-Id: I19d5f1499e351e8f7d1cccb9f43c6f8f09e60756

Add UID attribute to default index list. It is a non-unique equality match index. Change-Id: I3cede16a93ac065b494128a80ec9bdcff0b4b3f8

… vmafd/lightwave Change-Id: I856dd407ab5446e8e801c98a4b5d7b047aab4610

This change enables user to get the partners of all the servers of particular site. Changes Made: - Added life to following public APIs ~ VmDirGetCurrentTopologyAtSite ~ VmDirFreeHATopologyData ~ VmDirFreeHAServerInfo Test Plan: - Run vdcrepadmin tool with enableredundanttopology feature with -s option. ~ Keep one VM shut in the federation for checking offline node situation ~ Run on AWS with cluster having different sites Change-Id: I81b36aa8f0888af23905d64be074a34979451190

This change enables user to see the changes in topology required to create a ring Changes made: - Added life to VmDirGetProposedTopology Test Plan: - Run vdcrepadmin tool with enableredundanttopology feature with -s option. ~ Run on AWS with cluster having different sites ~ Keep one VM shut in the federation for checking offline node situation Notes: As the previous patch doesnt support considering the offline node options, that option can't be tested. Will enable offline mode option, once everything is working. Change-Id: Ida23f31b1b9e4170a166ea99b1cc2b843b332880

This change enables the user to understand the difference between current topology and new topology. Changes made: ~ Added life to following public API: - VmDirGetChangesInTopology - VmDirFreeHATopologyChanges Test Plan: ~Run vdcrepadmin tool with enableredundanttopology feature with -s option. - Keep one VM shut in the federation for checking offline node situation - Run on AWS with cluster having different sites Change-Id: I5cda0cbac7feb93c733c62efd5c76570da86b05c

…esolved a out of order issue Coredump issue In the first iteration of replication cycle, WriteSyncStateControl will have empty hash map, hence all unique entries pszEID (key) and pszUSNCreated (value) will be inserted into the hash map. After insertion ownership of both pszEID and pszUSNCreated is transferred to hash map, as expected. Since ownership was transferred in the first iteration, VMDIR_SAFE_FREE_MEMORY(pszUSNCreated) present in the cleanup section has no effect. When retry happens as part of the same connection, hash map is checked for pszEID (key) entry and corresponding pszUSNCreated is obtained. Obtained pszUSNCreated is not cleared, hence ends up getting freed in cleanup section. At the end of replication cycle, we try to free the hash map entries in VmDirDeleteConnection which results in a coredump. Out of order issue Join is performed on Z21 with Z11 Z11 starts pulling changes from Z21 and there are some out of order processing errors while doing so. At the end of replication cycle, hash table entries are populated. During retry, since the entries are already in the hash map, modify requests are sent to Z11. Modify is not able to find the Object GUID and results in backend entry does not exist error as expected. Modify logic ignores this error and at end of the replication cycle, Last USN processed is updated. Hence Z11 ends up not replicating the entries failed because of out of order processing. Changed made coredump issue was fixed by ensuring that ownership of pszEID (key) and pszUSNCreated (value) always remains with hash map. out of order issue was fixed by ensuring hash map is cleared during retry. Testing Performed - Joins with site-name, triggered out of order processing. All the out of order processing entries were retried and successfully added. - Added hacks in the code to force the replication cycle from beginning (filter USNChanged >= 1) - Added few thousands of user entries on the supplier side to enforce multi-page repl cycle and forced retry on the consumer side at the end of cycle to exercise the clear hash-map logic. - Executed test scripts to create Federations (1-master and 4-partner) in AWS with the changes. Change-Id: I821d00ffb339288cea00435578e4920afd812408

Change-Id: I8d2d43f3d87810539e14b13bca9e84f2cc6b8c1e

Changes Made: Changed the Forwarder Context to include the Metrics Context Can Dynamically initialize and delete metrics for Forwarders Change-Id: I7d721707b7cc3c16ef97afa7db7af25ea9295260

The script includes a curl command to test the VMDNS Rest end point for metrics. Change-Id: Iba665bb445a98f4fd13a20497dd348343886b636

This change adds a REST api endpoint to the post server, and adds additional metrics for DCERPC operations to the vmdir server. Change-Id: I21d659ac95c18334977ea2fcc46008c28e2144b9

for deregistering from and freeing event queue. Before, vmdns crashed when shutting down due to a race condition where shutdown thread freed memory other threads used before exiting. Also, there was a method to add a fd to event queue, but none to remove one. CloseEventQueue() did not free the queue as it claimed. It is renamed to ShutdownEventQueue and there is a separate method to free queue. Fixed use after free race condition. The shutdown thread is now responsible for closing and releasing the file descriptors epoll_wait is waiting on. On close, worker threads will check bShutdown flag and exit. Refactored code so that all fd's are removed from queue before closing and freeing. Changes: - Created method for freeing EventQueue and added it to VmSock api because CloseEventQueue() did not free it. - Created method for removing from EventQueue, similar to AddEventQueue - Renamed CloseEventQueue() to ShutdownEventQueue() - On EPOLLHUP or when closing a thread, the sock is detached from event queue - Added flag in PVM_SOCKET to check if it is in an event queue - Thread initiating shutdown will shutdown queue, remove sockets from the queue, and then close them. At the end, the queue is freed. Testing: - ran with 'lwsm gdb vmdnsd' and ensured the process exitted normally when triggering a shutdown with 'lwsm stop vmdns' and sending SIGKILL. - Also ran 'lwsm shutdown' and ensured 'lwsm start vmdns' worked. - Ran with more than default (4) threads and tested shutdown - tested with dig +tcp to see if sockets were being opened properly Change-Id: I6705e3456b06644111b1754677b4231c5647b326

before the fix root@lw-t1 [ /home/admin/workspaces/LW-12 ]# ldapsearch -h localhost -p 389 -x -D "cn=administrator,cn=users,dc=lw,dc=local" -w 'xxx' -b "dc=local" -s sub "dc=*" dc dn: dc=local dc: dc=lo dn: dc=lw,dc=local dc: dc search: 2 result: 0 Success after the fix root@lw-t1 [ /home/admin/workspaces/LW-12 ]# ldapsearch -h localhost -p 389 -x -D "cn=administrator,cn=users,dc=lw,dc=local" -w 'xxx' -b "dc=local" -s sub "dc=*" dc dn: dc=local dc: local dn: dc=lw,dc=local dc: lw search: 2 result: 0 Success This is a regression. POST does not have this problem. Change-Id: I7d87349cef88ec49db85549ca2a18e72e4a8d536

write test code first. The real fix should be in LWIS code base but I do not want to commit now. w/o thorough ACL regression test, this is too dangerous. here is the diff diff --git a/lwbase/src/security-sd-inherit.c b/lwbase/src/security-sd-inherit.c index 011b6ef..3344c43 100644 --- a/lwbase/src/security-sd-inherit.c +++ b/lwbase/src/security-sd-inherit.c @@ -1102,6 +1102,10 @@ RtlpObjectInheritSecurity( bInheritThroughContainer = TRUE; } + else + { + continue; + } } else { Change-Id: I2dce7c59333d3855fddd11d7373dbf736dce1fe6

This change enables user to modify the notified changes in replication link Changes Made: ~ Added life to VmDirApplyTopologyChanges Test Plan: ~ Run vdcrepadmin tool with enableredundanttopology feature with -s option. - Keep one VM shut in the federation for checking offline node situation - Run on AWS with cluster having different sites Change-Id: Id7b878986c83a9e4de183993e7fcbaf86d44856d

This change makes the forwarder requests in DNS to be performed asynchronously. Bug Addressed: https://bugzilla.eng.vmware.com/show_bug.cgi?id=1911809 Reviewers: Suresh Chellappan, Neel Shah, Amit Banpat Approved By: Suresh Chellappan Testing Done: Change-Id: Ie17fb477f2d35cd29dce4c157e3267a7a25de973

POST node for REST requests. The request is forwarded to leader who responds with result which is forwarded to the client. Change-Id: I9e5bb19dc26d099828e6968d190c21c2b40b6067

Changes Made: Changed the vmdns metrics names Added more buckets to the histogram metrics with respect to the SLOs Change-Id: Ib0e2927ff6b5abc1561134e10284258240f3a537

This reverts commit 2cb68f1. Change-Id: I588183810b58a0fb89379b3e5aef54dbb24ef62b

Changes Made: When forwarderd delete, Forwarder Context should be write locked, instead of read lock. Change-Id: I000d5396f3b5c88e7aa72ac120e92875ecfba701

Post bootstrap is failing if upgraded from older version without UID index Change-Id: I2c1669a1b4b992e4a358e4acc342a040a88d87c6

Change-Id: I1326841db7d66a7f69f1cfdbeb7a7573ce725ed5

The string length calculated was wrong. Change-Id: Ia1d3230c0af07aa7ffe7e2c5e0e52daa299a2f7f

Before, we had REST APIs exposed to create tenants that required a valid certificate and private key obtained through VMCA. We also had private APIs to create tenants without obtaining certificates and private keys through VMCA first; instead, we relied upon the default root certificate to sign tenant creation. This private API was used internally, but there was no public API exposed to take advantage of it. This change exposes the private API to clients such that they can create tenants through REST without needing to obtain certificates and private keys first. Instead of needing the proper certificates, clients need only authenticate using the proper username/password combination of the default tenant. Changes made: - Created an interface to `setTenantCredentials` using only the tenant name - Implemented client side API to use new `setTenantCredentials` API - Implemented server side API to use new `setTenantCredentials` API - Updated server side tenant resource to not fail upon null tenant credentials (certificate and private key) + Instead of failing upon null credentials, tenant resource leverages new APIs to create tenant using root certificate Test plan: - Before, using the create tenant REST API would not work if certificate and private key was not provided -- authentication failure - Now, using create tenant REST API with no certificate and private key succeeds + Verified tenant existance by exploring VMDIR contents, and using REST APIs to get tenant information Change-Id: I0c63f5fb8759c87f812f56a6f0d0eda53bb3bda4

POST depends on LW Client. POST should work with same or newer version of LW Client. Step to verify: admin@lw-d1 [ ~/workspaces/LW-11/build ]$ rpm -qpR rpmbuild/RPMS/x86_64/lightwave-server-1.3.1-0.x86_64.rpm | grep lightwave lightwave-client = 1.3.1 admin@lw-d1 [ ~/workspaces/LW-11/build ]$ rpm -qpR rpmbuild/RPMS/x86_64/lightwave-post-1.3.1-0.x86_64.rpm | grep lightwave lightwave-client >= 1.3.1 Change-Id: Ic4232672028160e93224d9adfd05f405604f2de8

This change enable user to fix inter-site topology Changes Made: ~ Added life to Public API VmDirGetCurrentGlobalTopology Test Plan: ~Run vdcrepadmin tool with enableredundanttopology feature. - Keep one VM shut in the federation for checking offline node situation - Don't use -s option - Run on AWS with cluster having different sites Change-Id: I7b26ac6e0a4b61cdfafd0205c8cec70ceacb4f5e

Test: migrate LW beta build to LW 1.3 (dev branch TOT) 1. start vmdir 2. add 2 schema attributes 3. restart vmdir 4. add another 2 schema attributes 5. dump idmap - there should be no id collision Change-Id: Ibb3cb69a5b002bb4f7231234b7618ada0136ead1

Changes added: 1. Added curl error code to vmdir error mapping 2. Fixed the method name for delete 3. curlopt_put method is not supported anymore chnaged to customrequest "put" Change-Id: Id59d2b7e8d345a689cab194ec80b46d02b03380e

This change makes the forwarder requests in DNS to be performed asynchronously. Bug Addressed: https://bugzilla.eng.vmware.com/show_bug.cgi?id=1911809 Reviewers: Suresh Chellappan, Neel Shah, Amit Banpat Approved By: Suresh Chellappan Testing Done: Change-Id: Idc84d5fbd5430e591b6fab533e781718174201c9

TEST: deploy two nodes vmdir and verify its replinterval attribute. root@lw-t2 [ /home/admin/workspaces/LW-12/build ]# ldapsearch -o ldif-wrap=no -x -D "cn=administrator,cn=users,dc=lw,dc=local" -w xxx -b lw,dc=local" -s sub "objectclass=vmwdirserver" replinterval dn: cn=lw-t1,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=lw,dc=local replInterval: 1 dn: cn=lw-t2,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=lw,dc=local replInterval: 1 Note: Ssetting replinterval to 1 second could have negative impact on a star topology where many nodes(say > 5) all have same sigle replication partner. In such case, the center node could potentially starve and could not catch up with changes from other nodes because there are constant repl pull from other nodes and current replication algorithm exclude roles a node can play (consumer/supplier). Change-Id: I8cc2dee86a987064676379e4dd911679faae9908

Change-Id: I3d31cde17db555e81890fcba97c6a7c6181ddd2e

Remove beta from the banner Change the name to Cascade from Lightwave Change-Id: I7912796183c1c5c242374cfebc04bbd98c3842ea

Change-Id: Ib7a30d83b18747a9ae167b4904633b5949a8a17b

Asynchronous forwarder context needed to be fixed. Since UDP socket is multicast, we need the client address and length to be part of the IoBUffer and not the client socket. The Client Socket is also now added as part of the IoBuffer. Approved By: Suresh Chellappan Reviewed By: Lars Opstad, Suresh Chellappan, Neel Shah, Amit Bapat Change-Id: I730e36d00207b3c2e9e3b57130a535e9ff8fb662

…nce UDP socket is multicast, we need the client address and length to be part of the IoBUffer and not the client socket. The Client Socket is also now added as part of the IoBuffer." This reverts commit 29d832b. Change-Id: I2b4b4a4aa58c51df7a562e3014d1677889afca22

Asynchronous forwarder context needed to be fixed. Since UDP socket is multicast, we need the client address and length to be part of the IoBUffer and not the client socket. The Client Socket is also now added as part of the IoBuffer. Approved By: Suresh Chellappan Reviewed By: Lars Opstad, Suresh Chellappan, Neel Shah, Amit Bapat Change-Id: I7b192a96448d598dc35680a426998bfc93af4572

…nce UDP socket is multicast, we need the client address and length to be part of the IoBUffer and not the client socket. The Client Socket is also now added as part of the IoBuffer." This change resulted in VMDNS continuously crashing due to asynchronous socket IO buffer handling. This reverts commit 47a6730. Change-Id: I19a21c6ef94c692e2c5e4dfbd6d67b6aaa7f417d

This change resulted in VMDNS continuously crashing due to asynchronous socket IO buffer handling. This reverts commit f2cc8fc. Change-Id: Iaab2a5797137f24472d4e27aa847ba629595720b

Change-Id: If8e3ec529e543a67a3facd4637370218ba902d16

1. http://code.pslabs.eng.vmware.com:8082/#/c/953/ fix replication retry logic error which faultily clears phmSyncStateOneMap 2. http://code.pslabs.eng.vmware.com:8082/#/c/957/ suppress benign error logs Change-Id: Ida3042d5147cafefdde4cc314e95b9ae9220134c

--domain-name and --partner-name should be exclusive root@lw-t3 [ /home/admin/workspaces/LW-13 ]# ./build/lwraft/tools/lwraft-cli/.libs/post-cli node promote --domain-name post.local --partner-name junk Initializing Persistent Objectstore Service instance ... Usage: post-cli { arguments } Arguments: node list --server-name <host name> node state --server-name <host name> --login <user@domain> --password <password> node promote --password <password> [--host-name <host name> preferred Lightwave POST host name, can be FQDN or IP] [--domain-name <domain name> (for first node deployment) or --partner-name <host of partner> (for other nodes deployment)] node demote --server-name <host name> --login <user@domain> --password <password> --demote-host-name <host to demote>] help ./build/lwraft/tools/lwraft-cli/.libs/post-cli failed, error=3 The options present on the command line are not valid. 9277 Change-Id: I02688d8b64cb065d147dbece5dca58903dcbf4d1

Before, Domain join to lightwave took about 30 secs to refresh all root certs. Now, the certs will be refreshed when a node joins the domain. Changes: - On domain join, the root certificates are refreshed - A new root cert is not generated and added on domain join Testing: - set up a DC and replication partner on AWS. On another machine, ran ic-join and verified that 2 root certs were available immediately - on domain leave, verified (with vecs-cli) certs were deleted Change-Id: I87859e033c496a00f8d0dc29b859e9cae335a9aa

The check in also enhances MDB WAL by eliminating WAL buffer, and uses pwritev() to write WAL file up to 64 pages a call. The benchmark test shown that there is no noticeable performance downgrade than using a single write() with WAL buffer, The change reduces the memory footprint by 64M (the WAL buffer). The checkin also improves error handling during WAL recovery: handling incomplete WAL file, which may occur during repeatedly killing the VM. The check in adds a new configuration key MdbChkptInterval with default value of 30 seconds. Retry fdatasync up to 3 times should it failed. Fix issue: delay LDAP thread listening on LDAP ports until Raft initialzation completes otherwise LDAP operation may pass though without getting quorum. Change-Id: I8f38e2a56c5e6a68699f8523992b37c43f4a6131

Before, uninstalling lightwave did not clean up vmdir and vmafd db files. If these files exist during promotion, it will fail. Now, lightwave backs up vmdir files on demote and cleans up the directory on uninstall. Lightwave can successfully be uninstalled, installed and repromoted. Changes: - Added command to backup vmdir db and remove vmafd files on rpm uninstall - On demote, Vmdir backs up the correct mdb file Testing: - installed and promoted lightwave. Then, uninstalled and repromoted the node - Promoted lightwave to DC and then demoted. Repromoted again Change-Id: Idcd4284ae4a7572811f8231df9b97cf97b14206b

Combined with DCERPC fix of packets fragmenation (i.e. increase RPC_C_CN_LARGE_FRAG_SIZE to 20480), this change would make MDB hot copy three times faster. Change-Id: Ida9cfd858db75b1d36eea520e015a3c737254a9b

- The appspec.yaml states which script to run on each AWS defined event - These files along with the rpms, when uploaded to the pre-defined S3 bucket will trigger the pipeline. Change-Id: I378cd9d538d0a03a9710cb90b55909c11ce613ae

Change-Id: I725140f7338fd46e9e85d544eb8658f2076aab0c

…ngUncommittedUsn case is hit Problem: If the USN, consumer is trying to pull is lowestPendingUncommittedUsn then consumer ends up sending high watermark in syncdone control which results in replication retry. Changes made: In this case replication retry is not necessary, modified the code to ensure we return lowestpendingcommittedUSN as part of sync done control in the case of continue. Testing performed: Tested on a three node ring topology and verified that consumer pulls the changes correctly if lowestpendingcommittedUSN case is hit. Change-Id: I3af0e153b57edaef71ebd92823bc591cbcace801

deploy three nodes cluster and make sure replication and repladmin works Change-Id: I04de989b744ecdb809499d2600f79d7634fa93c1

Change-Id: Ib4ccd95c9b134e0f3f6f8c54f032236154e60100

The appspec.yml file will list which scripts will run on each AWS defined event. The scripts will upgrade lightwave or install it in a fresh instance and configure it appropriately (as a DC or replication partner). If there already is a DC, then it will be configured as a partner. These files will be uploaded to a pre-defined S3 bucket (along with the built rpms) to trigger the pipeline. Testing: - Set up auto-scaling group to deploy one node and run script. Verified that the instance was sucessfully promoted to DC. - Modified auto-scaling group to deploy 2 nodes max. Verified that the newly deployed instance was configured as a replication partner to the first instance (Domain Controller). - Tested pipeline by Releasing change and verifying Alpha-Test was successful - Uploaded S3 bucket with newer rpms and verified that upgrade was triggered. Change-Id: I56ad3102c8f95d3d1d84cb8d47dc61a6b256b96d

…PR 1945205) - introduce new ldif tag 'attributeIndices' - update schema tool to perform index patch as part of schema patch - remove obsolete postd schema patch command line option - add UID index in ldif file Change-Id: Iaab786857698c7fb4c491c89c387a82155d18313

This fix is for the faulty GET response issues in PROXY. The issue was with handling the c-rest-engine error response code. Change-Id: I18f0aec7a246f970721b5598f828036a6ea65f31

…e tests. - Currently just curl the rest endpoint to check whether POST is running on not. - Would be run in the pipeline after the POST-unstable deployment is complete. - Env vars configured in the aws codebuild. Change-Id: Ic4f8f2afa7896b5730ca4a76f576cfe4711f8ba7

Change-Id: I80dac9194d922a3cb35fbd63d0e0f2508cd7ac8f

Running ic-join with the --domain-controller argument was using VmAfdJoinVmDir() which does not allow specifying the join flags argument needed for pre-joined machine accounts. This change adds a new API VmAfdJoinVmDirWithSite() that will take optional arguments for ServerName, OrgUnit, and SiteName. Tested with the following command: 20170912195053:INFO:Joining system to domain [lightwave.local] using controller at [<IP>] 20170912195053:INFO:Validating credentials to partner [<IP>] at domain [lightwave.local] 20170912195053:INFO:Starting service [dcerpc] 20170912195053:INFO:Starting service [vmafd] 20170912195054:INFO:Setting various configuration values 20170912195054:INFO:Joining system to directory service at [<IP>] 20170912195058:INFO:Refreshing root certificates from VMware Certificate Authority 20170912195058:INFO:Generating Machine SSL cert 20170912195059:INFO:Setting Machine SSL certificate Domain Join was successful PR#1953427 Change-Id: I11069098595646307d20872e797fa03b6ea1da41

Usage: vdcaclmgr { arguments } Arguments: -H <host name> -u <user UPN> For example [email protected]> -o <DN of the target object to grant/delete permission to -g/-d username> For example cn=myContainer,dc=lw,dc=local [-r] <recursively grant/delete permission to -o DN subtree> -b <base DN to find users and groups to match -g/-d username> [-g <grant username:FLAGS>] For example -g DCAdmins:RP:CI [-d <delete username:FALGS>] For example -d DCAdmins:WP:OI [-v] <verbose output> [-D] <dry run> [-w <password> | -x <password file>] Where FLAGS := (PERMISSIONS such as RPWP)*:(ACE_FLAGS such as CIOI)* 1. Clarify Usage with examples 2. Add -D dryrun option 3. Add ACE_FLAGS support - only allow "CI" "OI" 4. reorg code for cleaness 5. add VmDirStringToTokenListExt function TEST: root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins:: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins::: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g NoSuchAdmins: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins:: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins: -w vmware -v -D vdcaclmgr failed. Error[9005] - Invalid parameter root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins:RP -w vmware -v -D vdcaclmgr failed. Error[9210] - ACE not found root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins::CI -w vmware -v -D vdcaclmgr failed. Error[9210] - ACE not found root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins::CJ -w vmware -v -D vdcaclmgr failed. Error[9209] - Invalid ACE root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins:RP:OI -w vmware -v New ACE: (A;OI;RP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins:WP:CI -w vmware -v Old ACE: (A;OI;RP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: (A;OICI;RPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins:WP:CI -w vmware -v Old ACE: (A;OI;RP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: (A;OICI;RPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -g CAAdmins:GX: -w vmware -v Old ACE: (A;CIOI;RPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: (A;CIOI;RPWPGX;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins::OICI -w vmware -v Old ACE: (A;CIOI;GXGXRPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: (A;;GXGXRPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins:GXRP: -w vmware -v Old ACE: (A;;GXGXRPWP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: (A;;WP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) root@lw-t1 [ /home/admin/workspaces/LW-11 ]# /opt/vmware/bin/vdcaclmgr -H localhost -u [email protected] -o ou=computers,dc=lw,dc=local -b dc=lw,dc=local -d CAAdmins:WP: -w vmware -v Old ACE: (A;;WP;;;S-1-7-21-2344812386-376714683-1917123636-2990712217-1-1003) New ACE: NULL root@lw-t1 [ /home/admin/workspaces/LW-11 ]# Change-Id: Ic7adc44b982bd42500606f2649e19085c371a9c9

Change-Id: Iede9b315d3ca23b2572d69ea0a674e2391dba54e

Change-Id: I8979b8cc76360a250fe8cb171fbef90e91af7a3a

… part 2 (PR 1945205) - address corner cases in firstboot/join scenarios - suppress benign schema error logs during schema loading Change-Id: I6dd1e17f075e2cc6bf4464cc0319eb4a2fa30e48

Change-Id: I7fe7b769e533944bdad6e09a97c268e4da639b9b

1. Turned off PSC HA. This will eliminate unnecessary threads working in AFD and reduce logging as well 2. Fixed the logging in VMDNS to avoid logging SRP related logs. These are spamming our logs right now. Reviewed by: Sriram Nambakam, Suresh Chellappan, Lars Opstad Approved by: Suresh Chellappan Change-Id: I96dd4d691b484b071c48a3f2085937df3ff389c2

This change makes the forwarder asynchronous so the other incoming requests are not blocked. Reviewed by: Suresh Chellappan, Lars Opstad, Neel Shah, Amit Bapat Approved by: Suresh Chellappan Bug Addressed: Change-Id: I896e88a370404128e00104ea695714a9a6ac8e53

Change-Id: I9e6aa5e359382b764c18f4815c9a48b5238f601a

let it replicate. Approved by: Suresh Chellappan Reviewed By: Suresh Chellappan, Lars Opstad, Sriram Nambakam Change-Id: I0472cc99bea1f0f3adfd0dca1ef6bb2ef3256ccd

… 1962227) - Added new functions OidcAccessTokenParse and OidcAccessTokenValidate - Marked OidcAccessTokenBuild as deprecated - Added new functions OidcIDTokenParse and OidcIDTokenValidate - Marked OidcIDTokenBuild as deprecated - Using the new functions in vmdir rest-head Change-Id: I3cd7ed4cc930361d077b03ffe91032bec89323a5

This change will allow all origins (*) for these endpoints for the request mappings registered for these endpoints. No credentials are required to get information from these endpoints. Change-Id: I1eb1a939d3640ee4a9f91d368aeb0887a56f20fa

every computer is implicitly default to a member of DCClients group. 1. allow DCClients to READ domain object 2. allow DCClients to READ site container objects 3. test output root@lw-t3 [ /home/admin/workspaces/LW-12/build/vmdir/testing ]# ./test_runner/.libs/vmdir_test_runner -H localhost -u administrator -w 'xxx' -d lw.local -t /home/admin/workspaces/LW-12/build/r/testing/integration_tests/acls/.libs VmDir integration tests starting ... Executing test module: /home/admin/workspaces/LW-12/build/vmdir/testing/integration_tests/acls/.libs/libsecuritydescriptortests.so ... Testing security descriptor code ... TestProtectedEntries succeeded (0) TestCustomGroups succeeded (0) TestK8sMachineActSelfService succeeded (0) Security descriptor tests finished successfully. Change-Id: I14d418ebe60d3ea103fe76a0ea4742edbcfea138

bug 1963159 Problem: - vmdns rest handler does not handle error case properly ends up looping without freeing pRestOp results in high memory utilization rate and vmdns crash Testing: - curl script which issues REST calls to vmdns continuously. Change-Id: Id5ab170b14b4d826aafce3e574bf2462568d1cf7

Change-Id: I9159da1185b5f89d9bcb06cdfa00257ca4b39e0d

Change-Id: I901620b9e1e405523dd5e7939b8afb65602ac1e3

This change was made to resolve the above problem. The problem was with the realloc function used to read data from c-rest-engine. The buffer was not terminated properly. Fixing the code at other places too. Change-Id: Ie62572107461a34cd15a1c9b070cd9811d944bf8

Change: Enabled HTTP over REST and HTTPS over REST end points for LDAP Testing: 1) Created test scripts to parallely perform a) HTTP over REST ldap calls b) HTTPS over REST ldap calls c) ldap calls using openssl 2) All REST calls were made using curl and for HTTPS it was executed with --insecure option which will skip the certificate validation part. 3) Parallely executing a,b and c scripts did not result in any error and ldap operations completed successfully. Change-Id: I3703a850b31abd5f0b1c2ea6a458a2782ac6fb87

Fixed shutdown logic so that threads look for shutdown flag before and after epoll_wait() spin. When shutdown signal is received, the thread will exit epoll_wait, check shutdown flag and exit. The event queue is freed only after child threads exit. Changes: - Moved FreeEventQueue to after threads join - Added check for shutdown flag after acquiring mutex lock and after epoll_wait Testing: - Tested on Code Pipeline VMs: restarted vmdns a couple times and ensured it exited properly: no coredumps, no errors in log file. Change-Id: I640bf7bf2c0f3ba9923ba5e69fd7f7667b3a8777

This change fixes a crash in vmdnsd caused by incorrect parameters to ldap_control_create() which was seen when running under valgrind. It also fixes several recurring leaks that caused the process to use large amounts of memory. Test run under valgrind: loop 25 times: add forwarder delete forwarder add forwarder loop 50 times: query internal name loop 100 times: query external name There are still some one-time memory leaks, but all recurring leaks that were reported earlier have been resolved. Change-Id: I6613bf3bc1ab504faa23ad592c348bf657be88b9

This change was made to replace the use of VmDirReallocateMemory with VmDirReallocateMemoryWithInit. This is necessary to handle NULL termination of strings. Change-Id: I0c78579814171d997aacd5c4dc9c3d19fb11c700

Change-Id: I19773564d8cdd01697fc1c9d1c4cbd1a134f46bb

When ic-join was used with the --machine-account-name and --use-machine-account parameters, it should use the machine account credentials to authenticate to the server. This changes makes this work -- it was trying to use the Administrator credentials. Add an option "create-computer-account" to vamfd-cli so that this can be tested. Test: /opt/vmware/bin/ic-join \ --domain lightwave.local \ --machine-account-name xyzzy.lightwave.local \ --password 'xxxxxxxxxxxxxxxxxxxx' \ --org-unit ou=MyOrgUnit \ --use-machine-account \ --prejoined \ --domain-controller 10.0.0.1 20170922170013:INFO:Joining system to domain [lightwave.local] using controller at [10.0.0.1] 20170922170013:INFO:Validating credentials to partner [10.0.0.1] at domain [lightwave.local] 20170922170043:INFO:Starting service [dcerpc] 20170922170043:INFO:Starting service [vmafd] 20170922170059:INFO:Setting various configuration values 20170922170059:INFO:Joining system to directory service at [10.0.0.1] 20170922170204:INFO:Refreshing root certificates from VMware Certificate Authority 20170922170219:INFO:Generating Machine SSL cert 20170922170239:INFO:Setting Machine SSL certificate Domain Join was successful Change-Id: Ibf33164bb4d58f2745e790c7e3e0a3331d7972ff

Change-Id: Ic75db7e296cfcbfdce317a9072695b65e21de832

Change-Id: I17663e86c49316ef65efd2baa317c7d57cfe3f76

Pre-requisites: 1. Running Docker on host where Hypermake is used to build 2. Installation of Hypermake Usage: 1. Use "hmake build" to build the Lightwave components for PhotonOS 2. Use "hmake pack" to build the Lightwave RPMs for PhotonOS. Context: 1. Builds a versioned lightwave-toolchain container based on PhotonOS that is used to build the Lightwave artifacts. Change-Id: I199d4f18e2b4ecfc577c7f0fa0fa73c987f9546c

This change is to address the issue of firewall ports closing after every reboot. The firewall.service will now handle the ports for POST service as well Tests Performed: 1. Install server RPM and post RPM check the iptables rules. 2. Install server and post independantly check the rules. 3. Uninstall client check the service is unistalled. 4. Reboot the machine and check if rules are preserved. Change-Id: I792555cc00e658b436ccd814da729a9ce9c66fff

test output root@lw-t1 [ /home/admin/workspaces ]# ldapsearch -o ldif-wrap=no -x -h lw-t1 -p 389 -D cn=administrator,cn=users,dc=lw,dc=local -w 'xx' -b "dc=lw,dc=local" -s base ldap_bind: Server is unwilling to perform (53) additional info: Simple bind not allowed root@lw-t1 [ /home/admin/workspaces ]# ldapsearch -o ldif-wrap=no -x -h lw-t1 -p 38900 -D cn=administrator,cn=users,dc=post,dc=local -w 'xx' -b "dc=post,dc=local" -s one ldap_bind: Server is unwilling to perform (53) additional info: Simple bind not allowed Change-Id: I56bf2296a8bf607814e273c1f965bd22cb5cbe65

Change-Id: I9ba6f982049336e1543b4af05f82739c022ca91b

Change-Id: I04278f0a12830e3cf1797f0aae4970918d30138e

Change-Id: Ide914d91e8ba4c15280e352e84722597bc451c4f

Bug 1856190: Change: Enabled HTTP over REST and HTTPS over REST end points for POST POST proxy support for HTTPS will be done in a separate check-in. Testing: 1) Issued simple curl commands on the POST end to test the functionality 2) Verified that swagger file (post-rest.json) changes does not have any effect in cascade controller 3) created kubernetes cluster using new tenant with the changes Change-Id: I10dcac1d66a2846451cd2c46e2406a98e5e8d6b2

Change-Id: I569f851485638e4ea49f69e49e9eb8799015e90f

Change-Id: Ica281ed6eebaadac90739c13f55341e64eea1c2e

Change-Id: I9d4193c8524f612ba6148035cf64b3658af3ca44

…trieving domain name from subject Change-Id: I29290f9c9b9fade978533c01c0daf8cc83328af1

Change-Id: I2e4cc56820ad3d8a74816609cabebff4d58d4e41

…1964831) Change-Id: Icdb41b4fcff943a6fffa47187c39e0d22ed8b2c8

- Add new functions which were added in http://code.pslabs.eng.vmware.com:8082/#/c/1003/ Change-Id: I2a5cd6a1c29da919500dcc6704729680093d0143

Approved By: Suresh Chellappan Reviewed By: Suresh Chellappan, Neel Shah Change-Id: I0f479a5cd689cd8e7f42c806fd813851e75c33be

Change-Id: I229c2350b3cf6cce9039707fdc22a8da5a1b24e3

1) Modified the histogram bucket ranges for ldap and dcerpc metrics. 2) Added new metrics tags for LDAP_BUSY and LDAP_OTHER. 3) Added inputs.disk to telegraf configuration. Test: 1) Promoted a Lightwave instance 2) Ran command 'curl http://localhost:7477/v1/vmdir/metrics' The response included the correct histogram bucket ranges: vmdir_ldap_request_duration_bucket{le="1",operation="search"} 132 vmdir_ldap_request_duration_bucket{le="10",operation="search"} 133 vmdir_ldap_request_duration_bucket{le="100",operation="search"} 133 vmdir_ldap_request_duration_bucket{le="500",operation="search"} 133 vmdir_ldap_request_duration_bucket{le="1000",operation="search"} 133 vmdir_ldap_request_duration_bucket{le="+Inf",operation="search"} 133 Change-Id: I6d822382ea7d5697525988d7451c9982dafecb85

Bug: 1968938 Changes: - Add HTTPS forward logic in POST proxy layer Testing: - Exercised basic curl commands with --insecure option - created a k8s cluster with the changes to ensure existing logic is intact Change-Id: I24e344ce89b42ea07e2024a905fde8a20197e444

…ay everything" case (PR 1971144) Change-Id: I62c77c67e5f1af35bf526b7e41d2e3188a572164

Deleting aws code deploy scripts as project is being moved to another repo. Change-Id: I484ff8b404ce253abd9a906893c74edcec81dd62

The active Lightwave build container is under support/toolchain/docker Change-Id: Ia3677aac1a1d61a4ed41a4ede632257283216407

Modified the histogram bucket ranges. Added 1s bucket and removed 5ms bucket. Test: Ran the command 'curl http://localhost:7677/v1/dns/metrics' The response included the updated histogram bucket ranges: vmdns_rpc_request_duration_bucket{le="1",operation="update"} 0 vmdns_rpc_request_duration_bucket{le="10",operation="update"} 0 vmdns_rpc_request_duration_bucket{le="100",operation="update"} 1 vmdns_rpc_request_duration_bucket{le="300",operation="update"} 1 vmdns_rpc_request_duration_bucket{le="1000",operation="update"} 1 vmdns_rpc_request_duration_bucket{le="+Inf",operation="update"} 1 Change-Id: I81c2c02e54fbcbd43d8d354014219bc5e5d3e4c0

Name the build container vmware/lightwave-toolchain-photon since this is based on PhotonOS. Change-Id: Ia5361b2bccc377e9f81efcbe8fbbe5aabe169c32

Bug 1969584 Change: SSL init is being done in both c-rest-engine (for https) and vmdir (for ldaps) During shutdown, calling VmDirRESTServerShutdown first, frees ssl related metrics Simultaneously if replication thread is performing SASL bind results in accessing NULL values. Disabling HTTPS end point in directory service for now, this is a temporary fix, until ssl init logic is fixed in c-rest-engine (Bug 1962032) Test: Verified that with the changes, HTTPS end point is disabled Change-Id: I0ab39cca675885b978704ebcfe02a4eb790b6fd1

This change is to address the locked state that POST nodes get into in the CI/CD pipeline. Changes made: 1. Added logging to log node the request is proxied to 2. Changed the read request for proxy. 3. Failure response handling for proxy. 4. Connection timeout for curl Tests done: 1. Set up a 3-node post cluster 2. Add users, get users, delete pointing to leader 3. Add users, get users, delete pointing to follower 4. Cause a leader change and repeat the steps 5. Check for failure scenario where leader is not present. Change-Id: I36f8f564fcf62786df194f4df3fc258e0afd3db4

Change-Id: I1d0ebdc5c1324bcd3841feca28c6565a0a7d204b

Merge branch 'dev' to 'uaa' #28

Are you sure you want to change the base?

Merge branch 'dev' to 'uaa' #28

Commits on May 24, 2017

Commits on May 26, 2017

Commits on May 27, 2017

Commits on May 30, 2017

Commits on May 31, 2017

Commits on Jun 1, 2017

Commits on Jun 2, 2017

Commits on Jun 6, 2017

Commits on Jun 7, 2017

Commits on Jun 8, 2017

Commits on Jun 9, 2017

Commits on Jun 12, 2017

Commits on Jun 14, 2017

Commits on Jun 15, 2017

Commits on Jun 16, 2017

Commits on Jun 19, 2017

Commits on Jun 20, 2017

Commits on Jun 21, 2017

Commits on Jun 22, 2017

Commits on Jun 23, 2017

Commits on Jun 24, 2017

Commits on Jun 26, 2017

Commits on Jun 29, 2017

Commits on Jul 5, 2017

Commits on Jul 6, 2017

Commits on Jul 7, 2017

Commits on Jul 10, 2017

Commits on Jul 11, 2017

Commits on Jul 12, 2017

Commits on Jul 13, 2017

Commits on Jul 14, 2017

Commits on Jul 17, 2017

Commits on Jul 18, 2017

Commits on Jul 19, 2017

Commits on Jul 20, 2017

Commits on Jul 21, 2017

Commits on Jul 24, 2017

Commits on Jul 25, 2017

Commits on Jul 26, 2017

Commits on Jul 27, 2017

Commits on Jul 28, 2017

Commits on Jul 29, 2017

Commits on Jul 31, 2017

Commits on Aug 1, 2017

Commits on Aug 2, 2017

Commits on Aug 3, 2017

Commits on Aug 4, 2017

Commits on Aug 7, 2017

Commits on Aug 8, 2017

Commits on Aug 9, 2017

Commits on Aug 10, 2017

Commits on Aug 11, 2017

Commits on Aug 14, 2017

Commits on Aug 15, 2017

Commits on Aug 16, 2017

Commits on Aug 17, 2017

Commits on Aug 18, 2017

Commits on Aug 20, 2017

Commits on Aug 21, 2017

Commits on Aug 22, 2017

Commits on Aug 23, 2017

Commits on Aug 24, 2017

Commits on Aug 25, 2017

Commits on Aug 28, 2017

Commits on Aug 29, 2017

Commits on Aug 30, 2017

Commits on Sep 1, 2017

Commits on Sep 5, 2017

Commits on Sep 6, 2017

Commits on Sep 7, 2017

Commits on Sep 8, 2017

Commits on Sep 9, 2017

Commits on Sep 11, 2017

Commits on Sep 12, 2017

Commits on Sep 13, 2017

Commits on Sep 14, 2017

Commits on Sep 15, 2017