
edwintorok/alcotest 0

A lightweight and colourful test framework

edwintorok/autothemer 0

Conveniently create Emacs themes

edwintorok/backtrace 0

Helper functions to preserve and transport exception backtraces

edwintorok/bcc 0

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

edwintorok/bisect-summary 0

A simple tool to analyse coverage data created with bisect_ppx

edwintorok/blktap 0

blktap, vhd stuff

edwintorok/core 0

Jane Street Capital's standard library overlay

edwintorok/corosync 0

The Corosync Cluster Engine

edwintorok/dead_code_analyzer 0

Dead-code analyzer for OCaml

edwintorok/derive-trie 0

Automatic derivation of Trie implementations.

Pull request review commentxapi-project/xen-api

Cert Refresh

+(*
+ * Copyright (C) Citrix Systems Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+module D = Debug.Make (struct let name = "cert_refresh" end)
+
+open D
+
+let replace_extension filename ~ext =
+  let base =
+    match Filename.extension filename with
+    | "" ->
+        filename
+    | _ ->
+        Filename.remove_extension filename
+  in
+  Printf.sprintf "%s.%s" base ext
+
+let cert_path = function
+  | `host ->
+      !Xapi_globs.server_cert_path
+  | `host_internal ->
+      !Xapi_globs.server_cert_internal_path
+
+let new_cert_path type' = replace_extension (cert_path type') ~ext:"new"
+
+let backup_cert_path type' = replace_extension (cert_path type') ~ext:"bak"
+
+let new_host_cert ~dbg ~path : X509.Certificate.t =
+  let name, ip =
+    match Networking_info.get_management_ip_addr ~dbg with
+    | None ->
+        let msg = Printf.sprintf "%s: failed to get management IP" __LOC__ in
+        D.error "%s" msg ;
+        raise Api_errors.(Server_error (internal_error, [msg]))
+    | Some ip ->
+        ip
+  in
+  let dns_names = Networking_info.dns_names () in
+  let ips = [ip] in
+  Gencertlib.Selfcert.host ~name ~dns_names ~ips path
+
+let host ~__context ~type' =
+  let host = Helpers.get_localhost ~__context in
+  let dbg = Context.string_of_task __context in
+  let pem = cert_path type' in
+  let path = new_cert_path type' in
+  let cert = new_host_cert ~dbg ~path in
+  let bak = backup_cert_path type' in
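Review bot: `new_host_cert` has no doc comment saying that it writes to `path` as a side effect, and nothing visible in the hunk restricts who can read the resulting `.new` file. If `Gencertlib.Selfcert.host` stores the private key alongside the certificate (likely, but not shown here), confirm that it creates the file with owner-only permissions rather than relying on a later rename to tighten them. A comment such as `(** [new_host_cert ~dbg ~path] generates a self-signed host certificate for the management IP and DNS names and writes it to [path]. *)` would make the side effect explicit. The `host` function continues past the end of the hunk.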

Good point! Maybe we should fail if the backup exists

lindig

comment created time in 29 minutes

Pull request review commentxapi-project/xs-opam

ci: detect unused packages

 jobs:           ocaml-version: ${{ matrix.ocaml-version }}           opam-repository: "." -      - name: Check whether there are packages with more than a version-        run: tools/opam-single-version-check.bash-       - name: Upgrade existing packages         run: |           opam update           opam depext -vv -y xs-toolstack           opam upgrade +      - name: Check whether there are packages with more than a version

With more than "one" version, I suppose.

psafont

comment created time in 44 minutes

Pull request review commentxapi-project/xen-api

Add more messages to a VM lifecycle

 functor                 )             )         ) ;+        let message_body =+          Printf.sprintf "VM '%s' migrated from host '%s' to host '%s'"+            (Db.VM.get_name_label ~__context ~self:vm)+            (Db.Host.get_name_label ~__context ~self:source_host)

Should this report the UUIDs, too?

benjamreis

comment created time in an hour

Pull request review commentxapi-project/xenopsd

CP-37034: move TSX handling logic out of xenopsd

 let _vdi_id = "vdi-id"  let _dp_id = "dp-id" -(* Compute the migration-safe flags *)-let upgrade_for_migration ~xc features =-  try-    let msr_arch_caps = Xenctrlext.xc_get_msr_arch_caps xc in-    let tsx_ctrl = 0x80L in-    if Int64.(logand msr_arch_caps tsx_ctrl = tsx_ctrl) then-      let cpuid_hle_rtm = (1 lsl 4) lor (1 lsl 11) |> Int64.of_int in-      features.(5) <- Int64.(logor features.(5) cpuid_hle_rtm)-    (* These still work, albeit slowly. We might prefer to hide these from-       host's CPUID for pool leveling and guest boot purposes, but can accept it-       during migration. *)-  with Xenctrlext.Unix_error (Unix.ENOSYS, _) ->-    debug "xc_get_msr_arch_caps: ENOSYS"+(** [zeroext a b] make arrays same lengths by zeroextending on the right *)+let zeroext a b =+  let len = max (Array.length a) (Array.length b) in+  let extend arr =+    Array.append arr (Array.make (len - Array.length arr) 0L)+  in+  extend a, extend b++let op_featureset op a b =+  let a, b = zeroext a b in+  Array.map2 op a b++let diff_bitset lhs rhs =+  (* lhs - rhs as feature bitsets,+     i.e. all bits that are present on lhs and missing on rhs:+     = lhs & ~rhs *)+  Int64.(logand lhs (lognot rhs))++let print_featureset name fs =
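Review bot: `op_featureset` has no doc comment, and the zero-extension it relies on is a policy decision worth stating: words missing from the shorter featureset are treated as having no feature bits set. With `diff_bitset` as the operator, that means every bit in the extra words of a longer left-hand side is reported as missing on the right. I would add `(** [op_featureset op a b] applies [op] word by word after padding the shorter array with [0L]. *)` above it. `print_featureset` starts on the last line of the hunk and its body is not visible.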

This function does not print the result but logs it.

edwintorok

comment created time in an hour

Pull request review commentxapi-project/xenopsd

CP-37034: move TSX handling logic out of xenopsd

 let _vdi_id = "vdi-id"  let _dp_id = "dp-id" -(* Compute the migration-safe flags *)-let upgrade_for_migration ~xc features =-  try-    let msr_arch_caps = Xenctrlext.xc_get_msr_arch_caps xc in-    let tsx_ctrl = 0x80L in-    if Int64.(logand msr_arch_caps tsx_ctrl = tsx_ctrl) then-      let cpuid_hle_rtm = (1 lsl 4) lor (1 lsl 11) |> Int64.of_int in-      features.(5) <- Int64.(logor features.(5) cpuid_hle_rtm)-    (* These still work, albeit slowly. We might prefer to hide these from-       host's CPUID for pool leveling and guest boot purposes, but can accept it-       during migration. *)-  with Xenctrlext.Unix_error (Unix.ENOSYS, _) ->-    debug "xc_get_msr_arch_caps: ENOSYS"+(** [zeroext a b] make arrays same lengths by zeroextending on the right *)+let zeroext a b =

The bit-manipulation functions could go into a submodule Bits, BitVec or similar - you would gain something like BitVec.diff.

edwintorok

comment created time in an hour

Pull request review commentxapi-project/xenopsd

CP-37034: move TSX handling logic out of xenopsd

 let _vdi_id = "vdi-id"  let _dp_id = "dp-id" -(* Compute the migration-safe flags *)-let upgrade_for_migration ~xc features =-  try-    let msr_arch_caps = Xenctrlext.xc_get_msr_arch_caps xc in-    let tsx_ctrl = 0x80L in-    if Int64.(logand msr_arch_caps tsx_ctrl = tsx_ctrl) then-      let cpuid_hle_rtm = (1 lsl 4) lor (1 lsl 11) |> Int64.of_int in-      features.(5) <- Int64.(logor features.(5) cpuid_hle_rtm)-    (* These still work, albeit slowly. We might prefer to hide these from-       host's CPUID for pool leveling and guest boot purposes, but can accept it-       during migration. *)-  with Xenctrlext.Unix_error (Unix.ENOSYS, _) ->-    debug "xc_get_msr_arch_caps: ENOSYS"+(** [zeroext a b] make arrays same lengths by zeroextending on the right *)+let zeroext a b =

This is also commonly called "zero padding"

edwintorok

comment created time in an hour

Pull request review commentxapi-project/xenopsd

CP-37034: move TSX handling logic out of xenopsd

 external numainfo : handle -> numainfo = "stub_xenctrlext_numainfo"  external cputopoinfo : handle -> cputopo array = "stub_xenctrlext_cputopoinfo" -external xc_get_msr_arch_caps : handle -> int64-  = "stub_xenctrlext_get_msr_arch_caps"+let string_of_leaf v =+  Printf.sprintf "%08Lx:%08Lx->%08Lx:%08Lx:%08Lx:%08Lx"+  v.leaf v.subleaf v.a v.b v.c v.d++let leaf_of_string s =+  Scanf.sscanf s "%08Lx:%08Lx->%08Lx:%08Lx:%08Lx:%08Lx" @@+  fun leaf subleaf a b c d -> { leaf; subleaf; a; b; c; d }++let string_of_msr v =+  Printf.sprintf "%08Lx->%016Lx(%08Lx)"+  v.idx v.value v.flags++let msr_of_string s =+  Scanf.sscanf s "%08Lx->%016Lx(%08Lx)"+  @@ fun idx value flags -> {idx; flags; value}++let string_of_cpu_policy policy =+  (* if the format is modified here [cpu_policy_of_string] must support+     deserializing all old and new formats *)+  let string_of_array v f = v |> Array.map f |> Array.to_list |> String.concat ";" in+  String.concat "/"+    [ string_of_array policy.leaves string_of_leaf+    ; string_of_array policy.msrs string_of_msr+    ]++let cpu_policy_of_string str =+  let array_of_string s f = s |> String.split_on_char ';' |> Array.of_list |> Array.map f in
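Review bot: An empty `leaves` or `msrs` array does not survive a round trip as far as the visible lines show: `string_of_array` turns `[||]` into `""`, while `array_of_string` splits `""` into `[""]` and passes the empty string to `f` (presumably `leaf_of_string` or `msr_of_string`), where `Scanf.sscanf` raises. Unless the part of `cpu_policy_of_string` below the hunk special-cases this, guard it in the helper: `let array_of_string s f = if s = "" then [||] else s |> String.split_on_char ';' |> Array.of_list |> Array.map f in`. `cpu_policy_of_string` continues past the end of the hunk.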

This has the same problem @psafont pointed out - it works if the input conforms to expectations but the input is not validated - for example, the length of the arrays is not checked. If something fails here, we also won't see a good error message because it will be some generic string exception. I think this should be protected by a try block to capture syntax problems.

edwintorok

comment created time in an hour

push eventxapi-project/xs-opam

Pau Ruiz Safont

commit sha dba8afc069e217bf9929d195f4190323fef7fb25

CP-34942: Update ppxlib to 0.22.1 fixes report location on parsing failure Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>


Pau Ruiz Safont

commit sha 78d4b110f5a716dd595a7c81c666416fbac47f95

CP-34643: Update xapi-stdext packages to 4.18.0 Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>


Pau Ruiz Safont

commit sha 54b79337c0f221cb50bdfef2e6fa2ced47d62d67

CP-34942: update pci to 1.0.4 Fixes compatibility with ctypes 0.18 Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>


Pau Ruiz Safont

commit sha ee4eb4381c837b27b65ae476478794cffe446785

CP-34942: udpate lwt to 5.4.1 Fix Lwt_fmt.stderr to actually point to stderr Handle ECONNABORTED in Lwt_io.establish_server* Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>


push time in an hour

PR merged xapi-project/xs-opam

CP-34942: Update pci and xapi-stdext packages, along with some minor updatos for upstream libraries

The ocaml-pci update allows updating ctypes to 0.18, which I'd rather defer and do along with other, more substantial changes. The ppxlib update fixes the location reported on errors. The LWT update fixes handling of ECONNABORTED for Lwt_io.establish_server*. The stdext updates are for listext, which drops the List functions.

+26 -26

0 comment

10 changed files

psafont

pr closed time in an hour

Pull request review commentxapi-project/xen-api

Cert Refresh

+(*
+ * Copyright (C) Citrix Systems Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+module D = Debug.Make (struct let name = "cert_refresh" end)
+
+open D
+
+let replace_extension filename ~ext =
+  let base =
+    match Filename.extension filename with
+    | "" ->
+        filename
+    | _ ->
+        Filename.remove_extension filename
+  in
+  Printf.sprintf "%s.%s" base ext
+
+let cert_path = function
+  | `host ->
+      !Xapi_globs.server_cert_path
+  | `host_internal ->
+      !Xapi_globs.server_cert_internal_path
+
+let new_cert_path type' = replace_extension (cert_path type') ~ext:"new"
+
+let backup_cert_path type' = replace_extension (cert_path type') ~ext:"bak"
+
+let new_host_cert ~dbg ~path : X509.Certificate.t =
+  let name, ip =
+    match Networking_info.get_management_ip_addr ~dbg with
+    | None ->
+        let msg = Printf.sprintf "%s: failed to get management IP" __LOC__ in
+        D.error "%s" msg ;
+        raise Api_errors.(Server_error (internal_error, [msg]))
+    | Some ip ->
+        ip
+  in
+  let dns_names = Networking_info.dns_names () in
+  let ips = [ip] in
+  Gencertlib.Selfcert.host ~name ~dns_names ~ips path
+
+let host ~__context ~type' =
+  let host = Helpers.get_localhost ~__context in
+  let dbg = Context.string_of_task __context in
+  let pem = cert_path type' in
+  let path = new_cert_path type' in
+  let cert = new_host_cert ~dbg ~path in
+  let bak = backup_cert_path type' in

Ah I see we don't actually remove bak at the end. The idea is that it is useful to keep around in case the user needs to manually intervene because of a failure?

I'm thinking about the case where a cert refresh has failed - the user's first instinct after running xe cert-refresh and seeing a failure is going to be to run it again, so it would be nice not to overwrite bak in this case

lindig

comment created time in an hour

Pull request review commentxapi-project/xen-api

Cert Refresh

+(*
+ * Copyright (C) Citrix Systems Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+module D = Debug.Make (struct let name = "cert_refresh" end)
+
+open D
+
+let replace_extension filename ~ext =
+  let base =
+    match Filename.extension filename with
+    | "" ->
+        filename
+    | _ ->
+        Filename.remove_extension filename
+  in
+  Printf.sprintf "%s.%s" base ext
+
+let cert_path = function
+  | `host ->
+      !Xapi_globs.server_cert_path
+  | `host_internal ->
+      !Xapi_globs.server_cert_internal_path
+
+let new_cert_path type' = replace_extension (cert_path type') ~ext:"new"
+
+let backup_cert_path type' = replace_extension (cert_path type') ~ext:"bak"
+
+let new_host_cert ~dbg ~path : X509.Certificate.t =
+  let name, ip =
+    match Networking_info.get_management_ip_addr ~dbg with
+    | None ->
+        let msg = Printf.sprintf "%s: failed to get management IP" __LOC__ in
+        D.error "%s" msg ;
+        raise Api_errors.(Server_error (internal_error, [msg]))
+    | Some ip ->
+        ip
+  in
+  let dns_names = Networking_info.dns_names () in
+  let ips = [ip] in
+  Gencertlib.Selfcert.host ~name ~dns_names ~ips path
+
+let host ~__context ~type' =
+  let host = Helpers.get_localhost ~__context in
+  let dbg = Context.string_of_task __context in
+  let pem = cert_path type' in
+  let path = new_cert_path type' in
+  let cert = new_host_cert ~dbg ~path in
+  let bak = backup_cert_path type' in
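Review bot: In `new_host_cert` the match arm `| Some ip -> ip` binds a pair to the name `ip`, which the enclosing `let name, ip =` then destructures, so the same identifier means two different things within four lines. Destructuring in the pattern reads more honestly: `| Some (name, ip) -> (name, ip)`. In `replace_extension` the `match` on `Filename.extension` is also redundant, since `Filename.remove_extension` already returns the name unchanged when there is no extension. The body could be just `Printf.sprintf "%s.%s" (Filename.remove_extension filename) ext`.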

We might want to think about the case where bak exists on the file system at this point - it probably means that a previous cert refresh failed. Do we just error out in this case or try to resolve the problem?

lindig

comment created time in an hour

Pull request review commentxapi-project/xen-api

Cert Refresh

 let import_joining_pool_ca_certificates ~__context ~ca_certs =   Worker.local_write_cert_fs ~__context ApplianceCertificate Merge     appliance_certs ;   Worker.local_regen_bundle ~__context++let distribute_new_host_cert ~__context ~host ~content =+  let hosts = Db.Host.get_all ~__context in+  let uuid = Db.Host.get_uuid ~__context ~self:host in+  let file =+    WireProtocol.{filename= Printf.sprintf "%s.new.pem" uuid; content}+  in+  let job rpc session_id host =+    Worker.remote_write_certs_fs HostPoolCertificate Merge [file] host rpc
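Review bot: Inside `distribute_new_host_cert` the `job` closure takes a parameter named `host` that shadows the function's own `~host`, so the host whose UUID names the file and the host the file is written to read as the same value. Renaming the closure parameter, e.g. `let job rpc session_id remote_host =` with `remote_host` passed to `Worker.remote_write_certs_fs`, keeps the two apart. A short doc comment stating whose certificate `content` holds and which hosts receive it would also help. The rest of the function is outside the hunk, so how `hosts` is consumed is not visible here.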

what happens if file already exists on the remote host? We probably don't want to overwrite it, because the remote host could be relying on it

lindig

comment created time in 2 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 functor             Client.Host.get_server_certificate rpc session_id host         ) +      let refresh_server_certificate ~__context ~host =

Maybe we want to error if a refresh is already in progress

lindig

comment created time in 2 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 functor             Client.Host.get_server_certificate rpc session_id host         ) +      let refresh_server_certificate ~__context ~host =

We probably want a lock to prevent concurrent refreshes

lindig

comment created time in 2 hours

Pull request review commentxapi-project/xen-api

CA-355571: Include accumulative updates for updates description and guidances

 module GuidanceSet = struct     | l when eq_set2 l ->         (* RestartDeviceModel and RestartToolstack *)         ()-    | l when eq_set3 l ->-        (* RestartDeviceModel and EvacuateHost *)-        ()-    | l when eq_set4 l ->-        (* EvacuateHost, RestartToolstack and RestartDeviceModel *)-        ()     | l ->         let msg = error_msg l in         raise Api_errors.(Server_error (internal_error, [msg])) -  let resort_guidances ~kind gs =-    match (find_opt RebootHost gs, kind) with-    | Some _, _ ->-        singleton RebootHost-    | None, Recommended ->+  let apply_precedence higher lowers gs =+    match find_opt higher gs with+    | Some _ ->+        filter (fun elem -> not (List.mem elem lowers)) gs+    | None ->         gs-    | None, Absolute ->-        filter (fun g -> g <> EvacuateHost) gs++  let precedences =+    [+      (RebootHost, [RestartToolstack; EvacuateHost; RestartDeviceModel])+    ; (EvacuateHost, [RestartDeviceModel])+    ]++  let resort_guidances ~kind gs =

or use set difference instead of remove .. |> remove .. |> remove ..

minglumlu

comment created time in 2 hours

Pull request review commentxapi-project/xen-api

CA-355571: Include accumulative updates for updates description and guidances

 module GuidanceSet = struct     | l when eq_set2 l ->         (* RestartDeviceModel and RestartToolstack *)         ()-    | l when eq_set3 l ->-        (* RestartDeviceModel and EvacuateHost *)-        ()-    | l when eq_set4 l ->-        (* EvacuateHost, RestartToolstack and RestartDeviceModel *)-        ()     | l ->         let msg = error_msg l in         raise Api_errors.(Server_error (internal_error, [msg])) -  let resort_guidances ~kind gs =-    match (find_opt RebootHost gs, kind) with-    | Some _, _ ->-        singleton RebootHost-    | None, Recommended ->+  let apply_precedence higher lowers gs =+    match find_opt higher gs with+    | Some _ ->+        filter (fun elem -> not (List.mem elem lowers)) gs+    | None ->         gs-    | None, Absolute ->-        filter (fun g -> g <> EvacuateHost) gs++  let precedences =+    [+      (RebootHost, [RestartToolstack; EvacuateHost; RestartDeviceModel])+    ; (EvacuateHost, [RestartDeviceModel])+    ]++  let resort_guidances ~kind gs =

I'm having a hard time understanding this function - is it supposed to be equivalent to something like this? (I think it gets simpler if you use sets, so take gs to be a set below)

open GuidanceSet

let clean_guidances ~kind gs =
  let gs = 
    if mem RebootHost gs then
      gs |> remove RestartToolstack |> remove EvacuateHost |> remove RestartDeviceModel 
    else 
      gs
  in
  let gs = if mem EvauateHost gs then gs |> remove RestartDeviceModel else gs
  in match kind with
  | Recommended -> gs
  | Absolute -> remove EvacuateHost gs
minglumlu

comment created time in 2 hours

Pull request review commentxapi-project/xen-api

CA-355571: Include accumulative updates for updates description and guidances

 let get_updates_from_list_updates repositories =   in   updates -let get_update_in_json ~update_ids ~installed_pkgs (new_pkg, repo) =+let validate_latest_updates ~latest_updates ~accumulative_updates =+  List.map+    (fun (pkg, repo) ->+      match List.assoc_opt pkg accumulative_updates with+      | Some uid ->+          (pkg, Some uid, repo)+      | None ->+          warn "Not found update ID for update %s" (Pkg.to_fullname pkg) ;+          (pkg, None, repo)+      )+    latest_updates++let prune_by_latest_updates latest_updates pkg uid =+  let open Pkg in+  let is_same_name_arch pkg1 pkg2 =+    pkg1.name = pkg2.name && pkg1.arch = pkg2.arch+  in+  match+    List.find_opt (fun (pkg', _) -> is_same_name_arch pkg pkg') latest_updates+  with+  | Some (pkg', repo) ->+      if+        Applicability.gt pkg.epoch pkg.version pkg.release pkg'.epoch+          pkg'.version pkg'.release

Maybe repository_helpers.ml should have a function for comparing packages

minglumlu

comment created time in 3 hours

Pull request review commentxapi-project/xenopsd

CP-37034: move TSX handling logic out of xenopsd

 external numainfo : handle -> numainfo = "stub_xenctrlext_numainfo"  external cputopoinfo : handle -> cputopo array = "stub_xenctrlext_cputopoinfo" -external xc_get_msr_arch_caps : handle -> int64-  = "stub_xenctrlext_get_msr_arch_caps"+let string_of_leaf v =+  Printf.sprintf "%08Lx:%08Lx->%08Lx:%08Lx:%08Lx:%08Lx"+  v.leaf v.subleaf v.a v.b v.c v.d++let leaf_of_string s =+  Scanf.sscanf s "%08Lx:%08Lx->%08Lx:%08Lx:%08Lx:%08Lx" @@
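Review bot: `leaf_of_string` accepts trailing input, because the format passed to `Scanf.sscanf` stops after the last `%08Lx` and nothing requires the string to end there. A valid leaf followed by extra characters therefore parses without error. Ending the format with `%!` makes the scanner demand end of input: `Scanf.sscanf s "%08Lx:%08Lx->%08Lx:%08Lx:%08Lx:%08Lx%!" @@`. Any sibling parser written the same way would need the same change. The expression continues past the end of the hunk.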

Each captured field is limited to at most 8 characters, but nothing enforces that it is at least 8 characters long.

If this is trusted input then it's not a problem, otherwise it is.

See here for a similar situation when parsing uuids with scanf

edwintorok

comment created time in 3 hours

Pull request review commentxapi-project/xen-api

Add more messages to a VM lifecycle

 functor        let wait_for_tasks = Helpers.Task.wait_for +      let create_vm_message ~__context ~body ~message ~vm =

indeed, more coherent with the rest of the code, i'll change that right away!

benjamreis

comment created time in 7 hours

Pull request review commentxapi-project/xen-api

Add more messages to a VM lifecycle

 functor        let wait_for_tasks = Helpers.Task.wait_for +      let create_vm_message ~__context ~body ~message ~vm =
      let create_vm_message ~__context ~vm ~message_body ~message =

Changing the order and the name of the content parameter will make call sites look more straight-forward:

        create_vm_message ~__context ~vm ~message_body
          ~message:Api_messages.vm_checkpointed;
benjamreis

comment created time in 7 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 let host_query_ha = call ~flags:[`Session]       ~allowed_roles:_R_READ_ONLY       () +  let refresh_server_certificates = call+      ~lifecycle:[Published, rel_next, ""]+      ~name:"refresh_server_certificates"+      ~doc:"Replace the self-signed certficates for the host with new ones."+      ~params:[Ref _host, "host", "The host"]+      ~allowed_roles:_R_POOL_ADMIN
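Review bot: The `~doc` string of `refresh_server_certificates` misspells "certificates" as "certficates", and this text presumably ends up in the generated API documentation. It should read `~doc:"Replace the self-signed certificates for the host with new ones."`. The lifecycle entry `[Published, rel_next, ""]` also carries an empty description, where a short phrase would serve readers of the API history better. The call definition continues past the end of the hunk.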

The external one is already handled by the call reset_server_certificate. It's a different call because users might have installed their own certificates and they just want to replace the self-signed ones without affecting the external certificates.

lindig

comment created time in 7 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 let host_query_ha = call ~flags:[`Session]       ~allowed_roles:_R_READ_ONLY       () +  let refresh_server_certificates = call+      ~lifecycle:[Published, rel_next, ""]+      ~name:"refresh_server_certificates"+      ~doc:"Replace the self-signed certficates for the host with new ones."+      ~params:[Ref _host, "host", "The host"]+      ~allowed_roles:_R_POOL_ADMIN

Ok - will limit this to the internal certificates. But to be clear: a server has two self-signed certificates, one for internal and one for external use. So don't rotate the external one? I don't think this makes sense from a security perspective.

lindig

comment created time in 8 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 let replace_host_certificate ~__context ~type' ~host   let old_certs = Db_util.get_host_certs ~__context ~type' ~host in   let new_cert = write_cert_fs () in

Maybe I should rename them to *.bak such that they would not be picked up by bundling but they would be around for recovery.

lindig

comment created time in 8 hours

Pull request review commentxapi-project/xen-api

CP-37241: Disable machine account on domain leave

 intel-igb-5.3.5.20-2.xs8.x86_64 nss-pem-1.0.3-4.el7.x86_64 gssproxy-0.7.0-17.el7.x86_64 nss-sysinit-3.36.0-7.el7_5.x86_64-pbis-open-8.2.3-1.7.8.xs8.x86_64

We are going to remove PBIS-related packages. I know this is just for the unit test, but removing it does no harm.

liulinC

comment created time in 8 hours

pull request commentxapi-project/xen-api

CP-37241: Disable machine account on domain leave

Looks fine to me, once the ocaml/tests/test_data/repository_pkg_of_fullname_all changes have been reverted

Another note is that the 'Avoid using List.hd' commit contains some unrelated changes

liulinC

comment created time in 8 hours

Pull request review commentxapi-project/xen-api

CP-37241: Disable machine account on domain leave

 intel-igb-5.3.5.20-2.xs8.x86_64 nss-pem-1.0.3-4.el7.x86_64 gssproxy-0.7.0-17.el7.x86_64 nss-sysinit-3.36.0-7.el7_5.x86_64-pbis-open-8.2.3-1.7.8.xs8.x86_64

why have these been removed?

liulinC

comment created time in 8 hours

push eventxapi-project/xen-api

Lin Liu

commit sha f4a5a325442c0e849069cf8cef507b5762b55ff8

CP-37241: Avoid using List.hd Signed-off-by: Lin Liu <lin.liu@citrix.com>


push time in 8 hours

push eventxapi-project/xen-api

Lin Liu

commit sha 0a7a2a8baa20b59fd2e5934b9e264bf7b5faaf23

CP-37241: Avoid using List.hd Signed-off-by: Lin Liu <lin.liu@citrix.com>


push time in 13 hours

Pull request review commentxapi-project/xen-api

Cert Refresh

 let host_query_ha = call ~flags:[`Session]       ~allowed_roles:_R_READ_ONLY       () +  let refresh_server_certificates = call+      ~lifecycle:[Published, rel_next, ""]+      ~name:"refresh_server_certificates"+      ~doc:"Replace the self-signed certficates for the host with new ones."+      ~params:[Ref _host, "host", "The host"]+      ~allowed_roles:_R_POOL_ADMIN

This should not be documented, IMO. Users will find it confusing to have both "refresh_server_certificates" and "reset_server_certificate". I think recycling certificates in this way only makes sense for internal certificates; dropping the 's', among other changes, would make it less confusing even for us.

lindig

comment created time in a day

Pull request review commentxapi-project/xen-api

Cert Refresh

 let replace_host_certificate ~__context ~type' ~host   let old_certs = Db_util.get_host_certs ~__context ~type' ~host in   let new_cert = write_cert_fs () in

This overwrites the existing certificate. What happens when there's a failure and the previous certificates need to be reinstated?

lindig

comment created time in a day