From 9c488b1a4ce4a9a669966235ac31c86edf65b0cd Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:53:56 -0400 Subject: [PATCH 1/8] System VM access instructions and security details Updated instructions for accessing System VMs via SSH and Web Console, including details for enabling randomized passwords for the SysVMs. --- source/adminguide/systemvm.rst | 93 ++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 15 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index ec0e00d298..99704dbe78 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -147,51 +147,114 @@ Accessing System VMs It may sometimes be necessary to access System VMs for diagnostics of certain issues, for example if you are experiencing SSVM (Secondary Storage VM) -connection issues. Use the steps below in order to connect to the SSH console -of a running System VM. +connection issues. Use the methods below in order to connect to any running +System VM, including VR (Virtual Router) and CPVM (ConsoleProxyVM). + +Option A: Accessing via SSH +~~~~~~~~~~~~~~~~~~~~~~~~~~~ Accessing System VMs over the network requires the use of private keys and -connecting to System VMs SSH Daemon on port 3922. XenServer/KVM Hypervisors -store this key at /root/.ssh/id_rsa.cloud on each CloudStack agent. To access +connecting to System VMs SSH Daemon on port **3922**. XenServer/KVM Hypervisors +store this key at ``/root/.ssh/id_rsa.cloud`` on each CloudStack agent. To access System VMs running on ESXi, the key is stored on the management server at -~cloud/.ssh/id_rsa. +``~cloud/.ssh/id_rsa``. #. Find the details of the System VM - #. Log in with admin privileges to the CloudStack UI. + #. Log in with Root Admin privileges to the **CloudStack UI**. - #. Click Infrastructure, then System VMs, and then click the name of a + #. Click **Infrastructure > System VMs**, and then click the name of a running VM. #. Take a note of the 'Host', 'Private IP Address' and 'Link Local IP Address' of the System VM you wish to access. -#. XenServer/KVM Hypervisors +#. For XenServer/KVM Hypervisors - #. Connect to the Host of which the System VM is running. + #. Connect via SSH as `root` to the Host of which the System VM is running. #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. - Format: ssh -i -p 3922 + Format: ``ssh -i -p 3922`` - Example: root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922 + Example: ``root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922`` -#. ESXi Hypervisors +#. 
For ESXi Hypervisors #. Connect to your CloudStack Management Server. #. ESXi users should SSH to the private IP address of the System VM. - Format: ssh -i -p 3922 + Format: ``ssh -i -p 3922`` + + Example: ``root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922`` + + +Option B: Accessing via the Web Console +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If network access is restricted or the SSH daemon is unresponsive, administrators can +access the System VM directly through the CloudStack UI. + +#. For any hypervisor, using the default password. + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. Click **Infrastructure > System VMs**, and then click the name of a + running VM. + + #. Click the **View Console** button (screen icon) in the top right toolbar. + + #. Default Username: ``root`` + + #. Default Password: ``password`` + +#. For any hypervisor, if ``system.vm.random.password`` is enabled (recommended). + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. Click **Infrastructure > System VMs**, and then click the name of a + running VM. + + #. Click the **View Console** button (screen icon) in the top right toolbar. + + #. Default Username: ``root`` + + #. The decrypted password can be found under the ``system.vm.password`` global parameter. + + +How to Enable System VM Random Password +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To step up the security of the environment, by configuring the ``system.vm.random.password`` parameter to **True**, and restart the Management Server, a random password is generated and stored encrypted in the database. The decrypted password found under the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, still need to be decrypted to reveal the usable password. + +#. Find the encrypted password and encryption key + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. 
Click **Configuration > Global Settings**, and search for ``system.vm.password``. + + Or using CloudMonkey: ``cmk listconfigurations name=system.vm.password`` + + #. On the Management Server, read the content of the file ``/etc/cloudstack/management/key`` to obtain + the encryption/decryption key. + + #. Decrypt the password with the obtained key from the Management Server. + + Format: ``java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2`` + + Example: ``root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ + name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2`` - Example: root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922 Multiple System VM Support for VMware ------------------------------------- -Every CloudStack zone has single System VM for Template processing tasks +Every CloudStack zone has a single System VM for Template processing tasks such as downloading Templates, uploading Templates, and uploading ISOs. In a zone where VMware is being used, additional System VMs can be launched to process VMware-specific tasks such as taking Snapshots and From 54f16ea1135d820f4bec98f11d4ea879d1e3e943 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:05:34 -0400 Subject: [PATCH 2/8] Format SSH command examples in systemvm.rst Added code formatting for SSH command examples in the admin guide. --- source/adminguide/systemvm.rst | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 99704dbe78..be5ac45913 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -177,9 +177,17 @@ System VMs running on ESXi, the key is stored on the management server at #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. - Format: ``ssh -i -p 3922`` + Format: - Example: ``root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922`` + .. code:: bash + + ssh -i -p 3922 + + Example: + + .. code:: bash + + root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922 #. For ESXi Hypervisors From 23a932b1d504d690b63012cdf4fddf36ff9c11fd Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:07:25 -0400 Subject: [PATCH 3/8] Revise command formats and examples in systemvm.rst Updated SSH and decryption command formats and examples in the admin guide. --- source/adminguide/systemvm.rst | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index be5ac45913..a938700048 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -195,9 +195,17 @@ System VMs running on ESXi, the key is stored on the management server at #. ESXi users should SSH to the private IP address of the System VM. - Format: ``ssh -i -p 3922`` + Format: - Example: ``root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922`` + .. code:: bash + + ssh -i -p 3922 + + Example: + + .. code:: bash + + root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922 Option B: Accessing via the Web Console 
@@ -251,12 +259,20 @@ To step up the security of the environment, by configuring the ``system.vm.rando #. Decrypt the password with the obtained key from the Management Server. - Format: ``java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ - com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2`` + Format: + + .. code:: bash + + java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2 + + Example: + + .. code:: bash - Example: ``root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ - com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ - name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2`` + root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ + name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2 Multiple System VM Support for VMware From c8045fc684f45926dd730539b17979fe8fa771f2 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:15:41 -0400 Subject: [PATCH 4/8] Remove asterisks from global parameter references --- source/adminguide/systemvm.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index a938700048..823451f5a0 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -124,13 +124,13 @@ of memory. #. Navigate to Configuration, Global Settings: #. Set the name of the 64-bit Template, KVM64bitTemplate, in the - *``router.template.kvm``* global parameter. + ``router.template.kvm`` global parameter. If you are using a XenServer 64-bit Template, set the name in the - *``router.template.xenserver``* global parameter. + ``router.template.xenserver`` global parameter. If you are using a VMware 64-bit Template, set the name in the - *``router.template.vmware``* global parameter. + ``router.template.vmware`` global parameter. Any new virtual router created in this Zone automatically picks up this Template. From 31b3ddfaf011989bd0dc89794483534ce16ec4aa Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:52:50 -0400 Subject: [PATCH 5/8] Update source/adminguide/systemvm.rst Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 823451f5a0..15e72e69ec 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -172,7 +172,7 @@ System VMs running on ESXi, the key is stored on the management server at #. For XenServer/KVM Hypervisors - #. Connect via SSH as `root` to the Host of which the System VM is running. + #. Connect via SSH as ``root`` to the Host of which the System VM is running. #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. From dbc1da7f72887b946821a4f47de1a3e9716c3c13 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:54:23 -0400 Subject: [PATCH 6/8] Update source/adminguide/systemvm.rst Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 15e72e69ec..fe4c126b96 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -244,7 +244,7 @@ access the System VM directly through the CloudStack UI. How to Enable System VM Random Password ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -To step up the security of the environment, by configuring the ``system.vm.random.password`` parameter to **True**, and restart the Management Server, a random password is generated and stored encrypted in the database. The decrypted password found under the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, still need to be decrypted to reveal the usable password. +To improve the security of the environment, set the ``system.vm.random.password`` parameter to **True** and restart the Management Server. A random password is then generated and stored in encrypted form in the database. The value returned by the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, must be decrypted to obtain the usable password. #. Find the encrypted password and encryption key From 7ff20e6143d4510c4c19e29c3f95cf2e1f4ea1ce Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:55:56 -0400 Subject: [PATCH 7/8] Update source/adminguide/systemvm.rst Co-authored-by: Suresh Kumar Anaparti --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index fe4c126b96..aba68c75ef 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -148,7 +148,7 @@ Accessing System VMs It may sometimes be necessary to access System VMs for diagnostics of certain issues, for example if you are experiencing SSVM (Secondary Storage VM) connection issues. Use the methods below in order to connect to any running -System VM, including VR (Virtual Router) and CPVM (ConsoleProxyVM). +System VM, including VR (Virtual Router) and CPVM (Console Proxy VM). Option A: Accessing via SSH ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From afcda839e9a8d822f9271b410e3b78c73a2880d1 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:58:07 -0400 Subject: [PATCH 8/8] Update password information in systemvm.rst Clarified the description of the password in the System VM guide. --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index aba68c75ef..ccd625ef54 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -238,7 +238,7 @@ access the System VM directly through the CloudStack UI. #. Default Username: ``root`` - #. The decrypted password can be found under the ``system.vm.password`` global parameter. + #. The encrypted password can be found under the ``system.vm.password`` global parameter and must be decrypted to be usable. How to Enable System VM Random Password
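
Review bot: In PATCH 1/8 (hunk @@ -147,51 +147,114 @@), the first list under "Option B: Accessing via the Web Console" documents the console login as ``root`` / ``password`` and gives no indication that this default should be replaced. The second list already marks ``system.vm.random.password`` as recommended, so put the randomized-password path first and add a short admonition to the default-password item that points at "How to Enable System VM Random Password". The "Default Username" and "Default Password" entries are values rather than actions, so they read better as one "log in as ..." step than as separate numbered items.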
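
Review bot: In PATCH 2/8 (hunk @@ -177,9 +177,17 @@), the new Example block is tagged ``.. code:: bash`` but its content starts with the prompt ``root@kvm01:~#``, so the line is not a valid command when copied out of the rendered page. Either drop the prompt from the block or tag the prompted line with a console-style lexer. The Format block above it is a template rather than runnable bash, so the ``bash`` tag is questionable there as well.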
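
Review bot: In PATCH 3/8 (first hunk, @@ -195,9 +195,17 @@), the Format block reads ``ssh -i -p 3922`` with nothing between ``-i`` and ``-p`` as it appears here, so the template names neither the key file nor the target address. Add explicit placeholders for the private key path and the System VM private IP so the Format line lines up with the Example below it (``-i ~cloud/.ssh/id_rsa 172.16.0.250``). The XenServer/KVM Format block changed in PATCH 2/8 needs the same treatment.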
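
Review bot: In PATCH 3/8 (second hunk, @@ -251,12 +259,20 @@), the Example fills the ``-p`` argument from ``cat /etc/cloudstack/management/key``, which puts the management key into the argument list of the ``java`` process, where it can be visible in the process list while the command runs. Add a sentence telling the reader to run this only in a root session on the Management Server and to keep the expanded key and the decrypted output out of tickets and logs. The step also relies on ``cmk`` and ``jq`` being installed and configured without saying so, and the Format block shows ``-p -i -d -e V2`` with no placeholders for the key and the encrypted value.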
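
Review bot: In PATCH 5/8 (hunk @@ -172,7 +172,7 @@), the changed line still reads "to the Host of which the System VM is running", while the next step in the same hunk uses "from the Host on which the VM is running". Since the line is being touched anyway, change it to "Connect via SSH as ``root`` to the Host on which the System VM is running."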
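
Review bot: In PATCH 6/8 (hunk @@ -244,7 +244,7 @@), the rewritten paragraph says to restart the Management Server but does not say what happens to System VMs that are already running, that is, whether they keep the default password until they are recreated or accept the generated one straight away. State this explicitly, because an operator who follows Option B afterwards needs to know which password a given VM accepts. The paragraph is also a single long source line, while the surrounding text in this file is hard-wrapped.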
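
Review bot: In PATCH 8/8 (hunk @@ -238,7 +238,7 @@), the corrected item says the value "must be decrypted to be usable" but does not say how or where. Add a reference to the "How to Enable System VM Random Password" section, which holds the decrypt procedure, so the reader is not left at a dead end in the console steps. The item before it is still labelled "Default Username" inside the randomized-password path, where plain "Username" would be clearer.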