From 5abf2e91c0d3df82aeed4db375db752fd6e2b76e Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:53:56 -0400 Subject: [PATCH 1/8] System VM access instructions and security details Updated instructions for accessing System VMs via SSH and Web Console, including details for enabling randomized passwords for the SysVMs. --- source/adminguide/systemvm.rst | 93 ++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 15 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index ec0e00d298..99704dbe78 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -147,51 +147,114 @@ Accessing System VMs It may sometimes be necessary to access System VMs for diagnostics of certain issues, for example if you are experiencing SSVM (Secondary Storage VM) -connection issues. Use the steps below in order to connect to the SSH console -of a running System VM. +connection issues. Use the methods below in order to connect to any running +System VM, including VR (Virtual Router) and CPVM (ConsoleProxyVM). + +Option A: Accessing via SSH +~~~~~~~~~~~~~~~~~~~~~~~~~~~ Accessing System VMs over the network requires the use of private keys and -connecting to System VMs SSH Daemon on port 3922. XenServer/KVM Hypervisors -store this key at /root/.ssh/id_rsa.cloud on each CloudStack agent. To access +connecting to System VMs SSH Daemon on port **3922**. XenServer/KVM Hypervisors +store this key at ``/root/.ssh/id_rsa.cloud`` on each CloudStack agent. To access System VMs running on ESXi, the key is stored on the management server at -~cloud/.ssh/id_rsa. +``~cloud/.ssh/id_rsa``. #. Find the details of the System VM - #. Log in with admin privileges to the CloudStack UI. + #. Log in with Root Admin privileges to the **CloudStack UI**. - #. Click Infrastructure, then System VMs, and then click the name of a + #. Click **Infrastructure > System VMs**, and then click the name of a running VM. #. Take a note of the 'Host', 'Private IP Address' and 'Link Local IP Address' of the System VM you wish to access. -#. XenServer/KVM Hypervisors +#. For XenServer/KVM Hypervisors - #. Connect to the Host of which the System VM is running. + #. Connect via SSH as `root` to the Host of which the System VM is running. #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. - Format: ssh -i -p 3922 + Format: ``ssh -i -p 3922`` - Example: root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922 + Example: ``root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922`` -#. ESXi Hypervisors +#. 
For ESXi Hypervisors #. Connect to your CloudStack Management Server. #. ESXi users should SSH to the private IP address of the System VM. - Format: ssh -i -p 3922 + Format: ``ssh -i -p 3922`` + + Example: ``root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922`` + + +Option B: Accessing via the Web Console +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If network access is restricted or the SSH daemon is unresponsive, administrators can +access the System VM directly through the CloudStack UI. + +#. For any hypervisor, using the default password. + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. Click **Infrastructure > System VMs**, and then click the name of a + running VM. + + #. Click the **View Console** button (screen icon) in the top right toolbar. + + #. Default Username: ``root`` + + #. Default Password: ``password`` + +#. For any hypervisor, if ``system.vm.random.password`` is enabled (recommended). + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. Click **Infrastructure > System VMs**, and then click the name of a + running VM. + + #. Click the **View Console** button (screen icon) in the top right toolbar. + + #. Default Username: ``root`` + + #. The decrypted password can be found under the ``system.vm.password`` global parameter. + + +How to Enable System VM Random Password +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To step up the security of the environment, by configuring the ``system.vm.random.password`` parameter to **True**, and restart the Management Server, a random password is generated and stored encrypted in the database. The decrypted password found under the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, still need to be decrypted to reveal the usable password. + +#. Find the encrypted password and encryption key + + #. Log in with Root Admin privileges to the **CloudStack UI**. + + #. 
Click **Configuration > Global Settings**, and search for ``system.vm.password``. + + Or using CloudMonkey: ``cmk listconfigurations name=system.vm.password`` + + #. On the Management Server, read the content of the file ``/etc/cloudstack/management/key`` to obtain + the encryption/decryption key. + + #. Decrypt the password with the obtained key from the Management Server. + + Format: ``java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2`` + + Example: ``root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ + name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2`` - Example: root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922 Multiple System VM Support for VMware ------------------------------------- -Every CloudStack zone has single System VM for Template processing tasks +Every CloudStack zone has a single System VM for Template processing tasks such as downloading Templates, uploading Templates, and uploading ISOs. In a zone where VMware is being used, additional System VMs can be launched to process VMware-specific tasks such as taking Snapshots and From 6391e5d3a0cfeed31415c33bdcef8d0b57551041 Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:05:34 -0400 Subject: [PATCH 2/8] Format SSH command examples in systemvm.rst Added code formatting for SSH command examples in the admin guide. --- source/adminguide/systemvm.rst | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 99704dbe78..be5ac45913 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -177,9 +177,17 @@ System VMs running on ESXi, the key is stored on the management server at #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. - Format: ``ssh -i -p 3922`` + Format: - Example: ``root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922`` + .. code:: bash + + ssh -i -p 3922 + + Example: + + .. code:: bash + + root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922 #. For ESXi Hypervisors From de2a965b9b182b7e5099d9873905737482e557be Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:07:25 -0400 Subject: [PATCH 3/8] Revise command formats and examples in systemvm.rst Updated SSH and decryption command formats and examples in the admin guide. --- source/adminguide/systemvm.rst | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index be5ac45913..a938700048 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -195,9 +195,17 @@ System VMs running on ESXi, the key is stored on the management server at #. ESXi users should SSH to the private IP address of the System VM. - Format: ``ssh -i -p 3922`` + Format: - Example: ``root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922`` + .. code:: bash + + ssh -i -p 3922 + + Example: + + .. code:: bash + + root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922 Option B: Accessing via the Web Console 
@@ -251,12 +259,20 @@ To step up the security of the environment, by configuring the ``system.vm.rando #. Decrypt the password with the obtained key from the Management Server. - Format: ``java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ - com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2`` + Format: + + .. code:: bash + + java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p -i -d -e V2 + + Example: + + .. code:: bash - Example: ``root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ - com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ - name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2`` + root@management:~# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \ + com.cloud.utils.crypt.EncryptionCLI -p `cat /etc/cloudstack/management/key` -i `cmk listconfigurations \ + name=system.vm.password | jq -r '.configuration[0].value'` -d -e V2 Multiple System VM Support for VMware From 22b98360ec0a165ac67c3aa82c74a30d0a51417c Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Thu, 2 Apr 2026 12:15:41 -0400 Subject: [PATCH 4/8] Remove asterisks from global parameter references --- source/adminguide/systemvm.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index a938700048..823451f5a0 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -124,13 +124,13 @@ of memory. #. Navigate to Configuration, Global Settings: #. Set the name of the 64-bit Template, KVM64bitTemplate, in the - *``router.template.kvm``* global parameter. + ``router.template.kvm`` global parameter. If you are using a XenServer 64-bit Template, set the name in the - *``router.template.xenserver``* global parameter. + ``router.template.xenserver`` global parameter. If you are using a VMware 64-bit Template, set the name in the - *``router.template.vmware``* global parameter. + ``router.template.vmware`` global parameter. Any new virtual router created in this Zone automatically picks up this Template. From accffff45c0d18c495214b7462743ac17778774c Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:52:50 -0400 Subject: [PATCH 5/8] Update source/adminguide/systemvm.rst Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 823451f5a0..15e72e69ec 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -172,7 +172,7 @@ System VMs running on ESXi, the key is stored on the management server at #. For XenServer/KVM Hypervisors - #. Connect via SSH as `root` to the Host of which the System VM is running. + #. Connect via SSH as ``root`` to the Host of which the System VM is running. #. SSH to the 'Link Local IP Address' of the System VM from the Host on which the VM is running. From e27ac99d7472222933f803908cc15321fa366d1f Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:54:23 -0400 Subject: [PATCH 6/8] Update source/adminguide/systemvm.rst Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index 15e72e69ec..fe4c126b96 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -244,7 +244,7 @@ access the System VM directly through the CloudStack UI. How to Enable System VM Random Password ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -To step up the security of the environment, by configuring the ``system.vm.random.password`` parameter to **True**, and restart the Management Server, a random password is generated and stored encrypted in the database. The decrypted password found under the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, still need to be decrypted to reveal the usable password. +To improve the security of the environment, set the ``system.vm.random.password`` parameter to **True** and restart the Management Server. A random password is then generated and stored in encrypted form in the database. The value returned by the ``system.vm.password`` global parameter, or by calling the ``listConfigurations`` API, must be decrypted to obtain the usable password. #. Find the encrypted password and encryption key From 774e79d2e9c8ad40a02e97acd8e46333d72f2a8b Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:55:56 -0400 Subject: [PATCH 7/8] Update source/adminguide/systemvm.rst Co-authored-by: Suresh Kumar Anaparti --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index fe4c126b96..aba68c75ef 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst 
@@ -148,7 +148,7 @@ Accessing System VMs It may sometimes be necessary to access System VMs for diagnostics of certain issues, for example if you are experiencing SSVM (Secondary Storage VM) connection issues. Use the methods below in order to connect to any running -System VM, including VR (Virtual Router) and CPVM (ConsoleProxyVM). +System VM, including VR (Virtual Router) and CPVM (Console Proxy VM). Option A: Accessing via SSH ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 935bea04b2391794babb413df412a71a939395aa Mon Sep 17 00:00:00 2001 From: Davi Torres <90287660+daviftorres@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:58:07 -0400 Subject: [PATCH 8/8] Update password information in systemvm.rst Clarified the description of the password in the System VM guide. --- source/adminguide/systemvm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/systemvm.rst b/source/adminguide/systemvm.rst index aba68c75ef..ccd625ef54 100644 --- a/source/adminguide/systemvm.rst +++ b/source/adminguide/systemvm.rst @@ -238,7 +238,7 @@ access the System VM directly through the CloudStack UI. #. Default Username: ``root`` - #. The decrypted password can be found under the ``system.vm.password`` global parameter. + #. The encrypted password can be found under the ``system.vm.password`` global parameter and must be decrypted to be usable. How to Enable System VM Random Password
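Review bot: in PATCH 1/8, Option B, the first list documents the console login root / password as an ordinary access path with no caution, while the randomized case is only tagged "(recommended)" in the second list. Suggest listing the system.vm.random.password case first and adding a warning directive under the default-password case that says this credential is published in the guide and points to "How to Enable System VM Random Password". "Default Username" and "Default Password" are also numbered with "#." although they are values rather than steps; an indented line under the View Console step would read better.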
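Review bot: in PATCH 2/8, the Format block reads "ssh -i -p 3922" with nothing after -i and no address, so it is not a usable template. Add explicit placeholders for the key path and the Link Local IP Address, and check that they survive rendering inside the code directive. In the Example block the prompt "root@kvm01:~#" sits inside a bash code block, so the line cannot be pasted as is; drop the prompt or use a console-style block. The ESXi Format and Example blocks in the first hunk of PATCH 3/8 have the same two issues.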
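Review bot: in PATCH 3/8, second hunk, the Example passes the content of /etc/cloudstack/management/key as the -p argument through a backtick substitution, so the key ends up in the argument list of the java process, where other local users can usually read it from the process table while the command runs. The text should say this, state that the command is meant to be run only on the Management Server by an administrator, and mention that the output is the System VM root password. Smaller points on the same block: jq is used but never listed as a prerequisite, the nested backticks with a line continuation are hard to read and unquoted (a quoted "$(...)" form is safer against word splitting), and the Format line shows "-p -i -d -e V2" with no placeholders for the key and the encrypted value.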
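Review bot: in PATCH 5/8, the changed line still reads "to the Host of which the System VM is running"; this should be "the Host on which the System VM is running", matching the wording of the next step ("from the Host on which the VM is running"). Since the line is being touched anyway for the literal markup on root, fix both in the same change.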
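Review bot: in PATCH 6/8, the rewritten paragraph under "How to Enable System VM Random Password" says to set system.vm.random.password to True and restart the Management Server, but it does not say where the parameter is set (the steps below only cover looking up system.vm.password) or whether System VMs that are already running pick up the generated password or keep the old one until they are recreated. An operator needs both to know when the default password actually stops working. The paragraph is also a single unwrapped line, unlike the rest of the file.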
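Review bot: in PATCH 8/8, the new step says the value "must be decrypted to be usable" but gives no pointer to how; add a cross-reference to the "How to Enable System VM Random Password" section, where the decryption command is documented. The preceding step label "Default Username" is also misleading in this list, since this list is the case where the default password does not apply; "Username" alone would be clearer.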