Re: [PR] System VM access instructions and security details [cloudstack-documentation]

Thu, 02 Apr 2026 09:22:37 -0700 


daviftorres commented on code in PR #638:
URL: 
https://github.com/apache/cloudstack-documentation/pull/638#discussion_r3029046213


##########
source/adminguide/systemvm.rst:
##########
@@ -147,51 +147,138 @@ Accessing System VMs
 
 It may sometimes be necessary to access System VMs for diagnostics of certain
 issues, for example if you are experiencing SSVM (Secondary Storage VM)
-connection issues. Use the steps below in order to connect to the SSH console
-of a running System VM.
+connection issues. Use the methods below in order to connect to any running 
+System VM, including VR (Virtual Router) and CPVM (ConsoleProxyVM).
+
+Option A: Accessing via SSH
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Accessing System VMs over the network requires the use of private keys and
-connecting to System VMs SSH Daemon on port 3922. XenServer/KVM Hypervisors
-store this key at /root/.ssh/id_rsa.cloud on each CloudStack agent. To access
+connecting to System VMs SSH Daemon on port **3922**. XenServer/KVM Hypervisors
+store this key at ``/root/.ssh/id_rsa.cloud`` on each CloudStack agent. To 
access
 System VMs running on ESXi, the key is stored on the management server at
-~cloud/.ssh/id_rsa.
+``~cloud/.ssh/id_rsa``.
 
 
 #. Find the details of the System VM
 
-   #. Log in with admin privileges to the CloudStack UI.
+   #. Log in with Root Admin privileges to the **CloudStack UI**.
 
-   #. Click Infrastructure, then System VMs, and then click the name of a
+   #. Click **Infrastructure > System VMs**, and then click the name of a
       running VM.
 
    #. Take a note of the 'Host', 'Private IP Address' and 'Link Local IP
       Address' of the System VM you wish to access.
 
-#. XenServer/KVM Hypervisors
+#. For XenServer/KVM Hypervisors
 
-   #. Connect to the Host of which the System VM is running.
+   #. Connect via SSH as `root` to the Host of which the System VM is running.
 
    #. SSH to the 'Link Local IP Address' of the System VM from the Host on
       which the VM is running.
 
-      Format: ssh -i <path-to-private-key> <link-local-ip> -p 3922
+      Format:
+
+      .. code:: bash
+
+         ssh -i <path-to-private-key> <link-local-ip> -p 3922
+
+      Example: 
+
+      .. code:: bash
 
-      Example: root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 
3922
+         root@kvm01:~# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.93 -p 3922
 
-#. ESXi Hypervisors
+#. For ESXi Hypervisors
 
    #. Connect to your CloudStack Management Server.
 
    #. ESXi users should SSH to the private IP address of the System VM.
 
-      Format: ssh -i <path-to-private-key> <vm-private-ip> -p 3922
+      Format: 
+
+      .. code:: bash
+
+         ssh -i <path-to-private-key> <vm-private-ip> -p 3922
+
+      Example: 
+
+      .. code:: bash
+
+         root@management:~# ssh -i ~cloud/.ssh/id_rsa 172.16.0.250 -p 3922
+
+
+Option B: Accessing via the Web Console
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If network access is restricted or the SSH daemon is unresponsive, 
administrators can 
+access the System VM directly through the CloudStack UI.
+
+#. For any hypervisor, using the default password.
+
+   #. Log in with Root Admin privileges to the **CloudStack UI**.
+
+   #. Click **Infrastructure > System VMs**, and then click the name of a
+      running VM.
+
+   #. Click the **View Console** button (screen icon) in the top right toolbar.
+
+      #. Default Username: ``root``
+
+      #. Default Password: ``password``
+
+#. For any hypervisor, if ``system.vm.random.password`` is enabled 
(recommended).
+
+   #. Log in with Root Admin privileges to the **CloudStack UI**.
+
+   #. Click **Infrastructure > System VMs**, and then click the name of a
+      running VM.
+
+   #. Click the **View Console** button (screen icon) in the top right toolbar.
+
+      #. Default Username: ``root``
+
+      #. The decrypted password can be found under the ``system.vm.password`` 
global parameter.
+
+
+How to Enable System VM Random Password
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To step up the security of the environment, by configuring the 
``system.vm.random.password`` parameter to **True**, and restart the Management 
Server, a random password is generated and stored encrypted in the database. 
The decrypted password found under the ``system.vm.password`` global parameter, 
or by calling the ``listConfigurations`` API, still need to be decrypted to 
reveal the usable password.

Review Comment:
   These steps where lost over time with iterations of the documentation.
   
   I got them from v4.11: 
https://docs.cloudstack.apache.org/projects/archived-cloudstack-getting-started/en/latest/administration_guide.html#managing-system-vms



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to