Merge branch '4.20' of https://github.com/apache/cloudstack-documentation into 4.20-release-notes

Author: Pearl1594

source/_static/images/oauth-provider-registration.png

@@ -681,11 +681,6 @@ In any OAuth 2.0 configuration admin has to use the redirect URI "http://<manage
           server IP to host table in the local system and assign a domain, something like "management.cloud". In that redirect URI looks like
           "http://management.cloud:8080/?verifyOauth"
 
-.. image:: /_static/images/oauth-provider-registration.png
-   :width: 400px
-   :align: center
-   :alt: OAuth provider registration
-
 Following are the details needs to be provided to register the OAuth provider, this is to call the API "registerOauthProvider"
 
    -  **Provider**: Name of the provider from the list of OAuth providers supported in CloudStack
@@ -698,6 +693,11 @@ Following are the details needs to be provided to register the OAuth provider, t
 
    -  **Secret Key**: Secret Key pre-registered in the specific OAuth provider
 
+.. image:: /_static/images/oauth-provider-registration.png
+   :width: 400px
+   :align: center
+   :alt: OAuth provider registration
+
 Cloudmonkey API call looks like
 
    -  register oauthprovider provider=google description="Google Provider"

source/adminguide/accounts.rst

@@ -12,7 +12,7 @@
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
- 
+
 
 The CloudStack API is a low level API that has been used to implement
 the CloudStack web UIs. It is also a good basis for implementing other
@@ -177,6 +177,29 @@ VMdata - a list of String arrays representing [“directory”, “filename”,
 
     - default: config-2
 
+Virtual machine password via ConfigDrive
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ConfigDrive metadata provider delivers the virtual machine password simultaneously in two variants, leaving which one to use to the user discretion:
+
+1. As the ``<mountdir>/cloudstack/password/vm_password.txt`` file.
+
+This file is intended to be used by an external script that runs inside the virtual machine every boot, and changes the password if needed.
+The init-script that implements this functionality can be found in the `Cloudstack source <https://github.com/apache/cloudstack/blob/main/setup/bindir/cloud-set-guest-password-configdrive.in>`_.
+
+.. note::
+    The ``vm_password.txt`` file is not compatible with cloud-init password module, so the cloud-init will ignore it.
+    It is up to Cloudstack administrator to include the script processing it in the virtual machines and/or their templates.
+
+2. As the ``<mountdir>/openstack/latest/vendor_data.json``.
+This is a standard password location supported by cloud-init's both ConfigDrive datasource and the password module.
+Therefore, this variant allows using cloud-init as the only tool for provisioning a virtual machine, without using external scripts.
+
+.. warning::
+    Cloud-init password module is designed to only perform the initial virtual machine password setup.
+    It will ignore the changes in ``vendor_data.json`` after the first run. Therefore, resetting the virtual machine password from Cloudstack will not work with this variant.
+
+
 For more detailed information about the Config Drive implementation refer to
 the `Wiki Article
 <https://cwiki.apache.org/confluence/display/CLOUDSTACK/Using+ConfigDrive+for+Metadata%2C+Userdata+and+Password#:~:text=CLOUDSTACK%2D9813%20%2D%20(),%2Dkeys)%20and%20password%20files>`_

source/adminguide/api.rst

@@ -0,0 +1,28 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information#
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+   
+
+Best Practices
+==============
+
+This section provides the best practices to follow for your cloud.
+
+The following are some of the best practices:
+
+-  Configure 'api.allowed.source.cidr.list' at cloud level or an account
+   level to limit source IPs where the API requests are allowed from.
+   
+-  Setup fail2ban or similar tools to avoid any brute-force attempts
+   for any operations.

source/adminguide/best_practices.rst

@@ -187,3 +187,12 @@ Events and Troubleshooting
 
    events
    troubleshooting
+
+
+Best Practices
+--------------
+
+.. toctree::
+   :maxdepth: 4
+
+   best_practices

source/adminguide/index.rst

@@ -109,6 +109,10 @@ db.simulator.connectionPoolLib
 To use DBCP 2, the value for the configuration must be set to 'dbcp'. An
 empty value or 'hikaricp' will allow using HikariCP.
 
+For large-scale environments, HikariCP should perform better. For environments
+running management server with constrained memory resources, using DBCP may
+work better in terms of memory usage.
+
 
 Monitor the Database Load
 -------------------------

source/adminguide/tuning.rst

@@ -443,7 +443,7 @@ cloudstack-agent and should already be installed.
 
       #LIBVIRTD_ARGS="--listen"
 
-   On RHEL 8 / CentOS 8 / SUSE run the following command :
+   On RHEL 8 / CentOS 8 / SUSE / Ubuntu / Debian, run the following command :
 
    .. parsed-literal::