Bug 1141626
| Summary: | virt-sysprep option '--password' don't work well, it will cause login problem and if execute with other options it will take no effect | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lingfei Kong <lkong> |
| Component: | libguestfs | Assignee: | Richard W.M. Jones <rjones> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.1 | CC: | leiwang, lkong, mbooth, ptoscano, rjones, wshi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libguestfs-1.28.1-1.5.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 13:44:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lingfei Kong
2014-09-15 04:25:15 UTC
Can you try it with the --selinux-relabel option? There are some problems with SELinux relabelling, both in libguestfs 1.26 and with RHEL itself. (In reply to Richard W.M. Jones from comment #2) > Can you try it with the --selinux-relabel option? > > There are some problems with SELinux relabelling, both in libguestfs 1.26 > and with RHEL itself. 1. Create a new user test in rhel6.6.img 2. #virt-sysprep --selinux-relabel --password lkong:password:lkong -a rhel6.6.img 3. Try to login the guest. I can login the guest successfully with '--selinux-relabel' and the password is changed as requested. Hi Lingfei, there are two different issues in this bug report. (In reply to Lingfei Kong from comment #0) > #virt-sysprep --password lkong:password:lkong -a rhel6.6.img > If i try to login the guest with root account, i will failed to login with > 'login incorrect' error message. But if i disabled selinux first, then i can > login with root account successfully and password for lkong account is > change as requested. Accoding to the version reported (libguestfs-1.27.43-1.1.el7), this might be another case of the switch to Augeas to edit /etc/shadow (i.e. the same issue reported as #1146275 and #1147065). This has been fixed upstream yesterday, in libguestfs 1.27.56. Can you please try this with libguestfs-1.27.56-1.1.el7? --selinux-relabel should not be needed. (In reply to Lingfei Kong from comment #0) > #virt-sysprep --operation net-hwaddr --password lkong:password:lkong -a > rhel6.6.img > [ 0.0] Examining the guest ... > [ 5.0] Performing "net-hwaddr" ... This invocation basically enables only the "net-hwaddr" operation, and thus the "customize" operation (which does the password changing) is not run. This is similar to #1141157, so a similar fix should be done in the "customize" operation. Setting needinfo of Lingfei to retest with latest virt-sysprep and without --selinux-label option. It should work. (In reply to Pino Toscano from comment #4) > Can you please try this with libguestfs-1.27.56-1.1.el7? --selinux-relabel > should not be needed. > I try it with libguestfs-1.28.1-1.2.el7, virt-sysprep --password do not change the specify user's password in guest with or without --selinux-relabel option: #virt-sysprep --password lkong:password:redhat -a rhel7_kvm.img #virt-sysprep --selinux-relabel --password lkong:password:redhat -a rhel7_kvm.img Also i try it with libguestfs-1.27.43-1.1.el7 as Comment 3, it can not work this time. I try --root-password option it do not work well too. > (In reply to Lingfei Kong from comment #0) > > #virt-sysprep --operation net-hwaddr --password lkong:password:lkong -a > > rhel6.6.img > > [ 0.0] Examining the guest ... > > [ 5.0] Performing "net-hwaddr" ... > > This invocation basically enables only the "net-hwaddr" operation, and thus > the "customize" operation (which does the password changing) is not run. > This is similar to #1141157, so a similar fix should be done in the > "customize" operation. In bug 1141157, there have no fix related to this problem, in 1141157, virt-sysprep only replace --user-accounts option with --{remove, keep}-user-accounts. When "customize" operation along with '--operation/--operations' options is it right to ignore "customize" operation? Should i file a bug for this issue? I wanted to have a reliable reproducer of this. Below is what I've worked out. It works on either Fedora 21 or RHEL 7, except that on RHEL 7 you can to use /usr/libexec/qemu-kvm. ------------- $ virt-builder fedora-20 $ qemu-kvm -hda fedora-20.img -m 512 # verify that you can log in as root using the randomly generated # root password that is printed by virt-builder # then shut the guest down properly (/sbin/poweroff) $ virt-sysprep --root-password password:123456 -a fedora-20.img $ qemu-kvm -hda fedora-20.img -m 512 # verify that you can log in using root/123456 $ rm fedora-20.img ------------- This fails on RHEL 7.1. The reason is because the Augeas /etc/shadow lens isn't working / hasn't been backported. It sees the /etc/shadow file as if it was completely empty and just doesn't work at all from there. Assigning to Pino since he knows what's going on here. Now WFM with libguestfs-1.28.1-1.5.el7 using the reproducer instructions given in comment 7. Verify with libguestfs-1.28.1-1.9.el7 Steps to verify: 1. Prepare a guest image: rhel.img 2. # virt-sysprep --root-password password:123456 -a rhel.img 3. # qemu-kvm -m 1024M -smp 3 -drive file=$PWD/rhel.img -vnc :1 4. Access the guest via vncviewer, can login root account with '123456' password. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0303.html |