Bug 1147065

Summary: regression setting root password with virt-builder/virt-customize
Product: Red Hat Enterprise Linux 7
Reporter: Richard W.M. Jones <rjones>
Component: libguestfs
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: crobinso, extras-qa, lkong, mbooth, ptoscano, rjones, virt-maint, wshi, yuliu
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libguestfs-1.28.1-1.5.el7
Doc Type: Bug Fix
Clone Of: 1146275
Last Closed: 2015-03-05 13:45:42 UTC
Type: Bug
Bug Depends On: 1146275

Attachments:
output of command: virt-customize -a bbc.img --root-password password:testpassword3 -v -x (flags: none)
output of command: virt-customize -a bbc.img --password lkong:password:testpassword3 -v -x (flags: none)

Description Richard W.M. Jones 2014-09-26 18:38:56 UTC
+++ This bug was initially created as a clone of Bug #1146275 +++

Setting the root password with virt-customize and virt-builder doesn't seem to work with libguestfs-1.27.50. Tested against a virt-builder fedora-20 image.

It worked last week, so I downgraded arbitrarily to libguestfs-1.27.36, tried setting a password, and it worked. yum updated to latest, tried setting a password, and it failed, and the old password didn't work either.

--- Additional comment from Richard W.M. Jones on 2014-09-26 14:38:25 EDT ---

Something to do with now using Augeas to edit the /etc/shadow file?

Comment 2 Lingfei Kong 2014-09-29 02:51:49 UTC
Can reproduce with libguestfs-1.27.55-1.1.el7

Comment 5 Lingfei Kong 2014-10-23 06:10:43 UTC
Tested with libguestfs-1.28.1-1.2.el7: virt-customize/virt-builder --password/--root-password still do not work.

The following commands all failed to change the password of root or the specified user account.
virt-customize --selinux-relabel -a bbc.img --password lkong:password:testpassword3
virt-customize -a bbc.img --password lkong:password:testpassword3
virt-customize --selinux-relabel -a bbc.img --root-password password:testpassword3
virt-customize -a bbc.img --root-password password:testpassword3

The attachment is the -v -x output.

Comment 6 Lingfei Kong 2014-10-23 06:12:14 UTC
Created attachment 949652
output of command: virt-customize -a bbc.img --root-password password:testpassword3 -v -x

Comment 7 Lingfei Kong 2014-10-23 06:12:56 UTC
Created attachment 949653
output of command: virt-customize -a bbc.img --password lkong:password:testpassword3 -v -x

Comment 8 Pino Toscano 2014-10-23 09:25:13 UTC
(In reply to Lingfei Kong from comment #5)
> Test with libguestfs-1.28.1-1.2.el7 virt-customize/virt-builder
> --password/--root-password still no work.
> 
> The following command all failed to change the password of root or the
> specify user account.
> virt-customize --selinux-relabel -a bbc.img --password
> lkong:password:testpassword3
> virt-customize -a bbc.img --password lkong:password:testpassword3
> virt-customize --selinux-relabel -a bbc.img --root-password
> password:testpassword3
> virt-customize -a bbc.img --root-password password:testpassword3
> 
> The attachment is the -v -x output.

| libguestfs: trace: aug_ls "/files/etc/shadow"
| guestfsd: main_loop: proc 16 (aug_init) took 2.53 seconds
| guestfsd: main_loop: new request, len 0x40
| guestfsd: main_loop: proc 28 (aug_ls) took 0.00 seconds
| libguestfs: trace: aug_ls = []

I guess you are using augeas-libs >= 1.1.0-16.el7, right?
Since that version, augeas provides the lenses for /etc/shadow and /etc/lvm, thus creating a conflict since two lenses can act on /etc/shadow.

Rich, I guess we should disable our lenses, and bump the augeas requirement to the version above.

Comment 9 Richard W.M. Jones 2014-10-23 09:26:35 UTC
(In reply to Pino Toscano from comment #8)
> (In reply to Lingfei Kong from comment #5)
> > Test with libguestfs-1.28.1-1.2.el7 virt-customize/virt-builder
> > --password/--root-password still no work.
> > 
> > The following command all failed to change the password of root or the
> > specify user account.
> > virt-customize --selinux-relabel -a bbc.img --password
> > lkong:password:testpassword3
> > virt-customize -a bbc.img --password lkong:password:testpassword3
> > virt-customize --selinux-relabel -a bbc.img --root-password
> > password:testpassword3
> > virt-customize -a bbc.img --root-password password:testpassword3
> > 
> > The attachment is the -v -x output.
> 
> | libguestfs: trace: aug_ls "/files/etc/shadow"
> | guestfsd: main_loop: proc 16 (aug_init) took 2.53 seconds
> | guestfsd: main_loop: new request, len 0x40
> | guestfsd: main_loop: proc 28 (aug_ls) took 0.00 seconds
> | libguestfs: trace: aug_ls = []
> 
> I guess you are using augeas-libs >= 1.1.0-16.el7, right?
> Since that version, augeas provides the lenses for /etc/shadow and /etc/lvm,
> thus creating a conflict since two lenses can act on /etc/shadow.
> 
> Rich, I guess we should disable our lenses, and bump the augeas requirement
> to the version above.

Definitely YES.  Does this remove all the Augeas lenses that we
are shipping?  That should be the goal ..

Comment 10 Pino Toscano 2014-10-23 09:44:23 UTC
(In reply to Richard W.M. Jones from comment #9)
> (In reply to Pino Toscano from comment #8)
> > (In reply to Lingfei Kong from comment #5)
> > > Test with libguestfs-1.28.1-1.2.el7 virt-customize/virt-builder
> > > --password/--root-password still no work.
> > > 
> > > The following command all failed to change the password of root or the
> > > specify user account.
> > > virt-customize --selinux-relabel -a bbc.img --password
> > > lkong:password:testpassword3
> > > virt-customize -a bbc.img --password lkong:password:testpassword3
> > > virt-customize --selinux-relabel -a bbc.img --root-password
> > > password:testpassword3
> > > virt-customize -a bbc.img --root-password password:testpassword3
> > > 
> > > The attachment is the -v -x output.
> > 
> > | libguestfs: trace: aug_ls "/files/etc/shadow"
> > | guestfsd: main_loop: proc 16 (aug_init) took 2.53 seconds
> > | guestfsd: main_loop: new request, len 0x40
> > | guestfsd: main_loop: proc 28 (aug_ls) took 0.00 seconds
> > | libguestfs: trace: aug_ls = []
> > 
> > I guess you are using augeas-libs >= 1.1.0-16.el7, right?
> > Since that version, augeas provides the lenses for /etc/shadow and /etc/lvm,
> > thus creating a conflict since two lenses can act on /etc/shadow.
> > 
> > Rich, I guess we should disable our lenses, and bump the augeas requirement
> > to the version above.
> 
> Definitely YES.  Does this remove all the Augeas lenses that we
> are shipping?

By the look of it, since that Augeas version.

Comment 11 Lingfei Kong 2014-10-23 09:58:10 UTC
(In reply to Pino Toscano from comment #8)
> | libguestfs: trace: aug_ls "/files/etc/shadow"
> | guestfsd: main_loop: proc 16 (aug_init) took 2.53 seconds
> | guestfsd: main_loop: new request, len 0x40
> | guestfsd: main_loop: proc 28 (aug_ls) took 0.00 seconds
> | libguestfs: trace: aug_ls = []
> 
> I guess you are using augeas-libs >= 1.1.0-16.el7, right?
> Since that version, augeas provides the lenses for /etc/shadow and /etc/lvm,
> thus creating a conflict since two lenses can act on /etc/shadow.
> 

Yes, the version on the test machine is augeas-libs-1.1.0-16.el7. There is a lens for shadow as you say:
#rpm -ql augeas-libs-1.1.0-16.el7 |grep shadow
/usr/share/augeas/lenses/dist/shadow.aug

Where can I find the lenses that are provided by libguestfs?

Thanks :-)

Comment 12 Richard W.M. Jones 2014-10-24 15:41:02 UTC
(In reply to Lingfei Kong from comment #11)
> (In reply to Pino Toscano from comment #8)
> > | libguestfs: trace: aug_ls "/files/etc/shadow"
> > | guestfsd: main_loop: proc 16 (aug_init) took 2.53 seconds
> > | guestfsd: main_loop: new request, len 0x40
> > | guestfsd: main_loop: proc 28 (aug_ls) took 0.00 seconds
> > | libguestfs: trace: aug_ls = []
> > 
> > I guess you are using augeas-libs >= 1.1.0-16.el7, right?
> > Since that version, augeas provides the lenses for /etc/shadow and /etc/lvm,
> > thus creating a conflict since two lenses can act on /etc/shadow.
> > 
> 
> Yes, the version in the test machine is augeas-libs-1.1.0-16.el7. There is a
> lense for shadow as you say:
> #rpm -ql augeas-libs-1.1.0-16.el7 |grep shadow
> /usr/share/augeas/lenses/dist/shadow.aug
> 
> Where i can find the lenses that provide by libguestfs? 
> 
> Thanks :-)

$ virt-rescue --scratch
><rescue> ls /usr/share/guestfs/
guestfs_lvm_conf.aug  guestfs_shadow.aug

Note that I'm just about to patch libguestfs so it doesn't use
these, although they'll still be sitting in the appliance.
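
Added example, not part of the original thread and not libguestfs or Augeas code: a heuristic scan that reports when more than one autoloaded lens claims the same file, which is the condition comment 8 identifies behind the empty aug_ls result. The lens stubs are constructed; only the two directory paths and the file names come from this page, and the module names, regexes and fnmatch-based glob matching are assumptions.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

COMMENT = re.compile(r"\(\*.*?\*\)", re.S)       # Augeas (* ... *) comments (non-nested)
MODULE = re.compile(r"\bmodule\s+(\w+)\s*=")
AUTOLOAD = re.compile(r"\bautoload\s+\w+")
INCL = re.compile(r'\bincl\s+"([^"]+)"')         # paths a lens filter includes

def lens_claims(aug_file):
    """Return (module name, incl patterns) for an autoloaded lens, else None."""
    text = COMMENT.sub("", Path(aug_file).read_text())
    mod = MODULE.search(text)
    if not mod or not AUTOLOAD.search(text):
        return None
    return mod.group(1), INCL.findall(text)

def lenses_for(target, lens_dirs):
    """Map module name -> lens file for each autoloaded lens whose filter matches target."""
    hits = {}
    for d in lens_dirs:
        for f in sorted(Path(d).glob("*.aug")):
            claim = lens_claims(f)
            # fnmatch only approximates Augeas glob semantics (assumption)
            if claim and any(fnmatch.fnmatch(target, p) for p in claim[1]):
                hits[claim[0]] = str(f)
    return hits

def demo():
    """Constructed lens stubs laid out under the two directories named in this bug."""
    stub = ('module {m} =\n  autoload xfm\n  (* constructed stub *)\n'
            '  let filter = incl "{p}"\n  let xfm = transform lns filter\n')
    with tempfile.TemporaryDirectory() as root:
        dist = Path(root, "usr/share/augeas/lenses/dist")
        gfs = Path(root, "usr/share/guestfs")
        dist.mkdir(parents=True)
        gfs.mkdir(parents=True)
        (dist / "shadow.aug").write_text(stub.format(m="Shadow", p="/etc/shadow"))
        (gfs / "guestfs_shadow.aug").write_text(stub.format(m="Guestfs_shadow", p="/etc/shadow"))
        (gfs / "guestfs_lvm_conf.aug").write_text(stub.format(m="Guestfs_lvm_conf", p="/etc/lvm/lvm.conf"))
        both = lenses_for("/etc/shadow", [dist, gfs])   # two lenses: the conflict
        only_dist = lenses_for("/etc/shadow", [dist])   # guestfs lenses not on the load path
        return sorted(both), sorted(only_dist)

if __name__ == "__main__":
    print(demo())
```

More than one module name in the result for a path means that file is claimed twice; pass the real lens directories in place of the temporary tree to check an installed system.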

Comment 14 Lingfei Kong 2014-11-11 08:32:03 UTC
Verified with libguestfs-1.28.1-1.9.el7

Steps to verify:
1. Prepare a guest image: rhel.img

2. # virt-customize -a rhel.img --root-password password:testpassword3

3. # qemu-kvm  -m 1024M -smp 3 -drive file=$PWD/rhel.img -vnc :1

4. Access the guest via vncviewer; can log in to the root account with the password 'testpassword3'.

The same steps apply to virt-builder.

Comment 16 errata-xmlrpc 2015-03-05 13:45:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0303.html