Bug 1174176

Summary: RFE: provide QEMU guest agent command for setting root/administrator account password
Product: Red Hat Enterprise Linux 7
Reporter: Daniel Berrangé <berrange>
Component: qemu-guest-agent
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: areis, dyuan, hhuang, huding, jherrman, jraju, jsuchane, jtomko, juzhang, marcandre.lureau, mrezanin, ovasik, pablo.iranzo, rbalakri, virt-maint, xfu, zhwang
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-guest-agent-2.3.0-1.el7
Doc Type: Enhancement
Doc Text:
The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the administrator, when using QEMU-KVM.
Story Points: ---
Clone Of:
: 1174177 1174181
Environment:
Last Closed: 2015-11-19 07:09:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1194152, 1243458, 1243459
Bug Blocks: 978365, 1154205, 1174177, 1174181, 1205796, 1249582, 1261100, 1303906, 1313887

Description Daniel Berrangé 2014-12-15 10:21:35 UTC
Description of problem:
OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery, e.g. they have lost access to a VM (e.g. due to network mis-configuration). Unlocking root account console logins by setting a root password is their last-ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

 'set-administrator-password --iscrypted CRYPTED_PASSWORD'
 'set-administrator-password RAW_PASSWORD'

Note I'm following the example from kickstart files, where you allow provision of both the raw password, or a pre-encrypted/salted string. The latter is generally preferable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.

Comment 2 Daniel Berrangé 2014-12-15 13:13:36 UTC
Here is a proof of concept implementation for modern Linux guests (e.g. I tested it on Fedora 21):

http://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg02131.html

I've not checked whether it would work for older Linux (RHEL-6), and it also needs someone with Windows knowledge to provide the Win32 impl.

Comment 4 Ján Tomko 2015-05-18 12:53:01 UTC
I have tried the command implemented by
commit 215a2771a7b6b29037ee8deba484815d816b6fdd
    qga: add guest-set-user-password command

on Fedora 22 Beta (qemu-guest-agent-2.3.0-0.2.rc1.fc22.x86_64)

And it fails with SELinux enforcing:
type=AVC msg=audit(1431952168.903:567): avc:  denied  { write } for  pid=2097 comm="chpasswd" name=".pwd.lock" dev="vda1" ino=33595649 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Is it even possible to make this function work with SELinux?

Comment 5 Daniel Berrangé 2015-05-18 12:57:11 UTC
Every new function added to qemu guest agent typically needs an addition to the SELinux policy to allow it, so it is not surprising that you see an AVC currently.

Comment 7 Ademar Reis 2015-06-16 15:59:29 UTC
We have it upstream. Pending tasks:

 - Backport to 7.2
 - Create the SELinux Policy (we need a new BZ)

Libvirt support is already there.

Comment 8 Marc-Andre Lureau 2015-07-03 10:07:52 UTC
I am looking at the backport for 7.2

Comment 9 Marc-Andre Lureau 2015-07-07 15:52:54 UTC
qemu-guest-agent has been rebased to 2.3 in 7.2, see dep bug 1194152

Comment 17 huiqingding 2015-08-07 09:58:23 UTC
Test this bug using the following versions:
Host:
kernel-3.10.0-302.el7.x86_64
qemu-kvm-rhev-2.3.0-15.el7.x86_64

RHEL7.2 guest:
kernel-3.10.0-302.el7.x86_64
qemu-guest-agent-2.3.0-2.el7.x86_64

1. boot guest:
 /usr/libexec/qemu-kvm -cpu SandyBridge -machine pc-i440fx-rhel7.2.0 -enable-kvm -m 4096 -smp 2,sockets=1,cores=2,threads=1 -name rhel7base  -drive file=/home/rhel7.2.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=stop,rerror=stop,aio=native,cache.direct=on -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -boot menu=on -monitor stdio -netdev tap,id=hostnet0,vhost=on,script=/etc/ovs-ifup,downscript=/etc/ovs-downscript -device virtio-net-pci,netdev=hostnet0,mac=52:54:00:c6:4b:15,id=test -nodefaults -nodefconfig -spice port=5910,seamless-migration=on,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x9 -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtserialport,bus=virtio-serial0.0,chardev=qga0,id=org.qemu.guest_agent.0,name=org.qemu.guest_agent.0 -qmp tcp:0:6666,server,nowait

2. start qemu-guest-agent service inside guest
# service qemu-guest-agent start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
#  openssl passwd -crypt newnew
DkJgpBjhzSbHM
# echo -n "DkJgpBjhzSbHM" | base64
RGtKZ3BCamh6U2JITQ==
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"RGtKZ3BCamh6U2JITQ=="}}

Actual result:
after step 3, inside the guest, checked that the root password was changed to "new"
after step 4, inside the guest, checked that the root password was changed to "newnew"
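The manual `nc -U /tmp/qga.sock` session in comment 17 can be reproduced from a small host-side script. The following is an added example, not code from the bug report, from QEMU or from libvirt: it builds the `guest-set-user-password` command exactly as the agent expects it (the raw or pre-hashed password base64-encoded in the `password` field), sends it over the agent's UNIX socket and parses the reply. It also shows the point made in the description about preferring the crypted form: a helper refuses to log the command when `crypted` is false, since the base64 field would otherwise leak the plaintext. The socket path `/tmp/qga.sock` is the one from the test in comment 17; the helper names and the `looks_crypted` heuristic are this example's own assumptions.

```python
import base64
import json
import re
import socket

# Added example (not part of the bug report or of QEMU): drive the
# guest-set-user-password command over the QGA chardev socket on the host.

QGA_SOCKET = "/tmp/qga.sock"  # path from the -chardev in comment 17

# crypt(3) output is either a 13-character traditional DES string or a
# "$id$salt$hash" string (e.g. $6$ for sha512crypt). Heuristic only.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")


def looks_crypted(password):
    """Sanity check before sending crypted=true: does this look like a crypt(3) hash?"""
    return bool(_DES_CRYPT.match(password) or _MODULAR_CRYPT.match(password))


def build_set_password_command(username, password, crypted):
    """Return the QGA command as a dict. The agent wants the password field
    base64-encoded whether it carries a raw password or a crypt(3) hash."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    return {
        "execute": "guest-set-user-password",
        "arguments": {
            "crypted": bool(crypted),
            "username": username,
            "password": base64.b64encode(password).decode("ascii"),
        },
    }


def encode_command(cmd):
    """Serialise to one newline-terminated JSON line, the form the agent reads."""
    return json.dumps(cmd, separators=(",", ":")) + "\n"


def redact_for_log(cmd):
    """Copy of the command safe to write to a log: a raw (crypted=false)
    password is replaced, a crypt hash is left in place as the reporter suggests."""
    safe = json.loads(json.dumps(cmd))  # deep copy
    args = safe.get("arguments", {})
    if "password" in args and not args.get("crypted", False):
        args["password"] = "<redacted>"
    return safe


def send_qga_command(sock_path, cmd, timeout=10.0):
    """Send one command to the agent socket and return the parsed reply:
    {"return": {}} on success or {"error": {...}} on failure."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(encode_command(cmd).encode("ascii"))
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return json.loads(buf.decode("utf-8"))


if __name__ == "__main__":
    # Pre-hashed form, mirroring step 4 of comment 17 (hash constructed there
    # with `openssl passwd -crypt newnew`).
    crypted_hash = "DkJgpBjhzSbHM"
    assert looks_crypted(crypted_hash)
    cmd = build_set_password_command("root", crypted_hash, crypted=True)
    print("sending:", encode_command(redact_for_log(cmd)).strip())
    print("reply:", send_qga_command(QGA_SOCKET, cmd))
```

On the host, the reply `{"return": {}}` means the agent ran `chpasswd` successfully; an `{"error": ...}` reply with the SELinux denial seen in comment 4 is what an agent running without the updated policy returns.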

Comment 18 juzhang 2015-08-10 05:43:07 UTC
According to comment17, set this issue as verified.

Comment 20 errata-xmlrpc 2015-11-19 07:09:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2217.html