Bug 1174177
| Summary: | RFE: provide API for setting root/administrator account password via QEMU guest agent | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Berrangé <berrange> |
| Component: | libvirt | Assignee: | Ján Tomko <jtomko> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | amedeo.salvati, dyuan, jherrman, jraju, jsuchane, jtomko, lhuang, pablo.iranzo, rbalakri, sferdjao, shyu, virt-bugs, virt-maint, zhwang |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-1.2.16-1.el7 | Doc Type: | Enhancement |
| Doc Text: | The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the administrator, when using QEMU-KVM. | Story Points: | --- |
| Clone Of: | 1174176 | Environment: | |
| Last Closed: | 2015-11-19 05:58:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1174176, 1174181, 1303906 | ||
| Bug Blocks: | 978365, 1154205, 1261100 | ||
Description
Daniel Berrangé
2014-12-15 10:22:31 UTC
Proposed upstream patches: https://www.redhat.com/archives/libvir-list/2015-May/msg00562.html

Now pushed upstream:

commit 886f43ad781ca58b8f87010c1f7d94fa5d9bbc4a
Author: Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:24:02 +0200

    qemu: wire up virDomainSetUserPassword

    Base-64 encode the password and pass it to the guest agent
    via the 'guest-set-user-password' command.

    https://bugzilla.redhat.com/show_bug.cgi?id=1174177

commit 9bcadfabaa95d6955b209f071b038af08abed434
Author: Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:21:55 +0200

    virsh: add set-user-password command

    Expose the virDomainSetUserPassword API in virsh:
    virsh set-user-password dom user 123456

commit e8982c88bd949e634075b3cc3549beddc9821683
Author: Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:04:01 +0200

    Introduce virDomainSetUserPassword API

    For setting passwords of users inside the domain.

    With the VIR_DOMAIN_PASSWORD_ENCRYPTED flag set, the password
    is assumed to be already encrypted by the method required
    by the guest OS.

    https://bugzilla.redhat.com/show_bug.cgi?id=1174177

git describe: v1.2.15-126-g886f43a
Verify this bug with libvirt-1.2.17-2.el7.x86_64, found 1 issue: login to the guest fails after setting a user's password with the --encrypted option. Can you help check it? Thanks.

pkginfo
kernel-3.10.0-300.el7.x86_64
libvirt-1.2.17-2.el7.x86_64
qemu-kvm-rhev-2.3.0-13.el7.x86_64

guest info
qemu-guest-agent-2.3.0-2.el7.x86_64.rpm

steps
1. Prepare a guest with guest agent configured.

2. Set SELinux to permissive mode inside the guest.
    guest#setenforce 0

3. Set root password of guest to 'redhat' inside guest OS.
    guest#password redhat

4. Log in to the guest from the host with the new password; login succeeds.
    #ssh root@guest_ip

5. Change root password of guest to '123456' with the qemu agent command.
    # virsh set-user-password virt-tests-vm1 --user root --password 123456
    Password set successfully for root in virt-tests-vm1

6. Log in to the guest; login succeeds with the new password and fails with the previous password.
    #ssh root@guest_ip

7. Change root password of guest to '111111' with the qemu agent command with the --encrypted option, then log in to the guest; login fails with the new password, and with the previous password as well.
    # virsh set-user-password virt-tests-vm1 --user root --password 111111 --encrypted
    Password set successfully for root in virt-tests-vm1
    # ssh root@guest_ip
    root@guest_ip's password:
    Permission denied, please try again.
    root@guest_ip's password:
    Permission denied, please try again.
    root@guest_ip's password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

From the virsh manual page:
If --encrypted is specified, the password is assumed to be already encrypted by the method required by the guest OS.
For a Linux guest, crypt(3) is the method that generates passwords suitable for writing into the password entry in /etc/shadow.
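
A pre-flight check for the mix-up discussed above, as an added example that is not part of the original bug report or of libvirt: it rejects a value marked as already encrypted unless it is shaped like a crypt(3) string, then builds the base64-encoded `guest-set-user-password` agent command. The function names, the list of accepted schemes and the sample values are assumptions of this example.

```python
import base64
import json
import re

C = r"[./0-9A-Za-z]"  # crypt(3) hash alphabet
# Assumption of this example: the guest's crypt(3) accepts these four schemes.
_SCHEMES = [
    ("des", re.compile(rf"^{C}{{13}}$")),
    ("md5", re.compile(rf"^\$1\${C}{{0,8}}\${C}{{22}}$")),
    ("sha256", re.compile(rf"^\$5\$(rounds=\d+\$)?{C}{{0,16}}\${C}{{43}}$")),
    ("sha512", re.compile(rf"^\$6\$(rounds=\d+\$)?{C}{{0,16}}\${C}{{86}}$")),
]
# Traditional DES crypt uses only the first 8 password characters; MD5 crypt is dated.
WEAK_SCHEMES = {"des", "md5"}


def classify_crypt(value):
    """Return the crypt(3) scheme a string is shaped like, or None."""
    for name, pattern in _SCHEMES:
        if pattern.match(value):
            return name
    return None


def build_set_password_command(username, secret, crypted=False):
    """Build the guest-agent JSON command; refuse plaintext marked as crypted."""
    if crypted and classify_crypt(secret) is None:
        raise ValueError("crypted=True, but the value is not a crypt(3) string; "
                         "the guest would store it as an unusable hash")
    return json.dumps({
        "execute": "guest-set-user-password",
        "arguments": {
            "username": username,
            # The agent expects the password (or hash) base64-encoded.
            "password": base64.b64encode(secret.encode()).decode(),
            "crypted": crypted,
        },
    })


if __name__ == "__main__":
    des_sample = "abJnggxhB/yWI"                    # constructed, 13 characters
    sha512_sample = "$6$examplesalt$" + "A" * 86    # constructed shape, not a real hash
    for candidate in ("111111", des_sample, sha512_sample):
        scheme = classify_crypt(candidate)
        print(candidate[:20], scheme, "weak" if scheme in WEAK_SCHEMES else "")
    print(build_set_password_command("root", sha512_sample, crypted=True))
```

A shape check cannot tell a 13-character alphanumeric plaintext from a DES crypt string, so it catches mistakes like the `111111` case above but not every one.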
Thanks for Jan's reply, the following are my complete verification steps. All my following test steps were run under SELinux permissive mode since bugs 1243458 and 1243459 haven't been fixed yet.

Scenario 1
Set the guest's password without the --encrypted option

1. Prepare a running guest with guest agent configured.

2. Create a normal user for the guest.
    #useradd test1

3. Change the guest's password for the root user.
    # virsh set-user-password virt-tests-vm1 --user root --password 1A2b3c4#
    Password set successfully for root in virt-tests-vm1

4. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

5. Change the guest's password for the test1 user.
    # virsh set-user-password virt-tests-vm1 --user test1 --password 3@QWE12a
    Password set successfully for test1 in virt-tests-vm1

6. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

7. Set the guest's password without the --user, --password options; the password is set successfully.
    # virsh set-user-password virt-tests-vm1 test1 3@QWE12b

8. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

Scenario 2
Set the guest's password with the --encrypted option

1. Prepare a running guest with guest agent configured.

2. Create a normal user for the guest.
    #useradd test1

3. Crypt the guest's password before setting it.
    # openssl passwd -crypt 1A2b3c4#
    2aXYYJmeGWrbU
    # virsh set-user-password virt-tests-vm1 --user root --password 2aXYYJmeGWrbU --encrypted

4. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

5. Crypt the guest's password before setting it.
    # openssl passwd -crypt 3@QWE12a
    D1uzez4R9JWE.
    # virsh set-user-password virt-tests-vm1 --user test1 --password D1uzez4R9JWE. --encrypted
    Password set successfully for test1 in virt-tests-vm1

6. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

7. Set the guest's password with --encrypted but without the --user, --password options; the password is set successfully.
    # openssl passwd -crypt 3@QWE12c
    zVTbPXj7udwRE
    # virsh set-user-password virt-tests-vm1 test1 --password zVTbPXj7udwRE --encrypted
    Password set successfully for test1 in virt-tests-vm1

8. Log in to the guest with the previous password: login fails. Log in to the guest with the new password: login succeeds.

Scenario 3

1. Stop the guest agent service inside the guest, then set the password for the guest; the expected error is returned.
    # virsh set-user-password virt-tests-vm1 root --password redhat
    error: Guest agent is not responding: QEMU guest agent is not connected
    # virsh set-user-password virt-tests-vm1 root --password redhat --encrypted
    error: Guest agent is not responding: QEMU guest agent is not connected

2. Start the guest agent service; re-running the commands above succeeds.

Scenario 4

1. Run the command in read-only mode; the expected error is returned.
    # virsh -r set-user-password virt-tests-vm1 root --password redhat --encrypted
    error: operation forbidden: read only access prevents virDomainSetUserPassword

2. Enable ACL in libvirtd.conf, then set the password for the guest; access is denied for the normal user.
    #cat /etc/libvirt/libvirtd.conf
    access_drivers = [ "polkit" ]
    auth_unix_rw = "none"
    unix_sock_rw_perms = "0777"
    #systemctl restart libvirtd
    #ssh test1@host_ip
    test1$ virsh -c qemu:///system
    virsh # set-user-password virt-tests-vm1 root --password redhat --encrypte
    error: command 'set-user-password' doesn't support option --encrypte
    virsh # set-user-password virt-tests-vm1 root --password redhat
    error: access denied
    virsh # set-user-password virt-tests-vm1 root --password redhat
    error: access denied

3. Configure the rules for the user test1.
    ## cat /etc/polkit-1/rules.d/100-libvirt-acl.rules
    polkit.addRule(function(action, subject) {
        if (action.id == "org.libvirt.api.domain.set-password" &&
            subject.user == "test1") {
            if (action.lookup("connect_driver") == 'QEMU' &&
                action.lookup("domain_name") == 'virt-tests-vm1') {
                return polkit.Result.YES;
            } else {
                return polkit.Result.NO;
            }
        }
    });

4. Reset the guest's password with the normal user; the password is set successfully.
    #ssh test1@host_ip
    test1$ virsh -c qemu:///system
    virsh # set-user-password virt-tests-vm1 root --password redhat --encrypted
    Password set successfully for test1 in virt-tests-vm1
    virsh # set-user-password virt-tests-vm1 root --password 123456
    Password set successfully for test1 in virt-tests-vm1

Hi Jan, all the functions work as expected in this bug, as described in comment 9, and I think it would be better if we could improve the following error. What do you think about it? Thanks.

    # virsh set-user-password virt-tests-vm1 --user user1 --password redhat
    error: internal error: unable to execute QEMU agent command 'guest-set-user-password': child process has failed to set user password

I lost something in comment 10: the user "user1" was a non-existing user, and we had better get a clear error when setting the password for a non-existing user inside the guest.

The error would need to be improved in qemu-guest-agent, as libvirt has no knowledge of guest user accounts. The message 'child process has failed to set user password' already comes from qemu-guest-agent, so any improvement of the error in the guest agent would be picked up by libvirt.

Thanks, so I filed a new bug 1247822 to track that issue and marked this bug verified according to comment 9.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html