Bug 1174181

Summary: RFE: provide QEMU guest agent command for setting root account password (Linux guest)
Product: Red Hat Enterprise Linux 6 Reporter: Daniel Berrangé <berrange>
Component: qemu-kvmAssignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact: Jiri Herrmann <jherrman>
Priority: high    
Version: 6.7CC: ailan, amedeo.salvati, areis, berrange, chayang, jherrman, jraju, juzhang, knoel, marcandre.lureau, mkenneth, rbalakri, rpacheco, salmy, virt-bugs, virt-maint, weliao, zhguo
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.490.el6 Doc Type: Release Note
Doc Text:
Setting the account password is now possible for any guest user The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the root, when using QEMU and KVM.
 Story Points: ---
Clone Of: 1174176
: 1303906 1313887 (view as bug list) Environment:
Last Closed: 2016-05-10 20:56:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1174176    
Bug Blocks: 978365, 1172231, 1174177, 1261100, 1303906, 1313887    

Description Daniel Berrangé 2014-12-15 10:24:28 UTC 
+++ This bug was initially created as a clone of Bug #1174176 +++

Description of problem:
OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery. eg they have lost access to a VM (eg due to network mis-configuration). Unlocking root account console logins by setting a root password is their last ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

 'set-administrator-password --iscrypted CRYPTED_PASSWORD'
 'set-administrator-password RAW_PASSWORD'

Note I'm following example from kickstart files, where you allow provision of both the raw password, or a pre-encrypted/salted string. The latter is generally preferrable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.
Comment 2 Marc-Andre Lureau 2015-07-03 10:11:19 UTC 
I am looking at backport
Comment 3 Marc-Andre Lureau 2015-12-01 15:55:03 UTC 
patch backport ready, adding devel+
Comment 5 Jeff Nelson 2016-01-18 21:50:03 UTC 
Fix included in qemu-kvm-0.12.1.2-2.484.el6
Comment 7 weliao 2016-01-27 09:19:59 UTC 
Test this bug using the following version:
Host:
2.6.32-607.el6.x86_64
qemu-kvm-0.12.1.2-2.485.el6.x86_64

Guest:
2.6.32-595.el6.x86_64
qemu-guest-agent-0.12.1.2-2.485.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel6.8 -machine pc  -drive id=drive_image1,if=none,cache=none,snapshot=off,format=qcow2,file=/mnt/RHEL-Server-6.7-64-virtio.qcow2 -device virtio-blk-pci,id=image1,drive=drive_image1,bus=pci.0,bootindex=0 -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,mac=52:54:25:93:79:67,id=net0  -m 2048 -smp 4,maxcpus=8,cores=4,threads=1,sockets=1 -cpu SandyBridge -boot menu=on -enable-kvm -qmp tcp:0:5556,nowait,server -monitor stdio -spice port=5901,disable-ticketing -global qxl-vga.vram_size=67108864 -vga qxl -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0


2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
#echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"
Comment 8 weliao 2016-01-28 04:31:06 UTC 
Tested with win10 guest and install virtio-win-1.7.5-0.el6 provide qemu-ga-x64, seems windows guest didn't support set password by qemu-guest-agent.


# nc -U /tmp/qga.sock
{"execute":"guest-info"}
{"return": {"version": "0.12.1", "supported_commands": [{"enabled": true, "name": "guest-set-vcpus"}, {"enabled": true, "name": "guest-get-vcpus"}, {"enabled": true, "name": "guest-network-get-interfaces"}, {"enabled": true, "name": "guest-suspend-hybrid"}, {"enabled": true, "name": "guest-suspend-ram"}, {"enabled": true, "name": "guest-suspend-disk"}, {"enabled": true, "name": "guest-fstrim"}, {"enabled": true, "name": "guest-fsfreeze-thaw"}, {"enabled": true, "name": "guest-fsfreeze-freeze"}, {"enabled": true, "name": "guest-fsfreeze-status"}, {"enabled": true, "name": "guest-file-flush"}, {"enabled": true, "name": "guest-file-seek"}, {"enabled": true, "name": "guest-file-write"}, {"enabled": true, "name": "guest-file-read"}, {"enabled": true, "name": "guest-file-close"}, {"enabled": true, "name": "guest-file-open"}, {"enabled": true, "name": "guest-shutdown"}, {"enabled": true, "name": "guest-info"}, {"enabled": true, "name": "guest-set-time"}, {"enabled": true, "name": "guest-get-time"}, {"enabled": true, "name": "guest-ping"}, {"enabled": true, "name": "guest-sync"}, {"enabled": true, "name": "guest-sync-delimited"}]}}

{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"cmVkaGF0"}}
{"error": {"desc": "The command guest-set-user-password has not been found"}}
Comment 15 Jeff Nelson 2016-02-29 18:54:09 UTC 
Fix included in qemu-kvm-0.12.1.2-2.490.el6
Comment 17 weliao 2016-03-01 07:43:47 UTC 
Test this bug using the following version:
Host:
2.6.32-621.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-615.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name aaa  -M rhel6.6.0 -enable-kvm -m 4096  -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 8f751f99-1dc9-c004-2b1a-595876325a48 -nodefconfig -nodefaults  -rtc base=utc -no-shutdown -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -drive file=/home/RHEL-Server-6.8-64-virtio.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:b7:eb:79,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5900,disable-ticketing -vga qxl -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on -monitor stdio -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
#echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"

so, for linux guest, this bug fixed.
Comment 19 Guo, Zhiyi 2016-03-22 09:12:44 UTC 
Test this bug using the following version:
Host:
2.6.32-633.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-633.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel -m 2048 -machine pc,accel=kvm -cpu SandyBridge -smp 2,cores=1,threads=1,sockets=1,maxcpus=4 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -drive file=/home/images/80g.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -vga qxl -monitor stdio -spice port=3001,disable-ticketing -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
#echo -n "HLGUSfQ2hF5Wg" | base64
Wm0xRGF5SEZGem95cw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"Wm0xRGF5SEZGem95cw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"
Comment 21 errata-xmlrpc 2016-05-10 20:56:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0815.html