Bug 1307094
Summary: | Passwords disappear from domain XML passed to virDomainRestoreFlags or virDomainSaveImageDefineXML
---|---
Product: | Red Hat Enterprise Linux 6
Reporter: | Jiri Denemark <jdenemar>
Component: | libvirt
Assignee: | Jiri Denemark <jdenemar>
Status: | CLOSED ERRATA
QA Contact: | Virtualization Bugs <virt-bugs>
Severity: | urgent
Priority: | urgent
Version: | 6.7
CC: | bmcclain, dyuan, fjin, fromani, jdenemar, jherrman, jsuchane, knoel, michal.skrivanek, mkolaja, mzhan, pkrempa, rbalakri, rhodain, salmy, security-response-team, tlavigne, virt-bugs
Target Milestone: | rc
Keywords: | ZStream
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | libvirt-0.10.2-59.el6
Doc Type: | Bug Fix
Doc Text: | Prior to this update, the libvirt service in some cases removed the password for the SPICE client from the domain XML file after modifying the file and restoring the domain. As a consequence, anyone was able to connect to the SPICE client without password authentication. With this update, the code that updates XML configuration of a saved domain uses correct internal options to avoid removing passwords. As a result, users can change the XML file of a saved domain without the risk of losing set-up passwords.
Clone Of: | 1254164
: | 1310747
Last Closed: | 2016-05-10 19:26:13 UTC
Type: | Bug
Bug Depends On: | 1254164
Bug Blocks: | 1305530, 1310747
Description
Jiri Denemark
2016-02-12 17:10:09 UTC
Could reproduce the bug with libvirt-0.10.2-56.el6.x86_64 with the steps in comment 0.

The following were my verification steps.

Scenario 1

1. Prepare a running guest with vnc & spice configured

    # virsh dumpxml aa --security-info
    --
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1' passwd='123456'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1' passwd='111111'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>

2. Save the guest

    # virsh save aa aa.save

3. Check the password is present in the save file

    # virsh save-image-dumpxml aa.save --security-info
    --
    <graphics type='spice' autoport='yes' passwd='123456'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='111111'/>

4. Change the password for spice or vnc, then save the edit

    # virsh save-image-edit aa.save
    --
    <graphics type='spice' autoport='yes' passwd='222222'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='111111'/>
    :wq

5. Check the password is present in the save file

    # virsh save-image-dumpxml aa.save --security-info
    <graphics type='spice' autoport='yes' passwd='222222'/>
    <graphics type='vnc' port='-1' autoport='yes' passwd='111111'/>

6. Restore the guest and check the password is still present in the guest's xml

    # virsh restore aa.save
    # virsh dumpxml aa --security-info
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1' passwd='222222'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1' passwd='111111'>
      <listen type='address' address='127.0.0.1'/>

7. Connect to the guest with remote-viewer, the new password works

    # remote-viewer spice://127.0.0.1:5900
    # remote-viewer vnc://127.0.0.1:5901

8. Restart the libvirtd service, could still get the expected result

Scenario 2

1. Prepare the migration env with shared storage on the nfs server

2. Prepare a running guest on the source host

    # virsh dumpxml aa --security-info
    --
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1' passwd='123456'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1' passwd='111111'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>

3. Dump the guest's xml and modify the spice or vnc password in the guest's xml

    # virsh dumpxml aa --security-info >aa.xml
    # vim aa.xml

4. Migrate the guest with the modified guest's xml, guest could migrate successfully

    # virsh migrate --live aa --xml aa.xml qemu+ssh://$dest_ip/system --verbose

5. After migration finished, check the guest's password changed and is present

    # virsh dumpxml aa --security-info
    # virsh dumpxml aa --migratable

6. Connect to the guest with remote-viewer, the new password works

    # remote-viewer spice://127.0.0.1:5900
    # remote-viewer vnc://127.0.0.1:5901

According to the above steps, mark this bug verified.

Forgot to offer the verified libvirt version, list it here:
libvirt-0.10.2-57.el6.x86_64

Hi Jiri,

Found 1 issue: libvirtd will crash while restoring a guest with the host-passthrough cpu model in the guest's xml, please help check, thanks.

version: libvirt-0.10.2-57.el6.x86_64

steps

1. Prepare a running guest with host-passthrough cpu model

    # virsh dumpxml aa
    --
    <cpu mode='host-passthrough'/>

2. Save the guest

    # virsh save aa aa.save

3. Change any content in the save file

    # virsh save-image-edit aa.save
    --
    <on_crash>restart</on_crash> to <on_crash>coredump-restart</on_crash>
    :wq

4. Restore the guest from the save file, guest crashed

    # virsh restore /root/aa.save
    error: Failed to restore domain from /root/aa.save
    error: End of file while reading data: Input/output error
    error: One or more references were leaked after disconnect from the hypervisor
    error: Failed to reconnect to the hypervisor

5. Debug log and coredump info will be uploaded as an attachment later

Created attachment 1133131
The debug log for libvirtd crash

OK, file a separate bug for it since it has nothing to do with this bug.

So after discussing this on IRC, the crash is apparently caused by the patch for this bug.

Verify the issue in comment 8 with build libvirt-0.10.2-59.el6.x86_64. - PASSED

Steps:

1. Start a guest with the following setting:

    <cpu mode='host-passthrough'>

2. Save guest:

    # virsh save rhel6.6 /tmp/rhel6.6.save
    Domain rhel6.6 saved to /tmp/rhel6.6.save

3. Edit saved image (just add a blank in xml)

    # virsh save-image-edit /tmp/rhel6.6.save
    State file /tmp/rhel6.6.save edited.

4. Restore guest

    # virsh restore /tmp/rhel6.6.save
    Domain restored from /tmp/rhel6.6.save

5. Do step 1~4 again with cpu mode='host-model'.

6. Do step 1-4 again with cpu mode='custom'

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0738.html
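
A check that automates the comparison the verification steps above make by eye, as an added example that is not part of the original report or of libvirt: it compares the `<graphics>` passwords in the XML that was passed in against the XML read back with `--security-info`, and reports any that were dropped or changed. The function names and the sample XML are constructed for illustration, modelled on the elements quoted in the report.

```python
import xml.etree.ElementTree as ET

# Constructed samples. REQUESTED is the XML handed to libvirt (for example
# through save-image-edit) with the SPICE password changed to 222222.
REQUESTED = """<domain type='kvm'><name>aa</name><devices>
  <graphics type='spice' autoport='yes' passwd='222222'/>
  <graphics type='vnc' port='-1' autoport='yes' passwd='111111'/>
</devices></domain>"""
# AFFECTED is what the read-back looks like once the passwords have been lost.
AFFECTED = """<domain type='kvm'><name>aa</name><devices>
  <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'/>
  <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1'/>
</devices></domain>"""
# FIXED is the read-back with both passwords preserved.
FIXED = """<domain type='kvm'><name>aa</name><devices>
  <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1' passwd='222222'/>
  <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1' passwd='111111'/>
</devices></domain>"""


def graphics_passwords(domain_xml):
    """Map (graphics type, ordinal within that type) -> passwd, None if unset."""
    counts, result = {}, {}
    for elem in ET.fromstring(domain_xml).iter("graphics"):
        gtype = elem.get("type", "unknown")
        ordinal = counts.get(gtype, 0)
        counts[gtype] = ordinal + 1
        result[(gtype, ordinal)] = elem.get("passwd") or None
    return result


def password_regressions(requested_xml, resulting_xml):
    """List (type, finding) for every password set in requested_xml that the
    resulting XML lost or altered. Password values are never put in findings.
    resulting_xml must come from a --security-info dump; without that flag
    virsh omits passwords and everything would be reported as dropped."""
    want = graphics_passwords(requested_xml)
    have = graphics_passwords(resulting_xml)
    findings = []
    for key, passwd in sorted(want.items()):
        if passwd is None:
            continue  # nothing was requested, so nothing can be lost
        if key not in have:
            findings.append((key[0], "device missing"))
        elif have[key] is None:
            findings.append((key[0], "password dropped"))
        elif have[key] != passwd:
            findings.append((key[0], "password differs"))
    return findings
```

An empty list from `password_regressions` corresponds to the PASSED outcome of Scenario 1; any entry means a graphics console may be reachable without the intended password.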