| Summary: | virt-sysprep --ssh-inject failed to create the right selinux context for .ssh in the guest | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Bin Han <bihan> |
| Component: | libguestfs | Assignee: | Richard W.M. Jones <rjones> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | bihan, leiwang, ptoscano |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Last Closed: | 2016-09-27 07:41:14 UTC | Type: | Bug |
Description
Bin Han
2016-09-22 05:43:13 UTC
Hi Bin Han,

(In reply to Bin Han from comment #0)
> 3.Inject your public key and a string to the guest:
> # virt-sysprep -a tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub
> --ssh-inject root:string:"ssh-rsa AAtesttesttest"

As also described in the documentation of virt-sysprep, you need to use --selinux-relabel when editing guests with SELinux enabled, at least with the invocation before the actual boot (in this case it's one, so here). This applies to virt-customize, virt-builder, and virt-sysprep.

As well as doing what Pino says, please try the RHEL 7.3 packages since some other bugs were fixed in both SSH key injection and SELinux relabelling:

https://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/

(In reply to Richard W.M. Jones from comment #3)
> As well as doing what Pino says, please try the RHEL 7.3 packages since
> some other bugs were fixed in both SSH key injection and SELinux
> relabelling:
>
> https://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/

Ah, I see that you're using these packages or RHEL 7.3 already... Carry on.

Please check whether using --selinux-relabel works (it should).

(In reply to Pino Toscano from comment #5)
> Please check whether using --selinux-relabel works (it should).

Yes, if I relabel the selinux context, it works. I can log in without a password. The steps are shown below.

steps:
# chcon -t ssh_home_t /root/.ssh/authorized_keys
# ls -Z /root/.ssh/authorized_keys
-rw-------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh/authorized_keys

(In reply to Pino Toscano from comment #5)
> Please check whether using --selinux-relabel works (it should).

I added --selinux-relabel to the command "virt-sysprep --selinux-relabel -a tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject root:string:"ssh-rsa AAtesttesttest"". It works well. It can relabel the selinux context.

So the problem isn't a bug? But I also have another question: why not set the parameter --selinux-relabel as the default setting?

(In reply to Bin Han from comment #7)
> (In reply to Pino Toscano from comment #5)
> > Please check whether using --selinux-relabel works (it should).
>
> I add --selinux-relabel into the command "virt-sysprep --selinux-relabel -a
> tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject
> root:string:"ssh-rsa AAtesttesttest". It works well. It can relabel the
> selinux context.

Good thing, thanks for checking.

> So the problem isn't a bug ?

Indeed, this is not an issue. If you are modifying a guest with SELinux enabled, you must use --selinux-relabel in the last libguestfs command before you boot it.

> But I also have anther problem
> why not set the parameter --selinux-relabel as default setting.

See bug 1340312, comment 3, for some data points regarding this.
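
The manual `ls -Z` check from the thread, turned into a repeatable test. This is an added example, not code from the bug report or from libguestfs. It assumes the RHEL 7 `ls -Z` line format shown above; the `unlabeled_t` and `admin_home_t` types and the `/home/alice` path in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag .ssh entries whose SELinux
# type is not ssh_home_t, given RHEL 7 style `ls -Z` lines on stdin:
#   mode owner group user:role:type:level path
EXPECTED_TYPE="ssh_home_t"

# Prints "path actual_type" per mislabelled entry; returns 1 if any found.
find_mislabeled_ssh() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 5 {
            path = $0
            # Drop the first four fields so paths containing spaces survive.
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
            # Only the .ssh directory itself and entries below it matter.
            if (path !~ /(^|\/)\.ssh(\/|$)/) next
            n = split($4, ctx, ":")
            t = (n >= 3) ? ctx[3] : "?"   # "?" when the file has no label
            if (t != want) { print path, t; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input; only the first line is taken from the thread.
sample_ls_z() {
    cat <<'EOF'
-rw-------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh/authorized_keys
drwx------. root root system_u:object_r:unlabeled_t:s0 /root/.ssh
-rw-------. root root system_u:object_r:unlabeled_t:s0 /home/alice/.ssh/authorized_keys
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 /root/anaconda-ks.cfg
EOF
}

if report=$(sample_ls_z | find_mislabeled_ssh); then
    echo "all .ssh entries are $EXPECTED_TYPE"
else
    echo "mislabelled, rerun the last libguestfs command with --selinux-relabel:"
    echo "$report"
fi
```

Inside a booted guest, the same function can be fed real data with `ls -dZ /root/.ssh /root/.ssh/* | find_mislabeled_ssh`.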