Bug 1444702

Summary: [virtio-win][qemu-ga-win]set DCOM permission during installation qemu-ga
Product: Red Hat Enterprise Linux 7
Reporter: lijin <lijin>
Component: virtio-win
Assignee: Sameeh Jubran <sjubran>
virtio-win sub component: qemu-ga-win
QA Contact: Virtualization Bugs <virt-bugs>
Status: CLOSED WONTFIX
Docs Contact:
Severity: medium
Priority: low
CC: ailan, demeng, xiagao
Version: 7.7
Keywords: RFE
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-09-27 14:27:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1473046

Description lijin 2017-04-24 03:21:12 UTC
Description of problem:

Set DCOM permission during qemu-ga-win installation as https://bugzilla.redhat.com/show_bug.cgi?id=1387125#c55 requests, so that manual configuration as https://bugzilla.redhat.com/show_bug.cgi?id=1387125#c36 can be avoided.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Sameeh Jubran 2018-09-27 14:27:47 UTC
Issue Description:
Error 8194 appears in Windows Event Log when running Qemu-ga commands: guest-fsfreeze-freeze and guest-fsfreeze-thaw.
Error code 8194 is an "Access Denied" error caused by the inability of one or more VSS system writers to communicate with the Remote Backup VSS requestor process via the "COM" calls exposed in the IVssWriterCallback interface (Microsoft programming interface to the Volume Shadow Service).

Background:
In order to use the VSS API, Qemu GA implements a VSS requester that runs under the Local System account. Requester applications communicate via DCOM with writers to gather information on the system and to signal writers to prepare their data for backup. One of the In-Box VSS Writers is the System Writer, which runs as part of the Cryptographic Services service, which runs under the Network_Service account.

Issue Cause:
DCOM blocks communication between processes that run under different accounts by default, which in our case blocks communication between the Qemu GA VSS requester, which runs under the Local System account, and the System Writer, which runs under the Network_Service account.

Impact:
These errors DO NOT generally impact the ability of the program to perform online backups, but often raise questions from system administrators or managed service providers due to the error status indicated. Specifically in this case the program performance remains unaffected.

Workaround:
1. Run “dcomcnfg”.
2. Navigate to “Component Services” > “Computer” > “MyComputer”.
3. Right-click “MyComputer” and go to “Properties”.
4. Go to the “COM Security” tab and click the “Edit Default” button under “Access Permissions”.
5. Click the “Add…” button and add the “Network Service” account to the permission list.
6. Verify that only the “Local Access” box is checked and click OK.
7. Close “Component Services” and reboot the VM.
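
The workaround above can be checked without opening the GUI. The following is an added example, not part of the bug report or of the qemu-ga code: a read-only audit that reports whether Network Service is in the machine-wide DCOM default access ACL and whether it was granted local access only (step 6). It assumes that ACL is the `DefaultAccessPermission` value under `HKLM:\SOFTWARE\Microsoft\Ole`; the function names are hypothetical and the SDDL strings are constructed samples.

```powershell
# Added example: read-only audit of the machine-wide DCOM default access ACL.
# COM access-right bits as defined in the Windows SDK.
$COM_RIGHTS_EXECUTE        = 0x1
$COM_RIGHTS_EXECUTE_LOCAL  = 0x2
$COM_RIGHTS_EXECUTE_REMOTE = 0x4
$NetworkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

# Hypothetical helper: load the ACL edited by "Edit Default" under "Access Permissions".
function Get-DcomDefaultAccessDescriptor {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
    if ($null -eq $ole.DefaultAccessPermission) { return $null }   # value never customised
    New-Object System.Security.AccessControl.RawSecurityDescriptor `
        -ArgumentList ([byte[]]$ole.DefaultAccessPermission), 0
}

# Hypothetical helper: returns 'Missing', 'LocalOnly' or 'RemoteAllowed' for Network Service.
function Test-DcomNetworkServiceAccess {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    if ($null -eq $Descriptor -or $null -eq $Descriptor.DiscretionaryAcl) { return 'Missing' }
    $verdict = 'Missing'
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        if ($ace.SecurityIdentifier.Value -ne $NetworkServiceSid) { continue }
        $mask = $ace.AccessMask
        # EXECUTE alone, with no local/remote bit, is the legacy form COM treats as both.
        if (($mask -band $COM_RIGHTS_EXECUTE_REMOTE) -or $mask -eq $COM_RIGHTS_EXECUTE) {
            return 'RemoteAllowed'
        }
        if ($mask -band $COM_RIGHTS_EXECUTE_LOCAL) { $verdict = 'LocalOnly' }
    }
    $verdict
}

# Constructed SDDL samples (not from a real host), in order: no Network Service ACE,
# Local Access only as in step 6, and Remote Access also ticked.
$samples = 'O:BAG:BAD:(A;;0x3;;;SY)', 'O:BAG:BAD:(A;;0x3;;;NS)', 'O:BAG:BAD:(A;;0x7;;;NS)'
foreach ($sddl in $samples) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    '{0,-26} -> {1}' -f $sddl, (Test-DcomNetworkServiceAccess $sd)
}

# The guest itself: run inside the Windows VM after the reboot in step 7.
'Live host -> ' + (Test-DcomNetworkServiceAccess (Get-DcomDefaultAccessDescriptor))
```

A result of `RemoteAllowed` means the ACE grants more than the workaround calls for; `Missing` means the workaround has not been applied and error 8194 can be expected on freeze/thaw.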