Bug 1695618

Summary: Spice connection is interrupted during migration if migrated after spice password expiration
Product: Red Hat Enterprise Linux 8
Reporter: Radek Duda <rduda>
Component: spice-gtk
Assignee: Victor Toso <victortoso>
Status: CLOSED ERRATA
QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: high
Priority: high
Version: 8.2
CC: bsanford, cfergeau, dblechte, djasa, hhan, lsurette, mtessun, royoung, tpelka, uril, victortoso, yafu, zhguo
Target Milestone: rc
Keywords: Regression
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Clone Of:
: 1761776
Last Closed: 2020-11-04 04:07:05 UTC
Type: Bug
oVirt Team: Spice
Bug Blocks: 1761776
Attachments (description, flags):
- spice-debug.log (flags: none)
- engine.log (flags: none)
- destination:qemu.log (flags: none)
- source:qemu.log (flags: none)
- source:vdsm.log (flags: none)
- destination:vdsm.log (flags: none)

Description Radek Duda 2019-04-03 12:56:05 UTC
Created attachment 1551367
spice-debug.log

Description of problem:
If I migrate VM after spice password expires, the spice connection is interrupted

Version-Release number of selected component (if applicable):
client rhel8.0:
spice-glib-0.35-7.el8.x86_64
spice-gtk3-0.35-7.el8.x86_64
virt-viewer-7.0-3.el8.x86_64

guest rhel8.1:
spice-vdagent-0.18.0-3.el8.x86_64
spice-server-0.14.0-7.el8.x86_64
spice-glib-0.35-7.el8.x86_64
spice-gtk3-0.35-7.el8.x86_64

host rhel7.6-z:
qemu-kvm-rhev-2.12.0-21.el7.x86_64
spice-server-0.14.0-6.el7_6.1.x86_64
vdsm-4.30.12-1.el7ev.x86_64
libvirt-4.5.0-10.el7_6.6.x86_64

migration performed using rhv-4.3.3.1-0.1


How reproducible:
always

Steps to Reproduce:
1. run VM in RHV
2. connect to it using remote-viewer
3. wait 120s
4. migrate VM

Actual results:
Two possible results
Either remote-viewer prompts for spice password
or shows display of disconnected VM

Expected results:
Guest VM is available through SPICE after migration

Additional info:

Comment 1 Radek Duda 2019-04-03 13:04:52 UTC
Created attachment 1551368
engine.log

Comment 2 Radek Duda 2019-04-03 13:10:56 UTC
Created attachment 1551370
destination:qemu.log

Comment 3 Radek Duda 2019-04-03 13:12:43 UTC
Created attachment 1551371
source:qemu.log

Comment 4 Radek Duda 2019-04-03 13:18:10 UTC
Created attachment 1551372
source:vdsm.log

Comment 5 Radek Duda 2019-04-03 13:31:36 UTC
Created attachment 1551387
destination:vdsm.log

Comment 8 Victor Toso 2019-04-03 13:58:26 UTC
Target host has:
> (process:4881): Spice-WARNING **: 14:53:06.632: reds.c:2318:reds_handle_read_link_done: spice channels 1 should be encrypted
> (process:4881): Spice-WARNING **: 14:53:06.654: reds.c:2079:reds_handle_ticket: Ticketing is enabled, but no password is set. please set a ticket first

I have to double check but this is likely a qemu/spice issue.
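
An added example, not part of the original thread and not spice-server code: a small parser for warnings in the layout quoted in comment 8, for checking a destination host's qemu.log for the ticket failure after a migration. The label names and the last two sample lines are constructed for this example.

```python
import re
from collections import Counter

# Layout of the warnings quoted in comment 8:
# (process:PID): Spice-LEVEL **: HH:MM:SS.mmm: file.c:LINE:function: message
LINE_RE = re.compile(
    r"\(process:(?P<pid>\d+)\): Spice-(?P<level>[A-Z]+) \*\*: "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+): (?P<msg>.*)"
)

# Message fragments come from the two warnings on this page; the labels are
# this example's own naming (an assumption), not spice-server terminology.
SIGNATURES = {
    "Ticketing is enabled, but no password is set": "ticket-not-set",
    "should be encrypted": "channel-needs-encryption",
}

def parse(line):
    """Return the fields of one spice-server log line, or None if no match."""
    m = LINE_RE.search(line)  # search() tolerates a leading "> " quote marker
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["line"] = int(rec["pid"]), int(rec["line"])
    rec["label"] = next(
        (label for frag, label in SIGNATURES.items() if frag in rec["msg"]),
        "other",
    )
    return rec

def triage(lines):
    """Parse every recognisable line and count labels per qemu process."""
    records = [r for r in map(parse, lines) if r]
    counts = Counter((r["pid"], r["label"]) for r in records)
    return records, counts

# The first two lines are quoted from comment 8; the last two are constructed.
SAMPLE = [
    "> (process:4881): Spice-WARNING **: 14:53:06.632: reds.c:2318:reds_handle_read_link_done: spice channels 1 should be encrypted",
    "> (process:4881): Spice-WARNING **: 14:53:06.654: reds.c:2079:reds_handle_ticket: Ticketing is enabled, but no password is set. please set a ticket first",
    "(process:4881): Spice-WARNING **: 14:53:07.001: example.c:10:example_func: constructed unrelated warning",
    "constructed line that is not a spice-server message",
]

if __name__ == "__main__":
    records, counts = triage(SAMPLE)
    for r in records:
        print(r["time"], r["pid"], f'{r["file"]}:{r["line"]}', r["func"], r["label"])
```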

Comment 15 Victor Toso 2019-04-03 15:45:33 UTC
Radek, as this is marked as regression, could you please confirm the last RHV version this was working?

Comment 16 Victor Toso 2019-04-04 09:54:24 UTC
Discussed a bit with Frediano yesterday about this bug.

- Given that the password expires, this might be the right outcome (although the error message mentioned in comment #8 is a bit misleading).
- If that was working before, it might have been a security bug (pointed out by Frediano) as the migration data between source and target host can't verify that it is the same client connecting.

So, this might not be a bug but a feature and requiring that client stays connected on migration with expired password would be an RFE with new protocol.

Comment 17 Radek Duda 2019-04-04 10:11:13 UTC
I cannot reproduce this with latest rhv4.2.8.6_SNAPSHOT-163.g5b23737.0.scratch.master.el7ev. So it seems this is a regression to me.

Comment 18 Victor Toso 2019-04-04 10:47:38 UTC
I'll be looking at what might have changed from the versions you mentioned, many thanks for the test.

- stays connected: rhv-4.2.8.6_SNAPSHOT-163.g5b23737.0.scratch.master.el7ev
- this bug ..... : rhv-4.3.3.1-0.1

> So it seems this is a regression to me.

Just to clarify the comment #16 - this is a behavior regression but the expected behavior might have been a bug, which by fixing it introduced this change in behavior.
Let me see how it was working before and what changed before anything else.

Comment 22 Victor Toso 2019-09-04 12:41:15 UTC
With the following patch [0], the client would not hang any more. The authentication failure is raised from spice-gtk to remote-viewer which asks for user/password to login. Considering that the login was using the vv file, likely we should not request user input for user/password and just raise a notification that connection is dropped due to lack of permissions on new host after migration, or something like that.

[0] https://lists.freedesktop.org/archives/spice-devel/2019-September/050710.html

As mentioned in comment #16 - having the client connect from current host to target host with expired authentication would require some work, likely new protocol messages to keep sessions secure.

- Setting needinfo to PM to see what should be done and prioritized.
- Setting the bug to POST as patch [0] fixes the hang and exits the client after it cancels the user/password widget.

Comment 23 Martin Tessun 2019-09-06 08:28:57 UTC
Hi Victor,

as the hang is resolved, I think reconnecting is something that could be done. For security reasons we should probably still investigate into that session persistence across live-migrations.

The main attack vectors I can see:
- The session disconnects
- Someone else connects to the session and reuses the user's session

Of course we could lock the screen but would that happen in this scenario as well?
Can we ensure that the screen is locked every time this happens?

As I believe that this is hard to achieve, I would suggest to open a new RFE for getting that session persistence.

Thanks!
Martin

Comment 24 Victor Toso 2019-10-15 11:06:26 UTC
Reproduced with spice-gtk-0.35-4.el7 so I'll clone for RHEL 7.8 too and as discussed, I'll be fixing the hang.

Moving this bug to spice-gtk and cloning it.

Comment 25 Victor Toso 2020-01-22 09:36:03 UTC
Current merge request for the hang:

https://gitlab.freedesktop.org/spice/spice-gtk/merge_requests/20

Comment 26 Victor Toso 2020-05-25 05:27:25 UTC
This is fixed by rebase bug 1817471 - Moving to MODIFIED so we can add to errata.

Comment 37 errata-xmlrpc 2020-11-04 04:07:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (spice-gtk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4817