Bug 1801153

Summary: Ignition: user and passwordHash in ignition script is not working with RHCOS
Product: [oVirt] ovirt-engine
Component: BLL.Virt
Version: 4.4.0
Status: CLOSED NOTABUG
Severity: urgent
Priority: unspecified
Reporter: Nisim Simsolo <nsimsolo>
Assignee: Michal Skrivanek <michal.skrivanek>
QA Contact: Nisim Simsolo <nsimsolo>
CC: bugs, jlebon, lrotenbe, miabbott, nsimsolo, rbarry
Flags: mavital: blocker?
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-02-13 08:49:16 UTC
Type: Bug
oVirt Team: Virt
Bug Blocks: 1712746
Attachments: engine.log, vdsm.log

Description Nisim Simsolo 2020-02-10 11:26:53 UTC
Description of problem:
- Running an RHCOS VM with an ignition script of user and password does not function as expected: the VM boots normally (which means the script is valid), but the user and password authentication is not working.
Using the same script with FCOS (but with ignition version 3.0.0 instead of 2.3.0 for RHCOS) is working, and it is possible to log in to the VM with the script user and password.

- Trying to create a different password hash with different encryption methods is not solving this issue.

- Ignition script for RHCOS (password is changeme):

```
{
  "ignition": { "version": "2.3.0" },
  "passwd": {
    "users": [
      {
        "name": "core",
        "passwordHash": "$y$j9T$skCa2x5kFis7p58gYjz3C1$ykelHfCckRToZKAVYK7GDdLOCi3pcF2WMioI.vmYkj5"
      }
    ]
  }
}
```

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.0-0.19.master.el7
vdsm-4.40.2-1.el8ev.x86_64
qemu-kvm-4.2.0-8.module+el8.2.0+5607+dc756904.x86_64
libvirt-client-6.0.0-4.module+el8.2.0+5642+838f3513.x86_64
rhcos-4.4-44.81.202001241431.0

How reproducible:
100%

Steps to Reproduce:
1. Download latest RHCOS openstack qcow image (from rhcos.json), or use latest RHCOS template.
2. Create a VM, set OS type to RHCOS, check the ignition checkbox and add the script mentioned above with "ignition": { "version": "2.3.0" }
3. Run the VM and try to log in with user: core password: changeme

Actual results:
Login with this user and password failed.
Expected results:
Login with this user and password should succeed.

Additional info:
vdsm.log and engine.log attached
RHCOS VM name/ID: ignition_from_temp/c9edb803-62d5-4f48-81bc-35bd0fbc3c26
FCOS VM name/ID: ignition_FCOS/321df2d2-3545-47fe-9967-d5bfd53e8c39

Comment 1 Nisim Simsolo 2020-02-10 11:30:32 UTC
Created attachment 1662124
engine.log

Comment 2 Nisim Simsolo 2020-02-10 11:31:03 UTC
Created attachment 1662125
vdsm.log

Comment 3 Ryan Barry 2020-02-11 01:22:36 UTC
Ignition has some breaking changes. The only references I'm seeing in the docs are for sha hashed passwords. We also wouldn't expect ignition for upstream versions (e.g. FCOS) to necessarily be compatible with RHCOS.

Are you sure this is a bug?

Comment 4 Nisim Simsolo 2020-02-11 08:14:48 UTC
(In reply to Ryan Barry from comment #3)
> Ignition has some breaking changes. The only references I'm seeing in the
> docs are for sha hashed passwords. We also wouldn't expect ignition for
> upstream versions (e.g. FCOS) to necessarily be compatible with RHCOS.
> 
> Are you sure this is a bug?

Currently I can't test ignition on RHCOS because I cannot log in to the VMs in order to verify if the ignition configuration is applied.
It also looks like the UI option for hashed password is not working.

Comment 5 Ryan Barry 2020-02-11 12:52:43 UTC
Which algorithm was used for the hash?

Is the UI option not working the same as the other reported bug, or different?

Comment 6 Jonathan Lebon 2020-02-11 14:40:12 UTC
Yeah, this is likely due to a hashing algorithm we turn off by default. How did you generate the hash? Works for me with one generated using `mkpasswd -m sha-512` at least.

Comment 7 Jonathan Lebon 2020-02-11 14:52:46 UTC
Ahh OK yup, RHCOS just inherits el8's sha512-by-default here:

```
[root@coreos ~]# grep password /etc/pam.d/system-auth
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
```
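
A pre-boot check for the mismatch identified in comments 6 and 7, as an added example that is not part of the bug report or of any project mentioned in it: it reads the `passwordHash` prefix of each user in an Ignition config and flags anything that is not a well-formed sha512crypt string. The function names, the accepted-scheme set (taken from the thread, where only `mkpasswd -m sha-512` output was confirmed working) and the second sample config are assumptions constructed for illustration.

```python
import json
import re

# crypt(3) scheme identifiers as they appear between the first two '$'.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Assumption from comments 6 and 7: only sha512crypt is treated as accepted.
ACCEPTED = {"sha512crypt"}
# $6$[rounds=N$]salt(1-16 chars)$digest(86 chars), crypt base64 alphabet.
SHA512_RE = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

def scheme_of(password_hash):
    """Name the crypt(3) scheme of a hash string, or 'unknown'."""
    m = re.match(r"^\$([0-9a-z]+)\$", password_hash)
    return SCHEMES.get(m.group(1), "unknown") if m else "unknown"

def check_ignition(config_text):
    """Return (user, scheme, ok) for every user that sets passwordHash."""
    findings = []
    for user in json.loads(config_text).get("passwd", {}).get("users", []):
        pw_hash = user.get("passwordHash")
        if pw_hash is None:
            continue  # no password hash set for this user, nothing to check
        scheme = scheme_of(pw_hash)
        ok = scheme in ACCEPTED and bool(SHA512_RE.match(pw_hash))
        findings.append((user.get("name"), scheme, ok))
    return findings

# The config from the bug description (hash copied from the report).
REPORTED = json.dumps({"ignition": {"version": "2.3.0"}, "passwd": {"users": [
    {"name": "core", "passwordHash":
     "$y$j9T$skCa2x5kFis7p58gYjz3C1$ykelHfCckRToZKAVYK7GDdLOCi3pcF2WMioI.vmYkj5"}]}})
# Constructed sample: right shape for sha512crypt, not a hash of any password.
CONSTRUCTED = json.dumps({"ignition": {"version": "2.3.0"}, "passwd": {"users": [
    {"name": "core", "passwordHash": "$6$constructedsalt$" + "A" * 86},
    {"name": "ops", "passwordHash": "$6$salt$truncated"}]}})

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        for name, scheme, ok in check_ignition(cfg):
            print(f"{label}: user={name} scheme={scheme} "
                  f"{'ok' if ok else 'REJECT'}")
```

The check only inspects the string's scheme and shape; it does not verify that the hash corresponds to any particular password.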

Comment 8 Jonathan Lebon 2020-02-11 19:04:47 UTC
The original comment didn't mention it, though just in case this was tried over SSH, note that RHCOS disables SSH password authentication (https://github.com/openshift/os/issues/374). It works fine on serial though. (One can of course always go against that opinion and turn it back on via Ignition if so determined.)