Bug 901497

Summary: "Enable ssh password authentication" option will be reset after reboot if user set password for adding node through RHEV-M UI.
Product: Red Hat Enterprise Virtualization Manager Reporter: cshao <cshao>
Component: ovirt-node-plugin-vdsmAssignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.3.0CC: aberezin, acathrow, bazulay, bsarathy, cpelland, dougsland, fdeutsch, gouyang, hadong, huiwa, iheim, jboggs, leiwang, mburns, ovirt-maint, ycui
Target Milestone: ---Keywords: ZStream
Target Release: 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-node-plugin-vdsm-0.1.1-11.el6ev Doc Type: Bug Fix
Doc Text:
Previously, sshd_config was not persisted by default. As a result, the "Enable ssh password authentication" option was not persisted when setting the Manager password. Now, the sshd_config file is persisted by default, so ssh password authentication persists upon reboot.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-21 22:14:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 916185    

Description cshao 2013-01-18 10:25:00 UTC 
Description of problem:
1. The default ssh option is disable after TUI install RHEV-H, if user set password for adding node through RHEV-M UI in RHEV-M page, the ssh will be enabled in security page.
But after reboot, the option "Enable ssh password authentication" will be disabled.

2. If user enable ssh option in secutity page directly, after reboot, the ssh  state is unchanged(still enable).

Version-Release number of selected component (if applicable):
rhev-hypervisor6-6.4-20130116.3.0.el6

How reproducible:
100%

Steps to Reproduce:
1. TUI Install RHEV-H and config network.
2. Set password for adding node through RHEV-M UI in RHEV-M page,
3. Reboot RHEV-H.
4. Focus on Security page and check ssh status.

Actual results:
"Enable ssh password authentication" option will be reset after reboot if user set password for adding node through RHEV-M UI.

Expected results:
SSH can be enabled after reboot if user set password for adding node through RHEV-M UI in RHEV-M page,

Additional info:
Comment 3 Mike Burns 2013-02-21 21:12:13 UTC 
Upstream patch:

http://gerrit.ovirt.org/#/c/12300/
Comment 7 cshao 2013-10-25 03:30:43 UTC 
Hi Fabiand,

The RHEVM UI has been removed from RHEV-H 6.5 base image, so I can't verify this bug. But I have checked the path and noticed that the sshd config is persisted now. I think the bug should be fixed.

So could you help to move the bug component to RHEVM?

Thanks!
Comment 8 Fabian Deutsch 2013-10-25 06:41:03 UTC 
Chen, sure!
Comment 12 Jiri Belka 2013-10-30 10:29:05 UTC 
What should be the version to verify this BZ? I tried with 'ed Hat Enterprise Virtualization Hypervisor release 6.5 (20131011.0.el6)' and sshd is (still) enabled after reboot if I added password in oVirt engine submenu in TUI.
Comment 14 Douglas Schilling Landgraf 2013-11-07 19:14:06 UTC 
(In reply to Jiri Belka from comment #12)
> What should be the version to verify this BZ? I tried with 'ed Hat
> Enterprise Virtualization Hypervisor release 6.5 (20131011.0.el6)' and sshd
> is (still) enabled after reboot if I added password in oVirt engine submenu
> in TUI.

This is correct behavior. rhev-hypervisor6-6.5-20131106.0.el6ev [1] is last iso available which includes the Mike's patch. However, looks like the original report is about setting the password on oVirt engine menu and back to Security menu it shows ssh checkbox disabled even when enabled.

Here the steps:
--------------------
- Setup Network by Network tab
- Set password on oVirt Engine tab for adding node through oVirt Engine

* At this moment, ssh will be enabled 

Back to Security menu and the item "Enable SSH password authentication" checkbox is disabled.

If you reboot the RHEV-H it will keep the ssh enabled but on security menu it will keep disabled.

Fabian, on ovirt-node-plugin-vdsm we are using the below code, anything we need to call specifically by node API to make security tab be updated or is it something on security_page?

<snip>
 passwd = utils.security.Passwd()
 passwd.set_password("root", self.password)

 sshd = utils.security.Ssh()
 sshd.password_authentication(True)
 sshd.restart()
</snip>

I have verified, it changes PasswordAuthentication in /etc/ssh/sshd_config
Comment 15 Fabian Deutsch 2013-11-11 14:52:31 UTC 
(In reply to Douglas Schilling Landgraf from comment #14)
> Fabian, on ovirt-node-plugin-vdsm we are using the below code, anything we
> need to call specifically by node API to make security tab be updated or is
> it something on security_page?
> 
> <snip>
>  passwd = utils.security.Passwd()
>  passwd.set_password("root", self.password)
> 
>  sshd = utils.security.Ssh()
>  sshd.password_authentication(True)
>  sshd.restart()
> </snip>
> 
> I have verified, it changes PasswordAuthentication in /etc/ssh/sshd_config

Hey Douglas,

the problem here is that the TUI uses the /etc/default/ovirt file to determin if pwauth is enabled or not. The vdsm plugin is currently "bypassing" this, because that file is not updated, and thus the TUI is unaware that pwauth is used. Does this make the cause clearer?
The classes in ovirt.node.config.defaults.* can be used to configure the aspects of ovirt-node, this classes also take care that the correct files are persisted and the ovirt node configuration file is uddated, so please use a snippet like:

sshcfg = defaults.SSH()
sshcfg.update(pwauth=True)
sshcfg.commit()

This will enable SSH password authentication, persist the files and update the node config file. In general, it should solves this bug.
Comment 16 Douglas Schilling Landgraf 2013-11-13 03:22:05 UTC 
(In reply to Fabian Deutsch from comment #15)
> (In reply to Douglas Schilling Landgraf from comment #14)
> > Fabian, on ovirt-node-plugin-vdsm we are using the below code, anything we
> > need to call specifically by node API to make security tab be updated or is
> > it something on security_page?
> > 
> > <snip>
> >  passwd = utils.security.Passwd()
> >  passwd.set_password("root", self.password)
> > 
> >  sshd = utils.security.Ssh()
> >  sshd.password_authentication(True)
> >  sshd.restart()
> > </snip>
> > 
> > I have verified, it changes PasswordAuthentication in /etc/ssh/sshd_config
> 
> Hey Douglas,
> 
> the problem here is that the TUI uses the /etc/default/ovirt file to
> determin if pwauth is enabled or not. The vdsm plugin is currently
> "bypassing" this, because that file is not updated, and thus the TUI is
> unaware that pwauth is used. Does this make the cause clearer?
> The classes in ovirt.node.config.defaults.* can be used to configure the
> aspects of ovirt-node, this classes also take care that the correct files
> are persisted and the ovirt node configuration file is uddated, so please
> use a snippet like:
> 
> sshcfg = defaults.SSH()
> sshcfg.update(pwauth=True)
> sshcfg.commit()
> 
> This will enable SSH password authentication, persist the files and update
> the node config file. In general, it should solves this bug.

Thanks for clarification Fabian, I have sent a patch.
Comment 17 Douglas Schilling Landgraf 2013-11-20 16:24:52 UTC 
ovirt-node-plugin-vdsm-0.1.1-11.el6ev
https://brewweb.devel.redhat.com/buildinfo?buildID=313971
Comment 18 Jiri Belka 2013-11-22 13:09:42 UTC 
ok, rhev-hypervisor6-6.5-20131121.0.el6ev. after setting password in oVirt engine tab, enable ssh is checked in Security menu.
Comment 19 Itamar Heim 2014-01-21 22:14:47 UTC 
Closing - RHEV 3.3 Released
Comment 20 Itamar Heim 2014-01-21 22:22:19 UTC 
Closing - RHEV 3.3 Released