Red Hat Bugzilla – Bug 1029126
Handle failure to decrypt LocalAdminPassword
Last modified: 2014-08-27 03:03:38 EDT
Description of problem:
Currently, when RHEV-M fails to decrypt LocalAdminPassword, it passes the plaintext value to the sysprep file. The plaintext value can, however, contain characters that are forbidden for Windows and that effectively break the Windows sysprep mechanism. Based on the above, the condition of a non-decryptable LocalAdminPassword should be handled somehow:
* don't run VM at all, issue Error in Events
* don't set Admin Password at all in sysprep, issue Warning in Events, run VM
Version-Release number of selected component (if applicable):
is21 / rhevm-backend-3.3.0-0.31.beta1.el6ev.noarch
Steps to Reproduce:
1. replace keys used to encrypt LocalAdminPassword in /etc/pki/ovirt-engine
2. run sealed Windows 7 VM with sysprep floppy attached
Actual results:
Windows is likely to fail sysprep because the password may contain illegal characters
Expected results:
Failure to decrypt the password is detected and handled somehow
It takes going through some hoops to run into this bug, so I think that it can have low priority.
Makes sense to fail, not urgent though.
Closing this since the problem reproduces only when the system is in an illegal state (db values aren't encrypted by the currently used keys).
This state is reported by the engine in the logs (ERROR [...] Failed to decrypt value for property XYZ). As a consequence, the plaintext value is used. It is up to the administrator not to ignore this log line and to ensure that password values are encrypted/decryptable correctly, or to use plaintext at their own risk.
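Added example, not RHEV-M or oVirt code: a Python illustration of the two handling options listed in the description, next to the pass-through behaviour the report describes. The `seal`/`unseal` helpers, the key names and the sample value are constructed stand-ins for the engine's real encryption, used only so the key-replacement case from the reproduction steps can be run offline.

```python
import base64, hashlib, hmac

class DecryptError(Exception):
    """The stored value cannot be decrypted with the key currently in use."""

def _keystream(key: bytes, n: int) -> bytes:
    # Constructed stand-in so the example runs offline; not the engine's scheme.
    blocks = (hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, text: str) -> str:
    data = text.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return base64.b64encode(hmac.new(key, body, hashlib.sha256).digest() + body).decode()

def unseal(key: bytes, stored: str) -> str:
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError as exc:  # not base64 at all, e.g. a plaintext DB value
        raise DecryptError("value is not in encrypted form") from exc
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise DecryptError("value was not encrypted with the current key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body)))).decode()

def passthrough_password(key: bytes, stored: str) -> str:
    # Behaviour described in the report: on failure the stored value is used as-is.
    try:
        return unseal(key, stored)
    except DecryptError:
        return stored

def resolve_password(key: bytes, stored: str, policy: str = "block"):
    """Return (password or None, events); never hands the stored value to sysprep."""
    try:
        return unseal(key, stored), []
    except DecryptError as exc:
        if policy == "omit":  # second option: run the VM, leave the password unset
            return None, [("WARNING", f"LocalAdminPassword not set in sysprep: {exc}")]
        # first option: refuse to run the VM and surface an Error event
        raise RuntimeError(f"VM not started, LocalAdminPassword: {exc}") from exc

# Constructed sample: a value sealed under the old key, read back after key replacement.
OLD_KEY, NEW_KEY = b"constructed-old-key", b"constructed-new-key"
STORED = seal(OLD_KEY, "S3cret!pw")
```

With `NEW_KEY`, `passthrough_password` returns the base64 blob itself as the password, which is the value that would end up in the sysprep file; `resolve_password` either raises or returns `None` with a warning event.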