Bug 1174176 - RFE: provide QEMU guest agent command for setting root/administrator account password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-guest-agent
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Marc-Andre Lureau
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1194152 1243458 1243459
Blocks: 978365 1154205 1174177 1174181 1205796 1249582 1261100 1303906 1313887
Reported: 2014-12-15 10:21 UTC by Daniel Berrangé
Modified: 2019-09-12 08:08 UTC (History)

Fixed In Version: qemu-guest-agent-2.3.0-1.el7
Doc Type: Enhancement
Doc Text:
The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the administrator, when using QEMU-KVM.
Clone Of:
Clones: 1174177 1174181
Environment:
Last Closed: 2015-11-19 07:09:46 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2015:2217 (priority normal, status SHIPPED_LIVE): qemu-guest-agent bug fix and enhancement update, last updated 2015-11-19 08:26:27 UTC

Description Daniel Berrangé 2014-12-15 10:21:35 UTC
Description of problem:
OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery. eg they have lost access to a VM (eg due to network mis-configuration). Unlocking root account console logins by setting a root password is their last ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

 'set-administrator-password --iscrypted CRYPTED_PASSWORD'
 'set-administrator-password RAW_PASSWORD'

Note I'm following the example from kickstart files, where you allow provision of both the raw password, or a pre-encrypted/salted string. The latter is generally preferable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.

Comment 2 Daniel Berrangé 2014-12-15 13:13:36 UTC
Here is a proof of concept implementation for modern Linux guests (eg tested it on Fedora 21):

http://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg02131.html

I've not checked whether it would work for older Linux (RHEL-6), and it also needs someone with Windows knowledge to provide the Win32 impl.

Comment 4 Ján Tomko 2015-05-18 12:53:01 UTC
I have tried the command implemented by
commit 215a2771a7b6b29037ee8deba484815d816b6fdd
    qga: add guest-set-user-password command

on Fedora 22 Beta (qemu-guest-agent-2.3.0-0.2.rc1.fc22.x86_64)

And it fails with SELinux enforcing:
type=AVC msg=audit(1431952168.903:567): avc:  denied  { write } for  pid=2097 comm="chpasswd" name=".pwd.lock" dev="vda1" ino=33595649 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Is it even possible to make this function work with SELinux?

Comment 5 Daniel Berrangé 2015-05-18 12:57:11 UTC
Every new function added to qemu guest agent typically needs an addition to the SELinux policy to allow it, so not surprising that you see an AVC currently.

Comment 7 Ademar Reis 2015-06-16 15:59:29 UTC
We have it upstream. Pending tasks:

 - Backport to 7.2
 - Create the SELinux Policy (we need a new BZ)

Libvirt support is already there.

Comment 8 Marc-Andre Lureau 2015-07-03 10:07:52 UTC
I am looking at backport for 7.2

Comment 9 Marc-Andre Lureau 2015-07-07 15:52:54 UTC
qemu-guest-agent has been rebased to 2.3 in 7.2, see dep bug 1194152

Comment 17 huiqingding 2015-08-07 09:58:23 UTC
Test this bug using the following version:
Host:
kernel-3.10.0-302.el7.x86_64
qemu-kvm-rhev-2.3.0-15.el7.x86_64

RHEL7.2 guest:
kernel-3.10.0-302.el7.x86_64
qemu-guest-agent-2.3.0-2.el7.x86_64

1. boot guest:
 /usr/libexec/qemu-kvm -cpu SandyBridge -machine pc-i440fx-rhel7.2.0 -enable-kvm -m 4096 -smp 2,sockets=1,cores=2,threads=1 -name rhel7base  -drive file=/home/rhel7.2.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=stop,rerror=stop,aio=native,cache.direct=on -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -boot menu=on -monitor stdio -netdev tap,id=hostnet0,vhost=on,script=/etc/ovs-ifup,downscript=/etc/ovs-downscript -device virtio-net-pci,netdev=hostnet0,mac=52:54:00:c6:4b:15,id=test -nodefaults -nodefconfig -spice port=5910,seamless-migration=on,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x9 -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtserialport,bus=virtio-serial0.0,chardev=qga0,id=org.qemu.guest_agent.0,name=org.qemu.guest_agent.0 -qmp tcp:0:6666,server,nowait

2. start qemu-guest-agent service inside guest
# service qemu-guest-agent start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
#  openssl passwd -crypt newnew
DkJgpBjhzSbHM
# echo -n "DkJgpBjhzSbHM" | base64
RGtKZ3BCamh6U2JITQ==
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"RGtKZ3BCamh6U2JITQ=="}}

Actual result:
after step 3, inside guest, check the root password is changed to "new"
after step 4, inside guest, check the root password is changed to "newnew"
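As an added illustration (not code from this bug, from QEMU or from the reporter), the request used in the test steps above reduced to a small host-side helper: it builds the "guest-set-user-password" command with the base64-encoded password exactly as in steps 3 and 4, refuses "crypted":true unless the value actually looks like a crypt(3) hash, decodes the request the way the guest side must, and masks the password argument before the command reaches a log, which is the leak the description argues the crypted form avoids. The function names and the regular expression are assumptions of this example.

```python
import base64
import json
import re

# crypt(3)-style hashes: the classic 13-char DES form (as in the test steps
# above) or the modular "$id$..." form used by modern glibc. Assumed pattern.
_CRYPT_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$.+)$")

def build_set_user_password(username: str, password: str, crypted: bool) -> str:
    """Build the QGA 'guest-set-user-password' request as one JSON line.

    The agent takes the password base64-encoded; with crypted=True the
    decoded value is a pre-hashed crypt(3) string, so no raw secret travels.
    """
    if crypted and not _CRYPT_RE.match(password):
        raise ValueError("crypted=True requires a crypt(3)-style hash")
    return json.dumps({
        "execute": "guest-set-user-password",
        "arguments": {
            "username": username,
            "password": base64.b64encode(password.encode()).decode("ascii"),
            "crypted": crypted,
        },
    })

def decode_request(line: str) -> tuple:
    """Unpack a request as the guest side must: (username, password, crypted)."""
    msg = json.loads(line)
    if msg.get("execute") != "guest-set-user-password":
        raise ValueError("not a guest-set-user-password request")
    args = msg["arguments"]
    password = base64.b64decode(args["password"], validate=True).decode()
    return args["username"], password, bool(args["crypted"])

def redact_for_log(line: str) -> str:
    """Mask the password argument so host-side logs never carry the secret."""
    msg = json.loads(line)
    if "password" in msg.get("arguments", {}):
        msg["arguments"]["password"] = "<redacted>"
    return json.dumps(msg)

if __name__ == "__main__":
    raw = build_set_user_password("root", "new", crypted=False)
    # "DkJgpBjhzSbHM" is the DES hash from step 4 above, reused as sample input
    hashed = build_set_user_password("root", "DkJgpBjhzSbHM", crypted=True)
    print(redact_for_log(raw))
    print(decode_request(hashed))
```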

Comment 18 juzhang 2015-08-10 05:43:07 UTC
According to comment 17, set this issue as verified.

Comment 20 errata-xmlrpc 2015-11-19 07:09:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2217.html

