Bug 1174181 - RFE: provide QEMU guest agent command for setting root account password (Linux guest)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assignee: Marc-Andre Lureau
QA Contact: Virtualization Bugs
Docs Contact: Jiri Herrmann
Depends On: 1174176
Blocks: 1172231 978365 1174177 1261100 1303906 1313887
Reported: 2014-12-15 10:24 UTC by Daniel Berrangé
Modified: 2019-09-12 08:08 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.490.el6
Doc Type: Release Note
Doc Text:
Setting the account password is now possible for any guest user
The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including root, when using QEMU and KVM.
Clone Of: 1174176
: 1303906 1313887 (view as bug list)
Last Closed: 2016-05-10 20:56:59 UTC

Links:
Red Hat Product Errata RHBA-2016:0815 (priority normal, status SHIPPED_LIVE): qemu-kvm bug fix and enhancement update, last updated 2016-05-10 22:39:31 UTC

Description Daniel Berrangé 2014-12-15 10:24:28 UTC
+++ This bug was initially created as a clone of Bug #1174176 +++

Description of problem:
OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery, e.g. they have lost access to a VM (e.g. due to network misconfiguration). Unlocking root account console logins by setting a root password is their last-ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

 'set-administrator-password --iscrypted CRYPTED_PASSWORD'
 'set-administrator-password RAW_PASSWORD'

Note I'm following the example from kickstart files, where you allow provision of either the raw password or a pre-encrypted/salted string. The latter is generally preferable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.

Comment 2 Marc-Andre Lureau 2015-07-03 10:11:19 UTC
I am looking at backport

Comment 3 Marc-Andre Lureau 2015-12-01 15:55:03 UTC
patch backport ready, adding devel+

Comment 5 Jeff Nelson 2016-01-18 21:50:03 UTC
Fix included in qemu-kvm-0.12.1.2-2.484.el6

Comment 7 weliao 2016-01-27 09:19:59 UTC
Test this bug using the following version:
Host:
2.6.32-607.el6.x86_64
qemu-kvm-0.12.1.2-2.485.el6.x86_64

Guest:
2.6.32-595.el6.x86_64
qemu-guest-agent-0.12.1.2-2.485.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel6.8 -machine pc  -drive id=drive_image1,if=none,cache=none,snapshot=off,format=qcow2,file=/mnt/RHEL-Server-6.7-64-virtio.qcow2 -device virtio-blk-pci,id=image1,drive=drive_image1,bus=pci.0,bootindex=0 -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,mac=52:54:25:93:79:67,id=net0  -m 2048 -smp 4,maxcpus=8,cores=4,threads=1,sockets=1 -cpu SandyBridge -boot menu=on -enable-kvm -qmp tcp:0:5556,nowait,server -monitor stdio -spice port=5901,disable-ticketing -global qxl-vga.vram_size=67108864 -vga qxl -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0


2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"

Comment 8 weliao 2016-01-28 04:31:06 UTC
Tested with a win10 guest with virtio-win-1.7.5-0.el6 installed to provide qemu-ga-x64; it seems the Windows guest didn't support setting the password by qemu-guest-agent.


# nc -U /tmp/qga.sock
{"execute":"guest-info"}
{"return": {"version": "0.12.1", "supported_commands": [{"enabled": true, "name": "guest-set-vcpus"}, {"enabled": true, "name": "guest-get-vcpus"}, {"enabled": true, "name": "guest-network-get-interfaces"}, {"enabled": true, "name": "guest-suspend-hybrid"}, {"enabled": true, "name": "guest-suspend-ram"}, {"enabled": true, "name": "guest-suspend-disk"}, {"enabled": true, "name": "guest-fstrim"}, {"enabled": true, "name": "guest-fsfreeze-thaw"}, {"enabled": true, "name": "guest-fsfreeze-freeze"}, {"enabled": true, "name": "guest-fsfreeze-status"}, {"enabled": true, "name": "guest-file-flush"}, {"enabled": true, "name": "guest-file-seek"}, {"enabled": true, "name": "guest-file-write"}, {"enabled": true, "name": "guest-file-read"}, {"enabled": true, "name": "guest-file-close"}, {"enabled": true, "name": "guest-file-open"}, {"enabled": true, "name": "guest-shutdown"}, {"enabled": true, "name": "guest-info"}, {"enabled": true, "name": "guest-set-time"}, {"enabled": true, "name": "guest-get-time"}, {"enabled": true, "name": "guest-ping"}, {"enabled": true, "name": "guest-sync"}, {"enabled": true, "name": "guest-sync-delimited"}]}}

{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"cmVkaGF0"}}
{"error": {"desc": "The command guest-set-user-password has not been found"}}

Comment 15 Jeff Nelson 2016-02-29 18:54:09 UTC
Fix included in qemu-kvm-0.12.1.2-2.490.el6

Comment 17 weliao 2016-03-01 07:43:47 UTC
Test this bug using the following version:
Host:
2.6.32-621.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-615.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name aaa  -M rhel6.6.0 -enable-kvm -m 4096  -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 8f751f99-1dc9-c004-2b1a-595876325a48 -nodefconfig -nodefaults  -rtc base=utc -no-shutdown -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -drive file=/home/RHEL-Server-6.8-64-virtio.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:b7:eb:79,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5900,disable-ticketing -vga qxl -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on -monitor stdio -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"

So, for Linux guests, this bug is fixed.

Comment 19 Guo, Zhiyi 2016-03-22 09:12:44 UTC
Test this bug using the following version:
Host:
2.6.32-633.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-633.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel -m 2048 -machine pc,accel=kvm -cpu SandyBridge -smp 2,cores=1,threads=1,sockets=1,maxcpus=4 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -drive file=/home/images/80g.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -vga qxl -monitor stdio -spice port=3001,disable-ticketing -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
Wm0xRGF5SEZGem95cw==

# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"Wm0xRGF5SEZGem95cw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"
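
The exchange tested in the comments above, as an added Python example that is not part of the bug report or of QEMU's own code: it checks a guest-info reply for guest-set-user-password before use (the failure seen in Comment 8), builds the request with the base64-encoded password field, and treats anything other than {"return": {}} as a failure. The function names are assumptions made for this example, and the socket path is whatever was passed to -chardev socket,path=... on the host.

```python
import base64
import json
import socket

CMD = "guest-set-user-password"


def supports_set_password(guest_info_reply: str) -> bool:
    """True if a guest-info reply lists the command as present and enabled."""
    cmds = json.loads(guest_info_reply)["return"]["supported_commands"]
    return any(c["name"] == CMD and c["enabled"] for c in cmds)


def build_request(username: str, secret: str, crypted: bool = True) -> str:
    """Serialize the request; the password field is always base64-encoded.

    With crypted=True, `secret` is an already-hashed crypt(3) string, so the
    cleartext password never appears in the request or in host-side logs.
    """
    payload = base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return json.dumps({"execute": CMD, "arguments": {
        "crypted": crypted, "username": username, "password": payload}})


def parse_reply(line: str) -> None:
    """Raise on an agent error; an empty "return" object means success."""
    reply = json.loads(line)
    if "error" in reply:
        raise RuntimeError(reply["error"].get("desc", "unknown agent error"))
    if reply.get("return") != {}:
        raise RuntimeError("unexpected reply: %r" % (reply,))


def qga_call(sock_path: str, request: str, timeout: float = 5.0) -> str:
    """Send one request line to the agent's host-side socket, return one reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)  # a stopped agent never answers; do not hang
        s.connect(sock_path)
        s.sendall(request.encode("utf-8") + b"\n")
        return s.makefile("r").readline()
```

Calling supports_set_password() on the guest-info reply first separates "agent too old" from a rejected request, and the timeout covers the case where qemu-ga is not running in the guest.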

Comment 21 errata-xmlrpc 2016-05-10 20:56:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0815.html

