Red Hat Bugzilla – Bug 1174181
RFE: provide QEMU guest agent command for setting root account password (Linux guest)
Last modified: 2016-05-10 16:56:59 EDT
+++ This bug was initially created as a clone of Bug #1174176 +++

Description of problem:

OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery, e.g. they have lost access to a VM (e.g. due to network misconfiguration). Unlocking root account console logins by setting a root password is their last-ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

  'set-administrator-password --iscrypted CRYPTED_PASSWORD'
  'set-administrator-password RAW_PASSWORD'

Note I'm following the example from kickstart files, where you allow provision of either the raw password or a pre-encrypted/salted string. The latter is generally preferable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.
I am looking at backport
patch backport ready, adding devel+
Fix included in qemu-kvm-0.12.1.2-2.484.el6
Test this bug using the following version:

Host:
2.6.32-607.el6.x86_64
qemu-kvm-0.12.1.2-2.485.el6.x86_64

Guest:
2.6.32-595.el6.x86_64
qemu-guest-agent-0.12.1.2-2.485.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel6.8 -machine pc -drive id=drive_image1,if=none,cache=none,snapshot=off,format=qcow2,file=/mnt/RHEL-Server-6.7-64-virtio.qcow2 -device virtio-blk-pci,id=image1,drive=drive_image1,bus=pci.0,bootindex=0 -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,mac=52:54:25:93:79:67,id=net0 -m 2048 -smp 4,maxcpus=8,cores=4,threads=1,sockets=1 -cpu SandyBridge -boot menu=on -enable-kvm -qmp tcp:0:5556,nowait,server -monitor stdio -spice port=5901,disable-ticketing -global qxl-vga.vram_size=67108864 -vga qxl -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"
Tested with a win10 guest with virtio-win-1.7.5-0.el6 installed, which provides qemu-ga-x64; it seems the Windows guest did not support setting the password via qemu-guest-agent.

# nc -U /tmp/qga.sock
{"execute":"guest-info"}
{"return": {"version": "0.12.1", "supported_commands": [{"enabled": true, "name": "guest-set-vcpus"}, {"enabled": true, "name": "guest-get-vcpus"}, {"enabled": true, "name": "guest-network-get-interfaces"}, {"enabled": true, "name": "guest-suspend-hybrid"}, {"enabled": true, "name": "guest-suspend-ram"}, {"enabled": true, "name": "guest-suspend-disk"}, {"enabled": true, "name": "guest-fstrim"}, {"enabled": true, "name": "guest-fsfreeze-thaw"}, {"enabled": true, "name": "guest-fsfreeze-freeze"}, {"enabled": true, "name": "guest-fsfreeze-status"}, {"enabled": true, "name": "guest-file-flush"}, {"enabled": true, "name": "guest-file-seek"}, {"enabled": true, "name": "guest-file-write"}, {"enabled": true, "name": "guest-file-read"}, {"enabled": true, "name": "guest-file-close"}, {"enabled": true, "name": "guest-file-open"}, {"enabled": true, "name": "guest-shutdown"}, {"enabled": true, "name": "guest-info"}, {"enabled": true, "name": "guest-set-time"}, {"enabled": true, "name": "guest-get-time"}, {"enabled": true, "name": "guest-ping"}, {"enabled": true, "name": "guest-sync"}, {"enabled": true, "name": "guest-sync-delimited"}]}}
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"cmVkaGF0"}}
{"error": {"desc": "The command guest-set-user-password has not been found"}}
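The request format and the guest-info check from the two test comments above, as an added Python example that is not part of the bug report or of QEMU's own code. The function names are hypothetical, and the sample replies are constructed or abbreviated from the output quoted above.

```python
import base64
import json

COMMAND = "guest-set-user-password"

def build_request(username, secret, crypted):
    """Build the QGA message. `secret` is the raw password (crypted=False)
    or a crypt(3) hash (crypted=True); either way it is sent base64-encoded."""
    encoded = base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return json.dumps({"execute": COMMAND,
                       "arguments": {"crypted": crypted,
                                     "username": username,
                                     "password": encoded}})

def agent_supports(guest_info_reply, name=COMMAND):
    """True if a guest-info reply lists `name` as an enabled command."""
    commands = json.loads(guest_info_reply)["return"]["supported_commands"]
    return any(c["name"] == name and c["enabled"] for c in commands)

def check_reply(reply):
    """Return (ok, detail) for the agent's answer to the request."""
    msg = json.loads(reply)
    if "error" in msg:
        return False, msg["error"].get("desc", "unknown error")
    return "return" in msg, ""

def redact_for_log(request):
    """Copy of a request that is safe to log. base64 is an encoding, not
    encryption, so with crypted=false the field holds the raw password."""
    msg = json.loads(request)
    if "password" in msg.get("arguments", {}):
        msg["arguments"]["password"] = "<redacted>"
    return json.dumps(msg)

# Constructed reply for an agent that has the command (not from the page).
LINUX_INFO = ('{"return": {"version": "0.12.1", "supported_commands": ['
              '{"enabled": true, "name": "guest-set-user-password"}, '
              '{"enabled": true, "name": "guest-ping"}]}}')
# Abbreviated from the Windows guest-info output quoted above.
WINDOWS_INFO = ('{"return": {"version": "0.12.1", "supported_commands": ['
                '{"enabled": true, "name": "guest-info"}, '
                '{"enabled": true, "name": "guest-ping"}]}}')

if __name__ == "__main__":
    req = build_request("root", "HLGUSfQ2hF5Wg", crypted=True)
    for label, info in (("linux", LINUX_INFO), ("windows", WINDOWS_INFO)):
        print(label, agent_supports(info), redact_for_log(req))
```

Checking guest-info first avoids sending the secret to an agent that will only answer with the "has not been found" error shown above.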
Fix included in qemu-kvm-0.12.1.2-2.490.el6
Test this bug using the following version:

Host:
2.6.32-621.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-615.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name aaa -M rhel6.6.0 -enable-kvm -m 4096 -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 8f751f99-1dc9-c004-2b1a-595876325a48 -nodefconfig -nodefaults -rtc base=utc -no-shutdown -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -drive file=/home/RHEL-Server-6.8-64-virtio.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:b7:eb:79,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5900,disable-ticketing -vga qxl -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on -monitor stdio -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
SExHVVNmUTJoRjVXZw==
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"SExHVVNmUTJoRjVXZw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"

So, for the Linux guest, this bug is fixed.
Test this bug using the following version:

Host:
2.6.32-633.el6.x86_64
qemu-kvm-0.12.1.2-2.490.el6.x86_64

Guest:
2.6.32-633.el6.x86_64
qemu-guest-agent-0.12.1.2-2.490.el6.x86_64

1. boot guest:
/usr/libexec/qemu-kvm -name rhel -m 2048 -machine pc,accel=kvm -cpu SandyBridge -smp 2,cores=1,threads=1,sockets=1,maxcpus=4 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -qmp tcp:0:5555,nowait,server -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -drive file=/home/images/80g.qcow2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -vga qxl -monitor stdio -spice port=3001,disable-ticketing -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp

2. start qemu-guest-agent service inside guest
# service qemu-ga start

3. change the root password with "crypted":false
# echo -n "new" | base64
bmV3
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":false,"username":"root","password":"bmV3"}}

4. change the root password with "crypted":true
# openssl passwd -crypt newnew
HLGUSfQ2hF5Wg
# echo -n "HLGUSfQ2hF5Wg" | base64
Wm0xRGF5SEZGem95cw==
# nc -U /tmp/qga.sock
{"execute":"guest-set-user-password","arguments":{"crypted":true,"username":"root","password":"Wm0xRGF5SEZGem95cw=="}}
{"return": {}}

Actual result:
after step3, inside guest, check the root password is changed to "new"
after step4, inside guest, check the root password is changed to "newnew"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0815.html