1444702 – [virtio-win][qemu-ga-win]set DCOM permission during installation qemu-ga

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1444702 - [virtio-win][qemu-ga-win]set DCOM permission during installation qemu-ga

Summary: [virtio-win][qemu-ga-win]set DCOM permission during installation qemu-ga

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	virtio-win
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Sameeh Jubran
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1473046
TreeView+	depends on / blocked

Reported:	2017-04-24 03:21 UTC by lijin
Modified:	2021-06-22 09:42 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-27 14:27:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description lijin 2017-04-24 03:21:12 UTC

Description of problem:

set DCOM permission during qemu-ga-win installation as https://bugzilla.redhat.com/show_bug.cgi?id=1387125#c55 requests,so that manual configuration as https://bugzilla.redhat.com/show_bug.cgi?id=1387125#c36 can be avoided.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Sameeh Jubran 2018-09-27 14:27:47 UTC

Issue Description:
Error 8194 appears in Windows Event Log when running Qemu-ga commands: guest-fsfreeze-freeze and guest-fsfreeze-thaw.
Error code 8194 is an "Accessed Denied" error caused by the inability of one or more VSS system writers to communicate with the Remote Backup VSS requestor process via the "COM" calls exposed in the IVssWriterCallback interface (Microsoft programming interface to the Volume Shadow Service).

Background:
In order to use VSS API Qemu GA implements a VSS requester that runs under Local System account. Requester applications communicate via DCOM with writers to gather information on the system and to signal writers to prepare their data for backup. One of the In-Box VSS Writers is System Writer which runs as part of the Cryptographic Services service which runs under Network_Service account.

Issue Cause:
DCOM blocks communication between Processes that run under different accounts by default, Which in our case blocks communication between Qemu GA VSS requester which runs under Local System accound and System Writer which runs under Network_Service account.

Impact:
These errors DO NOT generally impact the ability of the program to perform online backups, but often raise questions from system administrators or managed service providers due the error status indicated. Specifically in this case the program performance remains unaffected..

Workaround:
1. Run “dcomcnfg”.
2. Navigate to “Component Services” > “ Computer” > “MyComputer”.
3. Right Click “MyComputer” and go to “Properties”.
4. Got to “COM Security” tab, click on “Edit Default” button under “Access Permissions”.
5. Click on “Add…” button and add “Network Service” account to permission list.
6. Verify that only “Local Access” box is checked and click OK.
7. Close “Component Services” and reboot the VM.

Note You need to log in before you can comment on or make changes to this bug.