Bug 1455491
| Summary: | spice/vnc password should keep when clone a guest | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | zhoujunqin <juzhou> | ||||||
| Component: | virt-manager | Assignee: | Pavel Hrdina <phrdina> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 7.4 | CC: | kuwei, mxie, phrdina, tzheng, xiaodwan | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | virt-manager-1.4.3-1.el7 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2018-04-10 11:40:46 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1473046 | ||||||||
| Attachments: |
|
||||||||
May be can add a new option like --security-info to support clone security info explicitly. Upstream patch posted: https://www.redhat.com/archives/virt-tools-list/2017-September/msg00098.html Upstream commit:
commit 8e0303059ee540040ec01cf6ccb12f0303791192
Author: Pavel Hrdina <phrdina>
Date: Fri Sep 15 18:34:58 2017 +0200
cloner: get original XML with security informations
I can reproduce this bug with package:
virt-manager-1.4.1-7.el7.noarch
Then try to verify this bug with new build:
virt-manager-1.4.3-1.el7.noarch
virt-install-1.4.3-1.el7.noarch
libvirt-3.7.0-2.el7.x86_64
qemu-kvm-rhev-2.9.0-16.el7_4.8.x86_64
Steps:
1. Prepare a spice guest with password setting.
# virsh dumpxml rhel7.4 --security-info
...
<graphics type='spice' autoport='yes' passwd='aabb'>
<listen type='address'/>
<image compression='off'/>
</graphics>
2. Start guest, then connect to guest via virt-manager.
Launch virt-manager-> Double click guest -> Input password 'aabb' in next page ->click 'Login'
Result: Connect to guest console with correct password.
3. Force off guest.
4. Clone guest.
Right click guest-> select 'Clone' button -> Click 'Clone' in next 'Clone Virtual Machine' page.
Actual results:
1. Clone finished without error, then check guest xml ,finding that graphics password keep while cloning.
# virsh dumpxml rhel7.4-clone --security-info
...
<graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1' passwd='aabb'>
<listen type='address' address='127.0.0.1'/>
<image compression='off'/>
</graphics>
2. I find that security graphics password we can see in virt-manager debug log, it's not safe.
Details please see attachment.
Created attachment 1328851 [details]
password info shows in virt-manager debug log
Right, that's not safe since the debug log is located at ~/.cache/virt-clone.log and that might be accessible. This was probably the reason why we didn't include the security info while cloning a guest. I'll look into it to fix it. (In reply to Pavel Hrdina from comment #8) > Right, that's not safe since the debug log is located at > ~/.cache/virt-clone.log and that might be accessible. This was probably the > reason why we didn't include the security info while cloning a guest. > > I'll look into it to fix it. Yes, so shall we move this bug back to ASSIGNED status or file a new bug to track, thanks. Well, the issue here is that virt-manager/virt-clone doesn't have any knowledge which parts of XML contains security information. Currently it's only the graphics password. This will require some extra coding to hide the password from debug logs. I would create a new BUG to track it. (In reply to Pavel Hrdina from comment #10) > Well, the issue here is that virt-manager/virt-clone doesn't have any > knowledge which parts of XML contains security information. Currently it's > only the graphics password. This will require some extra coding to hide the > password from debug logs. I would create a new BUG to track it. Ok, Pavel, after you file that bug, please leave bug id here, thanks. Then i can change bug status. BZ 1495505 created to track the debug log issue. Since bug itself has been fixed, and as Comment 12 said, move this bug from ON_QA to VERIFIED status, thanks Pavel. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0726 |
Created attachment 1282223 [details] virt-manager debug log for cloning Description of problem: spice/vnc password should keep when clone a guest Version-Release number of selected component (if applicable): virt-manager-1.4.1-5.el7.noarch libvirt-3.2.0-6.virtcov.el7.x86_64 qemu-kvm-rhev-2.9.0-6.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. Prepare a spice guest with password setting. # virsh dumpxml rhel7.4 --security-info ... <graphics type='spice' autoport='yes' passwd='aabb'> <listen type='address'/> <image compression='off'/> </graphics> 2. Start guest, then connect to guest via virt-manager. Launch virt-manager-> Double click guest -> Input password 'aabb' in next page ->click 'Login' Result: Connect to guest console with correct password. 3. Force off guest. 4. Clone guest. Right click guest-> select 'Clone' button -> Click 'Clone' in next 'Clone Virtual Machine' page. Actual results: Clone finished without error, then check guest xml ,finding that no password showing for spice graphics. # virsh dumpxml rhel7.4-clone --security-info ... <graphics type='spice' autoport='yes'> <listen type='address'/> <image compression='off'/> </graphics> Expected results: spice/vnc password should keep when clone a guest Additional info: I can also reproduce this issue with vnc guest.