Posted to users@cloudstack.apache.org by Jorge Luiz Correa <jo...@embrapa.br.INVALID> on 2022/04/08 19:38:28 UTC
Problem with libvirt 8 and domain VNC passwords.
Hi!
I'm testing CS with Ubuntu 22.04 LTS that uses libvirt 8.0.0-1ubuntu6
(using CS repository from focal 20.04). After all the installation process,
when the manager tries to start some system VMs (like SSVM), the hypervisor
hosts can't do that. In the agent logs I can see:
2022-04-08 16:17:30,142 WARN [resource.wrapper.LibvirtStartCommandWrapper] (agentRequest-Handler-5:null) (logid:f1b7f404) LibvirtException
org.libvirt.LibvirtException: unsupported configuration: VNC password is 22 characters long, only 8 permitted
    at org.libvirt.ErrorHandler.processError(Unknown Source)
    at org.libvirt.ErrorHandler.processError(Unknown Source)
    at org.libvirt.Connect.domainCreateXML(Unknown Source)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.startVM(LibvirtComputingResource.java:1736)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:86)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtStartCommandWrapper.execute(LibvirtStartCommandWrapper.java:46)
    at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
    at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:1768)
    at com.cloud.agent.Agent.processRequest(Agent.java:661)
    at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1079)
    at com.cloud.utils.nio.Task.call(Task.java:83)
    at com.cloud.utils.nio.Task.call(Task.java:29)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
In the libvirt logs I can see:
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-04-08 16:05:56 -03; 10min ago
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 44140 (libvirtd)
      Tasks: 19 (limit: 32768)
     Memory: 17.5M
        CPU: 3.342s
     CGroup: /system.slice/libvirtd.service
             └─44140 /usr/sbin/libvirtd --listen
Apr 08 16:14:00 hpc-p01c01h01 libvirtd[44140]: unsupported configuration: VNC password is 22 characters long, only 8 permitted
Apr 08 16:14:01 hpc-p01c01h01 libvirtd[44140]: unsupported configuration: VNC password is 22 characters long, only 8 permitted
Apr 08 16:14:29 hpc-p01c01h01 libvirtd[44140]: unsupported configuration: VNC password is 22 characters long, only 8 permitted
Apr 08 16:14:30 hpc-p01c01h01 libvirtd[44140]: unsupported configuration: VNC password is 22 characters long, only 8 permitted
Looking for something about that, I realized that older versions of libvirt
could just ignore VNC passwords bigger than 8 chars. Now it looks like an
error is triggered.
I tried to find where CS stores the .xml file for the SSVM domain to see if
the password is really a 22-char password, but I didn't find it.
I think the problem is when generating the .xml file for the new domains.
Probably CS generates a long password.
Is there any way to configure the size of VNC password that CS generates?
Thank you!
--
Jorge Luiz Corrêa
Embrapa Agricultura Digital
--
__________________________
Confidentiality note
This message from
Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a government
company established under Brazilian law (5.851/72), is directed
exclusively to its addressee and may contain confidential data,
protected under professional secrecy rules. Its unauthorized use is
illegal and may subject the transgressor to the law's penalties. If you
are not the addressee, please send it back, elucidating the failure.
Re: Problem with libvirt 8 and domain VNC passwords.
Posted by Wei ZHOU <us...@gmail.com>.
Hi Jorge,
Thanks for the report and the analysis. Ubuntu 22.04 is not officially
released; it is not tested or officially supported in CloudStack for now.
I noticed the issue many years ago that only the first 8 chars of the VNC
password are effective. The fix in libvirt does not make sense to me.
Anyway, I have created a pull request to truncate the vnc password to 8
chars: https://github.com/apache/cloudstack/pull/6244 . I will test it. It
would
-Wei
On Mon, 11 Apr 2022 at 15:51, Jorge Luiz Correa
<jo...@embrapa.br.invalid> wrote:
> Just to confirm the incompatibility. When Zone was enabled, the CS manager
> started to try to launch some system VMs like s-NNNN-VM and v-NNNN-VM. At
> hypervisors, all attempts were failing because the libvirtd didn't accept a
> vnc_password bigger than 8 chars.
>
> libvirtd[44140]: unsupported configuration: VNC password is 22 characters
> long, only 8 permitted
>
> Then, I changed the vnc_passwords directly in the database.
>
> In manager, generate the string for password 12345678:
>
> java -cp /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar
> org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="12345678"
> password="DATABASE_KEY"
>
> ----OUTPUT----------------------
> ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5
>
> In database, update to new value:
> update vm_instance set vnc_password = "ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5="
> where name like "s-%" or name like "v-%";
>
> After that, using an 8 chars password, all system VMs started fine!
>
> In https://qemu-project.gitlab.io/qemu/system/vnc-security.html we can
> see:
>
> *The VNC protocol has limited support for password based authentication.
> Since the protocol limits passwords to 8 characters it should not be
> considered to provide high security.*
>
> Before my tests with Libvirt 8 I was using Libvirt 6 with Ubuntu 20.04. It
> looks like Libvirt 6 just drops what is after 8 chars in passwords. So,
> sending a bigger password does not increase the security because the
> protocol has the limitation, right?
>
> In Libvirt 8 some modification is generating a Warning/Error. This shows
> something about that modification:
>
> https://www.mail-archive.com/libvir-list@redhat.com/msg224586.html
>
> That warning/error is causing System VMs to not start! So, to use Libvirt 8
> with CloudStack I think vnc_password length needs to be 8 in some way
> because Libvirt 8 is not dropping anymore what is bigger than that.
>
> Thanks!
> :)
Re: Problem with libvirt 8 and domain VNC passwords.
Posted by Jorge Luiz Correa <jo...@embrapa.br.INVALID>.
Just to confirm the incompatibility. When Zone was enabled, the CS manager
started to try to launch some system VMs like s-NNNN-VM and v-NNNN-VM. At
hypervisors, all attempts were failing because the libvirtd didn't accept a
vnc_password bigger than 8 chars.
libvirtd[44140]: unsupported configuration: VNC password is 22 characters
long, only 8 permitted
Then, I changed the vnc_passwords directly in the database.
In manager, generate the string for password 12345678:
java -cp /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="12345678"
password="DATABASE_KEY"
----OUTPUT----------------------
ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5
In database, update to new value:
update vm_instance set vnc_password = "ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5="
where name like "s-%" or name like "v-%";
After that, using an 8 chars password, all system VMs started fine!
In https://qemu-project.gitlab.io/qemu/system/vnc-security.html we can see:
*The VNC protocol has limited support for password based authentication.
Since the protocol limits passwords to 8 characters it should not be
considered to provide high security.*
Before my tests with Libvirt 8 I was using Libvirt 6 with Ubuntu 20.04. It
looks like Libvirt 6 just drops what is after 8 chars in passwords. So,
sending a bigger password does not increase the security because the
protocol has the limitation, right?
In Libvirt 8 some modification is generating a Warning/Error. This shows
something about that modification:
https://www.mail-archive.com/libvir-list@redhat.com/msg224586.html
That warning/error is causing System VMs to not start! So, to use Libvirt 8
with CloudStack I think vnc_password length needs to be 8 in some way
because Libvirt 8 is not dropping anymore what is bigger than that.
Thanks!
:)
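Added example (not part of the original thread and not CloudStack's own code): a pre-upgrade check for the failure discussed above. It parses libvirt domain XML and reports every VNC graphics device whose password exceeds the 8-byte limit, without echoing the password. The domain names and passwords in SAMPLE_DOMAINS are constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

VNC_MAX_BYTES = 8  # VNC auth derives a DES key from at most 8 password bytes

# Constructed domain XML for illustration; names and passwords are made up.
SAMPLE_DOMAINS = {
    "s-1-VM": """<domain type='kvm'><name>s-1-VM</name><devices>
        <graphics type='vnc' port='-1' passwd='Zq3vT8mK1pL0sW9dR4bN7c'/>
      </devices></domain>""",
    "v-2-VM": """<domain type='kvm'><name>v-2-VM</name><devices>
        <graphics type='vnc' port='-1' passwd='12345678'/>
      </devices></domain>""",
    "i-3-VM": """<domain type='kvm'><name>i-3-VM</name><devices>
        <graphics type='spice' port='-1' passwd='a-long-spice-password'/>
        <graphics type='vnc' port='-1'/>
      </devices></domain>""",
}


def audit_vnc_passwords(domains):
    """Classify every VNC <graphics> element; never echo the password itself."""
    findings = []
    for name, xml_text in sorted(domains.items()):
        for gfx in ET.fromstring(xml_text).iter("graphics"):
            if gfx.get("type") != "vnc":
                continue  # the 8-byte limit is specific to VNC authentication
            passwd = gfx.get("passwd")
            if passwd is None:
                status, length = "no-password", 0
            else:
                length = len(passwd.encode("utf-8"))
                status = "too-long" if length > VNC_MAX_BYTES else "ok"
            findings.append({"domain": name, "length": length, "status": status})
    return findings


def blocked_domains(findings):
    """Domains libvirt 8 would refuse to start with the error quoted in the thread."""
    return [f["domain"] for f in findings if f["status"] == "too-long"]


if __name__ == "__main__":
    for f in audit_vnc_passwords(SAMPLE_DOMAINS):
        print(f"{f['domain']}: VNC password length {f['length']} -> {f['status']}")
```

On a host, the XML would come from `virsh dumpxml --security-info <domain>`, since libvirt omits the passwd attribute without that flag.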