Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive#2705

Merged
PaulAngus merged 1 commit intoapache:4.11apache/cloudstack:4.11from
nuagenetworks:bugfix/CLOUDSTACK-10381nuagenetworks/cloudstack:bugfix/CLOUDSTACK-10381Copy head branch name to clipboard
Jun 11, 2018
Merged

CLOUDSTACK-10381: Fix password reset / reset ssh key with ConfigDrive#2705
PaulAngus merged 1 commit intoapache:4.11apache/cloudstack:4.11from
nuagenetworks:bugfix/CLOUDSTACK-10381nuagenetworks/cloudstack:bugfix/CLOUDSTACK-10381Copy head branch name to clipboard

Conversation

@fmaximus
Copy link
Contributor

@fmaximus fmaximus commented Jun 8, 2018

Description

Let ConfigDriveElement remember the new password,
so it can be put on the ConfigDrive iso while vm is starting.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

How Has This Been Tested?

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
    Testing
  • I have added tests to cover my changes.
  • All relevant new and existing integration tests have passed.
  • A full integration testsuite with all test that can run on my environment has passed.

@fmaximus fmaximus added this to the 4.11.1.0 milestone Jun 8, 2018
@fmaximus fmaximus self-assigned this Jun 8, 2018
@fmaximus fmaximus requested a review from yadvr June 8, 2018 16:53
@yadvr
Copy link
Member

yadvr commented Jun 8, 2018

@blueorangutan package

@blueorangutan
Copy link

blueorangutan commented Jun 8, 2018

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

DaanHoogland
DaanHoogland reviewed Jun 8, 2018
View reviewed changes
Copy link
Contributor

@DaanHoogland DaanHoogland left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

neat trick, how did you test this? I think there might be a problem with the ssh key method.

server/src/com/cloud/network/element/ConfigDriveNetworkElement.java
final boolean canHandle = canHandle(network.getTrafficType());

if (canHandle) {
storePasswordInVmDetails(vm);
Copy link
Contributor

@DaanHoogland DaanHoogland Jun 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we storing passwd on saveSSHKey, @fmaximus ?

Copy link
Member

@yadvr yadvr Jun 11, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I may be wrong, but when I tested it I could see different passwords in the isos before shutdown and post-reset password and startup of the VM @fmaximus. Have you tested this against a normal config drive enabled network such as a L2 network?

Copy link
Contributor Author

@fmaximus fmaximus Jun 11, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SaveSshKey implicitly also resets the password. So I'm also saving it in this case.

@blueorangutan
Copy link

blueorangutan commented Jun 8, 2018

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-2111

@PaulAngus
Copy link
Member

PaulAngus commented Jun 8, 2018

From what i read, it looks to me like you're using the standard encryption algorithm to store the users' password - I would be quite strongly opposed to storing these passwords (and i think that people would have compliance issues) outside of a proper 'vault'.

I'd also ask if the password is removed from the config drive once a VM has booted.

rafaelweingartner
rafaelweingartner reviewed Jun 8, 2018
View reviewed changes
server/src/com/cloud/network/element/ConfigDriveNetworkElement.java
/**
* Store password in vm details so it can be picked up during VM start.
*/
private void storePasswordInVmDetails(VirtualMachineProfile vm) {
Copy link
Member

@rafaelweingartner rafaelweingartner Jun 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind creating a unit test for this method?

yadvr
yadvr requested changes Jun 11, 2018
View reviewed changes
Copy link
Member

@yadvr yadvr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Questions pending.

server/src/com/cloud/network/element/ConfigDriveNetworkElement.java
final boolean canHandle = canHandle(network.getTrafficType());

if (canHandle) {
storePasswordInVmDetails(vm);
Copy link
Member

@yadvr yadvr Jun 11, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I may be wrong, but when I tested it I could see different passwords in the isos before shutdown and post-reset password and startup of the VM @fmaximus. Have you tested this against a normal config drive enabled network such as a L2 network?

@fmaximus
Copy link
Contributor Author

fmaximus commented Jun 11, 2018

I've used the same code as is used in VRElement, when VR is stopped.
There it's delayed to when the VM is starting, as by then the VR is running.

We've looked at removing the password from the config drive, it soon becomes complex.

  • As you can't be certain that the password has been requested (like in VR),
    you don't know for sure when to remove it.
  • The only way to remove it is to build a new iso, and change the config drive disk.
    This can only be done safely when the VM is stopped.

@yadvr
Copy link
Member

yadvr commented Jun 11, 2018

@fmaximus yes, it is a requirement that VM is stopped for doing password reset and this also ensures that a new ISO will be built when VM is started (if config drive is enabled/available). Per the apidocs, similar to the reset SSH key API I've added a check that will not allow reset password API to work if VM is not stopped. /cc @PaulAngus @DaanHoogland

yadvr
yadvr approved these changes Jun 11, 2018
View reviewed changes
Copy link
Member

@yadvr yadvr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, if password is not saved/seen in the config drive post-reset API and start of VM.

@PaulAngus
Copy link
Member

PaulAngus commented Jun 11, 2018

LGTM - tested by;
creating an L2 network with configdrive
marking a template as password enabled and then starting the built-in template
inspecting config drive i can find password file with correct password inside
stopping and starting vm, password file is removed
stopping vm and resetting password
after starting VM password file has correct password
stopping and starting vm, password file is removed again.

@DaanHoogland
Copy link
Contributor

DaanHoogland commented Jun 11, 2018

@rhtyd you approve and say LGTM but then say "if..." effectively -1ing the PR. the password will remain available in the configdrive until it is rereated, won't it? @fmaximus am I seeing this wrong?

@PaulAngus PaulAngus merged commit 3b89e02 into apache:4.11 Jun 11, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaanHoogland DaanHoogland DaanHoogland left review comments

@rafaelweingartner rafaelweingartner rafaelweingartner left review comments

@yadvr yadvr yadvr approved these changes

Assignees

@fmaximus fmaximus

Labels

status:work-in-progress type:bug

Projects

None yet

Milestone

4.11.1.0

Development

Successfully merging this pull request may close these issues.

6 participants

@fmaximus @yadvr @blueorangutan @PaulAngus @DaanHoogland @rafaelweingartner
Morty Proxy This is a proxified and sanitized view of the page, visit original site.