Bug #35024

Foreman Libvirt Plugin requesting +8 chars for remote console VNC Password

Added by Matt Darcy 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Compute resources - libvirt
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

VNC is limited to 8 characters for the console password. Libvirt is used to set this password when provisioning guests via the Libvirt Foreman plugin.
Before Libvirt 8.0, more than 8 characters could be requested for the VNC console password; libvirt would truncate the characters beyond the 8-character limit, with no error or warning suggesting that the user had a +8 character password, when in fact they only had 8 characters.

In Libvirt 8.0 the libvirt team has enforced the 8-character limit so that people know they are limited to 8 characters for the VNC password. This Libvirt version was introduced sometime in the EL 8-Stream cycle (8.0.0-6 confirmed as a broken version).

Foreman provisioning a Libvirt guest against an EL8-stream host running Libvirt 8.X will generate the error:

Failed to create a compute $hostname KVM (Libvirt) instance $guestname: Error saving the server: Call to virDomainDefineXML failed: unsupported configuration: VNC password is 16 characters long, only 8 permitted

This will stop all provisioning tasks against hosts with Libvirt 8.0.X or later.

There has been discussion in the Foreman IRC channel about workarounds, but these seem to weaken the overall security posture of Foreman's password capability.

[ included for reference ]

[Friday, June 3, 2022] [3:26:12 PM CEST] <lero> hi folks. it seems libvirt 8.0.0 (rhel 8.6) is now limiting the VNC password length to 8 chars and foreman does 16, which is breaking.
[Friday, June 3, 2022] [3:27:06 PM CEST] <lero> https://paste.centos.org/view/raw/c4b0683d
[Friday, June 3, 2022] [3:27:41 PM CEST] <lero> https://www.mail-archive.com/libvir-list@redhat.com/msg224586.html
[Friday, June 3, 2022] [3:28:05 PM CEST] <lero> is there an easy way to patch Foreman?
[Friday, June 3, 2022] [3:28:22 PM CEST] <lero> I didn't look yet where it does it or so
[Friday, June 3, 2022] [3:28:30 PM CEST] <lero> maybe you folks know it already :)
[Friday, June 3, 2022] [3:32:39 PM CEST] <aruzicka_> lero: hi, for a quick and dirty fix just try changing 8 to 4 in random_password at line 429 in ~foreman/app/models/compute_resource.rb
[Friday, June 3, 2022] [3:32:52 PM CEST] <aruzicka_> just beware that it will affect other compute resources as well if you have any
[Friday, June 3, 2022] [3:33:15 PM CEST] <aruzicka_> in the meantime, could you file us an issue? Or even better, take a stab at putting together a proper fix?
[Friday, June 3, 2022] [3:35:24 PM CEST] <lero> aruzicka_: cool, I just saw the def random_password on compute_resource and was playing around :)
[Friday, June 3, 2022] [3:35:47 PM CEST] <lero> yeah, I'll try to do it on the weekend
[Friday, June 3, 2022] [3:38:11 PM CEST] <aruzicka_> feel free to reach out if you need anything
[Friday, June 3, 2022] [3:38:18 PM CEST] <aruzicka_> although probably not during the weekend :)
[Friday, June 3, 2022] [3:56:07 PM CEST] <lero> aruzicka_: but we use that random_password to other things right
[Friday, June 3, 2022] [3:56:17 PM CEST] <lero> so reducing to 8 digits is not a good idea maybe?
[Friday, June 3, 2022] [3:56:43 PM CEST] <lero> so maybe better to create a vnc_random_password() limited to 8?
[Friday, June 3, 2022] [3:57:24 PM CEST] <aruzicka_> that was a quick and dirty solution to unblock you, proper one would be to override the random_password method in app/models/compute_resources/foreman/mode/libvirt.rb
[Friday, June 3, 2022] [3:57:39 PM CEST] <aruzicka_> which inherits from the generic compute resource
[Friday, June 3, 2022] [3:59:48 PM CEST] <lero> hmm ok
[Friday, June 3, 2022] [3:59:54 PM CEST] <lero> I'll have a look this weekend :)

[ end ]

A requirement to have the VNC password for the Libvirt provisioning plugin as a separate password option (or hardcoded to 8 chars) is needed to return EL8 hosts to active virtual machine hosts on Libvirt.
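The per-provider override discussed in the report, as an added sketch that is not part of the original issue and is not Foreman's code. The class names, the `define_domain` check and the use of `SecureRandom.hex(8)` for the generic 16-character password are assumptions chosen to match the quoted error; the entropy figures show why 8 alphanumeric characters lose less strength than the "change 8 to 4" hex workaround.

```ruby
require 'securerandom'

VNC_MAX_LEN = 8 # limit enforced by libvirt >= 8.0, per the error quoted in the report

# Hypothetical stand-in for the generic compute resource (not Foreman's class).
class GenericComputeResource
  # Assumption: 16 hex characters, matching "VNC password is 16 characters long".
  def random_password
    SecureRandom.hex(8)
  end
end

# Hypothetical libvirt subclass: only the console password changes here,
# so other compute resources keep their 16-character passwords.
class LibvirtComputeResource < GenericComputeResource
  def random_password
    # 62-symbol alphabet instead of 16 hex symbols, still 8 characters.
    SecureRandom.alphanumeric(VNC_MAX_LEN)
  end
end

# Emulates the length check only; the message text is copied from the report.
def define_domain(vnc_password)
  len = vnc_password.length
  if len > VNC_MAX_LEN
    raise ArgumentError, 'unsupported configuration: VNC password is ' \
                         "#{len} characters long, only #{VNC_MAX_LEN} permitted"
  end
  :defined
end

# Bits of entropy for a uniformly random password over a given alphabet.
def entropy_bits(alphabet_size, length)
  (length * Math.log2(alphabet_size)).round(1)
end

[GenericComputeResource, LibvirtComputeResource].each do |klass|
  begin
    puts "#{klass}: #{define_domain(klass.new.random_password)}"
  rescue ArgumentError => e
    puts "#{klass}: #{e.message}"
  end
end
puts "16 hex chars: #{entropy_bits(16, 16)} bits"
puts "8 hex chars (hex(4) workaround): #{entropy_bits(16, 8)} bits"
puts "8 alphanumeric chars: #{entropy_bits(62, 8)} bits"
```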


Related issues

Related to Foreman - Bug #35035: VM creation is broken with libvirt >= 8.0.0 (Closed)

History

#1 Updated by Robert Frank about 2 months ago

  • Related to Bug #35035: VM creation is broken with libvirt >= 8.0.0 added
