OpenStack Compute (nova)

set_admin_password in the libvirt driver does not save the password in system metadata

Bug #1748544 reported by melanie witt
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
melanie witt
Pike
Fix Committed
Medium
Matt Riedemann
Queens
Fix Committed
Medium
Matt Riedemann

Bug Description

We have an API for setting the admin password for an already created
instance and we have a metadata API for retrieving the encrypted
password. In the libvirt driver, when a request to set the admin
password is received, it is indeed set in the guest but the instance
system metadata is never updated with the encrypted password, so
attempts to retrieve the password via the metadata service API result
in an empty string returned instead of the encrypted password.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/543032

Changed in nova:
status: New → In Progress
Revision history for this message
melanie witt (melwitt) wrote :

Related tempest change is here: https://review.openstack.org/543029

Revision history for this message
melanie witt (melwitt) wrote :

I was able to test the proposed patch with devstack by booting an instance with an ubuntu cloud image with hw_qemu_guest_agent=yes and then installing the qemu-guest-agent in the instance.

Before this patch:

 $ nova set-password test
 New password:
 Again:

 $ nova get-password test

After this patch:

 $ nova set-password test
 New password:
 Again:

 $ nova get-password test
 eEv1bBKyjwt5OItQG1Bw+Qk6Ur0x2s8oIYhrEtsR9zIecAoSG9OqmVsRUVYbUF68TQw4p3iMpndABcsNu
 ub/B2aBgxuRqeFP5TMss/FD91kOp8bUDWJ+GthneoDGTd7cS73UfSK41hqPkqTJRouWiRksisGbJefk7cj4
 uIqOBGU9vPuG+XmGXRA8nVxdw7zw5vQx78/sAKRpgt4oge3rEhSSOK7iO4L6aLx8ufOC16HgD/qpUcVu
 ctf0Oiy0W2t8h0YG+eEBiGyYUGBeZVRhCb2kXyXt77QGVTvSQZqVst81B9dK5DpUGGP1NOYHRq49xo6
 37blpuHpDMDO+3t70qg==

 $ nova get-password test somekey.private
 foo

melanie witt (melwitt)
tags: added: metadata
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack)
Changed in nova:
assignee: melanie witt (melwitt) → Matt Riedemann (mriedem)
Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → melanie witt (melwitt)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/543032
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=715a3cadb07fb92cc11542cfb5001844122b6f60
Submitter: Zuul
Branch: master

commit 715a3cadb07fb92cc11542cfb5001844122b6f60
Author: melanie witt <email address hidden>
Date: Fri Feb 9 19:43:30 2018 +0000

    Save admin password to sysmeta in libvirt driver

    We have an API for setting the admin password for an already created
    instance and we have a metadata API for retrieving the encrypted
    password. In the libvirt driver, when a request to set the admin
    password is received, it is indeed set in the guest but the instance
    system metadata is never updated with the encrypted password, so
    attempts to retrieve the password via the metadata service API result
    in an empty string returned instead of the encrypted password.

    This has been broken in the libvirt driver since the set admin password
    password feature was added, as far as I can tell. The xen api driver,
    however, handles the same thing correctly and this adds similar logic
    to the libvirt driver to fix the problem.

    Closes-Bug: #1748544

    Change-Id: Icf44c4c94529cb75232abe1f3ecc5a4d3646b0cc

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/550489

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/550498

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/550489
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6ed7fc11459eb5a69088630e5ea4d12e441f80f2
Submitter: Zuul
Branch: stable/queens

commit 6ed7fc11459eb5a69088630e5ea4d12e441f80f2
Author: melanie witt <email address hidden>
Date: Fri Feb 9 19:43:30 2018 +0000

    Save admin password to sysmeta in libvirt driver

    We have an API for setting the admin password for an already created
    instance and we have a metadata API for retrieving the encrypted
    password. In the libvirt driver, when a request to set the admin
    password is received, it is indeed set in the guest but the instance
    system metadata is never updated with the encrypted password, so
    attempts to retrieve the password via the metadata service API result
    in an empty string returned instead of the encrypted password.

    This has been broken in the libvirt driver since the set admin password
    password feature was added, as far as I can tell. The xen api driver,
    however, handles the same thing correctly and this adds similar logic
    to the libvirt driver to fix the problem.

    Closes-Bug: #1748544

    Change-Id: Icf44c4c94529cb75232abe1f3ecc5a4d3646b0cc
    (cherry picked from commit 715a3cadb07fb92cc11542cfb5001844122b6f60)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/550498
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=685f174eaa2086166b04dcb6b49bb0b1a7c23642
Submitter: Zuul
Branch: stable/pike

commit 685f174eaa2086166b04dcb6b49bb0b1a7c23642
Author: melanie witt <email address hidden>
Date: Fri Feb 9 19:43:30 2018 +0000

    Save admin password to sysmeta in libvirt driver

    We have an API for setting the admin password for an already created
    instance and we have a metadata API for retrieving the encrypted
    password. In the libvirt driver, when a request to set the admin
    password is received, it is indeed set in the guest but the instance
    system metadata is never updated with the encrypted password, so
    attempts to retrieve the password via the metadata service API result
    in an empty string returned instead of the encrypted password.

    This has been broken in the libvirt driver since the set admin password
    password feature was added, as far as I can tell. The xen api driver,
    however, handles the same thing correctly and this adds similar logic
    to the libvirt driver to fix the problem.

    Closes-Bug: #1748544

    Change-Id: Icf44c4c94529cb75232abe1f3ecc5a4d3646b0cc
    (cherry picked from commit 715a3cadb07fb92cc11542cfb5001844122b6f60)
    (cherry picked from commit 6ed7fc11459eb5a69088630e5ea4d12e441f80f2)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.2

This issue was fixed in the openstack/nova 17.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.1.1

This issue was fixed in the openstack/nova 16.1.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 18.0.0.0b1

This issue was fixed in the openstack/nova 18.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.