remotely executed netcat (nc) uses -q option which is not universally supported

Bug #517478 reported by zigi
38
This bug affects 7 people
Affects Status Importance Assigned to Milestone
libvirt
Fix Released
Medium
libvirt (CentOS)
Unknown
libvirt (Fedora)
Invalid
Medium
libvirt (Ubuntu)
Low
Unassigned
virt-manager (Fedora)
Fix Released
Medium

Bug Description

I Can't connect to none-debian based distros with remote tunel over SSH (qemu+ssh) - virsh / virt-manager.

LIBVIRT_DEBUG=1 virsh -c qemu+ssh://<email address hidden>/system:
...
debug : virExecWithHook:620 : ssh -l root xxx.xxx.xxx.xxx nc -q 0 -U /var/run/libvirt/libvirt-sock
...

As you can see nc is executed with -q option. This option isn't universally supported (at least in CentOS, Fedora, RedHat, OpenSuse), it's debian patch.

My system is (K)Ubuntu 10.04 Lucid:
libvirt - 0.7.5-5ubuntu5
netcat-openbsd - 1.89-3ubuntu1
virt-manager - 0.8.2-2ubuntu1

Patches which cause this problem:
libvirt : 0006-Terminate-nc-on-EOF.patch
virt-manager : 0003-Make-sure-we-quit-afer-EOF-on-stdin.patch

Solutions:
Disable these patches until the nc patch "quit-timer.patch" will be accepted by upstream or distributed into other main distributions.

Related branches

Revision history for this message
zigi (ziegleka) wrote :

virsh;
$ virsh -c qemu+ssh://<email address hidden>/system
error: server closed connection
error: failed to connect to the hypervisor

virt-manager:
Unable to open connection to hypervisor URI 'qemu+ssh://<email address hidden>/system':
server closed connection
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 896, in _try_open
    None], flags)
  File "/usr/lib/python2.6/dist-packages/libvirt.py", line 111, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: server closed connection

Maybe you need to install ssh-askpass in order to authenticate.

Revision history for this message
zigi (ziegleka) wrote :
Revision history for this message
zigi (ziegleka) wrote :

You can fix it temporarily by installing a version of nc which recognizes the -q option on the remote server. You can try my workaround.

On ubuntu system:
# apt-get install build-essential quilt

$ cd /usr/src
$ apt-get source netcat-openbsd
$ cd ./netcat-openbsd-1.89
$ ./debian/rules

Now you have in current directory patched version which you download on the remote server and there compile it.

Revision history for this message
zigi (ziegleka) wrote :
Revision history for this message
In , Ziegler (ziegler-redhat-bugs) wrote :

Description of problem:

From debian-based distributions (Ubuntu in my case) I can't connect to none-debian based distros with remote tunel over SSH (qemu+ssh) - virsh / virt-manager.

I attach patch from Ubuntu (Debian) which is applied on nc. This patch adds q option [quit after EOF on stdin and delay of secs (-1 to not quit)].

How reproducible:
Ubuntu 9.10 (10.04) as administrator desktop system.
RedHat as server system.

Steps to Reproduce:
1. From Ubuntu to RedHat (xxx.xxx.xxx.xxx)
$ virsh -c qemu+ssh://<email address hidden>/system

Actual results:
Can't connect to libvirt via virsh / virt-manager from Ubuntu.

Expected results:
Can connect to libvirt via virsh / virt-manager from Ubuntu.

Additional info:
I use Fedora and CentOS on my host machines (servers) and Ubuntu on my desktop.

Reported as bug:
for Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/517478
for CentOS: http://bugs.centos.org/view.php?id=4188

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

I'm setting proper flags for product management to consider inclusion in RHEL 5.6

Revision history for this message
In , Ziegler (ziegler-redhat-bugs) wrote :

Created attachment 389086
nc -q option patch

Revision history for this message
zigi (ziegleka) wrote :
Revision history for this message
zigi (ziegleka) wrote :

Can't connect from RedHat based systems: https://bugzilla.redhat.com/show_bug.cgi?id=517778

Scott Moser (smoser)
Changed in libvirt (Ubuntu):
importance: Undecided → Low
Revision history for this message
Martin Emrich (emme) wrote :

Same here (Client: Ubuntu 9.10, libvirt server: CentOS 5.4). The patch in Bug #474107 fixes it for me.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Revision history for this message
brainstorm (brainstorm) wrote :

Bug #474107 does not fix it for me since libvirt itself (virsh) is using -q anyway on new releases:

LIBVIRT_DEBUG=1 virsh -c qemu+ssh://root@xxxx/system

It seems that "nc -q" code is present on libvirt itself too:

13:55:49.688: debug : doRemoteOpen:564 : proceeding with name = qemu:///system
13:55:49.688: debug : virExecWithHook:640 : ssh -l root xxxx nc -q 0 -U /var/run/libvirt/libvirt-sock
13:55:49.701: debug : remoteIO:8431 : Do proc=66 serial=0 length=28 wait=(nil)
13:55:49.702: debug : remoteIO:8493 : We have the buck 66 0xb76f8008 0xb76f8008
13:55:50.049: debug : remoteIOEventLoop:8378 : Giving up the buck due to I/O error 66 0xb76f8008 (nil)
13:55:50.049: debug : do_open:1126 : driver 4 remote returned ERROR

Putting a nc binary that supports "-q" flag under /usr/local/bin fixes it for me, see (as zigi wrote):

http://bugs.centos.org/view.php?id=4188

Revision history for this message
zigi (ziegleka) wrote :
Revision history for this message
zigi (ziegleka) wrote :

Libvirt should use similar hack like in virt-manager (from previous RedHat's bugzilla report):

"we pass a shell script as the SSH command, and try
to detect these incompatibilities. It's definitely a hack, but we don't have a
lot of options:

http://hg.fedorahosted.org/hg/virt-manager/rev/1f781890ea4a "

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I've built updated libvirt packages in my testing PPA that should fix this:

https://launchpad.net/~mdeslaur/+archive/testing

Please test them and indicate here if they solve the issue for you.

Thanks

Revision history for this message
zigi (ziegleka) wrote :

@Marc Deslauriers:

Nice work, your version works just fine. Please upload your patch to upstream.

Marc, can you give me advice, how to start with patching/bug fixing, making own packages and building own PPA repository, thank you.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

@zigi:

Thanks for testing, I'll upload it today.

off topic: This link has the info you are looking for: https://wiki.ubuntu.com/UbuntuDevelopment

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.5-5ubuntu10

---------------
libvirt (0.7.5-5ubuntu10) lucid; urgency=low

  * debian/patches/9015-autodetect-nc-params.patch: autodetect if the
    remote nc command supports the -q option. (LP: #517478)
  * debian/patches/0006-Terminate-nc-on-EOF.patch: disabled
    as the previous patch replaces it.
 -- Marc Deslauriers <email address hidden> Thu, 04 Mar 2010 07:58:52 -0500

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
In , Marc (marc-redhat-bugs-1) wrote :

Created attachment 397928
Patch to autodetect netcat parameters

Debian/Ubuntu hosts need to add "-q 0" to netcat to properly quit. A similar bug existed in virt-manager:

https://bugzilla.redhat.com/show_bug.cgi?id=517778

Attached is a patch for libvirt that uses the same technique as virt-manager now does to autodetect if the remote netcat tool needs the -q parameter.

Based on the following virt-manager commit:

http://hg.fedorahosted.org/hg/virt-manager/rev/1f781890ea4a

Revision history for this message
In , Cole (cole-redhat-bugs) wrote :

I posted a similar patch upstream last month:

https://www.redhat.com/archives/libvir-list/2010-February/msg00444.html

Danpb wasn't a fan of it (understandably) and suggested a long term approach of making a custom helper to drop in /usr/libexec so that we don't need to rely on 'nc'.

However, until that work is done, it would be nice if one of these patches could be applied.

Revision history for this message
In , Ziegler (ziegler-redhat-bugs) wrote :

Created attachment 399858
autodetect nc params

This patch was written by Marc Deslauriers from Ubuntu and inspired by http://hg.fedorahosted.org/hg/virt-manager/rev/1f781890ea4a and I hope that Marc sent this patch to upstream.

Revision history for this message
Raghav (raghavendrac) wrote :

@Marc Deslauriers

Hi this is Raghav I have installed 10.04 Lucid beta 2 Desktop and also have ssh askpass;

I have virt-manager version 0.8.2;

I have made the changes to console.py and invoke virt-manager; i still face the problem
Unable to open connection to hypervisor URI qemu+ssh://root@10.18.14.186/system
cannot recv data : connection reset by peer

May beyou need to install ssh askpass; Could you pls let me know how to fix this issue

zigi (ziegleka)
tags: added: karmic lucid
Revision history for this message
zigi (ziegleka) wrote :

@Raghav

After virt-manager (0.8.2-2ubuntu4) and libvirt (0.7.5-5ubuntu10) were released you don't have to patch virt-manager.

Actually I don't use ssh keys with password for virt-manager (no X ssh-askpass installed) and I have installed these packages:

libvirt-bin 0.7.5-5ubuntu27
libvirt0 0.7.5-5ubuntu27
libvirt0-dbg 0.7.5-5ubuntu27
python-libvirt 0.7.5-5ubuntu27
virt-manager 0.8.2-2ubuntu8

I can normaly manage remote systems via virt-manager and virsh.

Revision history for this message
Raghav (raghavendrac) wrote : Re: [Bug 517478] Re: remotely executed netcat (nc) uses -q option which is not universally supported

@Zigi
MAny thanks for the support
it resolved the issue
Raghav

******************************************************************************************
 This email and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained here in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this email in error, please notify the sender by phone or email immediately and delete it!
 *****************************************************************************************

----- Original Message -----
From: zigi <email address hidden>
Date: Sunday, April 25, 2010 12:46 pm
Subject: [Bug 517478] Re: remotely executed netcat (nc) uses -q option which is not universally supported
To: <email address hidden>

> @Raghav
>
> After virt-manager (0.8.2-2ubuntu4) and libvirt (0.7.5-5ubuntu10) were
> released you don't have to patch virt-manager.
>
> Actually I don't use ssh keys with password for virt-manager (no X
> ssh-
> askpass installed) and I have installed these packages:
>
> libvirt-bin 0.7.5-5ubuntu27
> libvirt0 0.7.5-5ubuntu27
> libvirt0-dbg 0.7.5-5ubuntu27
> python-libvirt 0.7.5-5ubuntu27
> virt-manager 0.8.2-2ubuntu8
>
> I can normaly manage remote systems via virt-manager and virsh.
>
> --
> remotely executed netcat (nc) uses -q option which is not
> universally supported
> https://bugs.launchpad.net/bugs/517478
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in libvirt virtualization API: Unknown
> Status in “libvirt” package in Ubuntu: Fix Released
> Status in “libvirt” package in CentOS: Unknown
> Status in “libvirt” package in Fedora: Unknown
> Status in “virt-manager” package in Fedora: Unknown
>
> Bug description:
> I Can't connect to none-debian based distros with remote tunel
> over SSH (qemu+ssh) - virsh / virt-manager.
>
> LIBVIRT_DEBUG=1 virsh -c qemu+ssh://<email address hidden>/system:
> ...
> debug : virExecWithHook:620 : ssh -l root xxx.xxx.xxx.xxx nc -q 0 -
> U /var/run/libvirt/libvirt-sock
> ...
>
> As you can see nc is executed with -q option. This option isn't
> universally supported (at least in CentOS, Fedora, RedHat,
> OpenSuse), it's debian patch.
>
> My system is (K)Ubuntu 10.04 Lucid:
> libvirt - 0.7.5-5ubuntu5
> netcat-openbsd - 1.89-3ubuntu1
> virt-manager - 0.8.2-2ubuntu1
>
> Patches which cause this problem:
> libvirt : 0006-Terminate-nc-on-EOF.patch
> virt-manager : 0003-Make-sure-we-quit-afer-EOF-on-stdin.patch
>
> Solutions:
> Disable these patches until the nc patch "quit-timer.patch" will
> be accepted by upstream or distributed into other main distributions.
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/libvirt/+bug/517478/+subscribe
>

Revision history for this message
glance (glance-acc) wrote :

Sorry but this "fix" breaks ssh-connections for everyone not using a sh-based shell as login-shell.

I personally use tcsh as login shell and "nc -q 2>&1 | grep -q 'requires an argument';if [ $? -eq 0 ] ; then CMD='-q 0';else CMD='';fi;" isn't valid csh line.

glance (glance-acc)
tags: added: regression-potential
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

@glance: please open a new bug for that. Thanks.

tags: removed: regression-potential
Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

I don't really like the idea of adding more options not accepted upstream.
Moreover, EL5+ and Fedora netcats quit after SIGHUP so I don't really see a problem there.

If anything, libvirt shouldn't rely on such made-up option.

Could you elaborate on what's actually expected?

Changed in libvirt (CentOS):
status: Unknown → New
Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

Apparently Debian patched their client.

There's no need to add an exception to server for this; closing.

Revision history for this message
In , Eric (eric-redhat-bugs) wrote :

Fixed in 0.9.7 with this commit:

commit a2b5c57db83559d4fe32ee90fbb6685555388e06
Author: Guido Günther <email address hidden>
Date: Fri Jul 8 21:07:29 2011 +0200

    Autodetect if the remote nc command supports the -q option

    Based on a patch by Marc Deslauriers <email address hidden>

    RH: https://bugzilla.redhat.com/show_bug.cgi?id=562176
    Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/517478
    Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573172

Changed in virt-manager (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in libvirt (Fedora):
importance: Unknown → Medium
status: Unknown → Invalid
Changed in libvirt:
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.