cloudstack-issues mailing list archives

From "dsclose (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-9058) Password server causes Windows VMs to switch to blank passwords after each reboot
Date Thu, 12 Nov 2015 08:04:10 GMT
dsclose created CLOUDSTACK-9058:
-----------------------------------

             Summary: Password server causes Windows VMs to switch to blank passwords after each reboot
                 Key: CLOUDSTACK-9058
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9058
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: ISO, Virtual Router
    Affects Versions: 4.5.2
            Reporter: dsclose
            Priority: Critical


Previous versions of the systemvm.iso used a shell script to serve passwords. In response
to a "send_my_password" query, if no password was to be served, the /opt/cloud/bin/serve_password.sh
script would issue a response with "saved_password" in the body.

The new version of the systemvm.iso supersedes serve_password.sh with a Python script at /opt/cloud/bin/passwd_server_ip.py.
This script's behaviour is different to the original serve_password.sh. In response to a "send_my_password"
query, if no password was to be served, the /opt/cloud/bin/passwd_server_ip.py script issues
an empty response.

Linux guests handle this appropriately. The cloud-set-guest-password init script uses a case
statement to ignore blank responses. I've not been able to examine the code for the equivalent
Windows guest service but it responds very differently.

If a Windows guest receives a blank response from the password server then it assumes that
the password needs to be blank. The log on the Windows guest reports the following:

[INFO] Need to set new password for this VM. First letter in password :  
[INFO] New password has been set for this VM

The Windows guest expects a "saved_password" response if a password isn't being issued. If
it receives this response then it logs the following:

[INFO] No need to set password, because http://10.1.1.1:8080/ said so with response saved_password

Because the password server is queried every time the Windows service starts, this will result
in the guest adopting a blank password every time it is rebooted or the service is restarted.
It's probably unrealistic to consider updating the Windows service in every guest currently
running in CloudStack. As such it looks like the password server's behaviour needs to be adjusted
to match the behaviour that guests expect.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
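
Added example, not part of the original report and not CloudStack's code: a Python model of the exchange described above, showing how an empty body versus "saved_password" is interpreted by a guest that does or does not tolerate blank responses, plus a check for the blank-password log line quoted in the report. The function names, the guest IP 10.1.1.50 and the second sample log line are constructed for illustration.

```python
import re

SAVED = "saved_password"  # sentinel body named in the report

def serve_password(pending, guest_ip, request, compat=True):
    """Hypothetical server-side logic; returns the response body."""
    if request != "send_my_password":
        raise ValueError("only send_my_password is modelled here")
    password = pending.get(guest_ip)
    if password:
        return password
    # No password queued: the old script answered with the sentinel,
    # the new one (per the report) answers with an empty body.
    return SAVED if compat else ""

def guest_decision(body, tolerate_blank):
    """Return ("skip", None) or ("set", password) for a response body.

    tolerate_blank=False models the Windows behaviour observed in the report;
    tolerate_blank=True models a guest that ignores blank responses.
    """
    body = body.strip()
    if body == SAVED:
        return ("skip", None)
    if body == "" and tolerate_blank:
        return ("skip", None)
    return ("set", body)

FIRST_LETTER = re.compile(r"First letter in password\s*:\s*(\S?)")

def blank_resets(log_lines):
    """Return the log lines that record a password set with no first letter."""
    hits = []
    for line in log_lines:
        m = FIRST_LETTER.search(line)
        if m and m.group(1) == "":
            hits.append(line)
    return hits

# Constructed sample: line 1 and 3 are quoted from the report, line 2 is made up.
SAMPLE_LOG = [
    "[INFO] Need to set new password for this VM. First letter in password :  ",
    "[INFO] Need to set new password for this VM. First letter in password : K",
    "[INFO] New password has been set for this VM",
]

if __name__ == "__main__":
    for compat in (False, True):
        body = serve_password({}, "10.1.1.50", "send_my_password", compat)
        print(compat, repr(body), guest_decision(body, tolerate_blank=False))
    print(blank_resets(SAMPLE_LOG))
```

Running blank_resets over collected guest service logs gives a quick way to find VMs that have already adopted a blank password.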
