Re: [Qemu-devel] [PATCH] qga: add guest-set-admin-password command

[Daniel P. Berrange]

On Thu, Jan 08, 2015 at 06:21:19PM -0600, Michael Roth wrote:
> Quoting Daniel P. Berrange (2014-12-15 06:47:46)
> > Add a new 'guest-set-admin-password' command for changing the
> > root/administrator password. This command is needed to allow
> > OpenStack to support its API for changing the admin password
> > on a running guest.
> > 
> > Accepts either the raw password string:
> > 
> > $ virsh -c qemu:///system  qemu-agent-command f21x86_64 \
> >    '{ "execute": "guest-set-admin-password", "arguments":
> >      { "crypted": false, "password": "12345678" } }'
> >   {"return":{}}
> > 
> > Or a pre-encrypted string (recommended)
> > 
> > $ virsh -c qemu:///system  qemu-agent-command f21x86_64 \
> >    '{ "execute": "guest-set-admin-password", "arguments":
> >      { "crypted": true, "password":
> >         "$6$T9O/j/aGPrE...snip....rQoRN4F0.GG0MPjNUNyml." } }'
> > 
> > NB windows support is desirable, but not implemented in this
> > patch.
> > 
> > Signed-off-by: Daniel P. Berrange <address@hidden>
> > ---
> >  qga/commands-posix.c | 89 
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  qga/commands-win32.c |  6 ++++
> >  qga/qapi-schema.json | 13 ++++++++
> >  3 files changed, 108 insertions(+)
> > 

> > +
> > +    if (write(datafd[1], acctpw, strlen(acctpw)) != strlen(acctpw)) {
> > +        error_setg(errp, "cannot write new account password");
> > +        goto out;
> > +    }
> 
> We should probably retry on EINTR, and for cases where -1 is returned I
> think error_setg_errno() would be useful.

I'll make it use  qemu_write_full

> > +    if (!WIFEXITED(status)) {
> > +        error_setg(errp, "child process has terminated abnormally");
> > +        goto out;
> > +    }
> > +
> > +    if (WEXITSTATUS(status)) {
> > +        error_setg(errp, "child process has failed to suspend");
> 
> "... has failed to set admin password" or somesuch

Opps yes, copy+paste mistake.


> > diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
> > index 376e79f..202d3be 100644
> > --- a/qga/qapi-schema.json
> > +++ b/qga/qapi-schema.json
> > @@ -738,3 +738,16 @@
> >  ##
> >  { 'command': 'guest-get-fsinfo',
> >    'returns': ['GuestFilesystemInfo'] }
> > +
> > +##
> > +# @guest-set-admin-password
> > +#
> > +# @crypted: true if password is already crypt()d, false if raw
> 
> Should we have some sort of note about what sort of encryption
> scheme is expected, or a way to query for it?

I was explicitly not saying anything about the crypt scheme,
because it is not really very easy to determine what is
supported by any given guest OS. In the context in which
this is used, I think the sysadmin will be able to easily
figure out themselves what's needed.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|