6:44 p.m.
I recently followed the instructions for enabling VNC encryption for FIPS enabled hosts
[1]. The VNC console seem to be fine on the host where the VM is initially started
(excluding noVNC in the browser). The qemu-kvm arguments are not maintained properly upon
VM migration, declaring "password=on" in the -vnc argument. Subsequent VNC
console requests will result in an authentication failure. SPICE seems to be fine. All
hosts and the engine are FIPS enabled running oVirt-4.5.4-1.el8.
Is there a way to maintain the absence of "password=on"after VM migation?
Perhaps a hook in the interim.
Initial VM start:
-object
{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/vdsm/libvirt-vnc","endpoint":"server","verify-peer":false}
-vnc 192.168.100.67:0,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 -k en-us
Debug output from remote-viewer:
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.812: vncconnection.c Possible VeNCrypt
sub-auth 263
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.812: vncconnection.c Emit main context
12
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.812: vncconnection.c Requested auth
subtype 263
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.813: vncconnection.c Waiting for VeNCrypt
auth subtype
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.813: vncconnection.c Choose auth 263
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.813: vncconnection.c Checking if
credentials are needed
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.813: vncconnection.c No credentials
required
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.813: vncconnection.c Read error Resource
temporarily unavailable
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.841: vncconnection.c Do TLS handshake
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.944: vncconnection.c Checking if
credentials are needed
(remote-viewer:1495470): gtk-vnc-DEBUG: 12:51:55.944: vncconnection.c Want a TLS
clientname
... snip ...
Migrated VM:
-object
{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/vdsm/libvirt-vnc","endpoint":"server","verify-peer":false}
-vnc 192.168.100.68:0,password=on,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 -k
en-us
Debug output from remote-viewer:
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.487: vncconnection.c Possible VeNCrypt
sub-auth 261
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.487: vncconnection.c Emit main context
12
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.488: vncconnection.c Requested auth
subtype 261
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.488: vncconnection.c Waiting for VeNCrypt
auth subtype
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.488: vncconnection.c Choose auth 261
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.488: vncconnection.c Checking if
credentials are needed
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.488: vncconnection.c No credentials
required
... snip ...
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.780: vncconnection.c Checking auth
result
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.808: vncconnection.c Fail Authentication
failed
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.808: vncconnection.c Error:
Authentication failed
(remote-viewer:1495270): gtk-vnc-DEBUG: 12:50:29.808: vncconnection.c Emit main context
16
(remote-viewer:1495270): virt-viewer-WARNING **: 12:50:29.808: vnc-session: got vnc error
Authentication failed
Thank you,
Jon
[1]
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
6:15 p.m.
New subject: Encrypted VNC request using SASL not maintained after VM migration
It took me a few days, but I was able to come up with one potential solution. On each of
the hypervisors I modified /usr/libexec/vdsm/vm_libvirt_hook.py (vdsm) to include the
following:
--- before: /usr/libexec/vdsm/vm_libvirt_hook.py.bak
+++ after: /usr/libexec/vdsm/vm_libvirt_hook.py
@@ -5,8 +5,23 @@
import sys
import xml.etree.ElementTree as ET
+import logging
from vdsm.virt.vmdevices import storage
+from vdsm.common import commands
+
+
+# Read FIPS status using sysctl
+def _get_fips_enabled():
+ SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl",
"crypto.fips_enabled"],
+
+ try:
+ output = commands.run(*SYSCTL_FIPS_COMMAND)
+ enabled = output.split(b'=')[1].strip()
+ return enabled == b'1'
+ except Exception as e:
+ logging.error("Could not read FIPS status with sysctl: %s", e)
+ return False
# dynamic_ownership workaround (required for 4.2 incoming migrations)
@@ -34,6 +49,12 @@
passwd = graphics.attrib['passwd']
if len(passwd) > 8:
graphics.set('passwd', passwd[:8])
+ # VNC console authentication requests fail when migrating VMs to a
+ # destination where FIPS is enforced. Let's remove the passwd attribute
+ # to make libvirt start qemu-kvm without "-vnc password=on".
+ fips = _get_fips_enabled()
+ if fips:
+ graphics.attrib.pop('passwd')
The _get_fips_enabled() function is a copy of _getFipsEnabled() from
/usr/lib/python3.6/site-packages/vdsm/host/caps.py (vdsm-python).
Perhaps a check can be added to libvirt directly to see if FIPS mode is enforced, and if
so, skip the password=on [1] option for qemu.
--
[1] https://github.com/libvirt/libvirt/blob/v8.0.0/src/qemu/qemu_command.c#L8295
603
days inactive
608
days old
1 comments
1 participants
participants (1)
-
Jon Sattelberger