Error creating libvirt based guest after upgrading to 3.10

jdeniz · June 6, 2024, 11:45am

Problem:

After upgrading to foreman 3.10, hosts created using libvirt compute resources lack vnc passwd in their definition.

Expected outcome:
Hosts created using libvirt are able to use vnc passwords

Foreman and Proxy versions:
3.10
Foreman and Proxy plugin versions:
3.10
Distribution and version:
rhel 8
Other relevant data:
It’s been working fine for years before 3.10. Not sure if it can be related to some fog:libvirt interaction and if it’s a general bug or something local to my installation. It’s unrelated to old bug of vnc passwords being longer than 8. If I shutdown the guest node after it’s created and manually alter it to enable vnc password, everything including novnc console works as expected.
It does not fail creating the host, it does not enable vnc password. And this can’t be enabled in libvirt on a running guest later, so it keeps running without password protection, fully open. Also another symptom is that pressing console button password assignation fails, same as in this old bug (Bug #10626: Openning a novnc console of a libvirt VM returns with error: "Failed to set console : call to VirDomainUpdateDeviceFlags failed : Internal error : unable to execute QEMU command 'set_password' : Could not set password" - Foreman)

angry_yak_shaver · June 7, 2024, 12:50am

Not a dev but speaking as a end user:

With version 3.10 we can no longer use compute resources running CentOS 7.
It works with CentOS Stream 9 compute resources.
VNC console is not usable because no password is set - can be fixed after VM creation using virsh edit or Ansible. Requires VM shutdown (needs killing and restart the qemu process).

HTH.

jdeniz · June 7, 2024, 8:43am

Thanks for your feedback. Time to build a develop rig, dig into all that code and try to find a solution.

angry_yak_shaver · June 8, 2024, 2:10am

If you do I am happy to test things out in our environment as I too would like to see this fixed as well!

I am no RoR dev but I see a password in the defaults but for some reasons it’s not getting used:

github.com

theforeman/foreman/blob/develop/app/models/compute_resources/foreman/model/libvirt.rb#L291-L295


      
            :display    => { :type     => display_type,
                             :listen   => Setting[:libvirt_default_console_address],
                             :password => random_password(console_password_length(display_type)),
                             :port     => '-1' }
          )

jdeniz · June 12, 2024, 11:25am

Located the issue. It’s a regression in fog-libvirt
Downgrading manually to 0.11 in foreman 3.10 makes it work again

Steps that I followed in my test env:
I installed previous version of fog-libvirt (from 3.8)

wget https://yum.theforeman.org/releases/3.8/el8/x86_64/rubygem-fog-libvirt-0.11.0-1.el8.noarch.rpm
rpm -i rubygem-fog-libvirt-0.11.0-1.el8.noarch.rpm  --force
rpm -e rubygem-fog-libvirt-0.12.0-1.el8.noarch

And after a restart VMs are again created with VNC password

This has some side effects. VMs are created using old fog-libvirt definition. So for example if you use a enterprise linux 9 they will fail if you don’t change cpu type from default to host-passthrough, but it’s a first step knowing this is a regression from 0.11 release

ekohl · June 12, 2024, 4:02pm

Then it’s likely somewhere in Replace server XML with Nokogiri::XML::Builder · fog/fog-libvirt@6db6f80 · GitHub. I can spot the bug now: passwd vs password. Would you mind testing out Correct the VNC password attribute by ekohl · Pull Request #139 · fog/fog-libvirt · GitHub for me?

jdeniz · June 12, 2024, 4:02pm

Error is due to a typo in server.rb at fog:libvirt

diff --git a/lib/fog/libvirt/models/compute/server.rb b/lib/fog/libvirt/models/compute/server.rb
index 55241f2..2506561 100644
--- a/lib/fog/libvirt/models/compute/server.rb
+++ b/lib/fog/libvirt/models/compute/server.rb
@@ -408,7 +408,7 @@ module Fog
                     graphics.autoport = "yes"
                   end
                   graphics.listen = display[:listen] unless display[:listen].empty?
-                  graphics.password = display[:password] unless display[:password].empty?
+                  graphics.passwd = display[:password] unless display[:password].empty?
 
                   xml.video do
                     xml.model(:type => "cirrus", :vram => 9216, :heads => 1)
@@ -678,7 +678,7 @@ module Fog
         end
 
         def default_display
-          {:port => '-1', :listen => '127.0.0.1', :type => 'vnc', :password => '' }
+          {:port => '-1', :listen => '127.0.0.1', :type => 'vnc', :passwd => '' }
         end
       end
     end

As a temporal solution you can apply that diff on fog:libvirt 0.12. File location is /usr/share/gems/gems/fog-libvirt-0.12.0/lib/fog/libvirt/models/compute/server.rb in a standard installation and run a restart.
I always do this procedure if edit some file manually into foreman

systemctl stop httpd foreman.service foreman.socket dynflow\*
foreman-rake db:migrate
foreman-rake db:seed
foreman-rake tmp:cache:clear
foreman-rake db:sessions:clear
systemctl start httpd foreman.service foreman.socket

Password atribute for xml graphics is passwd and not password. Easy to mix up.

jdeniz · June 12, 2024, 4:04pm

Hi @ekohl
Can you also modify the default_display at the bottom of that file?
So we fix both occurrences in a single pull request.
Thanks!!

ekohl · June 12, 2024, 4:07pm

I don’t think that’s needed. That hash is the defaults, which we pass around. Only in the resulting XML it needs to change.

Also, feedback on the PR itself would be preferable so other maintainers don’t need to switch back & forth.

jdeniz · June 12, 2024, 4:09pm

Perfect, I’ll rollback my diff, reinstall fog-libvirt, cleanup, apply your PR and test. I’ll add feeback in the PR itself. Thanks!