Bug 6849 - Randomize systemvm passwords (edit)

status 6849: resolved fixed
2012-02-03 17:27:57 -08:00 · 2012-02-03 17:27:57 -08:00 · 890bfffe2f
parent a70ea7f745
commit 890bfffe2f
6 changed files with 59 additions and 2 deletions
--- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config
+++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
@ -695,6 +695,13 @@ iface eth0 inet dhcp
 EOF
 }

+change_password() {
+	if [ x"$VM_PASSWORD" != x"" ]
+	then
+		echo "root:$VM_PASSWORD" | chpasswd
+	fi
+}
+
 start() {
  local hyp=$(hypervisor)
  [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10
@ -702,6 +709,7 @@ start() {
  get_boot_params
  patch
  parse_cmd_line
+  change_password
  case $TYPE in 
     router)
         [ "$NAME" == "" ] && NAME=router
@ -741,6 +749,7 @@ DISABLE_RP_FILTER="false"
 STORAGE_IP=""
 STORAGE_NETMASK=""
 STORAGE_CIDR=""
+VM_PASSWORD=""

 for i in $CMDLINE
  do
@ -856,6 +865,9 @@ for i in $CMDLINE
      storagecidr)
        STORAGE_CIDR=$VALUE
        ;;
+      vmpassword)
+        VM_PASSWORD=$VALUE
+        ;;
    esac
 done
 }
--- a/server/src/com/cloud/configuration/Config.java
+++ b/server/src/com/cloud/configuration/Config.java
@ -183,7 +183,8 @@ public enum Config {
 	SystemVMUseLocalStorage("Advanced", ManagementServer.class, Boolean.class, "system.vm.use.local.storage", "false", "Indicates whether to use local storage pools or shared storage pools for system VMs.", null),
    SystemVMAutoReserveCapacity("Advanced", ManagementServer.class, Boolean.class, "system.vm.auto.reserve.capacity", "true", "Indicates whether or not to automatically reserver system VM standby capacity.", null),
 	SystemVMDefaultHypervisor("Advanced", ManagementServer.class, String.class, "system.vm.default.hypervisor", null, "Hypervisor type used to create system vm", null),
-    CPUOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "cpu.overprovisioning.factor", "1", "Used for CPU overprovisioning calculation; available CPU will be (actualCpuCapacity * cpu.overprovisioning.factor)", null),
+    SystemVMRandomPassword("Advanced", ManagementServer.class, Boolean.class, "system.vm.random.password", "false", "Randomize system vm password each time management server starts", null),
+	CPUOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "cpu.overprovisioning.factor", "1", "Used for CPU overprovisioning calculation; available CPU will be (actualCpuCapacity * cpu.overprovisioning.factor)", null),
 	MemOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "mem.overprovisioning.factor", "1", "Used for memory overprovisioning calculation", null),
 	LinkLocalIpNums("Advanced", ManagementServer.class, Integer.class, "linkLocalIp.nums", "10", "The number of link local ip that needed by domR(in power of 2)", null),
 	HypervisorList("Advanced", ManagementServer.class, String.class, "hypervisor.list", HypervisorType.KVM + "," + HypervisorType.XenServer + "," + HypervisorType.VMware + "," + HypervisorType.BareMetal + "," + HypervisorType.Ovm, "The list of hypervisors that this deployment will use.", "hypervisorList"),
@ -202,7 +203,7 @@ public enum Config {
 	SecStorageSessionMax("Advanced", AgentManager.class, Integer.class, "secstorage.session.max", "50", "The max number of command execution sessions that a SSVM can handle", null),
 	SecStorageCmdExecutionTimeMax("Advanced", AgentManager.class, Integer.class, "secstorage.cmd.execution.time.max", "30", "The max command execution time in minute", null),
 	SecStorageProxy("Advanced", AgentManager.class, String.class, "secstorage.proxy", null, "http proxy used by ssvm, in http://username:password@proxyserver:port format", null),
-
+	

 	DirectAttachNetworkEnabled("Advanced", ManagementServer.class, Boolean.class, "direct.attach.network.externalIpAllocator.enabled", "false", "Direct-attach VMs using external DHCP server", "true,false"),
 	DirectAttachNetworkExternalAPIURL("Advanced", ManagementServer.class, String.class, "direct.attach.network.externalIpAllocator.url", null, "Direct-attach VMs using external DHCP server (API url)", null),
--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@ -1407,6 +1407,10 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx
        if (externalDhcpStr != null && externalDhcpStr.equalsIgnoreCase("true")) {
            externalDhcp = true;
        }
+        
+        if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) {
+        	buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password"));
+        }

        for (NicProfile nic : profile.getNics()) {
            int deviceId = nic.getDeviceId();
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@ -1571,6 +1571,10 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
        buf.append(" template=domP type=" + type+rpFilter);
        buf.append(" name=").append(profile.getHostName());

+        if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) {
+        	buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password"));
+        }
+        
        boolean isRedundant = router.getIsRedundantRouter();
        if (isRedundant) {
            buf.append(" redundant_router=1");
--- a/server/src/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/com/cloud/server/ConfigurationServerImpl.java
@ -262,6 +262,9 @@ public class ConfigurationServerImpl implements ConfigurationServer {

        // store the public and private keys in the database
        updateKeyPairs();
+        
+        // generate a random password for system vm
+        updateSystemvmPassword();

        // generate a random password used to authenticate zone-to-zone copy
        generateSecStorageVmCopyPassword();
@ -542,6 +545,35 @@ public class ConfigurationServerImpl implements ConfigurationServer {
        }
    }

+    @DB
+    protected void updateSystemvmPassword() {
+        String userid = System.getProperty("user.name");
+        if (!userid.startsWith("cloud")) {
+            return;
+        }
+        
+        if (!Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) {
+        	return;
+        }
+
+		String already = _configDao.getValue("system.vm.password");
+		if (already == null) {
+			Transaction txn = Transaction.currentTxn();
+			try {
+				String rpassword = PasswordGenerator.generatePresharedKey(8);
+				String wSql = "INSERT INTO `cloud`.`configuration` (category, instance, component, name, value, description) "
+				        + "VALUES ('Hidden','DEFAULT', 'management-server','system.vm.password', '" + rpassword
+				        + "','randmon password generated each management server starts for system vm')";
+				PreparedStatement stmt = txn.prepareAutoCloseStatement(wSql);
+				stmt.executeUpdate(wSql);
+				s_logger.info("Updated systemvm password in database");
+			} catch (SQLException e) {
+				s_logger.error("Cannot retrieve systemvm password", e);
+			}
+		}
+
+	}
+    
    @DB
    protected void updateKeyPairs() {
        // Grab the SSH key pair and insert it into the database, if it is not present
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
@ -1040,6 +1040,10 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
        if (externalDhcpStr != null && externalDhcpStr.equalsIgnoreCase("true")) {
            externalDhcp = true;
        }
+        
+        if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) {
+        	buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password"));
+        }

        for (NicProfile nic : profile.getNics()) {
            int deviceId = nic.getDeviceId();