From 890bfffe2f60b1e96cce8db1acc4bed59e01c799 Mon Sep 17 00:00:00 2001 From: frank Date: Fri, 3 Feb 2012 17:27:57 -0800 Subject: [PATCH] Bug 6849 - Randomize systemvm passwords (edit) status 6849: resolved fixed --- .../config/etc/init.d/cloud-early-config | 12 +++++++ .../src/com/cloud/configuration/Config.java | 5 +-- .../consoleproxy/ConsoleProxyManagerImpl.java | 4 +++ .../VirtualNetworkApplianceManagerImpl.java | 4 +++ .../cloud/server/ConfigurationServerImpl.java | 32 +++++++++++++++++++ .../SecondaryStorageManagerImpl.java | 4 +++ 6 files changed, 59 insertions(+), 2 deletions(-) diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-early-config b/patches/systemvm/debian/config/etc/init.d/cloud-early-config index 82ec7098fe2..f3df6c08857 100755 --- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config +++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config @@ -695,6 +695,13 @@ iface eth0 inet dhcp EOF } +change_password() { + if [ x"$VM_PASSWORD" != x"" ] + then + echo "root:$VM_PASSWORD" | chpasswd + fi +} + start() { local hyp=$(hypervisor) [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10 @@ -702,6 +709,7 @@ start() { get_boot_params patch parse_cmd_line + change_password case $TYPE in router) [ "$NAME" == "" ] && NAME=router @@ -741,6 +749,7 @@ DISABLE_RP_FILTER="false" STORAGE_IP="" STORAGE_NETMASK="" STORAGE_CIDR="" +VM_PASSWORD="" for i in $CMDLINE do @@ -856,6 +865,9 @@ for i in $CMDLINE storagecidr) STORAGE_CIDR=$VALUE ;; + vmpassword) + VM_PASSWORD=$VALUE + ;; esac done } diff --git a/server/src/com/cloud/configuration/Config.java b/server/src/com/cloud/configuration/Config.java index e06e384d6b0..b725f7c8c1a 100755 --- a/server/src/com/cloud/configuration/Config.java +++ b/server/src/com/cloud/configuration/Config.java 
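Review bot: `change_password` discards the exit status of `chpasswd`, so if the pipeline fails the system VM silently keeps the template's built-in root password while the management server assumes the random one is in effect; report it through the script's existing helper, `echo "root:$VM_PASSWORD" | chpasswd || log_it "Failed to set root password from boot parameters"`. The guard `[ x"$VM_PASSWORD" != x"" ]` can be the plainer `[ -n "$VM_PASSWORD" ]`. Because the value arrives as a kernel boot parameter (the `vmpassword)` arm added to the `CMDLINE` parser in the last hunk), it remains readable inside the guest for the whole uptime rather than being confined to the management database; a one-line comment above the function stating that would help operators judge the exposure.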
@@ -183,7 +183,8 @@ public enum Config { SystemVMUseLocalStorage("Advanced", ManagementServer.class, Boolean.class, "system.vm.use.local.storage", "false", "Indicates whether to use local storage pools or shared storage pools for system VMs.", null), SystemVMAutoReserveCapacity("Advanced", ManagementServer.class, Boolean.class, "system.vm.auto.reserve.capacity", "true", "Indicates whether or not to automatically reserver system VM standby capacity.", null), SystemVMDefaultHypervisor("Advanced", ManagementServer.class, String.class, "system.vm.default.hypervisor", null, "Hypervisor type used to create system vm", null), - CPUOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "cpu.overprovisioning.factor", "1", "Used for CPU overprovisioning calculation; available CPU will be (actualCpuCapacity * cpu.overprovisioning.factor)", null), + SystemVMRandomPassword("Advanced", ManagementServer.class, Boolean.class, "system.vm.random.password", "false", "Randomize system vm password each time management server starts", null), + CPUOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "cpu.overprovisioning.factor", "1", "Used for CPU overprovisioning calculation; available CPU will be (actualCpuCapacity * cpu.overprovisioning.factor)", null), MemOverprovisioningFactor("Advanced", ManagementServer.class, String.class, "mem.overprovisioning.factor", "1", "Used for memory overprovisioning calculation", null), LinkLocalIpNums("Advanced", ManagementServer.class, Integer.class, "linkLocalIp.nums", "10", "The number of link local ip that needed by domR(in power of 2)", null), HypervisorList("Advanced", ManagementServer.class, String.class, "hypervisor.list", HypervisorType.KVM + "," + HypervisorType.XenServer + "," + HypervisorType.VMware + "," + HypervisorType.BareMetal + "," + HypervisorType.Ovm, "The list of hypervisors that this deployment will use.", "hypervisorList"), 
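Review bot: The description of the new `SystemVMRandomPassword` entry promises a new password "each time management server starts", but `updateSystemvmPassword` in this same patch inserts a value only when `system.vm.password` is absent, so the password is generated once and reused across every later restart; the text should match the code, e.g. `"Generate a random password for system vms on first start (stored as system.vm.password) and pass it to them at boot"`. There is also no Config entry for `system.vm.password` itself, which is why the three manager classes in this patch reference both keys as bare string literals; a Hidden-category entry would give the key one definition that the managers can reference through the enum instead.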
@@ -202,7 +203,7 @@ public enum Config { SecStorageSessionMax("Advanced", AgentManager.class, Integer.class, "secstorage.session.max", "50", "The max number of command execution sessions that a SSVM can handle", null), SecStorageCmdExecutionTimeMax("Advanced", AgentManager.class, Integer.class, "secstorage.cmd.execution.time.max", "30", "The max command execution time in minute", null), SecStorageProxy("Advanced", AgentManager.class, String.class, "secstorage.proxy", null, "http proxy used by ssvm, in http://username:password@proxyserver:port format", null), - + DirectAttachNetworkEnabled("Advanced", ManagementServer.class, Boolean.class, "direct.attach.network.externalIpAllocator.enabled", "false", "Direct-attach VMs using external DHCP server", "true,false"), DirectAttachNetworkExternalAPIURL("Advanced", ManagementServer.class, String.class, "direct.attach.network.externalIpAllocator.url", null, "Direct-attach VMs using external DHCP server (API url)", null), diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java index b85e4262f52..5254cf7c3b2 100755 --- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java +++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java @@ -1407,6 +1407,10 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, ConsoleProx if (externalDhcpStr != null && externalDhcpStr.equalsIgnoreCase("true")) { externalDhcp = true; } + + if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) { + buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password")); + } for (NicProfile nic : profile.getNics()) { int deviceId = nic.getDeviceId(); diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index 8e14ee29e1f..680ca763bac 100755 
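Review bot: When `system.vm.random.password` is true but `system.vm.password` has no row yet (the generator in ConfigurationServerImpl returns early unless the process user name starts with "cloud", and its insert can fail), `_configDao.getValue` yields null and `StringBuilder.append` writes the literal text `null`, so the console proxy boots with `vmpassword=null` and the init script's `change_password` sets root's password to the fixed string "null". Guard the lookup: `String vmPassword = _configDao.getValue("system.vm.password");` / `if (vmPassword != null) { buf.append(" vmpassword=").append(vmPassword); }` and log at warn level when randomization is enabled but no password is configured, so the VM keeps its existing credentials rather than a predictable one. The same unguarded pattern is added in VirtualNetworkApplianceManagerImpl and SecondaryStorageManagerImpl in this patch and needs the same fix. The enclosing method starts and ends outside the hunk.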
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -1571,6 +1571,10 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian buf.append(" template=domP type=" + type+rpFilter); buf.append(" name=").append(profile.getHostName()); + if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) { + buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password")); + } + boolean isRedundant = router.getIsRedundantRouter(); if (isRedundant) { buf.append(" redundant_router=1"); diff --git a/server/src/com/cloud/server/ConfigurationServerImpl.java b/server/src/com/cloud/server/ConfigurationServerImpl.java index 586e009274d..42a23b81dea 100755 --- a/server/src/com/cloud/server/ConfigurationServerImpl.java +++ b/server/src/com/cloud/server/ConfigurationServerImpl.java @@ -262,6 +262,9 @@ public class ConfigurationServerImpl implements ConfigurationServer { // store the public and private keys in the database updateKeyPairs(); + + // generate a random password for system vm + updateSystemvmPassword(); // generate a random password used to authenticate zone-to-zone copy generateSecStorageVmCopyPassword(); 
@@ -542,6 +545,35 @@ public class ConfigurationServerImpl implements ConfigurationServer { } } + @DB + protected void updateSystemvmPassword() { + String userid = System.getProperty("user.name"); + if (!userid.startsWith("cloud")) { + return; + } + + if (!Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) { + return; + } + + String already = _configDao.getValue("system.vm.password"); + if (already == null) { + Transaction txn = Transaction.currentTxn(); + try { + String rpassword = PasswordGenerator.generatePresharedKey(8); + String wSql = "INSERT INTO `cloud`.`configuration` (category, instance, component, name, value, description) " + + "VALUES ('Hidden','DEFAULT', 'management-server','system.vm.password', '" + rpassword + + "','randmon password generated each management server starts for system vm')"; + PreparedStatement stmt = txn.prepareAutoCloseStatement(wSql); + stmt.executeUpdate(wSql); + s_logger.info("Updated systemvm password in database"); + } catch (SQLException e) { + s_logger.error("Cannot retrieve systemvm password", e); + } + } + + } + @DB protected void updateKeyPairs() { // Grab the SSH key pair and insert it into the database, if it is not present diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java index 0d3802a5e2a..ee696ab6d7f 100755 --- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java +++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java @@ -1040,6 +1040,10 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V if (externalDhcpStr != null && externalDhcpStr.equalsIgnoreCase("true")) { externalDhcp = true; } + + if (Boolean.valueOf(_configDao.getValue("system.vm.random.password"))) { + buf.append(" vmpassword=").append(_configDao.getValue("system.vm.password")); + } for (NicProfile nic : profile.getNics()) { int deviceId = nic.getDeviceId();
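Review bot: `updateSystemvmPassword` prepares the INSERT and then calls `stmt.executeUpdate(wSql)`, the `Statement` overload that JDBC specifies as throwing SQLException on a `PreparedStatement`, so the insert is expected to fail on every start and the only trace is a log line that misleadingly says "Cannot retrieve systemvm password"; the generated password is also spliced into the SQL text by concatenation instead of being bound. Bind it with `?`/`setString` and call the no-argument `executeUpdate()`, as below, and fix the "randmon" typo in the stored description. Since the method returns as soon as a value exists, the password is generated once per installation, not per start as the `system.vm.random.password` description in Config.java claims, and it is stored in plaintext in the `configuration` table with only the `Hidden` category keeping it out of listings; both facts belong in the method's Javadoc. `PasswordGenerator.generatePresharedKey(8)` is not visible here, and the alphabet it draws from determines how strong an 8-character root password is — worth confirming before relying on it.
```java
    @DB
    protected void updateSystemvmPassword() {
        // … unchanged: user-name and system.vm.random.password checks …
        String already = _configDao.getValue("system.vm.password");
        if (already == null) {
            Transaction txn = Transaction.currentTxn();
            try {
                String rpassword = PasswordGenerator.generatePresharedKey(8);
                String wSql = "INSERT INTO `cloud`.`configuration` (category, instance, component, name, value, description) "
                        + "VALUES ('Hidden','DEFAULT', 'management-server','system.vm.password', ?, "
                        + "'random password generated for system vms when the management server first starts')";
                PreparedStatement stmt = txn.prepareAutoCloseStatement(wSql);
                stmt.setString(1, rpassword); // bind the secret instead of concatenating it into the statement
                stmt.executeUpdate();         // PreparedStatement form; executeUpdate(String) is invalid here
                s_logger.info("Updated systemvm password in database");
            } catch (SQLException e) {
                s_logger.error("Cannot store systemvm password", e);
            }
        }
    }
```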