RosiKyu commented on PR #12404:
URL: https://github.com/apache/cloudstack/pull/12404#issuecomment-3765517897
**WIP**
### Test Case 1: VM Start - VNC Password Masking
**Objective** Verify that the VNC password is masked (shown as *****) in the
agent log when a VM is started.
**Test Steps**
1. Deploy a new VM (or start a stopped VM) in the CloudStack environment
2. SSH to the KVM host where the VM is running
3. Search the agent log for VM start entries containing VNC graphics
configuration:
```
grep -i "Starting.*:" /var/log/cloudstack/agent/agent.log | tail -5
```
4. Search for VNC password entries in the log:
```
grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
```
5. Verify no unmasked passwords exist:
```
grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
```
**Expected Result**
- The VNC password in the logged XML should be masked as `passwd='*****'`
- No unmasked VNC passwords should appear in the agent log
**Actual Result** **PASSED**
- The VNC password is correctly masked as `passwd='*****'`
- No unmasked VNC passwords found in the log
**Evidence**
- VM Start log entry found:
```
2026-01-18 16:57:28,843 DEBUG [resource.wrapper.LibvirtStartCommandWrapper] (AgentRequest-Handler-5:[]) (logid:) Starting r-4-VM : <domain type='kvm'>
```
- VNC password masked (grep output):
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm1 ~]# grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
<graphics type='vnc' autoport='yes' listen='10.1.34.189' passwd='*****'/>
```
- No unmasked passwords (empty result confirms fix):
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm1 ~]# grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
```
### Test Case 2: Live Migration - VNC Password Masking
**Objective** Verify that the VNC password is masked (shown as *****) in the
agent log when a VM is live migrated between KVM hosts.
**Test Steps**
1. Identify a running user VM and the host it is currently on
2. Live migrate the VM to another KVM host:
3. After migration completes, SSH to the source host (where VM was before
migration) and search for live migration log entries:
```
grep -i "live migration" /var/log/cloudstack/agent/agent.log
```
4. Search for VNC password entries:
```
grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
```
5. Check for any unmasked passwords:
```
grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
```
**Expected Result**
- All VNC passwords in the logged XML should be masked as `passwd='*****'`
- No unmasked VNC passwords should appear in any migration-related log
entries
**Actual Result** **PARTIALLY PASSED / BUG FOUND**
- The main migration XML configuration is correctly masked
- However, the `replaceIpForVNCInDescFile` log message **still exposes the
actual VNC password**
**Evidence**
- Live migration entry (masked correctly):
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm1 ~]# grep -i "live migration" /var/log/cloudstack/agent/agent.log
2026-01-18 17:05:14,161 INFO [resource.wrapper.LibvirtMigrateCommandWrapper] (AgentRequest-Handler-3:[]) (logid:) Starting live migration of instance i-2-3-VM to destination host qemu+tls://10.1.33.95/system having the final XML configuration: <domain type='kvm'>
```
- VNC password entries (mixed results):
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm1 ~]# grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
<graphics type='vnc' autoport='yes' listen='10.1.34.189' passwd='*****'/>
<graphics type='vnc' autoport='yes' listen='10.1.34.189' passwd='*****'/>
<graphics type='vnc' port='-1' autoport='yes' listen='10.1.34.189' passwd='*****'>
2026-01-18 17:05:14,129 DEBUG [resource.wrapper.LibvirtMigrateCommandWrapper] (AgentRequest-Handler-3:[]) (logid:) Replaced the VNC IP address [<graphics type='vnc' port='-1' autoport='yes' listen='10.1.34.189' passwd='UzAp0PQ9'>
</graphics>] with [<graphics type='vnc' port='-1' autoport='yes' listen='10.1.33.95' passwd='UzAp0PQ9'>
<graphics type='vnc' port='-1' autoport='yes' listen='10.1.33.95' passwd='*****'>
```
- Unmasked password found (bug):
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm1 ~]# grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
2026-01-18 17:05:14,129 DEBUG [resource.wrapper.LibvirtMigrateCommandWrapper] (AgentRequest-Handler-3:[]) (logid:) Replaced the VNC IP address [<graphics type='vnc' port='-1' autoport='yes' listen='10.1.34.189' passwd='UzAp0PQ9'>
</graphics>] with [<graphics type='vnc' port='-1' autoport='yes' listen='10.1.33.95' passwd='UzAp0PQ9'>
```
**Bug Details**
The `replaceIpForVNCInDescFile` method in
`LibvirtMigrateCommandWrapper.java` logs the old and new XML snippets when
replacing the VNC IP address, but this log statement is not using the
`maskSensitiveInfoInXML()` function, causing the actual VNC password
(`UzAp0PQ9`) to be exposed in the agent log.
**Affected log message:** "Replaced the VNC IP address [...] with [...]"
### Test Case 3: Console Access Regression Test
**Objective** Verify that the VNC password masking in logs does not break
the actual VM console access functionality.
**Test Steps**
1. Open the CloudStack UI
2. Navigate to the test VM (i-2-3-VM)
3. Click on "View Console" button
4. Verify the console window opens and displays the VM screen
5. Verify keyboard input works (login to the VM)
**Expected Result**
- Console should connect successfully
- VM display should be visible
- User should be able to interact with the VM (keyboard/mouse)
**Actual Result:** **PASSED**
- Console connected successfully via Console Proxy
- VM display visible (CentOS 5.5 login screen)
- Successfully logged in as root - keyboard input working
**Evidence**
<img width="3055" height="1632" alt="Image"
src="https://github.com/user-attachments/assets/dea2d094-abb3-46e7-90aa-a8b4b2507e97"
/>
### Test Case 4: VM Stop and Start - VNC Password Masking
**Objective** Verify that the VNC password remains masked in the agent log
when a VM is stopped and then started again.
**Test Steps**
1. Stop the test VM:
2. Wait for the VM to stop completely
3. Start the VM again:
4. Check the agent log on the host where the VM started:
```
grep -i "Starting.*:" /var/log/cloudstack/agent/agent.log | tail -5
grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
```
**Expected Result**
- The VNC password in the logged XML should be masked as `passwd='*****'`
- No unmasked VNC passwords should appear in the agent log
**Actual Result:** **PASSED**
- VM stopped and started successfully on kvm2
- VNC password correctly masked in the start log
**Evidence:**
- VM Start log entry found on kvm2:
```
2026-01-18 17:17:44,269 DEBUG [resource.wrapper.LibvirtStartCommandWrapper] (AgentRequest-Handler-4:[]) (logid:) Starting i-2-3-VM : <domain type='kvm'>
```
- VNC password masked:
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm2 ~]# grep -E "graphics.*vnc.*passwd" /var/log/cloudstack/agent/agent.log
<graphics type='vnc' autoport='yes' listen='10.1.33.95' passwd='*****'/>
```
- No unmasked passwords found:
```
[root@ref-trl-6151-k-Mol9-rositsa-kyuchukova-kvm2 ~]# grep -E "graphics.*vnc.*passwd=['\"][^*]" /var/log/cloudstack/agent/agent.log
```
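A regression check for the leak reported in Test Case 2, added here as an example that is not part of the original comment or of CloudStack's code: it reports which log entry still carries an unmasked VNC `passwd` value without echoing the value. It goes beyond the grep checks above by comparing the whole attribute value, so double-quoted attributes and values that begin with `*` are also caught. The function names and the sample log are constructed for illustration.

```bash
# Added example (not CloudStack code): list agent-log lines that still carry an
# unmasked VNC passwd value, without printing the value itself.
# Output per hit: <line-number>:<logger of the owning log entry>:<unmasked count>
# Exit status is 1 when anything is found, so it can gate a regression test.
find_unmasked_vnc_passwd() {
    awk -v q="'" '
    BEGIN { re = "passwd=(" q "[^" q "]*" q "|\"[^\"]*\")" }
    # A timestamped line opens a new log entry; its 4th field is the [logger].
    # XML continuation lines inherit the logger of the entry they belong to.
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { logger = $4 }
    /graphics.*vnc.*passwd=/ {
        rest = $0; n = 0
        while (match(rest, re)) {
            # Drop the leading passwd=<quote> (8 chars) and the closing quote,
            # then compare the whole value against the mask.
            val = substr(rest, RSTART + 8, RLENGTH - 9)
            if (val != "*****") n++
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (n > 0) { print NR ":" logger ":" n; total += n }
    }
    END { exit (total > 0) }
    ' "$1"
}

# Constructed sample modelled on the log format shown in the report; addresses
# are documentation IPs and the passwords are made-up placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
2026-01-18 17:05:14,129 DEBUG [resource.wrapper.LibvirtMigrateCommandWrapper] (AgentRequest-Handler-3:[]) (logid:) Replaced the VNC IP address [<graphics type='vnc' port='-1' autoport='yes' listen='192.0.2.10' passwd='NotARealPw'>
</graphics>] with [<graphics type='vnc' port='-1' autoport='yes' listen='192.0.2.20' passwd='NotARealPw'>
2026-01-18 17:05:14,161 INFO  [resource.wrapper.LibvirtMigrateCommandWrapper] (AgentRequest-Handler-3:[]) (logid:) Starting live migration of instance i-0-0-VM: <domain type='kvm'>
<graphics type='vnc' port='-1' autoport='yes' listen='192.0.2.20' passwd='*****'>
2026-01-18 17:17:44,269 DEBUG [resource.wrapper.LibvirtStartCommandWrapper] (AgentRequest-Handler-4:[]) (logid:) Starting i-0-0-VM : <domain type='kvm'>
<graphics type="vnc" autoport="yes" listen="192.0.2.20" passwd="*starts-with-star"/>
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
find_unmasked_vnc_passwd "$sample" || echo "unmasked VNC password value(s) present" >&2
rm -f "$sample"
```

On a KVM host the function would be pointed at `/var/log/cloudstack/agent/agent.log`; a password that is literally `*****` cannot be told apart from the mask.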