It took me a few days, but I was able to come up with one potential solution. 
On each of the hypervisors I modified /usr/libexec/vdsm/vm_libvirt_hook.py 
(vdsm) to include the following:

--- before: /usr/libexec/vdsm/vm_libvirt_hook.py.bak
+++ after: /usr/libexec/vdsm/vm_libvirt_hook.py
@@ -5,8 +5,23 @@
 
 import sys
 import xml.etree.ElementTree as ET
+import logging
 
 from vdsm.virt.vmdevices import storage
+from vdsm.common import commands
+
+
+# Read FIPS status using sysctl
+def _get_fips_enabled():
+    SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl", "crypto.fips_enabled"],
+
+    try:
+        output = commands.run(*SYSCTL_FIPS_COMMAND)
+        enabled = output.split(b'=')[1].strip()
+        return enabled == b'1'
+    except Exception as e:
+        logging.error("Could not read FIPS status with sysctl: %s", e)
+        return False
 
 
 # dynamic_ownership workaround (required for 4.2 incoming migrations)
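Review bot: the trailing comma on `SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl", "crypto.fips_enabled"],` turns the constant into a one-element tuple wrapping the list, and `commands.run(*SYSCTL_FIPS_COMMAND)` only works because the star-unpack then hands that inner list over as a single argument; without the comma the two strings would be splatted into separate positional parameters. Drop the comma and the `*` and pass the argument list as one object (`commands.run(SYSCTL_FIPS_COMMAND)`), checked against the signature of `vdsm.common.commands.run`, so the intent is readable and does not depend on that accident. The bare `except Exception` returning `False` is a reasonable fail-safe (an unreadable FIPS state keeps the existing password behaviour rather than silently stripping authentication), but the log line should make that consequence explicit, and `/proc/sys/crypto/fips_enabled` could be read directly instead of spawning `sysctl` on every hook invocation.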
@@ -34,6 +49,12 @@
         passwd = graphics.attrib['passwd']
         if len(passwd) > 8:
             graphics.set('passwd', passwd[:8])
+        # VNC console authentication requests fail when migrating VMs to a
+        # destination where FIPS is enforced. Let's remove the passwd attribute
+        # to make libvirt start qemu-kvm without "-vnc password=on".
+        fips = _get_fips_enabled()
+        if fips:
+            graphics.attrib.pop('passwd')
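Review bot: `graphics.attrib.pop('passwd')` leaves the VNC listener on a FIPS host with no authentication at all, which is a weaker state than the migration failure it works around; the branch should only drop the password when another authentication mechanism (for example the SASL or TLS settings libvirt supports for the graphics element) is known to be configured, or the listen address is restricted, and it should log at warning level every time it strips the attribute so the change in console exposure is visible in the host logs. Also, the truncation to `passwd[:8]` immediately above is wasted work when the attribute is removed right afterwards, so compute `fips = _get_fips_enabled()` once before that block and skip the truncation in the FIPS case.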

The _get_fips_enabled() function is a copy of _getFipsEnabled() from 
/usr/lib/python3.6/site-packages/vdsm/host/caps.py (vdsm-python).

Perhaps a check can be added to libvirt directly to see if FIPS mode is 
enforced, and if so, skip the password=on [1] option for qemu.

--

[1] https://github.com/libvirt/libvirt/blob/v8.0.0/src/qemu/qemu_command.c#L8295
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/[email protected]/message/7X7NOQVY7H2ZGWHTYUF53X3PO2CPJLII/
