Sunday, May 1, 2016

oVirt how to

In this post I will put some interesting discoveries using oVirt engine.
Today I git’ed oVirt node sources and going to build it :-) Oops.
I need a oVirt Engine. Wait, wait. Not so quick. cat'ing TODO gave me the following link: http://wiki.ovirt.org/wiki/Node_Backlog. Please clone it before diving deeper.
git clone https://github.com/oVirt/ovirt-engine 
cd to ovirt-engine
Do not forget read README.adoc. What I loved there is: "Build locales requires at least 10240 file descriptors". Good start, IMO. Blablahblah. Let’s do real stuff.
mvn clean install
Errors ... :-(
Tests in error: test1(org.ovirt.engine.core.uutils.crypto.EnvelopeEncryptDecryptTest): Illegal key size or default parameters test2(org.ovirt.engine.core.uutils.crypto.EnvelopeEncryptDecryptTest): Illegal key size 
Time to fix.
  • Open with eclipse uutils project. 
  • Import maven project … CNTL+SHIFT+R EnvelopeEncryptDecryptTest 
Problem one: no header of the file. You know - copyright, license etc.
Problem two: names of the tests: test1, test2 … not bad, very creative!

Solution 1: Most likely you don't have the unlimited strength file installed now. Download and install: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download. Accept and download. 8 means - Java 8.
Install the file in ${java.home}/jre/lib/security/
Quotation: “In case you later decide to revert to the original "strong" but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step. The standard place for JCE jurisdiction policy JAR files is: /lib/security [Unix] \lib\security [Windows]"
Solution 2: Change 256 to 128 - length of the key to be generated, in assertArrayEquals( test, EnvelopeEncryptDecrypt.decrypt( entry, EnvelopeEncryptDecrypt.encrypt( "AES/OFB/PKCS5Padding", 256, entry.getCertificate(), 100, test ) ) ); 

Now let’s rerun: 
mvn clean install 
Next station is: Common utilities. 
Import utils to Eclipse. 
Next Error ...
testCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file. 

The problem is: /etc/securetty does exist. 
Solution 1: delete it … however be aware of: "/etc/securetty is consulted by pam_securetty module to decide from which virtual terminals (ttyS) root is allowed to login from. In the past, /etc/securetty was consulted by programs like login directly, but now PAM handles that. So changes to /etc/securetty will affect anything using PAM with a configuration file that uses pam_securetty.so. So, only the login program is affected by default. /etc/pam.d/login is used for local logins and /etc/pam.d/remote is used for remote logins (like telnet). The primary entry types and their affects are as follows: If /etc/securetty doesn't exist, root is allowed to login from any tty If /etc/securetty exist and is empty, root access will be restricted to single user mode or programs that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp) if you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number if you are using udev (for dynamic device management and replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number listing console in securetty, normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it's normally a good idea not to include these entries because it's a security risk; it would allow, for instance, someone to login into root via telnet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)".

Solution 2: probably need to change test. Ask community. 
file = new File("/etc/securetty"); 
// may I change it or there is some hidden logic. 
assertFalse("We should not be able to read this file.", ServletUtils.canReadFile(file));
Some interesting stuff how to use if user is not root ... 
// Make sure the user is not root 
// This tests relies on EXISTING files which only root can access 
String userName = System.getProperty("user.name"); assumeTrue(!"root".equals(userName)); 

Guys, sorry for touching your feelings however we are on Linux. Current user can be any user that named differently than "root" but he can have permissions as a root, can be in admin group etc. What I mean here, it’s not real checking if user is root or not. 


Posted by at No comments:
Subscribe to: Posts (Atom)