Password key (v2_key) changes


#1

This pull request changes behavior around the password key (certs/v2_key) and was just merged.

If you don’t care about the details, skip to the bold sections below.

The motivation was to prevent appliances from having a dirty git status as shown below:

We now have two v2_keys:

certs/v2_key: The key that is used by our password code to encrypt/decrypt two-way passwords. Unless you’re a developer wanting to share your database (AND passwords), never share this key outside of your organization. This file is never committed to git as it’s in the .gitignore.

certs/v2_key.dev: This is the developer public v2_key that enables us to share databases between each other and be able to read existing passwords in the database.

Appliance Users

If you’re a user of manageiq on an appliance and you want to update to the latest manageiq code, you’ll need to copy off your generated v2_key that’s currently used to encrypt/decrypt 2-way passwords, discard any changes to the v2_key, git pull the latest code, and move your generated v2_key to certs/v2_key.

vmdb
git status  # verify the certs/v2_key is modified as shown above
cp certs/v2_key certs/v2_key.mine
git checkout -- certs/v2_key
git pull
mv certs/v2_key.mine certs/v2_key

ManageIQ Developers

If you’re developer, you’ll be greeted with this warning at startup seeding since you only have the developer key: certs/v2_key.dev.

irb(main):002:0> MiqDatabase.seed
...

/Users/joerafaniello/Code/manageiq/certs/v2_key doesn't exist!
On an appliance, it should be generated on boot by evmserverd.

If you're a developer, you can copy the /Users/joerafaniello/Code/manageiq/certs/v2_key.dev to /Users/joerafaniello/Code/manageiq/certs/v2_key.

Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way
passwords in your database.
...
RuntimeError: no encryption key v2_key

For developers only:

cp certs/v2_key.dev certs/v2_key

Now, MiqDatabase.seed will work as before:

irb(main):001:0> MiqDatabase.seed
...
=> nil

You should now have a cleaner git status on manageiq when running on appliances.

Thanks,
Joe


#2

To add to what joe just posted.

You may find yourself in a situation where you have a modified v2_key.dev, and are missing a v2_key.

that is easy to fix:

mv v2_key.dev v2_key
git checkout v2_key.dev

If you are checking out an older branch, it may complain that you need to remove certs/v2_key in order to change to another branch.

mv certs/v2_key certs/v2_key.mine
git checkout <branch>
git pull upstream master
mv certs/v2_key.mine certs/v2_key

#3

whoever works with rake db:migrate will not get this warning and will spend some time trying to figure out what the problem is and why ManageIQ doesn’t start (it is in evm.log but it really takes time to find it since it’s not an exception)


#4

Good point @abonas@kbrock mentioned maybe we want to move it to the config/application.rb although my hunch is we sometimes load the application without a database/v2_key, such as during assets:precompile.


#5

When switching from a new branch to an older one and back, git removes my v2_key.

So to second the message from @abonas, lets make sure db:migrate properly displays the missing v2_key message.

@jrafanie Since assets:precompile uses a bogus database url, a v2_key does not need to be present. If it is required, nightly build will break. So we have a daily reminder to help us detect if we introduce a regression there.


#6

Hi,

We have a capablanca version installed and was running until yesterday. Apparently, someone has generated a new encryption key at the ‘appliance_console’. Now ManageIQ don’t starts. How can I fix this?

This is the error:

/var/www/miq/vmdb/gems/pending/util/miq-password.rb:39:in `rescue in decrypt’: can not decrypt v2_key encrypted string (MiqPassword::MiqPasswordError)


#8

Got it work.

After using of new v2_key, also remove of db configuration file with old encrypted data is needed, to be able to reconfigure environment again.

[root@appliance ~]# vmdb
[root@appliance vmdb]# cd config
[root@appliance config]# mv database.yml old-database.yml
[root@appliance config]# appliance_console

select configure DB and reenter data again. If you already have v2_key, you should download it from master server, so encryption will be the same on both ends.


#9

Hi. I tried configure external database step by step, but i have this:
[----] I, [2016-05-24T09:04:54.714176 #2729:54397c] INFO – : MIQ(MiqServer#monitor) Reconnecting to database after error…
[----] E, [2016-05-24T09:04:54.714448 #2729:54397c] ERROR – : MIQ(MiqServer#monitor) invalid encoding name: utf8, during reconnect!


#10

Strange… for me it looks like you somewhere set wrong “encoding” variable and “utf8” is not valid value. Try to use “UTF-8” or something or configure all via web-UI or appliance-console.


#11

@the_error I try to configure in manageiq-darga. So i can’t use we-UI. But may be, this error depends on this new version.


#12

It worked for me as well… Thanks mate…