Katy Feng [Thu, 16 Nov 2023 17:21:20 +0000 (09:21 -0800)]
Change in Guest Data Producer plugin API and Guest Data Producer
protocol/handshake between the host and guest to support ‘no subscribers’
error feedback.
The Service Discovery plugin was updated for API compatibility.
Changes in the GDP protocol/handshake introduce versioning of the protocol.
The new version is “2” and introduces new attributes (‘version’ and
‘requireSubs’) in the guest request header sent to the host publisher service.
The response from the host publisher service to the guest producer client is
also versioned and changes more significantly: V2 response messages have new
attributes (‘version’, ‘error-id’, and ‘error-text’) and have the ‘status’
attribute's type change from string (‘ok’, ‘bad’) to Boolean (‘true’, ‘false’).
The ‘error-id’, when present, contains a string identifier for an error
type/code and ‘error-text’, when present, contains textual details for the error.
The host publisher supports all protocol versions up to the version it provides
for backward and forward compatibility. The host publisher service responds with
the same version of protocol as the incoming request or its highest protocol
version when the incoming request version is higher than it supports.
The guest producer client supports all response versions up to the version it
provides for backward and forward compatibility. The guest producer client
always sends requests to the host publisher service using the highest protocol
version it supports.
Katy Feng [Mon, 13 Nov 2023 20:07:34 +0000 (12:07 -0800)]
Guest identification: Asianux Linux is now Miracle Linux
The Asianux distro rebranded itself as Miracle Linux. Our
infrastructure already knows about Asianux; however, the guest
identification that runs in tools does not. Add the necessary
aliasing code to the "in guest" code.
Katy Feng [Mon, 13 Nov 2023 20:07:34 +0000 (12:07 -0800)]
File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapper
on Linux
Move the privilege drop logic (dropping privilege to the real uid and
gid of the process for the vmusr service) from suidWrapper to vmtoolsd code.
Now vmtoolsd is not executed with dropped privileges (started as setuid
program) and the dumpable attribute of the process is not reset.
Unprivileged users will not have access to the privileged file descriptors
in the vmtoolsd vmusr process.
Also, set the FD_CLOEXEC flag for both uinputFd and blockFd preventing
those file descriptors from being inherited any further from vmtoolsd.
Katy Feng [Mon, 13 Nov 2023 20:07:33 +0000 (12:07 -0800)]
Checking flag 'disable_vmware_customization' in more cloud-init config files
Currently, the deployPkg plugin checks the existence of the flag
'disable_vmware_customization: false' in the /etc/cloud/cloud.cfg file
to determine whether VMware customization is enabled on cloud-init
side when cloud-init is available in guest. Instead, keep local settings,
such as this flag, in config files under the /etc/cloud/cloud.cfg.d directory,
for example: /etc/cloud/cloud.cfg.d/somefile.cfg
This change implements the following adjustments to make sure this flag is
handled the same way as cloud-init does in ds-identify and Datasource:
1. Instead of regex matching flag 'disable_vmware_customization: false',
check the value of flag 'disable_vmware_customization':
If the value is 'false', it means VMware customization is enabled.
If the value is 'true', it means VMware customization is disabled.
If the flag is not set, by default VMware customization is disabled
on cloud-init side.
2. Besides cloud-init /etc/cloud/cloud.cfg file, also check all .cfg
files under /etc/cloud/cloud.cfg.d directory.
3. The value of flag 'disable_vmware_customization' in .cfg files under
/etc/cloud/cloud.cfg.d directory will overwrite the one in the
/etc/cloud/cloud.cfg file.
4. The value of flag 'disable_vmware_customization' in a .cfg file listed
further down in alphabetical order under the /etc/cloud/cloud.cfg.d
directory will overwrite the value in a .cfg file listed earlier.
5. If a cloud-init config file contains more than one instance of this
flag, the value of the later flag will overwrite the former one.
Katy Feng [Thu, 26 Oct 2023 15:39:15 +0000 (08:39 -0700)]
=================================================
open-vm-tools 12.3.5 released at this point.
=================================================
Update of the ChangeLog with the final changes in preparation for
the open-vm-tools 12.3.5 release.
Katy Feng [Tue, 17 Oct 2023 22:24:48 +0000 (15:24 -0700)]
File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapper
on Linux
Moving the privilege drop logic (dropping privilege to the real uid and
gid of the process for the vmusr service) from suidWrapper to vmtoolsd code.
Now the vmtoolsd is not executed with dropped privileges (started as setuid
program) and the dumpable attribute of the process is not reset.
The unprivileged user will not have access to the privileged file descriptors
in the vmtoolsd vmusr process.
Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing
the file descriptors being inherited any further from the vmtoolsd.
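Added example, not part of the commit above and not open-vm-tools code: a C sketch of the two hardening steps the message describes, marking a descriptor FD_CLOEXEC and dropping to the real gid and uid, with a probe that shows whether the descriptor reaches an exec'd program. The function names are hypothetical and /dev/null stands in for uinputFd and blockFd.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec so no program exec'd later inherits it. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Drop to the real gid/uid: group first, because once the uid is
 * unprivileged, setgid() is no longer permitted. */
int drop_to_real_ids(void) {
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the effective ids rather than trusting return codes alone. */
    if (getegid() != gid || geteuid() != uid) return -1;
    return 0;
}

/* Probe: 1 if fd is still open in a freshly exec'd /bin/sh, 0 if not.
 * The redirection `: <&N` fails when descriptor N is closed. Assumes
 * /bin/sh exists and a single-digit fd (some shells accept no more). */
int fd_survives_exec(int fd) {
    char script[32];
    int status;
    snprintf(script, sizeof script, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    int fd = open("/dev/null", O_RDONLY);  /* stand-in for uinputFd/blockFd */
    int before = fd_survives_exec(fd);
    set_cloexec(fd);
    printf("inherited: before=%d after=%d, drop=%d\n",
           before, fd_survives_exec(fd), drop_to_real_ids());
    return 0;
}
```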
Katy Feng [Tue, 17 Oct 2023 22:24:48 +0000 (15:24 -0700)]
Suppress optional arg to backup scripts when empty string.
Backup scripts can be called with an optional argument. Don't pass the
optional arg to the script if it's an empty string.
Katy Feng [Tue, 17 Oct 2023 22:24:48 +0000 (15:24 -0700)]
Checking flag 'disable_vmware_customization' in more cloud-init config files
Currently, deployPkg plugin checks the existence of flag
'disable_vmware_customization: false' in the /etc/cloud/cloud.cfg file
to determine if VMware customization is enabled or not on cloud-init
side when cloud-init is available in guest.
Both cloud-init team and customers suggested that it's better practice to
put local configuration like this flag into some .cfg files under
/etc/cloud/cloud.cfg.d directory, ex: /etc/cloud/cloud.cfg.d/somefile.cfg
This change implements the following adjustments to make sure we handle
this flag the same way as cloud-init does in ds-identify and Datasource:
1. Instead of regex matching flag 'disable_vmware_customization: false',
we will check the value of flag 'disable_vmware_customization':
If the value is 'false', it means VMware customization is enabled.
If the value is 'true', it means VMware customization is disabled.
If the flag is not set, by default VMware customization is disabled
on cloud-init side.
2. Besides cloud-init /etc/cloud/cloud.cfg file, we will check all .cfg
files under /etc/cloud/cloud.cfg.d directory.
3. The value of flag 'disable_vmware_customization' in .cfg files under
/etc/cloud/cloud.cfg.d directory will overwrite the one in
/etc/cloud/cloud.cfg file.
4. The value of flag 'disable_vmware_customization' in a .cfg file listed
further down the alphabetical order under /etc/cloud/cloud.cfg.d directory
will overwrite the value in a .cfg file listed earlier.
5. If a cloud-init config file contains more than one instance of this
flag, the value of the later flag will overwrite the former one's.
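Added example, not part of the commit above and not the deployPkg plugin's code: a C sketch of the five precedence rules, run over in-memory file contents so it works offline. The line-based `key: value` matching, the `struct cfg` type and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define FLAG "disable_vmware_customization"

/* Constructed stand-in for one file under /etc/cloud/cloud.cfg.d */
struct cfg { const char *name; const char *text; };

/* Skip blanks within [p, end). */
static const char *skip_ws(const char *p, const char *end) {
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    return p;
}

/* Scan one file; state is -1 (unset), 0 (false) or 1 (true).
 * A later occurrence in the same file replaces an earlier one (rule 5). */
static int scan_text(const char *text, int state) {
    size_t flen = strlen(FLAG);
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = skip_ws(line, end);
        if ((size_t)(end - p) > flen && !strncmp(p, FLAG, flen)) {
            p = skip_ws(p + flen, end);
            if (p < end && *p == ':') {
                p = skip_ws(p + 1, end);
                size_t n = 0;  /* length of the value word */
                while (p + n < end && isalpha((unsigned char)p[n])) n++;
                if (n == 4 && !strncmp(p, "true", 4)) state = 1;
                else if (n == 5 && !strncmp(p, "false", 5)) state = 0;
            }
        }
        line = nl ? nl + 1 : end;
    }
    return state;
}

static int by_name(const void *a, const void *b) {
    return strcmp(((const struct cfg *)a)->name, ((const struct cfg *)b)->name);
}

/* Returns 1 when VMware customization is enabled on the cloud-init side. */
int customization_enabled(const char *main_cfg, struct cfg *dropins, size_t n) {
    int state = scan_text(main_cfg, -1);          /* /etc/cloud/cloud.cfg first */
    if (n > 1) qsort(dropins, n, sizeof *dropins, by_name);  /* rule 4 */
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(dropins[i].name);
        if (len > 4 && !strcmp(dropins[i].name + len - 4, ".cfg"))
            state = scan_text(dropins[i].text, state);  /* rules 2 and 3 */
    }
    return state == 0;  /* rule 1: unset or 'true' means disabled */
}
```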
Katy Feng [Thu, 5 Oct 2023 17:35:25 +0000 (10:35 -0700)]
Allow pre-Windows 2000 style user logon for Linux Guests.
With this change, applications that require user/password type
authentication/authorization (done by VGAuth service) for guestOps
can now use pre-Windows 2000 style user logon for Linux Guests too.
Katy Feng [Tue, 29 Aug 2023 14:26:13 +0000 (07:26 -0700)]
Preparing for the open-vm-tools 12.3.0 release.
Syncing the tools version, build number and product build number with
the internal official build of VMware Tools / open-vm-tools 12.3.0.