Just to confirm the incompatibility. When the Zone was enabled, the CS
manager started trying to launch some system VMs like s-NNNN-VM and
v-NNNN-VM. On the hypervisors, all attempts were failing because libvirtd
didn't accept a vnc_password bigger than 8 chars.

libvirtd[44140]: unsupported configuration: VNC password is 22 characters long, only 8 permitted

Then, I changed the vnc_passwords directly in the database.

On the manager, generate the string for password 12345678:

java -cp /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar \
  org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="12345678" \
  password="DATABASE_KEY"

----OUTPUT----------------------
ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5

In the database, update to the new value:
update vm_instance set vnc_password = "ohM+JhNfT0xFJC3HtveMGTI5CJCjkcN5="
where name like "s-%" or name like "v-%";

After that, using an 8-char password, all system VMs started fine!

In https://qemu-project.gitlab.io/qemu/system/vnc-security.html we can see:

*The VNC protocol has limited support for password based authentication.
Since the protocol limits passwords to 8 characters it should not be
considered to provide high security.*

Before my tests with Libvirt 8 I was using Libvirt 6 with Ubuntu 20.04. It
looks like Libvirt 6 just drops what is after 8 chars in passwords. So,
sending a bigger password does not increase the security because the
protocol has the limitation, right?

In Libvirt 8 some modification is generating a Warning/Error. This shows
something about that modification:

https://www.mail-archive.com/libvir-list@redhat.com/msg224586.html

That warning/error is causing System VMs to not start! So, to use Libvirt 8
with CloudStack I think vnc_password length needs to be 8 in some way
because Libvirt 8 is no longer dropping what is bigger than that.

Thanks!
:)
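
An added example, not part of the original message and not CloudStack or libvirt code: a pre-flight check that reads libvirt domain XML and reports any VNC graphics password longer than the 8 permitted in the libvirtd error above. The sample domains, their names and passwords are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

VNC_MAX = 8  # the limit quoted in the libvirtd error above

# Constructed sample domain definitions (not taken from a real host).
SAMPLE_DOMAINS = [
    "<domain type='kvm'><name>s-0001-VM</name><devices>"
    "<graphics type='vnc' port='-1' passwd='A1b2C3d4E5f6G7h8I9j0K1'/>"
    "</devices></domain>",
    "<domain type='kvm'><name>v-0002-VM</name><devices>"
    "<graphics type='vnc' port='-1' passwd='12345678'/>"
    "</devices></domain>",
]


def effective_vnc_secret(password):
    """Bytes that VNC authentication can use: first 8, NUL-padded (RFC 6143)."""
    return password.encode("utf-8")[:VNC_MAX].ljust(VNC_MAX, b"\x00")


def audit_domain(xml_text):
    """Return (domain name, passwd length, accepted) per VNC graphics device."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="<unnamed>")
    results = []
    for gfx in root.iter("graphics"):
        passwd = gfx.get("passwd")
        if gfx.get("type") != "vnc" or passwd is None:
            continue
        # Length counted in UTF-8 bytes (assumption; same as characters for ASCII).
        length = len(passwd.encode("utf-8"))
        results.append((name, length, length <= VNC_MAX))
    return results


if __name__ == "__main__":
    for doc in SAMPLE_DOMAINS:
        for name, length, ok in audit_domain(doc):
            verdict = "ok" if ok else f"rejected: {length} > {VNC_MAX}"
            print(f"{name}: {verdict}")
```

effective_vnc_secret() shows why a longer value adds nothing under VNC authentication: any two passwords that share their first 8 bytes yield the same secret.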
