<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<STYLE type=text/css> <!--@import url(scrollbar.css); --></STYLE>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<STYLE> body{FONT-SIZE:12pt; FONT-FAMILY:宋体,serif;} </STYLE>
<META name=GENERATOR content="MSHTML 8.00.7600.16385"><BASE
target=_blank></HEAD>
<BODY
style="LINE-HEIGHT: 1.3; BORDER-RIGHT-WIDTH: 0px; MARGIN: 12px; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px"
marginwidth="0" marginheight="0">
<DIV>
<DIV><FONT face=微软雅黑><FONT face=微软雅黑><FONT face=微软雅黑><FONT
color=#000000 size=3 face=宋体>Thanks Juerg!</FONT></FONT></FONT></FONT></DIV>
<DIV><FONT face=微软雅黑><FONT face=微软雅黑><FONT face=宋体>When I use a debian7 image
without cloudinit, I log in to the instance successfully!</FONT></FONT></FONT></DIV>
<DIV><FONT face=微软雅黑><FONT face=微软雅黑><FONT face=宋体>It's because cloudinit locks
the password.</FONT></DIV>
<DIV><FONT face=微软雅黑></FONT> </DIV></FONT></FONT>
<DIV><FONT face=微软雅黑>2014-06-25 16:14 (UTC+8)</FONT></DIV>
<DIV><FONT face=微软雅黑>Wangpan</FONT></DIV>
<DIV><FONT size=2 face=微软雅黑></FONT> </DIV>
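<DIV>Added example, not part of the original messages: a Python sketch that parses the two /etc/shadow snapshots quoted in this thread and reports accounts whose password field changed only by a '!' lock prefix, the change the thread attributes to cloud-init's lock_passwd setting. The function names are illustrative assumptions; the sample lines are the ones quoted below.</DIV>
<PRE>
```python
"""Classify /etc/shadow password fields and diff two snapshots (added example)."""

# Crypt scheme identifiers found between the first two '$' of a hash.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Sample data: the lines quoted in this thread, before and after first boot.
BEFORE = """root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
..."""
AFTER = BEFORE.replace("root:$1$", "root:!$1$")


def parse_shadow(text):
    """Map user name to password field; lines without ':' are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries


def classify(pw_field):
    """Return (state, scheme) for the second field of a shadow entry."""
    if pw_field == "":
        return ("empty", None)  # no password is required at all
    locked = pw_field.startswith("!")
    body = pw_field.lstrip("!")
    if body.startswith("$") and body.count("$") >= 3:
        ident = body.split("$")[1]
        scheme = SCHEMES.get(ident, "unknown-" + ident)
        return ("locked" if locked else "usable", scheme)
    # '*', '!', '!!' and similar are not valid hashes: no password matches.
    return ("locked" if locked else "no-login", None)


def lock_changes(before_text, after_text):
    """List accounts whose password field differs between two snapshots."""
    before, after = parse_shadow(before_text), parse_shadow(after_text)
    changes = []
    for user in sorted(set(before).intersection(after)):
        old, new = before[user], after[user]
        if old != new:
            state, scheme = classify(new)
            changes.append({"user": user, "before": classify(old)[0],
                            "after": state, "scheme": scheme,
                            "hash_unchanged": old.lstrip("!") == new.lstrip("!")})
    return changes


if __name__ == "__main__":
    print(lock_changes(BEFORE, AFTER))
```
</PRE>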
<DIV><FONT size=2 face=微软雅黑>----- Original Message -----</FONT></DIV>
<DIV><FONT size=2 face=微软雅黑>> From: Juerg Haefliger
&lt;juergh@gmail.com&gt;</FONT></DIV>
<DIV><FONT size=2 face=微软雅黑>> To:
"Wangpan" &lt;hzwangpan@corp.netease.com&gt;<BR>>
Sent: 2014-06-25 15:50</FONT></DIV>
<DIV><FONT size=2 face=微软雅黑>> Subject: Re: [Openstack] [Nova] Admin pass
injection in launch libvirt/kvm instance</FONT></DIV>
<DIV><FONT size=2 face=微软雅黑>
<TABLE width="100%">
<TBODY>
<TR>
<TD width="100%">
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV dir=ltr>
<DIV>
<DIV><BR><BR><BR>On Wed, Jun 25, 2014 at 9:07 AM, Wangpan <<A
href="mailto:hzwangpan@corp.netease.com">hzwangpan@corp.netease.com</A>>
wrote:<BR>><BR>> Hi all,<BR>> <BR>> I debugged the
process of libvirt admin password injection and found that everything is OK
before the instance boots up;<BR>> the /etc/shadow is modified
normally, such as:<BR>>
Wangpan@10-120-120-7:/tmp/openstack-vfs-localfsX_J5ke/etc$ sudo cat
shadow<BR>>
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<BR>>
daemon:*:15822:0:99999:7:::<BR>> bin:*:15822:0:99999:7:::<BR>>
...<BR>> <BR>> but after the instance is up and running, I log in to
it by ssh+keypair and cat this file again; it has changed like
this:<BR>> root@t1:~# cat /etc/shadow<BR>>
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<BR>>
daemon:*:15822:0:99999:7:::<BR>> bin:*:15822:0:99999:7:::<BR>>
<BR>> the difference is:<BR>>
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
(before running up)<BR>>
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
(after running up)<BR>> you can see that a '!' prefix is
added to the encrypted password; if I remove it, then I can log in to the
instance by VNC successfully!<BR>> I don't know what happened. Can anyone
help me?<BR><BR></DIV>
<DIV>What image is this?<BR></DIV><BR>Probably cloud-init locking the
root password. Check /etc/cloud/cloud.cfg for:<BR></DIV>
<DIV>lock_passwd: True<BR></DIV>
<DIV><BR></DIV>...Juerg<BR><BR>
<DIV>
<DIV><BR>> thanks!<BR>> <BR>> <BR>> 2014-06-25
14:57 (UTC+8)<BR>> Wangpan<BR>> <BR>> ----- Original
Message -----<BR>> > From: CôngTT <<A
href="mailto:tcvn1985@gmail.com">tcvn1985@gmail.com</A>><BR>> >
To: "Thang Pham"<<A
href="mailto:thang.g.pham@gmail.com">thang.g.pham@gmail.com</A>><BR>>
> Sent: 2014-06-25 12:21<BR>> > Subject: Re: [Openstack] [Nova]
Admin pass injection in launch libvirt/kvm instance<BR>><BR>> Hi
Thang Pham and all!<BR>><BR>> I am using KVM on OpenStack
Havana and OpenStack Icehouse, and injecting the admin password works OK.
SURE 100% <BR>><BR>><BR>> Step 1: Edit
/etc/nova/nova.conf<BR>><BR>> [DEFAULT]<BR>>
....<BR>><BR>> libvirt_inject_password=True<BR>>
enable_instance_password = True<BR>><BR>><BR>> Step 2:<BR>>
If you use an image such as cirros, ubuntu .... downloaded from the Internet, then you
will modify /etc/ssh/sshd_config to disable private key authentication
(rsa): (Example Ubuntu 13.10)<BR>><BR>><BR>> #Line 15
Un-comment<BR>> UsePrivilegeSeparation yes<BR>><BR>> #Line 30:
Comment 30<BR>> #RSAAuthentication no<BR>><BR>> #Line
31<BR>> PubkeyAuthentication no<BR>><BR>> #Line 51<BR>>
PasswordAuthentication yes<BR>><BR>><BR>><BR>> Besides, you
can create an image for GLANCE by yourself.<BR>><BR>> Note: KVM
does not support resetting the password. You can see <A
href="https://wiki.openstack.org/wiki/HypervisorSupportMatrix">https://wiki.openstack.org/wiki/HypervisorSupportMatrix</A><BR>><BR>>
Good luck to you!<BR>><BR>> P/S: Thắng: This feature injects the
password right when the machine is created; I have it working well on KVM
<BR>><BR>> tu0ng_c0ng<BR>><BR>> On Wed, Jun 25, 2014 at
10:48 AM, Thang Pham <<A
href="mailto:thang.g.pham@gmail.com">thang.g.pham@gmail.com</A>>
wrote:<BR>>><BR>>> Hi Wangpan,<BR>>><BR>>>
Injecting admin password is not implemented or supported in libvirt/kvm.
I believe only Xen supports it.<BR>>><BR>>>
Regards,<BR>>> Thang<BR>>><BR>>><BR>>> On Tue,
Jun 24, 2014 at 11:36 PM, Wangpan <<A
href="mailto:hzwangpan@corp.netease.com">hzwangpan@corp.netease.com</A>>
wrote:<BR>>>><BR>>>> Hi all,<BR>>>>
<BR>>>> I want to inject an admin password into a libvirt/kvm
instance, and I enabled the config libvirt_inject_password=true on the
compute node.<BR>>>> I also find the /etc/shadow file in the
instance is changed, but when I use the adminPass to log in to the instance
from vnc, it fails.<BR>>>> I find that the admin password
is encrypted in nova/virt/disk/api.py:_set_password()
method,<BR>>>> even if I encrypt my adminPass and replace the
root password in /etc/shadow manually, I can't log in to the instance with
vnc.<BR>>>> <BR>>>> My questions
are:<BR>>>> 1) Is this admin password injection function of
the libvirt driver usable? In other words, is my issue a bug or
not?<BR>>>> 2) Are there some special details I was losing
sight of, such as any configs that should change?<BR>>>> 3) Does this
function depend on the libc version?<BR>>>>
<BR>>>> BTW, I'm using stable havana and booting a
debian7 instance, and this is the admin guide page of this
function:<BR>>>> <A
href="http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html">http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html</A><BR>>>>
<BR>>>> thanks!<BR>>>> <BR>>>>
2014-06-25 11:16 (UTC+8)<BR>>>>
Wangpan<BR>>>><BR>>>>
_______________________________________________<BR>>>> Mailing
list: <A
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</A><BR>>>>
Post to : <A
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</A><BR>>>>
Unsubscribe : <A
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</A><BR></DIV></DIV></DIV></BLOCKQUOTE></TD></TR></TBODY></TABLE></FONT><FONT
size=2 face="Times New Roman"></DIV></FONT></DIV></BODY></HTML>