<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">I found the following documentation on it: <a href="http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html">http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html</a>.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I initially thought it was not implemented because the set_admin_password method was not implemented in the libvirt driver. Now I see there is another way to do it, which makes it easier to log in than using SSH key pairs :)</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Thanks for pointing it out,</div><div class="gmail_default" style="font-family:verdana,sans-serif">
Thang</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 25, 2014 at 4:16 AM, Wangpan <span dir="ltr"><<a href="mailto:hzwangpan@corp.netease.com" target="_blank">hzwangpan@corp.netease.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div style="LINE-HEIGHT:1.3;BORDER-RIGHT-WIDTH:0px;MARGIN:12px;BORDER-TOP-WIDTH:0px;BORDER-BOTTOM-WIDTH:0px;BORDER-LEFT-WIDTH:0px" marginwidth="0" marginheight="0">
<div>
<div><font face="微软雅黑"><font face="微软雅黑"><font face="微软雅黑"><font color="#000000" size="3" face="宋体">Thanks Juerg!</font></font></font></font></div>
<div><font face="微软雅黑"><font face="微软雅黑"><font face="宋体">When I use a debian7 image
without cloudinit, I log in to the instance successfully!</font></font></font></div>
<div><font face="微软雅黑"><font face="微软雅黑"><font face="宋体">It's because cloudinit locks the
password.</font></font></font></div>
<div><font face="微软雅黑"></font> </div>
<div><font face="微软雅黑">2014-06-25 16:14 (UTC+8)</font></div><div class="">
<div><font face="微软雅黑">Wangpan</font></div>
<div><font face="微软雅黑"></font> </div>
<div><font face="微软雅黑">----- Original Message -----</font></div>
</div><div><div class="h5"><div><font face="微软雅黑">> From: Juerg Haefliger
<<a href="mailto:juergh@gmail.com" target="_blank">juergh@gmail.com</a>></font></div>
<div><font face="微软雅黑">> To:
"Wangpan"<<a href="mailto:hzwangpan@corp.netease.com" target="_blank">hzwangpan@corp.netease.com</a>><br>>
Sent: 2014-06-25 15:50</font></div>
<div><font face="微软雅黑">> Subject: Re: [Openstack] [Nova] Admin pass
injection in launch libvirt/kvm instance</font></div>
<div><font face="微软雅黑">
<table width="100%">
<tbody>
<tr>
<td width="100%">
<blockquote style="BORDER-LEFT:#000000 2px solid;PADDING-LEFT:5px;PADDING-RIGHT:0px;MARGIN-LEFT:5px;MARGIN-RIGHT:0px">
<div dir="ltr">
<div>
<div><br><br><br>On Wed, Jun 25, 2014 at 9:07 AM, Wangpan <<a href="mailto:hzwangpan@corp.netease.com" target="_blank">hzwangpan@corp.netease.com</a>>
wrote:<br>><br>> Hi all,<br>> <br>> I debugged the
process of libvirt admin password injection, and I found everything is OK
before the instance boots up;<br>> the /etc/shadow is modified
normally, such as:<br>>
Wangpan@10-120-120-7:/tmp/openstack-vfs-localfsX_J5ke/etc$ sudo cat
shadow<br>>
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<br>>
daemon:*:15822:0:99999:7:::<br>> bin:*:15822:0:99999:7:::<br>>
...<br>> <br>> but after the instance is up and running, I log in to
it by ssh+keypair and cat this file again, and it has changed to
this:<br>> root@t1:~# cat /etc/shadow<br>>
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<br>>
daemon:*:15822:0:99999:7:::<br>> bin:*:15822:0:99999:7:::<br>>
<br>> the difference is:<br>>
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
(before running up)<br>>
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
(after running up)<br>> You can see that a '!' prefix is
added to the encrypted password; if I remove it, then I can log in to the
instance by VNC successfully!<br>> I don't know what happened. Can anyone
help me?<br><br></div>
<div>What image is this?<br></div><br>Probably cloud-init locking the
root password. Check /etc/cloud/cloud.cfg for:<br></div>
<div>lock_passwd: True<br></div>
<div><br></div>...Juerg<br><br>
<div>
<div><br>> thanks!<br>> <br>> <br>> 2014-06-25
14:57 (UTC+8)<br>> Wangpan<br>> <br>> ----- Original
Message -----<br>> > From: CôngTT <<a href="mailto:tcvn1985@gmail.com" target="_blank">tcvn1985@gmail.com</a>><br>> >
To: "Thang Pham"<<a href="mailto:thang.g.pham@gmail.com" target="_blank">thang.g.pham@gmail.com</a>><br>>
> Sent: 2014-06-25 12:21<br>> > Subject: Re: [Openstack] [Nova]
Admin pass injection in launch libvirt/kvm instance<br>><br>> Hi
Thang Pham and all!<br>><br>> I am using KVM on OpenStack
Havana and OpenStack Icehouse, and injecting the admin password works OK.
100% sure.<br>><br>><br>> Step 1: Edit
/etc/nova/nova.conf<br>><br>> [DEFAULT]<br>>
....<br>><br>> libvirt_inject_password=True<br>>
enable_instance_password = True<br>><br>><br>> Step 2:<br>>
If you use an image such as cirros, ubuntu .... downloaded from the Internet, then you
will need to modify /etc/ssh/sshd_config to disable private key
authentication (rsa): (Example: Ubuntu 13.10)<br>><br>><br>> #Line 15
Un-comment<br>> UsePrivilegeSeparation yes<br>><br>> #Line 30:
Comment 30<br>> #RSAAuthentication no<br>><br>> #Line
31<br>> PubkeyAuthentication no<br>><br>> #Line 51<br>>
PasswordAuthentication yes<br>><br>><br>><br>> Besides, you
can create an image for Glance yourself.<br>><br>> Note: KVM
does not support resetting the password. See <a href="https://wiki.openstack.org/wiki/HypervisorSupportMatrix" target="_blank">https://wiki.openstack.org/wiki/HypervisorSupportMatrix</a><br>><br>>
Good luck to you!<br>><br>> P/S: Thắng: This feature injects the
password right when the machine is created; it works well for me on KVM
<br>><br>> tu0ng_c0ng<br>><br>> On Wed, Jun 25, 2014 at
10:48 AM, Thang Pham <<a href="mailto:thang.g.pham@gmail.com" target="_blank">thang.g.pham@gmail.com</a>>
wrote:<br>>><br>>> Hi Wangpan,<br>>><br>>>
Injecting admin password is not implemented or supported in libvirt/kvm.
I believe only Xen supports it.<br>>><br>>>
Regards,<br>>> Thang<br>>><br>>><br>>> On Tue,
Jun 24, 2014 at 11:36 PM, Wangpan <<a href="mailto:hzwangpan@corp.netease.com" target="_blank">hzwangpan@corp.netease.com</a>>
wrote:<br>>>><br>>>> Hi all,<br>>>>
<br>>>> I want to inject an admin password into a libvirt/kvm
instance, and I enabled the config libvirt_inject_password=true on the
compute node.<br>>>> I also find that the /etc/shadow file in the
instance is changed, but when I use the adminPass to log in to the instance
from vnc, it fails.<br>>>> I find that the admin password
is encrypted in the nova/virt/disk/api.py:_set_password()
method;<br>>>> even if I encrypt my adminPass and replace the
root password in /etc/shadow manually, I can't log in to the instance with
vnc.<br>>>> <br>>>> My questions
are:<br>>>> 1) Is this admin password injection function of the
libvirt driver usable? In other words, is my issue a bug or
not?<br>>>> 2) Are there some special details I was losing
sight of, such as any configs that should be changed?<br>>>> 3) Does this
function depend on the libc version?<br>>>>
<br>>>> BTW, I'm using stable havana and booting a
debian7 instance, and this is the admin guide page of this
function:<br>>>> <a href="http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html" target="_blank">http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html</a><br>
function:<br>>>> <a href="http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html" target="_blank">http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html</a><br>
>>>
<br>>>> thanks!<br>>>> <br>>>>
2014-06-25 11:16 (UTC+8)<br>>>>
Wangpan<br>>>><br>>>>
_______________________________________________<br>>>> Mailing
list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>>>>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>>>>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br></div></div></div></blockquote></td>
</tr></tbody></table></font><font face="Times New Roman"></font></div></div></div></div></div></blockquote></div><br></div>
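<div>An added example, not part of the original thread or of Nova or cloud-init: a small check for the symptom discussed above, where an injected /etc/shadow hash gains a '!' prefix after first boot and cloud.cfg carries lock_passwd: True. The sample shadow lines, the placeholder hash, the cloud.cfg snippet and all function names are constructed for illustration.</div>

```python
import re

# Constructed sample data: the hash is a placeholder, not a real credential.
BEFORE = """root:$1$SALTSALT$CONSTRUCTEDHASHVALUE00:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
"""
AFTER = BEFORE.replace("root:$1$", "root:!$1$")   # what the guest shows after boot
CLOUD_CFG = """system_info:
  default_user:
    name: root
    lock_passwd: True
"""

def parse_shadow(text):
    """Return {user: password_field} from shadow(5)-formatted text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields[1]
    return entries

def classify(pw):
    """Describe the state of a shadow password field."""
    if pw == "":
        return "empty"
    if pw.startswith("!") and pw[1:].startswith("$"):
        return "locked"      # hash kept, but the '!' prefix means no password matches
    if pw.startswith("$"):
        return "usable"
    return "no-login"        # '*', '!', '!!' and similar markers

def locked_since(before, after):
    """Users whose hash is unchanged but gained the '!' lock prefix."""
    b, a = parse_shadow(before), parse_shadow(after)
    return sorted(u for u, pw in b.items()
                  if classify(pw) == "usable" and a.get(u) == "!" + pw)

def lock_passwd_enabled(cfg_text):
    """True if an uncommented lock_passwd key in cloud.cfg text is set true."""
    values = re.findall(r"^\s*lock_passwd:\s*(\w+)", cfg_text, re.MULTILINE)
    return any(v.lower() in ("true", "yes", "on") for v in values)

if __name__ == "__main__":
    print("locked after boot:", locked_since(BEFORE, AFTER))
    print("lock_passwd set:", lock_passwd_enabled(CLOUD_CFG))
```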