<div dir="ltr"><div><div><br><br><br>On Wed, Jun 25, 2014 at 9:07 AM, Wangpan <<a href="mailto:hzwangpan@corp.netease.com">hzwangpan@corp.netease.com</a>> wrote:<br>><br>> Hi all,<br>> <br>> I debug the process of libvirt admin password injection, I found everything is OK before the instance is booting up,<br>
> the /etc/shadow is modified normally, such as:<br>> Wangpan@10-120-120-7:/tmp/openstack-vfs-localfsX_J5ke/etc$ sudo cat shadow<br>> root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<br>> daemon:*:15822:0:99999:7:::<br>
> bin:*:15822:0:99999:7:::<br>> ...<br>> <br>> but after the instance is running up, I login it by ssh+keypair, I cat this file again, it is changed like this:<br>> root@t1:~# cat /etc/shadow<br>> root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::<br>
> daemon:*:15822:0:99999:7:::<br>> bin:*:15822:0:99999:7:::<br>> <br>> the difference is:<br>> root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7::: (before running up)<br>> root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7::: (after running up)<br>
> you can find that a '!' prefix is added to the encrypted password, if I remove it, then I can login the instance by VNC successfully!<br>> I don't know what happened? anyone can help me?<br><br></div><div>
What image is this?<br></div><br>Probably cloud-init locking the root password. Check /etc/cloud/cloud.cfg for:<br></div><div>lock_passwd: True<br></div><div><br></div>...Juerg<br><br><div><div><br>> thanks!<br>> <br>
> <br>> 2014-06-25 14:57 (UTC+8)<br>> Wangpan<br>> <br>> ----- Original Message -----<br>> > From: CôngTT <<a href="mailto:tcvn1985@gmail.com">tcvn1985@gmail.com</a>><br>> > To: "Thang Pham"<<a href="mailto:thang.g.pham@gmail.com">thang.g.pham@gmail.com</a>><br>
> > Sent: 2014-06-25 12:21<br>> > Subject: Re: [Openstack] [Nova] Admin pass injection in launch libvirt/kvm instance<br>><br>> Hi Thang Pham and all !<br>><br>> I am using KVM on OpenStack Havana , OpenStack Icehouse , And inject admin password OK. SURE 100% <br>
><br>><br>> Step 1 : Edit /etc/nova/nova.conf<br>><br>> [DEFAULT ]<br>> ....<br>><br>> libvirt_inject_password=True<br>> enable_instance_password = True<br>><br>><br>> Step 22:<br>> If you use image cirros, ubuntu .... downloading from Internet, then you will modify /etc/ssh/sshd_config to disable authentication private key (rsa): (Example Ubuntu 13.10)<br>
><br>><br>> #Line 15 Un-comment<br>> UsePrivilegeSeparation yes<br>><br>> #Line 30: Comment 30<br>> #RSAAuthentication no<br>><br>> #Line 31<br>> PubkeyAuthentication no<br>><br>> #Line 51<br>
> PasswordAuthentication yes<br>><br>><br>><br>> Besides, You can create image for GLANCE by yourself.<br>><br>> Note: On KVM not support reset password. You can see <a href="https://wiki.openstack.org/wiki/HypervisorSupportMatrix">https://wiki.openstack.org/wiki/HypervisorSupportMatrix</a><br>
><br>> Good luck for U !<br>><br>> P/S: Thắng: Tính năng này là tính năng chèn password ngay khi khởi tạo máy, mình thực hiện tốt trên KVM <br>><br>> tu0ng_c0ng<br>><br>> On Wed, Jun 25, 2014 at 10:48 AM, Thang Pham <<a href="mailto:thang.g.pham@gmail.com">thang.g.pham@gmail.com</a>> wrote:<br>
>><br>>> Hi Wangpan,<br>>><br>>> Injecting admin password is not implemented or supported in libvirt/kvm. I believe only Xen supports it.<br>>><br>>> Regards,<br>>> Thang<br>>><br>
>><br>>> On Tue, Jun 24, 2014 at 11:36 PM, Wangpan <<a href="mailto:hzwangpan@corp.netease.com">hzwangpan@corp.netease.com</a>> wrote:<br>>>><br>>>> Hi all,<br>>>> <br>>>> I want to inject admin password to a libvirt/kvm instance, and I enable the config libvirt_inject_password=true on the compute node,<br>
>>> I also find the /etc/shadow file in the instance is changed, but when I use the adminPass to login the instance from vnc, it is failed.<br>>>> I find that the admin password is encrypted in nova/virt/disk/api.py:_set_password() method,<br>
>>> evenif I encrypt my adminPass and replace the root password in /etc/shadow manually, I can't login the instance with vnc.<br>>>> <br>>>> My questions are:<br>>>> 1) Does this admin password injection function of libvirt driver useable? In other words, my issue is a bug or not?<br>
>>> 2) Are there some special details I was losing sight of? such as any configs should change?<br>>>> 3) Is this function depends on the libc version?<br>>>> <br>>>> BTW, I'm using stable havana and booting a debian7 instance, and this is the admin guide page of this function:<br>
>>> <a href="http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html">http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html</a><br>>>> <br>>>> thanks!<br>
>>> <br>>>> 2014-06-25 11:16 (UTC+8)<br>>>> Wangpan<br>>>><br>>>> _______________________________________________<br>>>> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>>>> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>><br>>><br>>><br>>> _______________________________________________<br>>> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>>> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>><br>><br>><br>> _______________________________________________<br>> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br></div></div></div>