[Openstack] [Nova] What is the correct way to provide Windows instance password for user?

Clark, Robert Graham robert.clark at hp.com
Thu Jan 23 08:52:34 UTC 2014


On Thu Jan 23 07:54:23 2014, Juerg Haefliger wrote:
> On Tue, Jan 21, 2014 at 8:22 AM, Joe Topjian <joe at topjian.net> wrote:
> >
> > Hi Juerg,
> >
> > That's a really creative way of setting the password. Are you able
> > to share your powershell script?
>
> Sorry, missed this request earlier. Need to check with legal (sigh).
>
> ..Juerg
>
>
> > Thanks,
> > Joe
> >
> >
> > On Tue, Jan 21, 2014 at 8:15 AM, Juerg Haefliger <juergh at gmail.com> wrote:
> >>
> >>
> >> On Tue, Jan 21, 2014 at 3:15 AM, jeffty <wantwatering at gmail.com> wrote:
> >> >
> >> > Thanks Joe, It really helps.
> >> >
> >> > Will check them to find the proper way.
> >> >
> >> > Thanks.
> >> >
> >> > On 1/19/2014 3:32 PM, Joe Topjian wrote:
> >> > > Hello,
> >> > >
> >> > > We've used this in the past:
> >> > >
> >> > > https://github.com/jordanrinke/openstack
> >> > >
> >> > > It allows a user to type in an Administrator password in the Post Config
> >> > > text box when launching an instance in Horizon. The password is then
> >> > > retrieved when Windows first boots via the metadata service.
> >> > >
> >> > > We stopped using it for two reasons, though:
> >> > >
> >> > > 1. The password was permanently stored in the metadata server
> >> > > 2. There was no (default) way to let the user know that the password
> >> > > they chose was not a strong enough password
> >> > >
> >> > > We now just have users connect to the VNC console and set the password
> >> > > upon first boot.
> >> > >
> >> > > There have been a few discussions over the past year on the
> >> > > openstack-operators list about the cloudbase Windows cloud-init service.
> >> > > I think one or two people have been able to get the password injection
> >> > > portion working. It might be worth a shot to search the archives:
> >> > >
> >> > > http://www.gossamer-threads.com/lists/openstack/operators/
> >> > >
> >> > > Joe
> >> > >
> >> > >
> >> > > On Sun, Jan 19, 2014 at 4:21 AM, jeffty <wantwatering at gmail.com> wrote:
> >> > >
> >> > >     Thanks Jacob.
> >> > >
> >> > >     Is there any OpenStack API guide for sending the instance password while
> >> > >     launching it?
> >> > >
> >> > >     Thanks.
> >> > >
> >> > >     On 1/19/2014 11:08 AM, Jacob Godin wrote:
> >> > >     > Yes, they must input a password every time. It's within Windows, they
> >> > >     > must use the console.
> >> > >     >
> >> > >     > Sent from my mobile device
> >> > >     >
> >> > >     > On Jan 18, 2014 10:51 PM, "jeffty" <wantwatering at gmail.com> wrote:
> >> > >     >
> >> > >     >     Thanks Jacob.
> >> > >     >
> >> > >     >     Then the user must input a password for every Windows instance he
> >> > >     >     launched?
> >> > >     >
> >> > >     >     In other words, different instances own different passwords even if
> >> > >     >     they are launched at the same time? E.g. input 3 while launching
> >> > >     >     instances in the Horizon portal for this Windows image.
> >> > >     >
> >> > >     >     If yes, how to send this password to the instance in the portal?
> >> > >     >     That should be implemented by the meta service.
> >> > >     >
> >> > >     >     If no, all of the instances have the same default password, right?
> >> > >     >
> >> > >     >
> >> > >     >     On 1/19/2014 10:02 AM, Jacob Godin wrote:
> >> > >     >     > We've used sysprep to have the administrator provide a password
> >> > >     >     > when the instance is first booted.
> >> > >     >
> >>
> >> We use a simple powershell script that generates a random
> >> Administrator password on first boot, pulls the SSH key from the
> >> metadata server, encrypts the password with the key and writes the
> >> encrypted password to the serial port.
> >>
> >> The user retrieves the encrypted password through the nova
> >> console-log and decrypts it with his private key. The image is set up
> >> such that the user is prompted to change the (random) password the
> >> first time he logs into the instance.
> >>
> >> ...Juerg
> >>
> >>
> >>
> >> > >
> >> > >     _______________________________________________
> >> > >     Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> > >     Post to     : openstack at lists.openstack.org
> >> > >     Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> > >
> >> > >
> >> >
> >> >
> >
> >

If it's not possible to release the script it shouldn't be too hard to
re-create. Juerg has already described the tricky bit, which is the
crypto stuff, the only piece missing is putting the password into
Windows :)
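
A sketch of the first-boot flow Juerg describes above, as an added example; it is not the script from this thread or any OpenStack project code. It assumes an RSA key pair was supplied at launch, that the EC2-compatible metadata path is reachable, and that the guest's COM1 is captured in the console log; the BEGIN/END marker lines are made up.

```powershell
# Added example, not the script from the thread. Intended to run once at first boot.
$ErrorActionPreference = 'Stop'

function Read-SshField($Reader) {
    # SSH wire format: 4-byte big-endian length, then that many bytes.
    $len = $Reader.ReadBytes(4)
    [Array]::Reverse($len)                      # BitConverter is little-endian on Windows
    $field = $Reader.ReadBytes([BitConverter]::ToInt32($len, 0))
    # mpints carry a leading 0x00 when the top bit is set; RSAParameters wants it removed.
    if ($field.Length -gt 1 -and $field[0] -eq 0) { $field = [byte[]]$field[1..($field.Length - 1)] }
    return ,$field
}

# 1. Public half of the launch key pair (metadata path is an assumption).
$url = 'http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key'
$type, $b64 = ((Invoke-RestMethod -Uri $url).Trim() -split '\s+')[0, 1]
if ($type -ne 'ssh-rsa') { throw "RSA key pair required for encryption, got '$type'" }

# 2. Decode the key blob: string "ssh-rsa", mpint e, mpint n.
$blob   = [Convert]::FromBase64String($b64)
$reader = New-Object System.IO.BinaryReader (New-Object System.IO.MemoryStream (,$blob))
$null   = Read-SshField $reader                 # algorithm name, already checked
$key    = New-Object System.Security.Cryptography.RSAParameters
$key.Exponent = Read-SshField $reader
$key.Modulus  = Read-SshField $reader
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$rsa.ImportParameters($key)

# 3. 24 bytes from the OS CSPRNG, base64-encoded into a 32-character password.
$raw = New-Object byte[] 24
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($raw)
$password = [Convert]::ToBase64String($raw)

# 4. Set it on the built-in Administrator account.
$admin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$admin.SetPassword($password)

# 5. Encrypt with RSA-OAEP ($true) and write the result to the serial port.
$cipher = $rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($password), $true)
$port = New-Object System.IO.Ports.SerialPort 'COM1', 9600, 'None', 8, 'One'
$port.Open()
try {
    $port.WriteLine('-----BEGIN ENCRYPTED ADMIN PASSWORD-----')   # made-up marker
    $port.WriteLine([Convert]::ToBase64String($cipher))
    $port.WriteLine('-----END ENCRYPTED ADMIN PASSWORD-----')     # made-up marker
} finally { $port.Close() }
```

The user takes the base64 line from nova console-log and decrypts it with the matching private key using OAEP padding. Only the ciphertext leaves the instance, so nothing readable stays in the metadata server or the console log.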



