[Openstack] [Nova] Admin pass injection in launch libvirt/kvm instance

Wangpan hzwangpan at corp.netease.com
Wed Jun 25 07:07:30 UTC 2014


Hi all,

I debugged the libvirt admin password injection process and found that everything is OK before the instance boots up;
/etc/shadow is modified as expected, for example:
Wangpan at 10-120-120-7:/tmp/openstack-vfs-localfsX_J5ke/etc$ sudo cat shadow
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
...

But after the instance is up and running, I log in to it with ssh + keypair and cat this file again, and it has changed like this:
root at t1:~# cat /etc/shadow
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::

The difference is:
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::      (before boot)
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::     (after boot)
You can see that a '!' prefix has been added to the encrypted password. If I remove it, I can log in to the instance by VNC successfully!
I don't know what happened. Can anyone help me?
Thanks!


2014-06-25 14:57 (UTC+8)
Wangpan
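
The before/after comparison in the message above can be scripted. This is an added example, not part of the original message or of Nova's code: it diffs two /etc/shadow snapshots (the lines quoted above) and classifies each changed password field, using the shadow(5) convention that a leading '!' marks a locked password. The function names are illustrative.

```python
# Added example: diff two /etc/shadow snapshots and classify password-field changes.
# BEFORE/AFTER are the lines quoted in the message above; function names are illustrative.

BEFORE = """\
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
"""
AFTER = """\
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
"""


def parse_shadow(text):
    """Return {user: password_field} for every well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def password_state(field):
    """Classify a password field using the shadow(5) conventions."""
    if field == "":
        return "empty"      # no password required
    if field.startswith("!"):
        return "locked"     # leading '!' locks the password; the rest is the old field
    if field.startswith("*"):
        return "disabled"   # not a valid crypt(3) result, password login impossible
    return "hashed"


def shadow_changes(before_text, after_text):
    """List (user, old_state, new_state, hash_preserved) for changed entries."""
    before, after = parse_shadow(before_text), parse_shadow(after_text)
    changes = []
    for user in sorted(before.keys() & after.keys()):
        old, new = before[user], after[user]
        if old != new:
            preserved = old.lstrip("!") == new.lstrip("!")
            changes.append((user, password_state(old), password_state(new), preserved))
    return changes


if __name__ == "__main__":
    for change in shadow_changes(BEFORE, AFTER):
        print("%s: %s -> %s (hash preserved: %s)" % change)
```
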

----- Original Message -----
> From: CôngTT <tcvn1985 at gmail.com>
> To: "Thang Pham"<thang.g.pham at gmail.com>
> Sent: 2014-06-25 12:21
> Subject: Re: [Openstack] [Nova] Admin pass injection in launch libvirt/kvm instance
Hi Thang Pham and all!

I am using KVM on OpenStack Havana and OpenStack Icehouse, and injecting the admin password works OK. 100% sure.

Step 1: Edit /etc/nova/nova.conf

[DEFAULT]
....

libvirt_inject_password=True
enable_instance_password = True

Step 2:
If you use an image such as cirros, ubuntu .... downloaded from the Internet, then you will need to modify /etc/ssh/sshd_config to disable private key (RSA) authentication (example: Ubuntu 13.10):


# Line 15: uncomment
UsePrivilegeSeparation yes

# Line 30: comment out
#RSAAuthentication no

# Line 31
PubkeyAuthentication no

# Line 51
PasswordAuthentication yes




Besides, you can create an image for Glance yourself.

Note: KVM does not support resetting the password. See https://wiki.openstack.org/wiki/HypervisorSupportMatrix

Good luck to you!

P.S. Thắng: This feature injects the password right when the machine is created; it works well for me on KVM.


tu0ng_c0ng


On Wed, Jun 25, 2014 at 10:48 AM, Thang Pham <thang.g.pham at gmail.com> wrote:

Hi Wangpan,


Injecting admin password is not implemented or supported in libvirt/kvm.  I believe only Xen supports it.


Regards,
Thang



On Tue, Jun 24, 2014 at 11:36 PM, Wangpan <hzwangpan at corp.netease.com> wrote:

Hi all,

I want to inject an admin password into a libvirt/kvm instance, and I enabled the config libvirt_inject_password=true on the compute node.
I also find that the /etc/shadow file in the instance is changed, but when I use the adminPass to log in to the instance from VNC, it fails.
I find that the admin password is encrypted in the nova/virt/disk/api.py:_set_password() method;
even if I encrypt my adminPass and replace the root password in /etc/shadow manually, I can't log in to the instance with VNC.

My questions are:
1) Is the admin password injection function of the libvirt driver usable? In other words, is my issue a bug or not?
2) Are there special details I am overlooking, such as configs that should be changed?
3) Does this function depend on the libc version?

BTW, I'm using stable Havana and booting a Debian 7 instance, and this is the admin guide page for this function:
http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html

thanks!

2014-06-25 11:16 (UTC+8)
Wangpan


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




