[Openstack] [Nova] Admin pass injection in launch libvirt/kvm instance

Thang Pham thang.g.pham at gmail.com
Wed Jun 25 14:41:56 UTC 2014


I found the following documentation on it:
http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html

I initially thought it was not implemented because the set_admin_password
method was not implemented in the libvirt driver.  Now I see there is
another way to do it, which makes it easier to log in than using ssh key pairs :)

Thanks for pointing it out,
Thang


On Wed, Jun 25, 2014 at 4:16 AM, Wangpan <hzwangpan at corp.netease.com> wrote:

> Thanks Juerg!
> When I use a debian7 image without cloud-init, I can log in to the instance
> successfully!
> It's because cloud-init locks the password.
>
> 2014-06-25 16:14 (UTC+8)
> Wangpan
>
> ----- Original Message -----
> > From: Juerg Haefliger <juergh at gmail.com>
> > To: "Wangpan"<hzwangpan at corp.netease.com>
> > Sent: 2014-06-25 15:50
> > Subject: Re: [Openstack] [Nova] Admin pass injection in launch
> libvirt/kvm instance
>
>
>
>
> On Wed, Jun 25, 2014 at 9:07 AM, Wangpan <hzwangpan at corp.netease.com>
> wrote:
> >
> > Hi all,
> >
> > I debugged the process of libvirt admin password injection and found that
> > everything is OK before the instance boots up;
> > /etc/shadow is modified normally, such as:
> > Wangpan@10-120-120-7:/tmp/openstack-vfs-localfsX_J5ke/etc$ sudo cat shadow
> > root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
> > daemon:*:15822:0:99999:7:::
> > bin:*:15822:0:99999:7:::
> > ...
> >
> > but after the instance is up and running, I log in to it by ssh+keypair and cat
> > this file again, and it has changed like this:
> > root@t1:~# cat /etc/shadow
> > root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
> > daemon:*:15822:0:99999:7:::
> > bin:*:15822:0:99999:7:::
> >
> > the difference is:
> > root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::      (before running up)
> > root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::     (after running up)
> > You can see that a '!' prefix is added to the encrypted password; if I
> > remove it, then I can log in to the instance by VNC successfully!
> > I don't know what happened. Can anyone help me?
>
> What image is this?
>
> Probably cloud-init locking the root password. Check /etc/cloud/cloud.cfg
> for:
> lock_passwd: True
>
> ...Juerg
>
>
> > thanks!
> >
> >
> > 2014-06-25 14:57 (UTC+8)
> > Wangpan
> >
> > ----- Original Message -----
> > > From: CôngTT <tcvn1985 at gmail.com>
> > > To: "Thang Pham"<thang.g.pham at gmail.com>
> > > Sent: 2014-06-25 12:21
> > > Subject: Re: [Openstack] [Nova] Admin pass injection in launch
> libvirt/kvm instance
> >
> > Hi Thang Pham and all!
> >
> > I am using KVM on OpenStack Havana and OpenStack Icehouse, and injecting the
> > admin password works OK. 100% sure.
> >
> >
> > Step 1 : Edit /etc/nova/nova.conf
> >
> > [DEFAULT]
> > ....
> >
> > libvirt_inject_password=True
> > enable_instance_password = True
> >
> >
> > Step 2:
> > If you use an image such as cirros, ubuntu ... downloaded from the Internet, then
> > you will modify /etc/ssh/sshd_config to disable private key (rsa)
> > authentication (example: Ubuntu 13.10):
> >
> >
> > #Line 15 Un-comment
> > UsePrivilegeSeparation yes
> >
> > #Line 30: Comment 30
> > #RSAAuthentication no
> >
> > #Line 31
> > PubkeyAuthentication no
> >
> > #Line 51
> > PasswordAuthentication yes
> >
> >
> >
> > Besides, you can create an image for Glance yourself.
> >
> > Note: KVM does not support resetting the password. You can see
> > https://wiki.openstack.org/wiki/HypervisorSupportMatrix
> >
> > Good luck to you!
> >
> > P.S. Thắng: This feature injects the password right when the machine is
> > created; it works well for me on KVM.
> >
> > tu0ng_c0ng
> >
> > On Wed, Jun 25, 2014 at 10:48 AM, Thang Pham <thang.g.pham at gmail.com>
> wrote:
> >>
> >> Hi Wangpan,
> >>
> >> Injecting admin password is not implemented or supported in
> libvirt/kvm.  I believe only Xen supports it.
> >>
> >> Regards,
> >> Thang
> >>
> >>
> >> On Tue, Jun 24, 2014 at 11:36 PM, Wangpan <hzwangpan at corp.netease.com>
> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I want to inject an admin password into a libvirt/kvm instance, and I
> >>> enabled the config libvirt_inject_password=true on the compute node.
> >>> I also find that the /etc/shadow file in the instance is changed, but when
> >>> I use the adminPass to log in to the instance from vnc, it fails.
> >>> I find that the admin password is encrypted in the
> >>> nova/virt/disk/api.py:_set_password() method;
> >>> even if I encrypt my adminPass and replace the root password in
> >>> /etc/shadow manually, I can't log in to the instance with vnc.
> >>>
> >>> My questions are:
> >>> 1) Is this admin password injection function of the libvirt driver
> >>> usable? In other words, is my issue a bug or not?
> >>> 2) Are there some special details I was losing sight of, such as any
> >>> configs that should be changed?
> >>> 3) Does this function depend on the libc version?
> >>>
> >>> BTW, I'm using stable havana and booting a debian7 instance, and this
> is the admin guide page of this function:
> >>>
> http://docs.openstack.org/admin-guide-cloud/content/admin-password-injection.html
> >>>
> >>> thanks!
> >>>
> >>> 2014-06-25 11:16 (UTC+8)
> >>> Wangpan
> >>>
> >>> _______________________________________________
> >>> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >>> Post to     : openstack at lists.openstack.org
> >>> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
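
The '!' lock marker discussed in the quoted thread above, as an added example (not part of any poster's message, nor code from Nova or cloud-init): it compares two copies of a shadow file and separates "hash intact but locked" from "hash replaced", which is the distinction that resolved the thread. BEFORE and AFTER are the lines quoted in the thread; the function names and the SCHEMES table are hypothetical helpers.

```python
# Added example. BEFORE/AFTER are the shadow lines quoted in the thread;
# the function names and SCHEMES table are hypothetical helpers.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

BEFORE = """\
root:$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
"""
AFTER = """\
root:!$1$n1j7WavS$FYuXUja3LSUvwOT8yqyt2/:15822:0:99999:7:::
daemon:*:15822:0:99999:7:::
bin:*:15822:0:99999:7:::
"""

def classify(line):
    """Return (user, state, scheme, hash_without_lock_marker) for a shadow line."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty", None, ""      # no password required at all
    bare = pw.lstrip("!")                   # '!' prefix = locked (passwd -l / usermod -L)
    if bare in ("", "*"):
        return user, "no-password", None, bare   # cannot match any password
    scheme = SCHEMES.get(bare.split("$")[1], "unknown") if bare.startswith("$") else "legacy"
    return user, ("locked" if bare != pw else "usable"), scheme, bare

def compare(before_text, after_text):
    """List accounts whose password field differs between two shadow files."""
    old = {}
    for line in filter(str.strip, before_text.splitlines()):
        user, state, _, bare = classify(line)
        old[user] = (state, bare)
    findings = []
    for line in filter(str.strip, after_text.splitlines()):
        user, state, scheme, bare = classify(line)
        if user not in old or old[user] == (state, bare):
            continue
        if old[user][1] == bare and state == "locked":
            findings.append((user, "hash intact, locked with '!'", scheme))
        else:
            findings.append((user, "password field replaced", scheme))
    return findings

if __name__ == "__main__":
    for finding in compare(BEFORE, AFTER):
        print(finding)
```

The scheme column also shows that the injected hash in the thread uses the `$1$` (MD5-crypt) format, which is worth noting when reviewing images that rely on password injection.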