cloud-init

data source config drive doesn't use the Admin Pass given by OpenStack

Bug #1236883 reported by Alexandre Bécholey on 2013-10-08

This bug affects 7 people

Affects		Status	Importance	Assigned to	Milestone
	cloud-init	Expired	Low	Unassigned

Bug Description

The script cloudinit/sources/DataSourceConfigDrive.py doesn't use the Admin Pass that is generated by OpenStack or given by the user at the creation of a VM.

Here is a quick patch that uses this information and passes it to cloud config, let me know what you think.

Revision history for this message

Alexandre Bécholey (alexandre-becholey) wrote on 2013-10-08:

patch to set the Admin Pass given by OpenStack Edit (799 bytes, text/plain)

Revision history for this message

Anthony Woods (awoods-0) wrote on 2014-02-20:

Patch to use admin_pass from datasource if it is available Edit (594 bytes, text/plain)

I think a better approach for using the admin_pass available in the ConfigDriver is to pull it in within the cc_set_passwords plugin.

This will allow users to override the password by adding it to their config, either directly in /etc/cloud/ or via a cloud-init config in user-data.

see attached patch

Revision history for this message

Scott Moser (smoser) wrote on 2014-07-28:

The logic to do this seems sane, but generally I think its dangerous to just start setting root passwords at all.
My personal feeling is that cloud-init's path to root is superior (provisioning ssh keys to a non-root user with sudo access). I'd like to keep that the default behavior.

I'm not opposed to allowing config to turn this "use MD provided password". But generally, it just seems like an un-necessary security regression.

Thoughts?

(and thanks for taking the time to file the bug).

Changed in cloud-init:
importance:	Undecided → Low
status:	New → Triaged

Revision history for this message

Abel Lopez (al592b) wrote on 2014-08-27:

Can we have cloud-init set the password for the default_user using the admin-pass in the metadata? This would make the VNC console a viable tool for troubleshooting. Users could `nova get-password` the value out of metadata, and use that to login.

Revision history for this message

Abel Lopez (al592b) wrote on 2014-08-27:

It seems reasonable to have this as as option, since the admin-pass is random or user-specified, we should be able to say something in cloud.cfg like
password: ADMIN-PASS
and have cc_set_passwords.py know that means "Take the admin-pass out of the metadata", it's already there, and it sure beats libvirt injection.

Revision history for this message

Anthony Woods (awoods-0) wrote on 2014-08-28:

While using ssh keys is generally a 'better' option for access control, it is not always compatible with existing tools policies.

So, I agree that the default behavior should be SSH keys, but we still need a way to set a password if desired.

I think that Abel's suggestion of a configuration option to enable using the admin_pass in the ConfigDrive is a good one.

Revision history for this message

Abel Lopez (al592b) wrote on 2015-01-21:

There are two cases where having the root pass would be helpful.
1. You've misconfigured your network in someway (sshd died?) and need to get in via VNC console
2. You've fubar'd your sudoers file and can no longer sudo

I'd imagine being able to use "nova get-password" to get this, which requires the ssh key for encrypting

Revision history for this message

James Falcon (falcojr) wrote on 2023-05-10:

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/2402