Nova Doesn't Set Instance Passwords
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Expired | Undecided | Unassigned | |
Bug Description
I've filed bugs against two deployment stacks regarding this (https:/
Using the various deployment mechanisms, I've found that in Wallaby with libvirt+kvm compute services and OVN networking, instance passwords are never set. Passwords cannot be set by setting them in Horizon, in the CLI, nor are they randomly set when not set by the operator in any way - resulting in a security issue on Windows images (and others) which have default passwords baked in under the expectation that they will be reset by cloud-init at the first boot to something other than the well known default of the image (https:/
Current OpenStack deployment is Kolla-Ansible 12.2, but this happened with the Juju stack as well, so it's probably a Wallaby (or prior recent release) issue.
Changed in nova: status: New → Incomplete
@Boris: Thanks for reporting the bug!
I think I can reproduce the problem with devstack on master. At least the "The instance metadata password URI is always empty." part of it. The metadata service looks into the instance.system_metadata for password [1]. But simply booting an instance does not store the password there.
I also checked what happens if config drive is used instead, e.g. creating a server with --use-config-drive flag in the openstack CLI. Then I can see that the admin password I provided at boot ends up stored in the meta_data.json on the config drive.
Do you have info about an OpenStack version where the password via the metadata service worked?
[1] https://github.com/openstack/nova/blob/402fe188b4e7ff76109e8a5ea1f24a5e915eaa09/nova/api/metadata/password.py#L37
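
The two delivery channels compared in the comment above, written as a guest-side audit check. This is an added example, not part of the original bug report and not nova's code. It assumes the password endpoint is `http://169.254.169.254/openstack/latest/password` and that the config drive stores the value under `admin_pass` in `openstack/latest/meta_data.json`; all sample inputs are constructed.

```python
import json

# Assumed locations (not stated on the page): nova serves the password at
# http://169.254.169.254/openstack/latest/password, and a config drive
# carries it under "admin_pass" in openstack/latest/meta_data.json.
ADMIN_PASS_KEY = "admin_pass"


def from_metadata_service(body):
    """True if the password endpoint returned a non-empty body."""
    # The behaviour reported above shows up as an empty (or blank) body.
    return bool(body and body.strip())


def from_config_drive(meta_data_json):
    """True if meta_data.json carries a non-empty admin password."""
    if not meta_data_json:              # no config drive attached
        return False
    try:
        meta = json.loads(meta_data_json)
    except ValueError:                  # truncated or corrupt file
        return False
    value = meta.get(ADMIN_PASS_KEY) if isinstance(meta, dict) else None
    return isinstance(value, str) and value.strip() != ""


def audit(body, meta_data_json):
    """Report which channels delivered a password, never the password."""
    channels = []
    if from_metadata_service(body):
        channels.append("metadata-service")
    if from_config_drive(meta_data_json):
        channels.append("config-drive")
    return {
        "delivered_via": channels,
        # No channel: first boot had nothing to replace an image default with.
        "image_default_at_risk": not channels,
    }


# Constructed samples mirroring the two cases in the comment above.
EMPTY_BODY = ""
DRIVE_WITH_PASS = json.dumps({"uuid": "constructed-uuid",
                              "admin_pass": "constructed-secret"})
DRIVE_NO_PASS = json.dumps({"uuid": "constructed-uuid"})

if __name__ == "__main__":
    print(audit(EMPTY_BODY, None))             # neither channel delivered
    print(audit(EMPTY_BODY, DRIVE_WITH_PASS))  # config drive only
```

An instance for which `image_default_at_risk` is true should be treated as still carrying whatever credential the image shipped with until a password is set by another means.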