Default container user's password is hardcoded

Thanks for reporting this Jimmy! We'll work on a patch on our end and post it here soon so you can review it and make sure it works for you.

Jimmy, I should have looked around sooner. This has been re-ticketed as https://bugs.launchpad.net/openstack-ansible/+bug/1437063 and has 3 reviews open:

Master: https://review.openstack.org/#/c/168170/1
Juno: https://review.openstack.org/168172
Icehouse: https://review.openstack.org/168174

Thanks Ian. Unfortunately, this looks to still be an issue when using the default lxc ubuntu template.
https://github.com/lxc/lxc/blob/master/templates/lxc-ubuntu.in#L705

Hi Jimmy, as Ian said thank you for reporting this issue. On an unrelated thread we began removing the templates that we no longer use/rely on however this is still prevalent in the ubuntu templates as found within a basic installation of LXC. To resolve this issue I am presently working a patch to the lxc-container module which will expose the password / user create function. I should have something soon.

Please review the following patch whenever possible. This should ensure that the lxc module has the ability to randomly generate passwords on all containers built with all lxc container templates provided by the default lxc packages.

This also creates an additional task entry in the `lxc-container-create` role to randomly generate a password for the {{ lxc_container_user }} on every lxc-container-create run and provides a tag to be used to regen a password for the {{ lxc_container_user }} if the regeneration is needed/required to be run as an individual task.

This is a patch to ensure that passwords are regenerated within containers as needed via an additional play. the play has the tag "lxc-user-password-regen" to allow the task to be run separately from everything else while also being added to a new play, which follows the pattern of everything else in icehouse.

This is a patch to ensure that passwords are regenerated within containers as needed via an additional play. the play has the tag "lxc-user-password-regen" to allow the task to be run separately from everything else while also being added to a new play, which follows the pattern of everything else in juno.

Security patch for icehouse

security patch for juno

Security patch for trunk

The patches submitted earlier have been revised because it is impossible to assume that all lxc templates will implement users and passwords in the same way. While we can safely assume that the templates will be created using Ubuntu others in the community may port the functionality to "other" OS's As such the changes made to the lxc-container module have been removed in-favor of adding additional template variables and an additional task that will ensure that the container user's password is able to be reset on demand. Please review these new patches at your earliest convenience.

A private CVE has been requested.

Adding the manual command that can be run to mitigate this issue while the patches are evaluated:

From within your rpc_deployment directory:

ansible all_containers -m shell -a 'echo "ubuntu:$(date --rfc-3339=ns | sha512sum | base64 | head -c 32; echo)" | chpasswd;'

CVE-2015-2777 has been registered.

Not sure what shell the initial command was run in, or if ansible is at play, this is what worked (quotes swapped):

ansible all_containers -m shell -a "echo 'ubuntu:$(date --rfc-3339=ns | sha512sum | base64 | head -c 32; echo)' | chpasswd;"

Ran the most recent patches for icehouse and juno against deployments and this issue looks to be mitigated. New passwords were generated for existing and new containers.

Thanks for responding so quickly!

I've taken a look at the patches, it all works ok on master, I have a few minor nits and one fix that'll need to go in for icehouse/juno to work properly.

The minor nits are as follows:
* The password will get reset each run - this isn't terrible but seems overkill/unnecessary? Not sure if that is an intended behaviour
* In the master patch the lxc_container_release var is set as a var in the lxc-containers-create play, and is also set in defaults/main.yml which is a bit confusing. I'm guessing the one in defaults should be removed since the containers have a release_version so the playbook var seems more correct.

The master code works fine (aside from the 2 nits above which don't really change the fact that it still works).

For juno and icehouse there is a weird bug where it doesn't evaluate the if statement correctly, meaning that the password is never actually changed - as an aside it doesn't let you know it couldn't change the password, so thats something worth watching out for (I guess this will only impact currently deployed users though).

I was able to get this to work by adjusting the command run to the following:

container_command: getent passwd "{{ lxc_container_user_name }}" && echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd

This works and removes the if statement, I think the $(getent passwd <>) is where it was failing, as it was struggling with the $() evaluation for some reason.

One way we could make it more obvious when the password hasn't changed might be to do it like this:

container_command: getent passwd "{{ lxc_container_user_name }}" && echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd || echo "Error: Password not changed successfully"
return_facts: True

This will output "Error: Password not changed successfully" to the ansible output when it runs, and perhaps we can do a "failed when:" on this also - for bonus points! - I'm not sure if we think thats necessary though - happy for it to go in without that, but just an idea.

Otherwise this all works well, I'm happy for this to be merged once the above concerns have been addressed!

+2 on this with Andy's Juno/Icehouse fixes.

As far as the nits go, I don't think it matters that the password changes every time as no one should ever use it, probably overkill but more is better than less :)

If I'm reading this correctly lxc_container_release is being defined in defaults/main.yml and then being referenced in lxc-conatiners-create.yml with a default set as trusty.

re: lxc_container_release I mean that its defined in playbooks/roles/lxc_container_create/defaults/main.yml in line 30 or so (just above) to be trusty.
Its also defined as a var that is passed to that role when it's called as the properties.container_release|default('trusty') so I think the var in line 30 should be removed.

Otherwise alls good!

Does this affect kilo as well, since it's in Trunk?

Fix proposed to branch: master
Review: https://review.openstack.org/179825

Fix proposed to branch: juno
Review: https://review.openstack.org/179829

Fix proposed to branch: kilo
Review: https://review.openstack.org/179836

Fix proposed to branch: icehouse
Review: https://review.openstack.org/179837

Reviewed: https://review.openstack.org/179836
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=6ee4ba809642ebdff3b6b14b9f72c350817698ed
Submitter: Jenkins
Branch: kilo

commit 6ee4ba809642ebdff3b6b14b9f72c350817698ed
Author: Kevin Carter <email address hidden>
Date: Mon May 4 10:36:55 2015 -0500

    Fixed container user create issue

    This patch resolves an issue where the LXC container create user
    password is being hard coded due to how the default LXC container
    template is being used. The template allows for a container to be
    created without specifying a password at create time however when
    doing this the default LXC template will create a user and a
    password based on the linux distribution's name. This means that
    all users of a "ubuntu" template will have a "ubuntu" user which
    will have a "ubuntu" password. While the container user must exist
    the password does not need to be known to the end user/deployer
    because there are other means to gain access to a container from
    within the host. So to correct this issue for all deployers as
    well as all future deployments this patch ensures that the container
    user is created with a random password and provides for an additional
    tag to allow the deployer to regenerate the password at will.

    Change-Id: I81d0e8b0d8e9e431cd8eebd43ceaffab7e61b207
    Closes-Bug: 1437054
    (cherry pick from commit 8efb09f90dae73a21ec3dc21842fe28e668ead39)

Reviewed: https://review.openstack.org/179829
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=a60b10bfbfa745d118047d2d3a60057c100d4c27
Submitter: Jenkins
Branch: juno

commit a60b10bfbfa745d118047d2d3a60057c100d4c27
Author: Kevin Carter <email address hidden>
Date: Mon May 4 11:07:18 2015 -0500

    Fixed container user create issue

    This patch resolves an issue where the LXC container create user
    password is being hard coded due to how the default LXC container
    template is being used. The template allows for a container to be
    created without specifying a password at create time however when
    doing this the default LXC template will create a user and a
    password based on the linux distribution's name. This means that
    all users of a "ubuntu" template will have a "ubuntu" user which
    will have a "ubuntu" password. While the container user must exist
    the password does not need to be known to the end user/deployer
    because there are other means to gain access to a container from
    within the host. So to correct this issue for all deployers as
    well as all future deployments this patch ensures that the container
    user is created with a random password and provides for an additional
    tag to allow the deployer to regenerate the password at will.

    Change-Id: I46d8d407028485ad99f89347bf93354ed5043150
    Closes-Bug: 1437054

Reviewed: https://review.openstack.org/179837
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=dc210dcb265709ce159be0d2620759283a0b3f15
Submitter: Jenkins
Branch: icehouse

commit dc210dcb265709ce159be0d2620759283a0b3f15
Author: Kevin Carter <email address hidden>
Date: Mon May 4 11:31:57 2015 -0500

    Fixed container user create issue

    This patch resolves an issue where the LXC container create user
    password is being hard coded due to how the default LXC container
    template is being used. The template allows for a container to be
    created without specifying a password at create time however when
    doing this the default LXC template will create a user and a
    password based on the linux distribution's name. This means that
    all users of a "ubuntu" template will have a "ubuntu" user which
    will have a "ubuntu" password. While the container user must exist
    the password does not need to be known to the end user/deployer
    because there are other means to gain access to a container from
    within the host. So to correct this issue for all deployers as
    well as all future deployments this patch ensures that the container
    user is created with a random password and provides for an additional
    tag to allow the deployer to regenerate the password at will.

    Change-Id: Id1d142dda967921450ddcecb0d7f70baf2218a42
    Closes-Bug: 1437054

Reviewed: https://review.openstack.org/179825
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=f1ecad70a22943446742953de3f66f39ac1d47d0
Submitter: Jenkins
Branch: master

commit f1ecad70a22943446742953de3f66f39ac1d47d0
Author: Kevin Carter <email address hidden>
Date: Mon May 4 10:36:55 2015 -0500

    Fixed container user create issue

    This patch resolves an issue where the LXC container create user
    password is being hard coded due to how the default LXC container
    template is being used. The template allows for a container to be
    created without specifying a password at create time however when
    doing this the default LXC template will create a user and a
    password based on the linux distribution's name. This means that
    all users of a "ubuntu" template will have a "ubuntu" user which
    will have a "ubuntu" password. While the container user must exist
    the password does not need to be known to the end user/deployer
    because there are other means to gain access to a container from
    within the host. So to correct this issue for all deployers as
    well as all future deployments this patch ensures that the container
    user is created with a random password and provides for an additional
    tag to allow the deployer to regenerate the password at will.

    Change-Id: I81d0e8b0d8e9e431cd8eebd43ceaffab7e61b207
    Closes-Bug: 1437054

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.