When one spins up a cloud image with Cloud-Init installed, password authentication via SSH is typically disabled by default, so one must inject a public key in order to SSH into the instance. One can override this behavior by passing the following cloud-config directives, which are handled by the cc_set_passwords.py module that runs during Cloud-Init's config stage (as listed in /etc/cloud/cloud.cfg).
- ssh_pwauth - edits the sshd config to either allow or disallow password authentication via SSH.
- password - sets the password for the default user (the default user is specified in /etc/cloud/cloud.cfg, e.g. ubuntu on the Ubuntu cloud image, centos on the CentOS 7 cloud image, etc.)
- chpasswd - allows you to provide a list of user password changes as well as ensure the passwords do not expire. If expire is not set to False, one will be prompted to set a new password after authenticating. Provide RANDOM or R as the password to have it auto-generate a password. The password will appear in the console-log (nova console-log <your_instance_id>) and inside /var/log/cloud-init-output.log.
#cloud-config
ssh_pwauth: True
password: passw0rd
chpasswd:
  list: |
    user1:password1
    user2:password2
    user3:RANDOM
  expire: False
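A minimal audit of the directives above, as an added example that is not part of the original post or of Cloud-Init: the hypothetical audit_cloud_config helper scans a cloud-config and reports what each password-related setting exposes. It assumes the flat layout shown on this page and is not a general YAML parser.

```python
# Added example (hypothetical helper): scans the flat layout used on this page.

# Constructed sample: the cloud-config shown on this page.
SAMPLE = """\
#cloud-config
ssh_pwauth: True
password: passw0rd
chpasswd:
  list: |
    user1:password1
    user2:password2
    user3:RANDOM
  expire: False
"""

TRUE = {"true", "yes", "on", "1"}
FALSE = {"false", "no", "off", "0"}

def audit_cloud_config(text):
    """Return (directive, finding) tuples for password-related settings."""
    findings = []
    list_indent = None  # indent of 'list: |' while inside its block scalar
    for raw in text.splitlines():
        body = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not body or body.startswith("#"):
            continue
        if list_indent is not None and indent > list_indent:
            user, _, secret = body.partition(":")
            why = ("generated password is written to the console log"
                   if secret in ("RANDOM", "R")
                   else "password literal stored in user-data")
            findings.append((f"chpasswd.list[{user}]", why))
            continue
        list_indent = None
        key, _, value = body.partition(":")
        value = value.strip()
        if key == "ssh_pwauth" and value.lower() in TRUE:
            findings.append((key, "SSH password authentication enabled"))
        elif key == "password" and value:
            findings.append((key, "password literal stored in user-data"))
        elif key == "list" and value.startswith("|"):
            list_indent = indent
        elif key == "expire" and value.lower() in FALSE:
            findings.append(("chpasswd.expire", "no forced change at first login"))
    return findings

if __name__ == "__main__":
    for directive, finding in audit_cloud_config(SAMPLE):
        print(f"{directive}: {finding}")
```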
You can modify the cc_set_passwords.py module to allow it to set root's password to the metadata admin_pass value, shown as adminPass in the instance details below:
+--------------------------------------+---------------------------------------------------+
| Property                             | Value                                             |
+--------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                            |
| OS-EXT-AZ:availability_zone          |                                                   |
| OS-EXT-SRV-ATTR:host                 | -                                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                 |
| OS-EXT-SRV-ATTR:instance_name        | instance-0000000e                                 |
| OS-EXT-STS:power_state               | 0                                                 |
| OS-EXT-STS:task_state                | scheduling                                        |
| OS-EXT-STS:vm_state                  | building                                          |
| OS-SRV-USG:launched_at               | -                                                 |
| OS-SRV-USG:terminated_at             | -                                                 |
| accessIPv4                           |                                                   |
| accessIPv6                           |                                                   |
| adminPass                            | AcSVqg3koaeS                                      |
| config_drive                         |                                                   |
| created                              | 2016-05-04T01:05:46Z                              |
| flavor                               | m1.summit (8)                                     |
| hostId                               |                                                   |
| id                                   | ed7b97ef-cea9-4140-8cd0-d30d6abba802              |
| image                                | ubuntu1604 (ad673fbe-2402-462b-b29c-d10d49252310) |
| key_name                             | -                                                 |
| metadata                             | {}                                                |
| name                                 | myinstance                                        |
| os-extended-volumes:volumes_attached | []                                                |
| progress                             | 0                                                 |
| security_groups                      | default                                           |
| status                               | BUILD                                             |
| tenant_id                            | 9d119a1e9de4498da818abe32124eb32                  |
| updated                              | 2016-05-04T01:05:46Z                              |
| user_id                              | 3545fc68adb349828d3f98893fb0d47f                  |
+--------------------------------------+---------------------------------------------------+
You can also force a specific admin pass while booting:
nova boot --image ubuntu1604 --flavor m1.summit --admin-pass mypassword mycustomrootpasswordinstance
Here is a link to a modified cc_set_passwords to fetch admin_pass from metadata and set as root password.
Cloud-Init python modules:
- Ubuntu 14.04: /usr/lib/python2.7/dist-packages/cloudinit/config/
- Ubuntu 16.04: /usr/lib/python3/dist-packages/cloudinit/config/