openstack team mailing list archive

Thread
Date

Re: Handling of adminPass is arguably broken (essex)

To: Sam Stoelinga <sammiestoel@xxxxxxxxx>, Pádraig Brady <P@xxxxxxxxxxxxxx>
From: John Garbutt <John.Garbutt@xxxxxxxxxx>
Date: Wed, 28 Nov 2012 17:27:56 +0000
Accept-language: en-US
Acceptlanguage: en-US
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAJQK-mgjubLHy2kitdZj14aXU0_spi9hG9WQ-hiM7vemhcuHpA@mail.gmail.com>
Thread-index: Ac3NMUhtSQpDVIH0QM2ftKPddUagRAAW/LzQ
Thread-topic: [Openstack] Handling of adminPass is arguably broken (essex)

Those agents use the Xen/XenAPI specific stuff called xenstore.

There was talk of extending cloud-init and the metadata service to support some kind of password generation on boot or at a poll interval, but I don't remember that conversation getting too far. Anyone one else remember what came of those ideas?

John

From: openstack-bounces+john.garbutt=citrix.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+john.garbutt=citrix.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sam Stoelinga
Sent: 28 November 2012 06:26
To: Pádraig Brady
Cc: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Handling of adminPass is arguably broken (essex)

Hi,

Just noticed the following two projects:
https://github.com/rackspace/openstack-guest-agents-windows-xenserver
https://github.com/rackspace/openstack-guest-agents-unix

Would those be useful in creating an agent like Vish described?
It seems they currently only support Xen? Haven't taken a deep look yet.

a) put a public key on the instance via metadata or config drive (for ease of use this could actually just be the ssh public key you normally use for logging into the vm).
b) have a daemon in the windows instance that:
 * generates a random password
 * sets the administrator password to the random password
 * encrypts it with the public key
 * serves the encrypted password over https on a known port (say 9999)
c) open up port (9999) in the instance's security group
d) retrieve the encrypted password and decrypt it
e) close port (9999) in the instances security group

Was wondering if it's planned for Grizzly a way to change the password for libvirt/kvm guests (unix and windows)?
Is there any blueprint available?

Sam
On Sat, Nov 3, 2012 at 3:15 AM, Pádraig Brady <P@xxxxxxxxxxxxxx<mailto:P@xxxxxxxxxxxxxx>> wrote:
On 11/02/2012 07:03 PM, Lars Kellogg-Stedman wrote:
On Thu, Nov 01, 2012 at 11:03:14AM -0700, Vishvananda Ishaya wrote:
The new config drive code defaults to iso-9660, so that should work. The
vfat version should probably create a partition table.

Is that what Folsom is using?  Or is it new-er than that?

That's in Folsom

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

References

Handling of adminPass is arguably broken (essex)
From: Lars Kellogg-Stedman, 2012-11-01
Re: Handling of adminPass is arguably broken (essex)
From: Lars Kellogg-Stedman, 2012-11-01
Re: Handling of adminPass is arguably broken (essex)
From: Vishvananda Ishaya, 2012-11-01
Re: Handling of adminPass is arguably broken (essex)
From: Lars Kellogg-Stedman, 2012-11-02
Re: Handling of adminPass is arguably broken (essex)
From: Pádraig Brady, 2012-11-02
Re: Handling of adminPass is arguably broken (essex)
From: Sam Stoelinga, 2012-11-28