Hello,
The only why to access image imported from MarketPlace in OpenNebula Sunstone is with the Public SSH Key.
So, is there any way to set initial root password for Linux images without using SSH Key ? only with a sample text password like PASSWORD=123456.
This could be a possible solution. Some user posted this a while back. You have to integrate it in your image.
#!/bin/bash
# -------------------------------------------------------------------------- #
# Copyright 2016, Équipe EOLE <eole-team@ac-dijon.fr> #
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr> #
# #
# License CeCILL: #
# * in french: http://www.cecill.info/licences/Licence_CeCILL_V2-fr.html #
# * in english http://www.cecill.info/licences/Licence_CeCILL_V2-en.html #
# -------------------------------------------------------------------------- #
if ! command -v pwgen > /dev/null
then
exit 0
fi
if [ -z "${USERNAME}" ]
then
USERNAME=root
fi
if ! getent passwd "${USERNAME}" > /dev/null 2>&1
then
exit 0
fi
# PASSWORD/CRYPTED_PASSWORD take precedence over RANDOM_PASSWORD=true
# Generate password only on first boot
if [ -z "${PASSWORD}${CRYPTED_PASSWORD}" ] \
&& expr "${RANDOM_PASSWORD}" : '[tT][rR][uU][eE]' > /dev/null \
&& [ ! -f /etc/ssh/ssh_host_rsa_key ]
then
PASSWORD=$(pwgen -c -n -y -B -1 12)
if chpasswd -c SHA512 <<< "${USERNAME}:${PASSWORD}"
then
# Take care to escape backslashed getty commands in password
cat > /etc/issue <<EOF
$(lsb_release -sd) \l
Default connection:
- Login: ${USERNAME}
- Password: $(echo "${PASSWORD}" | sed -e 's,\\,\\\\,g')
EOF
fi
fi
Thomas Stein opennebula@discoursemail.com writes:
This could be a possible solution. Some user posted this a while back. You have to integrate it in your image.
In fact, setting the password is already included in the context
package[1][2], you can find the script loc-20-set-username-password[3].
The RANDOM_PASSWORD generator is not included, if someone think it may
be a good idea, I can submit a patch.
Regards.
Footnotes:
[1] Cleartext: Merge pull request #25 from baby-gnu/feature/set-username-password · OpenNebula/addon-context-linux@bbcadaa · GitHub
I just make it working:
Debian 8.6 - KVM into my OpenNebulaDebian 8.6 - KVM VM templateCustom vars in template Context: PASSWORD = foo
root user and foo passwordThis is working for me.
Regards.
thank you for your replay, latest version of OpenNebula can set root password by many ways, i’m using the starter script with this one line command : echo -e "123456\n123456" | passwd root
Thank you all
Or update the template using the oneadmin cli:
echo CONTEXT = [ USERNAME = root, PASSWORD = password, NETWORK = YES ] > context.one
onetemplate update testvm -a context.one
You will need to specify the whole context. It would be nice if cli allowed one to update only a part of the context.
Or maybe there is already a way to achieve that with cli?
I would also like to add another question to this topic: is there any way do remove PASSWORD variable (or any other ones) after the first (successful) boot? For example, to let VM admin to set temp root passwd, boot VM and then be able to change root password inside of the VM and keep it across reboots? I don’t like setting passwords via context for many reasons but have been asked about this functionality by users.
You could remove one-context service from the startup after the initial contextualization. This could be done via a script executed by the context plugin.
If you do that though you will not get any more updates you might send via onegate and basically onegate on the host will fail as the token and so on might not be there after a cleanup of tmp. That could be ok if the node is fully managed by it’s owner at that point.
Removing one-context service will cut too much functionality, so I would prefer to find an another way.
Of course the simplest option is to keep hashed variable value inside of the VM and assume that if it is equal to the hashed value during boot it was already set and do nothing. But this way also leads to some sort of inconvenience, so I would prefer check another solutions first.
As loc-20-set-username-password does not do anything when there is no password you could try to remove the password attribute via onegate. I’m not sure if this is possible via onegate though.
Besides that you could drop the set password script from the installed plugin after the first run. I’d rather patch it than removing the script but you could do that without touching the other context functionality via a script at the end of the first context run. At least that would be last option if everything else fails.