Setting a user password when launching cloud images

Posted on Friday, 5 July 2013 at 16:11 UTC
— Filed in Fedora OpenStack

If you're using e.g. the new Fedora 19 cloud images (see my previous post), you might have noticed that logging in with a password is disabled, both as root and as the default user fedora. Usually, that's no issue and actually a security feature. Injecting and using SSH keys instead is the accepted solution. But that's not what I'm here to discuss today.

Still, sometimes logging in over SSH does not do the job. Maybe networking in your cloud is broken and you need access to a guest to further debug it. But no networking, no SSH login. Fortunately, you can use (no)VNC and a tty to log in, right? Well, except SSH keys don't work there. Hence you need the user (or root) to accept password based logins.

Cloud-Init

Luckily, Fedora 19, like most other modern cloud images, uses cloud-init and thereby supports userdata (which basically is user-provided metadata). Now, with userdata, you can write a simple "script" (it's actually a YAML-style config file) to set a password. By default, that password can be used only once and needs to be changed upon login, unless you disable the expiration with another parameter. And if you want to enable password login over SSH, there's a parameter for that as well. So putting it all together, your userdata script could look like this:
#cloud-config
password: mysecret
chpasswd: { expire: False }
ssh_pwauth: True

Please note that the first line is not a comment but actually a required "keyword".
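A pre-launch check for a userdata file like the one above, added here as an example (it is not from the original post or from cloud-init): it verifies the required first line and reports the password, expiry and SSH settings before the instance boots, and it builds a variant meant only for console logins. The function names and the 12-character minimum are assumptions made for this sketch, and the parsing covers only the flat keys used in the post, not YAML in general.

```python
import re
import secrets

TRUE_WORDS = {"true", "yes", "on"}  # YAML 1.1 spellings of boolean true
MIN_LEN = 12  # assumed minimum password length, not a cloud-init rule

# The userdata shown in the post.
PAGE_SAMPLE = """#cloud-config
password: mysecret
chpasswd: { expire: False }
ssh_pwauth: True
"""

def _flag(text, pattern, default):
    """Boolean value captured by `pattern`, or `default` if the key is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).lower() in TRUE_WORDS if m else default

def audit_userdata(text):
    """Return findings for a cloud-config snippet that sets a login password."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].rstrip() != "#cloud-config":
        findings.append("first line is not '#cloud-config', so cloud-init "
                        "will not read this as cloud-config")
    m = re.search(r"^password\s*:\s*(\S+)", text, re.MULTILINE)
    if m and len(m.group(1).strip("'\"")) < MIN_LEN:
        findings.append(f"password is shorter than {MIN_LEN} characters")
    # Expiry is on by default; only an explicit 'expire: False' turns it off.
    if not _flag(text, r"\bexpire\s*:\s*([A-Za-z]+)", True):
        findings.append("expiry disabled: the injected password stays valid")
    if _flag(text, r"^ssh_pwauth\s*:\s*([A-Za-z]+)", False):
        findings.append("ssh_pwauth enabled: SSH accepts password logins")
    return findings

def console_only_userdata():
    """Userdata for console debugging: random password, expiry left on,
    SSH password logins explicitly off."""
    password = secrets.token_urlsafe(16)  # 22 URL-safe characters
    return f'#cloud-config\npassword: "{password}"\nssh_pwauth: False\n'

if __name__ == "__main__":
    for finding in audit_userdata(PAGE_SAMPLE):
        print("finding:", finding)
    print(console_only_userdata())
```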

Now, there are as many ways to provide the cloud image with the userdata as there are different ways to launch a cloud image. Let me cover what I know.

Horizon

If you're launching your instances through Horizon, the OpenStack Dashboard, you go to Instances, click the Launch Instance button, do your usual settings, go to the Post-Creation tab and insert the above code as a Customization Script. Hit the Launch button and that's it. Once the instance is up, you should be able to log in with the configured password.

Nova CLI

On the command line, you need to create a text file with the code above. Then, you just give the nova boot command a --user-data <myscript> parameter and there you go. Again, once the instance is up, you should be able to log in with the configured password.

Other clouds, other tools and the APIs

Right, obviously the userdata mechanism isn't exclusive to OpenStack. I'm certain Amazon EC2 does it too (probably did it first) and so might other cloud stacks like Eucalyptus. Also, tools other than the Nova CLI support it, e.g. the euca2ools. And both the OpenStack Compute API and the EC2 API, probably among others, support it, too. Unfortunately, my experience and knowledge are limited and therefore I'll have to send you to the respective documentation or support channels. But as long as your cloud image is using (a current version of) cloud-init, the above script should work independently of the underlying solutions. After all, isn't that the purpose of true cloud computing?