uncleofthestick - Wed, 2013/02/20 - 12:47
Hi folks,
Following our tests of the virtual appliances, we would like to know if there is a way to pass as user data or metadata at boot time the default passwords for root, admin, etc. from the Horizon console or OpenStack API.
We have seen that the passwords are generated at boot time and printed in the log, but we would like to have more control of these passwords and 'inject' them more or less like cloud-init does in Ubuntu images.
Regards,
It's possible, but there are security implications
As mentioned in the announcement, it is possible to preseed inithooks via user data. Because OpenStack builds are headless, they include an inithook which preseeds default values and random passwords (as you've noted).
The builds do support user-data, so you can just pass it a script which begins with a shebang that writes /etc/inithooks.conf with the preseeds (you need to specify ALL of them). The default preseeding inithook will be skipped if /etc/inithooks.conf exists, and inithooks.conf will be deleted post inithooks.
But please keep in mind that there are security implications in including sensitive information such as passwords in userdata, as any process or user with network access on the system could query for userdata at a later stage.
There are several ways to get around this, such as:
BTW, I did a write up of how we do secure preseeding via the Hub which might be of interest.
I hope the above helps.
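A sketch of the user-data approach described in the reply above, added here as an example and not part of the original post or TurnKey's own code. The function name, the `PRESEED_*` variables and the key list are assumptions (the required keys vary per appliance); the function refuses to write a partial file and keeps it readable by root only.

```shell
#!/bin/sh
# Added example: user-data helper that preseeds TurnKey inithooks.
# ASSUMPTION: this key list; check the appliance's documentation for the
# full set, since ALL preseeds must be specified.
REQUIRED_KEYS="ROOT_PASS DB_PASS APP_PASS APP_EMAIL HUB_APIKEY SEC_UPDATES"

# write_inithooks_conf PATH
# Writes one "export KEY='value'" line per required key, taking each value
# from a PRESEED_<KEY> variable (hypothetical naming used by this example).
write_inithooks_conf() {
    conf=$1
    # The default preseeding inithook is skipped once the file exists, so a
    # missing key would never be filled in. Fail before writing anything.
    for key in $REQUIRED_KEYS; do
        eval "val=\${PRESEED_$key:-}"
        if [ -z "$val" ]; then
            echo "missing preseed: $key" >&2
            return 1
        fi
    done
    # Create the file with root-only permissions before any secret lands in it.
    old_umask=$(umask)
    umask 077
    : > "$conf" || { umask "$old_umask"; return 1; }
    chmod 600 "$conf"
    for key in $REQUIRED_KEYS; do
        eval "val=\${PRESEED_$key}"
        # Single-quote the value so special characters survive when the
        # file is sourced.
        escaped=$(printf '%s' "$val" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$escaped" >> "$conf"
    done
    umask "$old_umask"
}

# In the user-data script itself, set the PRESEED_* values and then call:
#   write_inithooks_conf /etc/inithooks.conf
# Values embedded in user data stay queryable from the instance afterwards,
# as the reply notes, even though inithooks.conf is deleted post inithooks.
```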
Really helpful
Thank you, it was enlightening :-)