TurnKey Linux Virtual Appliance Library

Passing as user data or metadada the default passwords in Openstack apliances

diego.parrilla.santamaria's picture

Hi folks,

following with our tests of the virtual appliances, we would like to know if there is a way to pass as user data or metadata at boot time the default passwords for root, admin etc... from the Horizon console or Openstack API.

We have seen that the passwords are generated at boot time and printed in the log, but we would like to have more control of this passwords and 'inject' them more or less like cloud-init does in ubuntu images.


Alon Swartz's picture

It's possible, but there are security implications

As mentioned in the announcement, it is possible to preseed inithooks via user data. Because OpenStack builds are headless, they include an inithook which preseeds default values and random passwords (as you've noted).

The builds do support user-data, so you can just pass it a script which begins with a shebang that writes /etc/inithooks.conf with the preseeds (you need to specify ALL of them). The default preseeding inithook will be skipped if /etc/inithooks.conf exists, and inithooks.conf will be deleted post inithooks.

But, please keep in mind that there are security implications including sensitive information in userdata such as passwords, as any process or user with network access on the system could query for userdata at a later stage.

There are several ways to get around this, such as:

  • blocking access to the metadata service via iptables
  • having the userdata pull the passwords from a different server, then write the inithooks.conf
  • having a post-deployment script execute the inithooks directly providing the passwords as arguments.

BTW, I did a write up of how we do secure preseeding via the Hub which might be of interest.

I hope the above helps.

uncleofthestick's picture

Really helpful

Thank you, it was enlightening :-)

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)