[lxc-devel] default root password has to be random in default debian template

Michael H. Warfield mhw at WittsEnd.com
Sat Aug 23 20:44:05 UTC 2014


On Sat, 2014-08-23 at 11:04 +0200, Thomas Moschny wrote:
> 2014-08-20 18:32 GMT+02:00 Michael H. Warfield <mhw at wittsend.com>:
> > Yes, it does apply to more templates (but not all templates).
> >
> > This has been discussed before.  Please look at the Fedora and CentOS
> > templates for how we handle them there.  In those cases, it's
> > configurable and supports templating.  It's up to the other template
> > maintainers if they want to pull that over and there are issues with the
> > download template and its defaults (if you use the download template to
> > pull a Fedora rootfs, you still get root:root).  I'm not familiar with
> > who the maintainer of the Debian template is.  I've only contributed to
> > the Fedora, CentOS, and OpenSUSE templates.

> This issue has been reported as a security bug against the Fedora packages:

> https://bugzilla.redhat.com/show_bug.cgi?id=1132001

Sigh...

> It would be nice if we could get that fixed for all templates. Instead
> of letting different template maintainers fix that in different ways,
> we should probably factor this out into a common routine?

I just looked at the code I did in the Fedora template.  Yeah, I think I
could abstract that out into a "functions" file without too much
trouble.  I know Stéphane wants users to be using the download template
more, because the raw templates generally cannot be used by non-priv
users, but it would make things easier if we started building up a
scaffolding of common functions that could be used in templates.  This
might be a good place to start.

This has also raised the complicating question of changing the root
password from the host system when needed.  Some cases are
straightforward with a "chroot ${root_fs} passwd" but things can get much
more complicated depending on backing store (cow2, lvm, etc).

The download template is a special case where the whole rootfs is
downloaded and cached from an image site.

> Regards,
> Thomas

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
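
A sketch of the kind of shared "functions" file discussed in the message above, as an added example that is not part of the original post and not code from the LXC templates. All function names and the password file location are hypothetical, and it assumes a directory-backed rootfs that is already mounted on the host (the cow2/lvm cases mentioned above are not handled).

```shell
#!/bin/sh
# Added example: shared root-password helpers a template could source.
# Every function name here is hypothetical, not taken from the LXC tree.

# Print a random password of $1 hex characters (default 24, about 96 bits).
gen_root_password() {
    len=${1:-24}
    bytes=$(( (len + 1) / 2 ))
    head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-"$len"
}

# Set root's password inside a directory-backed rootfs. Needs root on the
# host and chpasswd inside the container image (both are assumptions).
set_root_password() {
    rootfs=$1 password=$2
    if [ ! -d "$rootfs/etc" ]; then
        echo "set_root_password: $rootfs is not a mounted rootfs" >&2
        return 1
    fi
    # chpasswd reads user:password on stdin, so the secret is not passed
    # as a command-line argument visible in the process list.
    printf 'root:%s\n' "$password" | chroot "$rootfs" chpasswd
}

# Record the generated password for the admin in an owner-only file.
save_root_password() {
    file=$1 password=$2
    rm -f "$file"
    ( umask 077 && printf '%s\n' "$password" > "$file" )
}

# What a template's configure step would call instead of hard-coding root:root.
configure_root_password() {
    rootfs=$1
    password=$(gen_root_password 24) || return 1
    set_root_password "$rootfs" "$password" || return 1
    # Stored beside the rootfs, outside the container (assumed location).
    save_root_password "$rootfs.root_pass" "$password"
}
```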
