[lxc-devel] [PATCH] Add tuning knob to not expire root password in centos template

Michael H. Warfield mhw at WittsEnd.com
Mon Mar 17 15:42:23 UTC 2014


On Mon, 2014-03-17 at 09:06 -0500, Serge Hallyn wrote:
> Quoting Mingjiang Shi (mrjewes at gmail.com):
> > Hi All,
> > This patch adds a tuning knob (environment variable) to not expire the root
> > password.
> > 
> > Use case: One wants to set the root password when creating the container,
> > so he/she doesn't want the password to be expired.
> > 
> > Usage:
> > root_password="<root password for the container>" root_expire_password=no
> > lxc-create -t centos -n <container name>
> > 
> > Signed-off-by: Mingjiang Shi <mrjewes at gmail dot com>

> I don't particularly like the use of == in shell (except when
> intended), but it'll do the right thing in this case.

Yeah, I saw that little niggle and thought it might be one more thing to
clean up down the road (script has a couple of problems when switching
from #!/bin/bash to #!/bin/sh) but wasn't going to call that a show
stopper.

> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> I'll wait until Michael's review to apply.

I'm good with it.

Acked-by: Michael H. Warfield <mhw at WittsEnd.com>

Regards,
Mike

> > 
> > ---
> > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > index 55e0531..93f4f93 100644
> > --- a/templates/lxc-centos.in
> > +++ b/templates/lxc-centos.in
> > @@ -43,10 +43,12 @@ default_path=@LXCPATH@
> >  #
> >  # If root_display_password = yes, display the temporary root password at
> > exit.
> >  # If root_store_password = yes, store it in the configuration directory
> >  # If root_prompt_password = yes, invoke "passwd" to force the user to
> > change
> >  # the root password after the container is created.
> > +# If root_expire_password = yes, you will be prompted to change the root
> > +# password at the first login.
> >  #
> >  # These are conditional assignments...  The can be overridden from the
> >  # preexisting environment variables...
> >  #
> >  # Make sure this is in single quotes to defer expansion to later!
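
Review bot: The comment added for root_expire_password covers only the "yes" case, so a reader of this header block cannot tell what any other value does. Suggest a third line stating that with any value other than "yes" the root password is left exactly as set, with no forced change at first login, and that the knob is meant to be used together with a caller-supplied root_password as in the usage shown in the commit message.
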
> > @@ -59,10 +61,14 @@ default_path=@LXCPATH@
> >  : ${root_store_password='yes'}
> >  # Prompting for something interactive has potential for mayhem
> >  # with users running under the API...  Don't default to "yes"
> >  : ${root_prompt_password='no'}
> > 
> > +# Expire root password? Default to yes, but can be overridden from
> > +# the environment variable
> > +: ${root_expire_password='yes'}
> > +
> >  # These are only going into comments in the resulting config...
> >  lxc_network_type=veth
> >  lxc_network_link=lxcbr0
> > 
> >  # is this centos?
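
Review bot: Keeping the default at 'yes' is right, but the comment above the new assignment should mention the interaction with root_store_password, which defaults to 'yes' a few lines earlier in this hunk. With root_expire_password=no, the password the script later writes to ${config_path}/tmp_root_pass stays a valid root credential indefinitely instead of being a one-time value. Suggest saying so in the comment and recommending root_store_password=no whenever expiry is turned off.
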
> > @@ -337,12 +343,14 @@ EOF
> >          echo ${root_password} > ${config_path}/tmp_root_pass
> >          echo "Storing root password in '${config_path}/tmp_root_pass'"
> >      fi
> > 
> >      echo "root:$root_password" | chroot $rootfs_path chpasswd
> > -    # Also set this password as expired to force the user to change it!
> > -    chroot $rootfs_path passwd -e root
> > +    if [ ${root_expire_password} == "yes" ];then
> > +        # set this password as expired to force the user to change it!
> > +        chroot $rootfs_path passwd -e root
> > +    fi
> > 
> >      # This will need to be enhanced for CentOS 7 when systemd
> >      # comes into play...   /\/\|=mhw=|\/\/
> > 
> >      return 0
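
Review bot: The new test `[ ${root_expire_password} == "yes" ]` leaves the variable unquoted and uses `==`, so it can fail in the unsafe direction. The default is set with `: ${root_expire_password='yes'}`, which assigns only when the variable is unset, so an empty value from the environment turns the test into `[ == "yes" ]`. That is an error, the branch is not taken and `passwd -e root` is skipped. A `[` that does not accept `==` gives the same result even with the default value, which matters if the script moves to #!/bin/sh. Suggest `if [ "${root_expire_password}" = "yes" ]; then`, which also matches the `=` used in the last hunk, or testing for an explicit "no" so that unrecognised values still expire the password.
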
> > @@ -879,15 +887,17 @@ then
> > 
> >          chroot ${rootfs_path} passwd
> >  "
> >      chroot ${rootfs_path} passwd
> >  else
> > -    echo "
> > -The root password is set up as "expired" and will require it to be changed
> > -at first login, which you should do as soon as possible.  If you lose the
> > -root password or wish to change it without starting the container, you
> > -can change it from the host by running the following command (which will
> > -also reset the expired flag):
> > -
> > -        chroot ${rootfs_path} passwd
> > -"
> > +    if [ ${root_expire_password} = "yes" ];then
> > +        echo "
> > +    The root password is set up as "expired" and will require it to be
> > changed
> > +    at first login, which you should do as soon as possible.  If you lose
> > the
> > +    root password or wish to change it without starting the container, you
> > +    can change it from the host by running the following command (which
> > will
> > +    also reset the expired flag):
> > +
> > +            chroot ${rootfs_path} passwd
> > +    "
> > +    fi
> >  fi
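
Review bot: When root_expire_password is not "yes" the else branch now prints nothing, so the user gets no indication that the root password was left unexpired and loses the hint about `chroot ${rootfs_path} passwd`, which is still the way to change it from the host. Suggest an else arm on the inner `if` that prints a short notice that the password was not expired, plus the same chroot hint. Two smaller points in the same block: `${root_expire_password}` should be quoted here as well, and the message text is now indented inside the double-quoted string, so the four leading spaces will appear in the output.
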
> > ---
> > -- 
> > Thanks
> > -Mingjiang
> 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
