[lxc-devel] [PATCH] Add tuning knob to not expire root password in centos template
Michael H. Warfield
mhw at WittsEnd.com
Mon Mar 17 15:42:23 UTC 2014
On Mon, 2014-03-17 at 09:06 -0500, Serge Hallyn wrote:
> Quoting Mingjiang Shi (mrjewes at gmail.com):
> > Hi All,
> > This patch adds a tuning knob (environment variable) to not expire the root
> > password.
> >
> > Use case: One wants to set the root password when creating the container,
> > so he/she doesn't want the password to be expired.
> >
> > Usage:
> > root_password="<root password for the container>" root_expire_password=no
> > lxc-create -t centos -n <container name>
> >
> > Signed-off-by: Mingjiang Shi <mrjewes at gmail dot com>
> I don't particularly like the use of == in shell (except when
> intended), but it'll do the right thing in this case.
Yeah, I saw that little niggle and thought it might be one more thing to
clean up down the road (script has a couple of problems when switching
from #!/bin/bash to #!/bin/sh) but wasn't going to call that a show
stopper.
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> I'll wait until Michael's review to apply.
I'm good with it.
Acked-by: Michael H. Warfield <mhw at WittsEnd.com>
Regards,
Mike
> >
> > ---
> > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > index 55e0531..93f4f93 100644
> > --- a/templates/lxc-centos.in
> > +++ b/templates/lxc-centos.in
> > @@ -43,10 +43,12 @@ default_path=@LXCPATH@
> > #
> > # If root_display_password = yes, display the temporary root password at
> > exit.
> > # If root_store_password = yes, store it in the configuration directory
> > # If root_prompt_password = yes, invoke "passwd" to force the user to
> > change
> > # the root password after the container is created.
> > +# If root_expire_password = yes, you will be prompted to change the root
> > +# password at the first login.
> > #
> > # These are conditional assignments... The can be overridden from the
> > # preexisting environment variables...
> > #
> > # Make sure this is in single quotes to defer expansion to later!
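Review bot: the two comment lines added for root_expire_password describe only the yes case. Say what any other value does (the root password set at creation stays valid with no forced change at first login) and that the default is yes, so someone reading the header knows what turning it off means.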
> > @@ -59,10 +61,14 @@ default_path=@LXCPATH@
> > : ${root_store_password='yes'}
> > # Prompting for something interactive has potential for mayhem
> > # with users running under the API... Don't default to "yes"
> > : ${root_prompt_password='no'}
> >
> > +# Expire root password? Default to yes, but can be overridden from
> > +# the environment variable
> > +: ${root_expire_password='yes'}
> > +
> > # These are only going into comments in the resulting config...
> > lxc_network_type=veth
> > lxc_network_link=lxcbr0
> >
> > # is this centos?
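Review bot: `: ${root_expire_password='yes'}` assigns the default only when the variable is unset, so an exported but empty root_expire_password stays empty, the later comparison with "yes" fails, and expiry is skipped. The value is never validated either, so "Yes" or "1" also turn expiry off. Since yes is the safer setting, consider `: ${root_expire_password:='yes'}` plus a check that accepts only yes or no and falls back to yes for anything else.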
> > @@ -337,12 +343,14 @@ EOF
> > echo ${root_password} > ${config_path}/tmp_root_pass
> > echo "Storing root password in '${config_path}/tmp_root_pass'"
> > fi
> >
> > echo "root:$root_password" | chroot $rootfs_path chpasswd
> > - # Also set this password as expired to force the user to change it!
> > - chroot $rootfs_path passwd -e root
> > + if [ ${root_expire_password} == "yes" ];then
> > + # set this password as expired to force the user to change it!
> > + chroot $rootfs_path passwd -e root
> > + fi
> >
> > # This will need to be enhanced for CentOS 7 when systemd
> > # comes into play... /\/\|=mhw=|\/\/
> >
> > return 0
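Review bot: in `if [ ${root_expire_password} == "yes" ];then` the expansion is unquoted and `==` is not portable `[` syntax, so an empty value or one containing spaces makes the test fail with an error and the password is left unexpired, and the line breaks if the script moves to #!/bin/sh. Use `[ "${root_expire_password}" = "yes" ]`, which also matches the `=` used in the later hunk. With root_store_password=yes and expiry off, the contents of tmp_root_pass stay a valid root credential, which is worth saying in the "Storing root password" message.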
> > @@ -879,15 +887,17 @@ then
> >
> > chroot ${rootfs_path} passwd
> > "
> > chroot ${rootfs_path} passwd
> > else
> > - echo "
> > -The root password is set up as "expired" and will require it to be changed
> > -at first login, which you should do as soon as possible. If you lose the
> > -root password or wish to change it without starting the container, you
> > -can change it from the host by running the following command (which will
> > -also reset the expired flag):
> > -
> > - chroot ${rootfs_path} passwd
> > -"
> > + if [ ${root_expire_password} = "yes" ];then
> > + echo "
> > + The root password is set up as "expired" and will require it to be
> > changed
> > + at first login, which you should do as soon as possible. If you lose
> > the
> > + root password or wish to change it without starting the container, you
> > + can change it from the host by running the following command (which
> > will
> > + also reset the expired flag):
> > +
> > + chroot ${rootfs_path} passwd
> > + "
> > + fi
> > fi
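Review bot: with root_expire_password set to anything but yes, this else branch now prints nothing, so the user is told neither that the root password was left unexpired nor how to change it from the host. Keep the `chroot ${rootfs_path} passwd` hint outside the new if and add a line stating that the password was not expired. The test here is also unquoted; write `[ "${root_expire_password}" = "yes" ]`.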
> > ---
> > --
> > Thanks
> > -Mingjiang
>
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!