[lxc-devel] [PATCH 4/4] Added root_password_expired password control tuning knob.
Stéphane Graber
stgraber at ubuntu.com
Sun Mar 23 00:56:39 UTC 2014
On Sat, Mar 22, 2014 at 01:59:59PM -0400, Michael H. Warfield wrote:
> Added root_password_expired password control tuning knob.
>
> Added the environment variable "root_password_expired" to
> control if the initial, temporary, root password is initially
> set up as "expired". If set to "yes" (default), the root password
> is set as "expired" and the user must change it at first login.
>
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> templates/lxc-centos.in | 21 +++++++++++++++++----
> templates/lxc-fedora.in | 21 +++++++++++++++++----
> 2 files changed, 34 insertions(+), 8 deletions(-)
>
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index 6d9e512..238159a 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -29,7 +29,7 @@
> #Configurations
> default_path=@LXCPATH@
>
> -# Some combinations of the tunning knobs below do not exactly make sense.
> +# Some combinations of the tuning knobs below do not exactly make sense.
> # but that's ok.
> #
> # If the "root_password" is non-blank, use it, else set a default.
> @@ -45,6 +45,8 @@ default_path=@LXCPATH@
> # If root_store_password = yes, store it in the configuration directory
> # If root_prompt_password = yes, invoke "passwd" to force the user to change
> # the root password after the container is created.
> +# If root_expire_password = yes, you will be prompted to change the root
> +# password at the first login.
> #
> # These are conditional assignments... The can be overridden from the
> # preexisting environment variables...
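Review bot: The name documented in this added comment, root_expire_password, does not match the subject line and commit message, which both call the variable root_password_expired. Anyone who sets the name given in the commit message will silently get the default behaviour instead. Please make the commit message use root_expire_password (or rename the variable) so the log and the template agree.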
> @@ -61,6 +63,10 @@ default_path=@LXCPATH@
> # with users running under the API... Don't default to "yes"
> : ${root_prompt_password='no'}
>
> +# Expire root password? Default to yes, but can be overridden from
> +# the environment variable
> +: ${root_expire_password='yes'}
> +
> # These are only going into comments in the resulting config...
> lxc_network_type=veth
> lxc_network_link=lxcbr0
> @@ -346,8 +352,12 @@ EOF
> fi
>
> echo "root:$root_password" | chroot $rootfs_path chpasswd
> - # Also set this password as expired to force the user to change it!
> - chroot $rootfs_path passwd -e root
> +
> + if [ ${root_expire_password} = "yes" ]
> + then
> + # Also set this password as expired to force the user to change it!
> + chroot $rootfs_path passwd -e root
> + fi
>
> # This will need to be enhanced for CentOS 7 when systemd
> # comes into play... /\/\|=mhw=|\/\/
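Review bot: The added test `[ ${root_expire_password} = "yes" ]` expands the variable unquoted, so an empty or multi-word value makes `[` fail with a syntax error, the branch is skipped, and the password just set by chpasswd stays unexpired. An empty value is reachable because the default is assigned with `${root_expire_password='yes'}`, which leaves a set-but-empty variable alone. Quote the expansion: `if [ "${root_expire_password}" = "yes" ]`.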
> @@ -900,7 +910,9 @@ then
> "
> chroot ${rootfs_path} passwd
> else
> - echo "
> + if [ ${root_expire_password} = "yes" ]
> + then
> + echo "
> The root password is set up as "expired" and will require it to be changed
> at first login, which you should do as soon as possible. If you lose the
> root password or wish to change it without starting the container, you
> @@ -909,4 +921,5 @@ also reset the expired flag):
>
> chroot ${rootfs_path} passwd
> "
> + fi
> fi
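Review bot: The new if wrapped around this echo has no else, so when root_expire_password is anything other than yes this branch prints nothing at all. That is exactly the case where the initial root password stays valid with no forced change, so the user should at least be told that the password was not expired and be given the same `chroot ${rootfs_path} passwd` hint for changing it.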
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 16f0c55..5414b4e 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -29,7 +29,7 @@
> #Configurations
> default_path=@LXCPATH@
>
> -# Some combinations of the tunning knobs below do not exactly make sense.
> +# Some combinations of the tuning knobs below do not exactly make sense.
> # but that's ok.
> #
> # If the "root_password" is non-blank, use it, else set a default.
> @@ -45,6 +45,8 @@ default_path=@LXCPATH@
> # If root_store_password = yes, store it in the configuration directory
> # If root_prompt_password = yes, invoke "passwd" to force the user to change
> # the root password after the container is created.
> +# If root_expire_password = yes, you will be prompted to change the root
> +# password at the first login.
> #
> # These are conditional assignments... The can be overridden from the
> # preexisting environment variables...
> @@ -61,6 +63,10 @@ default_path=@LXCPATH@
> # with users running under the API... Don't default to "yes"
> : ${root_prompt_password='no'}
>
> +# Expire root password? Default to yes, but can be overridden from
> +# the environment variable
> +: ${root_expire_password='yes'}
> +
> # These are only going into comments in the resulting config...
> lxc_network_type=veth
> lxc_network_link=lxcbr0
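Review bot: `: ${root_expire_password='yes'}` assigns only when the variable is unset, so a caller that exports it as an empty string keeps the empty value and does not get the yes default. If empty is meant to fall back to the default, use `: ${root_expire_password:='yes'}`. The new line follows the existing root_prompt_password assignment above it, so changing both together would keep them consistent.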
> @@ -294,8 +300,12 @@ EOF
> fi
>
> echo "root:$root_password" | chroot $rootfs_path chpasswd
> - # Also set this password as expired to force the user to change it!
> - chroot $rootfs_path passwd -e root
> +
> + if [ ${root_expire_password} = "yes" ]
> + then
> + # Also set this password as expired to force the user to change it!
> + chroot $rootfs_path passwd -e root
> + fi
>
> # specifying this in the initial packages doesn't always work.
> # Even though it should have...
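Review bot: In the added if, expiry now happens only on an exact match with yes, so values such as Yes, true or 1 silently turn off a step that was unconditional before this patch. Since expiring the temporary password is the safer outcome, consider skipping `passwd -e root` only when the value is explicitly no, or rejecting unrecognised values with an error. This block is also a copy of the one in templates/lxc-centos.in, so any fix needs to land in both files.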
> @@ -1412,7 +1422,9 @@ then
> "
> chroot ${rootfs_path} passwd
> else
> - echo "
> + if [ ${root_expire_password} = "yes" ]
> + then
> + echo "
> The root password is set up as "expired" and will require it to be changed
> at first login, which you should do as soon as possible. If you lose the
> root password or wish to change it without starting the container, you
> @@ -1421,4 +1433,5 @@ also reset the expired flag):
>
> chroot ${rootfs_path} passwd
> "
> + fi
> fi
> --
> 1.8.3.1
>
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com