[lxc-devel] [PATCH v2 3/3] Improve setting the default password in a new container

TAMUKI Shoichi tamuki at linet.gr.jp
Sat Oct 11 02:57:01 UTC 2014 

Hello,

From: Serge Hallyn <serge.hallyn at ubuntu.com>
Subject: Re: [lxc-devel] [PATCH v2 3/3] Improve setting the default password in a new container
Date: Thu, 9 Oct 2014 18:46:19 +0000

> > The default password in a new container is now auto-generated using
> > phoneme rules and (good) random numbers.
> > 
> > Even if the default random password is set in a distribution-specific
> > template and you use the download template to pull a pre-built rootfs
> > image, you will get the same password every time unless the pre-built
> > rootfs image is updated.
> > 
> > So, the default random password in a new container is to be set after
> > container creation.  The user names whose passwords to be changed are
> > stored in *.chpasswd file which is located at /usr/share/lxc/config.
> > Each line of the file specifies a user name whose password is to be
> > changed.  If the target *.chpasswd file does not exist, no password is
> > changed in a new container.
> > 
> > Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
> 
> Hi.
> 
> After a "brief" look over this patch I didn't see any technical problems,
> but let's take a step back and talk about the usage of this.
> 
> Three things I'd like to discuss, and I'm curious whether you've talked
> at all with Michael or Stephane about this approach.

Sure, I would like to discuss the approach with the people interested.

> 1. You print out the new passwords on lxc-create command line.
>    a. You always do this, -q or no (trivial fix)
>    b. The resulting passwords aren't available for later perusal.  This
>       works fine if i sit at the command line and create one container,
>       but not if a script is creating one
>       One might say "well you can reset it using attach" but if that is
>       our feeling then we may as well set all passwords to invalid and
>       always require users to set them.

The way the resulting passwords are not available for later perusal is
much safer/secure, but we indeed need to take it into consideration
that the resulting passwords are notified under various conditions.

> 2. The resetting of passwords is guided only via the template.chpasswd
>    files.  There should be a way to override these via the configuration file
>    or command line.  What about simply making this a list in the configuration
>    file?  So the $distro.common configuration file could have
> 
> lxc.chpasswd = joe
> lxc.chpasswd = root
> 
>    then my own configuration file could include that and do
> 
> lxc.chpasswd =
> 
>    to clear out the list and request no changes

What is the purpose of chpasswd files configurable?  If the user name
in the chpasswd file is wrong from the actual user in the container,
the chpasswd command will fail.  I think, what about adding the new
command option that requests no changes to lxc-create.

In addition, the method that the resetting of passwords is guided via
template.chpasswd, does not work well in the following cases:

  - Given the '-t' template option to lxc-create, if the template is a
    full executable path, no password is changed in the container.

  - Some templates (e.g. gentoo, ubuntu) create 'root' or 'ubuntu'
    user by default, however the user name can be configurable using
    --user option.  If so, the resetting of password will fail.

To solve that, instead of preparing template.chpasswd files, the
template should inform the user name to be changed via something like
$lxcpath/$container/chpasswd file.  Then, after the template runs,
lxc-create will read the file and do chpasswd for them.

When using the download template to pull a pre-built rootfs image,
lxc-create will also read the $lxcpath/$container/users file.  So,
when making a pre-built rootfs image, the script will read the
$lxcpath/$container/users file which the template has informed, and
store the user name into the meta.tar.xz.  And then, the download
template invoked by lxc-create should store the user name to be
changed into $lxcpath/$container/chpasswd file.

> 3. To fix 1b, I think it'd be ok to have a (default-off) config item
> 
> lxc.store-passwords = 1
> 
>    which will store the uname:passwd entries in 700-mode
>    $lcxpath/$container/passwords
> 
> Comments?

I think it will be ok to have a config item or a command-line option.

Regards,
TAMUKI Shoichi

More information about the lxc-devel mailing list