[lxc-users] credentials for fedora container

Michael H. Warfield mhw at WittsEnd.com
Thu Dec 26 15:57:28 UTC 2013


On Thu, 2013-12-26 at 07:16 -0800, Alan Hewson wrote: 
> On Wed, Dec 25, 2013 at 08:55:50PM -0500, Michael H. Warfield wrote:
> > On Wed, 2013-12-25 at 20:13 -0500, Leonid Isaev wrote: 
> > > On Wed, 25 Dec 2013 19:17:19 -0500
> > > "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> > > 
> > > > On Wed, 2013-12-25 at 13:19 -0500, Leonid Isaev wrote: 
> > > > > On Wed, 25 Dec 2013 10:17:20 -0500
> > > > > "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> > > > 
> > > > > > In that case, you definitely need to go with 1.0.0-beta1 or better.  I
> > > > 
> > > > > is there anything special in the template that expects lxc-start 1.0.0, or
> > > > > one can simply download the template and run it as a bash script, and keep
> > > > > lxc 0.9.0?
> > > > 
> > > > Nope.  If you have a fully configured template from 1.0.0-beta1, it
> > > > should work perfectly fine on what you have.
> > > > 
> > > > > > just did the same thing and root/root worked (we've got to figure out
> > > > > > something better there)
> > > > 
> > > > > What about generating a random passwd from /dev/random, e.g.
> > > > > root_password="$(tr -cd '[:graph:]' < /dev/random | head -c 15)", echo
> > > > > $root_password to stdout and prompt the user to take note/change it on 1st
> > > > > login?
> > > > 
> > > > I'm working on something now.  I've already submitted a strawman
> > > > proposal to the lxc-devel list for a root password like this:
> > > > 
> > > > Root-${Container_Name}-${RANDOM}
> > > > 
> > > > We'll see.
> > > 
> > > Ah, sorry, I did not see that email...
> > 
> > Understandable.  That was on the lxc-devel list and this is on the
> > lxc-users list.  They don't (always) overlap.  I'm proposing a change
> > for these templates (and Dwight has to chime in on the Oracle template)
> > and soliciting discussion.
> > 
> > > I'll try to do something similar for the
> > > archlinux template (it has an empty root password by default).
> > 
> > And that's really bad if you have remote access enabled.
> > 
> > > Also, as long as fedora/centos/oracle (not sure if that file exists in
> > > debian/ubuntu) are concerned, perhaps one can use host's /etc/machine-id as a
> > > ${RANDOM} part of the password. It is of course weaker than a random string
> > > but still no secrets are shipped in the template and at least an admin won't
> > > be accidentally locked out of a remotely-generated container...
> > 
> > Well, there's three parts to that...  One is the root (sic) "Root".
> > Then you have the "${Container_name}" like TwiddleDee.  Then you have a
> > 2^15 random number from ${RANDOM} (is that only a bashism???).
> > 
> > So...  A new root password for TwiddleDee would be something like...
> > 
> > Root-TwiddleDee-25984
> > 
> > With warnings to record it and change it.
> > 

> I believe you can set passwd as "-e expired" forcing change at login.

That's an interesting thought as well.

> charles

Regards,
Mike

> > Not great but better than what we have and it can easily (as always) be
> > changed from the host.
> > 
> > > Thanks,
> > > Leonid.
> > 
> > Regards,
> > Mike
> > 
> > > > 
> > > > > > 
> > > > > > Regards,
> > > > > > Mike
> > > > > > 
> > > > > 
> > > > > Cheers,
> > > > > Leonid.
> > > > 
> > > > Regards,
> > > > Mike
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > lxc-users mailing list
> > > lxc-users at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-users
> > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 
> 
> 
> 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
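
The two ideas raised in the thread, a random initial root password and expiring it so the first login must change it, combined as an added example; this is not code from the LXC templates or from anyone in the thread. The function names, the rootfs argument and the CHROOT override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not LXC's own.

# Print $1 (default 15) random characters. /dev/urandom never blocks; the
# set is narrowed from [:graph:] to alphanumerics so the password is easy
# to write down. 15 such characters carry about 89 bits, against 15 bits
# for a single ${RANDOM}.
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-15}"
}

# Set root's password inside the container rootfs $1 to $2, then expire it
# so the first login has to choose a new one. Needs root on the host.
# CHROOT may point at a wrapper for dry runs (an assumption of this example).
set_expired_root_password() {
    rootfs=$1 password=$2
    [ -d "$rootfs" ] || { echo "no such rootfs: $rootfs" >&2; return 1; }
    # chpasswd reads user:password on stdin, keeping the secret out of argv.
    printf 'root:%s\n' "$password" | ${CHROOT:-chroot} "$rootfs" chpasswd || return 1
    ${CHROOT:-chroot} "$rootfs" passwd -e root
}

# Generate, apply, and show the password to the admin exactly once.
# Usage: provision_root /path/to/rootfs container-name
provision_root() {
    pw=$(gen_root_password 15) || return 1
    [ "${#pw}" -eq 15 ] || { echo "short read from /dev/urandom" >&2; return 1; }
    set_expired_root_password "$1" "$pw" || return 1
    printf 'Temporary root password for %s: %s (must be changed at first login)\n' "$2" "$pw"
}
```

Nothing is stored in the template itself: the password exists only in the container's shadow file and in the one line printed to the admin.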
