[lxc-users] Problem with CentOS download from images.linuxcontainers.org

Stéphane Graber stgraber at ubuntu.com
Mon Apr 28 23:05:48 UTC 2014

On Mon, Apr 28, 2014 at 06:50:41PM -0400, Michael H. Warfield wrote:
> On Mon, 2014-04-28 at 22:26 +0100, Matt Saunders wrote:
> > Hi there,
> > 
> > I'm enjoying using the lxc-download template to get slimmed down
> > containers.  This works really well for me with the Ubuntu container.
> > 
> > However, I'm having a problem with the CentOS 6 amd64 one at
> > http://images.linuxcontainers.org/images/centos/6/amd64/default/20140426_02:16/
> > 
> > The post-create message says "The default root password is: root" but I
> > can't log in on the console with that password.  I have to edit
> > /etc/shadow manually to get into the container but it'd be much easier
> > to know what the password actually is.
> Rather than editing /etc/shadow manually, the correct practice is to
> either run:
> chroot /var/lib/lxc/{Container}/rootfs passwd
> or
> echo root:${Password_Hash} | chroot /var/lib/lxc/{Container}/rootfs chpasswd -e
> The latter is safer (no password exposure and no static password), if
> you're a security paranoid like I am, but more complicated.
> > Can anyone help?
> I see Stéphane is saying he is fixing that in git.  Can't say I agree
> with the practice of setting initial passwords to static values but the
> download template is his.

The download template is designed to be minimal, never run any code from
the downloaded files on the host and the actual images are updated
daily, so using a static password seemed like the obvious choice there
as changing it would be a problem (either missing commands or possibly
running code in a potentially unsafe way) and using your password
generator would have meant that anyone using an image made on the same
day would also get a shared password.

I have a vague plan to have lxc-download allow hooks provided by the
actual templates, those would be trusted in that they'd be shipped with
LXC and not as part of what's downloaded by the download template and
would be able to do things like locale configuration, password changes,
ssh key config, ...

However this is still a pretty vague plan and obviously not something
we'd ever backport to 1.0.x.

> > Thanks!
> > Matt.
> > -- 
> >   Matt Saunders 
> >   07506 857125
> >   http://www.yoyo.org/matts/contacts/
> Regards,
> Mike
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!


Stéphane Graber
Ubuntu developer
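
Added example (not part of the original message and not LXC code): one way to give a container its own root password hash from the host without chroot, so that no binary from the downloaded rootfs runs on the host, which is the constraint described in the reply above. The helper name set_root_hash and the usage values are assumptions; the hash is expected to be generated on the host beforehand.

```shell
# set_root_hash ROOTFS HASH   (hypothetical helper, run as root on the host)
# Replaces the password field of the root entry in ROOTFS/etc/shadow with a
# crypt(3) hash generated on the host. Nothing inside ROOTFS is executed.
set_root_hash() {
    rootfs=$1
    hash=$2
    shadow="$rootfs/etc/shadow"

    # Only etc and etc/shadow are checked: an image could ship either as a
    # symlink so that the write lands on a file outside the container.
    if [ -L "$rootfs/etc" ] || [ -L "$shadow" ] || [ ! -f "$shadow" ]; then
        echo "refusing: $shadow is missing or a symlink" >&2
        return 1
    fi

    # Accept only crypt(3) hash characters; this rejects ':' and newlines,
    # which would corrupt the colon-separated record.
    case $hash in
        ''|*[!\$A-Za-z0-9./]*) echo "invalid hash" >&2; return 1 ;;
    esac

    tmp=$(mktemp) || return 1
    # The hash is passed through the environment so awk applies no escape
    # processing to it.
    if NEW_HASH=$hash awk -F: -v OFS=: '
            $1 == "root" { $2 = ENVIRON["NEW_HASH"]; found = 1 }
            { print }
            END { exit !found }' "$shadow" > "$tmp"; then
        # Overwrite in place to keep the owner, mode and labels of the file.
        cat "$tmp" > "$shadow"
        status=$?
    else
        echo "no root entry in $shadow" >&2
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Usage (path form taken from the thread, placeholder hash):
#   set_root_hash /var/lib/lxc/{Container}/rootfs '$6$<salt>$<hash>'
```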