[lxc-users] Problem with CentOS download from images.linuxcontainers.org

Serge Hallyn serge.hallyn at ubuntu.com
Tue Apr 29 13:17:25 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Mon, Apr 28, 2014 at 06:50:41PM -0400, Michael H. Warfield wrote:
> > On Mon, 2014-04-28 at 22:26 +0100, Matt Saunders wrote:
> > > Hi there,
> > > 
> > > I'm enjoying using the lxc-download template to get slimmed down
> > > containers.  This works really well for me with the Ubuntu container.
> > > 
> > > However, I'm having a problem with the CentOS 6 amd64 one at
> > > http://images.linuxcontainers.org/images/centos/6/amd64/default/20140426_02:16/
> > > 
> > > The post-create message says "The default root password is: root" but I
> > > can't log in on the console with that password.  I have to edit
> > > /etc/shadow manually to get into the container but it'd be much easier
> > > to know what the password actually is.
> > 
> > Rather than editing /etc/shadow manually, the correct practice is to
> > either run:
> > 
> > chroot /var/lib/lxc/{Container}/rootfs passwd
> > 
> > or
> > 
> > echo root:${Password_Hash} | chroot /var/lib/lxc/{Container}/rootfs chpasswd -e
> > 
> > The latter is safer (no password exposure and no static password), if
> > you're a security paranoid like I am, but more complicated.
> > 
> > > Can anyone help?
> > 
> > I see Stéphane is saying he is fixing that in git.  Can't say I agree
> > with the practice of setting initial passwords to static values but the
> > download template is his.
> 
> The download template is designed to be minimal, never run any code from
> the downloaded files on the host and the actual images are updated
> daily, so using a static password seemed like the obvious choice there
> as changing it would be a problem (either missing commands or possibly
> running code in a potentially unsafe way) and using your password
> generator would have meant that anyone using an image made on the same
> day would also get a shared password.
> 
> 
> I have a vague plan to have lxc-download allow hooks provided by the
> actual templates, those would be trusted in that they'd be shipped with

I do think we should have lxc.hook.create, and think we've discussed
it before.  Just no one's implemented it yet.

> LXC and not as part of what's downloaded by the download template and
> would be able to do things like locale configuration, password changes,
> ssh key config, ...
> 
> However this is still a pretty vague plan and obviously not something
> we'd ever backport to 1.0.x.
> 
> 
> > 
> > > Thanks!
> > > Matt.
> > > -- 
> > >   Matt Saunders 
> > >   07506 857125
> > >   http://www.yoyo.org/matts/contacts/
> > 
> > Regards,
> > Mike
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 
> 
> 
> 
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
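
The two constraints discussed in this thread (a per-container password hash rather than a static one, and never running code from the downloaded image on the host) can both be met by writing a host-generated hash into the rootfs shadow file without chroot. This is an added example, not code from the thread or from LXC; the function name `set_root_hash` and the symlink refusal are assumptions of the example, and the hash is expected to come from a host-side tool such as `openssl passwd -6`.

```shell
#!/bin/sh
# Added example: set root's password hash in a container rootfs from the
# host. No chroot is used, so no binary from the downloaded image runs.

# set_root_hash ROOTFS HASH
#   ROOTFS  e.g. /var/lib/lxc/{Container}/rootfs
#   HASH    an already-crypted value generated on the host
set_root_hash() {
    rootfs=$1 hash=$2
    shadow="$rootfs/etc/shadow"

    # Refuse symlinks: an untrusted image could point etc/ or etc/shadow
    # at a file outside the rootfs, such as the host's own /etc/shadow.
    if [ -L "$rootfs/etc" ] || [ -L "$shadow" ]; then
        echo "refusing: symlink in path to $shadow" >&2; return 2
    fi
    [ -f "$shadow" ] || { echo "no shadow file at $shadow" >&2; return 2; }

    # An empty hash means no password; a ':' would shift the shadow fields.
    case $hash in
        *:*|'') echo "invalid hash" >&2; return 2 ;;
    esac

    # mktemp creates the file with mode 0600 in the same directory,
    # so the final mv is an atomic rename on one filesystem.
    tmp=$(mktemp "$rootfs/etc/shadow.XXXXXX") || return 1
    # Pass the hash through the environment so awk does not treat
    # '$' or '\' in it as anything special.
    if NEWHASH=$hash awk -F: -v OFS=: '
        $1 == "root" { $2 = ENVIRON["NEWHASH"]; found = 1 }
        { print }
        END { exit (found ? 0 : 3) }' "$shadow" > "$tmp"
    then
        mv "$tmp" "$shadow"
    else
        rm -f "$tmp"; echo "no root entry in $shadow" >&2; return 3
    fi
}
```

The replacement file is owned by the invoking user with mode 0600; on an unprivileged container the ownership still has to be shifted to the container's mapped root.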


