[lxc-users] Problem with CentOS download from images.linuxcontainers.org

Stéphane Graber stgraber at ubuntu.com
Tue Apr 29 13:59:00 UTC 2014


On Tue, Apr 29, 2014 at 01:17:25PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Mon, Apr 28, 2014 at 06:50:41PM -0400, Michael H. Warfield wrote:
> > > On Mon, 2014-04-28 at 22:26 +0100, Matt Saunders wrote:
> > > > Hi there,
> > > > 
> > > > I'm enjoying using the lxc-download template to get slimmed down
> > > > containers.  This works really well for me with the Ubuntu container.
> > > > 
> > > > However, I'm having a problem with the CentOS 6 amd64 one at
> > > > http://images.linuxcontainers.org/images/centos/6/amd64/default/20140426_02:16/
> > > > 
> > > > The post-create message says "The default root password is: root" but I
> > > > can't log in on the console with that password.  I have to edit
> > > > /etc/shadow manually to get into the container but it'd be much easier
> > > > to know what the password actually is.
> > > 
> > > Rather than editing /etc/shadow manually, the correct practice is to
> > > either run:
> > > 
> > > chroot /var/lib/lxc/{Container}/rootfs passwd
> > > 
> > > or
> > > 
> > > echo root:${Password_Hash} | chroot /var/lib/lxc/{Container}/rootfs chpasswd -e
> > > 
> > > The latter is safer (no password exposure and no static password), if
> > > you're a security paranoid like I am, but more complicated.
> > > 
> > > > Can anyone help?
> > > 
> > > I see Stéphane is saying he is fixing that in git.  Can't say I agree
> > > with the practice of setting initial passwords to static values but the
> > > download template is his.
> > 
> > The download template is designed to be minimal, never run any code from
> > the downloaded files on the host and the actual images are updated
> > daily, so using a static password seemed like the obvious choice there
> > as changing it would be a problem (either missing commands or possibly
> > running code in a potentially unsafe way) and using your password
> > generator would have meant that anyone using an image made on the same
> > day would also get a shared password.
> > 
> > 
> > I have a vague plan to have lxc-download allow hooks provided by the
> > actual templates, those would be trusted in that they'd be shipped with
> 
> I do think we should have lxc.hook.create, and think we've discussed
> it before.  Just no one's implemented it yet.

Yeah, that'd be one way of doing it (and something we should be
implementing regardless), though I'd have to think about it some more to
make sure this would cover the things I want to support.

Basically in an ideal world, the hook mechanism used by lxc-download
would allow hooks to define extra options, create hooks may work for
this if lxc-download converts the extra parameters to environment
variables, however this wouldn't let us list those extra options in
--help.

So yeah, it's something that's on my todo and I hope to find a good
solution for this so we can regain some more control on the containers
generated using the download template.


> 
> > LXC and not as part of what's downloaded by the download template and
> > would be able to do things like locale configuration, password changes,
> > ssh key config, ...
> > 
> > However this is still a pretty vague plan and obviously not something
> > we'd ever backport to 1.0.x.
> > 
> > 
> > > 
> > > > Thanks!
> > > > Matt.
> > > > -- 
> > > >   Matt Saunders 
> > > >   07506 857125
> > > >   http://www.yoyo.org/matts/contacts/
> > > 
> > > Regards,
> > > Mike
> > > -- 
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > 
> > 
> > 
> > 
> > > _______________________________________________
> > > lxc-users mailing list
> > > lxc-users at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-users
> > 
> > 
> > -- 
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> 
> 
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
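
The hash-based method quoted earlier in this message, as an added shell example that is not part of the original thread. It feeds a pre-computed hash to `chpasswd -e` (shadow utilities) and validates the input first; the function names are hypothetical, and the example assumes a SHA-256 or SHA-512 crypt(3) hash.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Create the hash off-host or interactively (e.g. `openssl passwd -6` prompts
# for the password) so the plaintext never lands in argv or shell history.

NL='
'

# Succeeds only for a SHA-256 ($5$) or SHA-512 ($6$) crypt(3) string.
is_crypt_hash() {
    # grep is line-based, so an embedded newline could smuggle in a second
    # "user:hash" line; reject it before matching.
    case "$1" in *"$NL"*) return 1 ;; esac
    b64='[./A-Za-z0-9]'
    pre='(rounds=[0-9]+[$])?'"$b64"'{1,16}[$]'
    printf '%s\n' "$1" |
        grep -Eq '^[$](5[$]'"$pre$b64"'{43}|6[$]'"$pre$b64"'{86})$'
}

# Print the single "user:hash" line that `chpasswd -e` reads on stdin.
chpasswd_line() {
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "refusing: bad user name" >&2; return 1 ;;
    esac
    is_crypt_hash "$2" || { echo "refusing: not a crypt hash" >&2; return 1; }
    printf '%s:%s\n' "$1" "$2"
}

# Apply the hash inside a container rootfs (needs root on the host).
set_container_password() {
    [ -d "$1" ] || { echo "no such rootfs: $1" >&2; return 1; }
    line=$(chpasswd_line "$2" "$3") || return 1
    # chroot executes the container's own chpasswd binary as host root,
    # so only use this on a rootfs whose contents you trust.
    printf '%s\n' "$line" | chroot "$1" chpasswd -e
}

# Usage: set_container_password /var/lib/lxc/NAME/rootfs root "$HASH"
```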