[lxc-users] Problem with CentOS download from images.linuxcontainers.org

Michael H. Warfield mhw at WittsEnd.com
Tue Apr 29 14:26:04 UTC 2014


On Tue, 2014-04-29 at 09:59 -0400, Stéphane Graber wrote:
> On Tue, Apr 29, 2014 at 01:17:25PM +0000, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > On Mon, Apr 28, 2014 at 06:50:41PM -0400, Michael H. Warfield wrote:
> > > > On Mon, 2014-04-28 at 22:26 +0100, Matt Saunders wrote:
> > > > > Hi there,
> > > > > 
> > > > > I'm enjoying using the lxc-download template to get slimmed down
> > > > > containers.  This works really well for me with the Ubuntu container.
> > > > > 
> > > > > However, I'm having a problem with the CentOS 6 amd64 one at
> > > > > http://images.linuxcontainers.org/images/centos/6/amd64/default/20140426_02:16/
> > > > > 
> > > > > The post-create message says "The default root password is: root" but I
> > > > > can't log in on the console with that password.  I have to edit
> > > > > /etc/shadow manually to get into the container but it'd be much easier
> > > > > to know what the password actually is.
> > > > 
> > > > Rather than editing /etc/shadow manually, the correct practice is to
> > > > either run:
> > > > 
> > > > chroot /var/lib/lxc/{Container}/rootfs passwd
> > > > 
> > > > or
> > > > 
> > > > echo root:${Password_Hash} | chroot /var/lib/lxc/{Container}/rootfs chpasswd -e
> > > > 
> > > > The latter is safer (no password exposure and no static password), if
> > > > you're a security paranoid like I am, but more complicated.
> > > > 
> > > > > Can anyone help?
> > > > 
> > > > I see Stéphane is saying he is fixing that in git.  Can't say I agree
> > > > with the practice of setting initial passwords to static values but the
> > > > download template is his.
> > > 
> > > The download template is designed to be minimal, never run any code from
> > > the downloaded files on the host and the actual images are updated
> > > daily, so using a static password seemed like the obvious choice there
> > > as changing it would be a problem (either missing commands or possibly
> > > running code in a potentially unsafe way) and using your password
> > > generator would have meant that anyone using an image made on the same
> > > day would also get a shared password.
> > > 
> > > 
> > > I have a vague plan to have lxc-download allow hooks provided by the
> > > actual templates, those would be trusted in that they'd be shipped with
> > 
> > I do think we should have lxc.hook.create, and think we've discussed
> > it before.  Just no one's implemented it yet.

> Yeah, that'd be one way of doing it (and something we should be
> implementing regardless), though I'd have to think about it some more to
> make sure this would cover the things I want to support.

> Basically in an ideal world, the hook mechanism used by lxc-download
> would allow hooks to define extra options, create hooks may work for
> this if lxc-download converts the extra parameters to environment
> variables, however this wouldn't let us list those extra options in
> --help.

It also creates a problem with getopt, since you don't have the options
defined.  OTOH, something driven by environment variables might be
possible, but equally difficult to list in the "help" section.

You could consider a function hook script where you source the hook
script and it defines a set of functions and variables which the
template could use.  I've been considering that sort of approach.

> So yeah, it's something that's on my todo and I hope to find a good
> solution for this so we can regain some more control on the containers
> generated using the download template.

> > 
> > > LXC and not as part of what's downloaded by the download template and
> > > would be able to do things like locale configuration, password changes,
> > > ssh key config, ...
> > > 
> > > However this is still a pretty vague plan and obviously not something
> > > we'd ever backport to 1.0.x.
> > > 
> > > 
> > > > 
> > > > > Thanks!
> > > > > Matt.
> > > > > -- 
> > > > >   Matt Saunders 
> > > > >   07506 857125
> > > > >   http://www.yoyo.org/matts/contacts/
> > > > 
> > > > Regards,
> > > > Mike
> > > > -- 
> > > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > > 
> > > 
> > > 
> > > 
> > > > _______________________________________________
> > > > lxc-users mailing list
> > > > lxc-users at lists.linuxcontainers.org
> > > > http://lists.linuxcontainers.org/listinfo/lxc-users
> > > 
> > > 
> > > -- 
> > > Stéphane Graber
> > > Ubuntu developer
> > > http://www.ubuntu.com
> > 
> > 
> > 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
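
The sourced function-hook approach suggested in the reply above, as an added example that is not part of the original message or of LXC's code. All names here (hook_longopts, hook_help, hook_set_option, load_hook, template_help, template_parse) and the --root-hash and --ssh-key options are hypothetical; because sourcing runs the hook with the template's privileges, the loader first checks the file's ownership and write permissions.

```sh
# Constructed hook file; stands in for one shipped with LXC, not downloaded.
HOOK_FILE=$(mktemp)
cat > "$HOOK_FILE" <<'EOF'
hook_longopts="root-hash:,ssh-key:"          # options this hook adds
hook_help() {
    echo "  --root-hash <hash>  pre-hashed root password"
    echo "  --ssh-key <file>    public key to install for root"
}
hook_set_option() {                          # $1 = option, $2 = value
    case "$1" in
        --root-hash) HOOK_ROOT_HASH=$2 ;;
        --ssh-key)   HOOK_SSH_KEY=$2 ;;
        *) return 1 ;;
    esac
}
EOF

# Sourcing runs the hook with the template's privileges, so accept only a
# regular file owned by the caller that group and others cannot write.
hook_is_trusted() {
    [ -f "$1" ] && [ -O "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}
load_hook() {
    hook_is_trusted "$1" || { echo "refusing hook: $1" >&2; return 1; }
    . "$1"
}

# Help output lists the template's own options plus whatever the hook declares.
template_help() {
    echo "  --dist <name>       distribution to fetch"
    if command -v hook_help >/dev/null; then hook_help; fi
}

# Every option takes one value; hook options are accepted only if declared.
template_parse() {
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        case "$1" in
            --dist) DIST=$2 ;;
            --*) case ",$hook_longopts" in
                     *",${1#--}:"*) hook_set_option "$1" "$2" || return 1 ;;
                     *) echo "unknown option: $1" >&2; return 1 ;;
                 esac ;;
            *) echo "unexpected argument: $1" >&2; return 1 ;;
        esac
        shift 2
    done
}
```

After `load_hook "$HOOK_FILE"`, `template_help` prints the hook's options alongside the template's own, and `template_parse` rejects any option the hook did not declare.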
