On Mon, Apr 28, 2014 at 06:50:41PM -0400, Michael H. Warfield wrote:
> On Mon, 2014-04-28 at 22:26 +0100, Matt Saunders wrote:
> > Hi there,
> >
> > I'm enjoying using the lxc-download template to get slimmed down
> > containers. This works really well for me with the Ubuntu container.
> >
> > However, I'm having a problem with the CentOS 6 amd64 one at
> > http://images.linuxcontainers.org/images/centos/6/amd64/default/20140426_02:16/
> >
> > The post-create message says "The default root password is: root" but I
> > can't log in on the console with that password. I have to edit
> > /etc/shadow manually to get into the container but it'd be much easier
> > to know what the password actually is.
>
> Rather than editing /etc/shadow manually, the correct practice is to
> either run:
>
> chroot /var/lib/lxc/{Container}/rootfs passwd
>
> or
>
> echo root:${Password_Hash} | chroot /var/lib/lxc/{Container}/rootfs chpasswd -e
>
> The latter is safer (no password exposure and no static password), if
> you're a security paranoid like I am, but more complicated.
>
> > Can anyone help?
>
> I see Stéphane is saying he is fixing that in git. Can't say I agree
> with the practice of setting initial passwords to static values but the
> download template is his.

The download template is designed to be minimal, never run any code from
the downloaded files on the host and the actual images are updated
daily, so using a static password seemed like the obvious choice there
as changing it would be a problem (either missing commands or possibly
running code in a potentially unsafe way) and using your password
generator would have meant that anyone using an image made on the same
day would also get a shared password.

I have a vague plan to have lxc-download allow hooks provided by the
actual templates, those would be trusted in that they'd be shipped with
LXC and not as part of what's downloaded by the download template and
would be able to do things like locale configuration, password changes,
ssh key config, ...

However this is still a pretty vague plan and obviously not something
we'd ever backport to 1.0.x.

> > Thanks!
> > Matt.
> > --
> > Matt Saunders
> > 07506 857125
> > http://www.yoyo.org/matts/contacts/
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
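
The hash-based approach from the quoted reply, as an added example that is not part of the original thread: it generates a per-container random password, hashes it on the host, and feeds only the `root:HASH` line to `chpasswd -e` inside the chroot. The function names are hypothetical, and it assumes an OpenSSL with `passwd -6` (1.1.1 or later) on the host.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of LXC.

# Print a random 24-character password (18 random bytes, base64-encoded).
gen_password() {
    head -c 18 /dev/urandom | base64
}

# Read a cleartext password on stdin and print "USER:HASH" in the form
# chpasswd -e expects. openssl picks a fresh random salt on every call,
# and the cleartext never appears in a process argument list.
chpasswd_line() (
    user=$1
    hash=$(openssl passwd -6 -stdin) || exit 1
    case $hash in
        '$6$'*) printf '%s:%s\n' "$user" "$hash" ;;
        *) echo "unexpected hash format" >&2; exit 1 ;;
    esac
)

# Set a fresh root password inside ROOTFS and print the cleartext once.
# Caveat from the thread: chroot runs the image's own chpasswd binary as
# root on the host, so only do this for images you trust.
set_root_password() (
    rootfs=$1
    [ -f "$rootfs/etc/shadow" ] || { echo "not a rootfs: $rootfs" >&2; exit 1; }
    pw=$(gen_password) || exit 1
    # Build the line first so a hashing failure aborts before chroot runs.
    line=$(printf '%s\n' "$pw" | chpasswd_line root) || exit 1
    printf '%s\n' "$line" | chroot "$rootfs" chpasswd -e || exit 1
    printf '%s\n' "$pw"
)

# Usage (as root): set_root_password /var/lib/lxc/{Container}/rootfs
```

Because the password is generated when the function runs on the host, two containers created from the same daily image do not share a credential.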
