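When we use a cloud image with cloud-init installed, password authentication, including over SSH, is usually disabled. We then have to inject a public key into the instance before we can use SSH. One way to override this is to use the cloud-config directives below (handled by the cc_set_passwords.py module) so that cloud-init sets the passwords at boot (/etc/cloud/cloud.cfg):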
#cloud-config
ssh_pwauth: True
password: passw0rd
chpasswd:
  list: |
    user1:password1
    user2:password2
    user3:RANDOM
  expire: False
You can modify the cc_set_passwords.py module so that it sets the root password by reading the admin_pass metadata value shown in the output below:
+--------------------------------------+---------------------------------------------------+
| Property | Value |
+--------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | instance-0000000e |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | AcSVqg3koaeS |
| config_drive | |
| created | 2016-05-04T01:05:46Z |
| flavor | m1.summit (8) |
| hostId | |
| id | ed7b97ef-cea9-4140-8cd0-d30d6abba802 |
| image | ubuntu1604 (ad673fbe-2402-462b-b29c-d10d49252310) |
| key_name | - |
| metadata | {} |
| name | myinstance |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 9d119a1e9de4498da818abe32124eb32 |
| updated | 2016-05-04T01:05:46Z |
| user_id | 3545fc68adb349828d3f98893fb0d47f |
+--------------------------------------+---------------------------------------------------+
Of course, you can also specify the admin pass directly at boot:
nova boot --image ubuntu1604 --flavor m1.summit --admin-pass mypassword mycustomrootpasswordinstance
Here is the link to a modified cc_set_passwords that sets the root password from the admin_pass in the metadata.
Cloud-init Python modules:
- Ubuntu 14.04: /usr/lib/python2.7/dist-packages/cloudinit/config/
- Ubuntu 16.04: /usr/lib/python3/dist-packages/cloudinit/config/
(What follows is my own addition.)
#!/bin/bash
# use the config drive to set the admin password at boot
crudini --set /etc/nova/nova.conf DEFAULT force_config_drive True
crudini --set /etc/nova/nova.conf DEFAULT config_drive_format vfat
systemctl restart openstack-nova-compute
Then boot an instance from the image that already has cloud-init installed:
nova --debug boot --admin-pass myadminpass --flavor C1-M4-D50 --image be122066-b542-4218-afe4-dd96f9229a3d --nic net-id=032b0971-ff53-4eec-a208-34640b0ea693 createin_back
+--------------------------------------+-----------------------------------------------------+
| Property | Value |
+--------------------------------------+-----------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hostname | createin-back |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | c63c1cfc-cfac-4837-ae57-fdd0c871fdf1 |
| OS-EXT-SRV-ATTR:kernel_id | |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | |
| OS-EXT-SRV-ATTR:reservation_id | r-p52hc4vk |
| OS-EXT-SRV-ATTR:root_device_name | - |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | myadminpass |
| config_drive | |
| created | 2017-08-09T03:52:15Z |
| description | - |
| flavor | C1-M4-D50 (C1-M4-D50) |
| hostId | |
| host_status | |
| id | c63c1cfc-cfac-4837-ae57-fdd0c871fdf1 |
| image | Cloud-init-e (be122066-b542-4218-afe4-dd96f9229a3d) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | createin_back |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 0179389d3fae429bb9ef89d3f6e9529c |
| updated | 2017-08-09T03:52:15Z |
| user_id | 7af998f5f1aa48b284ce394a7590ed44 |
+--------------------------------------+-----------------------------------------------------+
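When you log in to the instance with the specified password, you are immediately required to change it, because expire defaults to True.
Mounting the config drive lets you see the password in the metadata.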
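The lookup described above, sketched as an added example (not the modified cc_set_passwords module the page links to): it reads admin_pass from openstack/latest/meta_data.json on a mounted config drive and builds the user:password line that chpasswd expects. The helper names and the sample drive are hypothetical and constructed for the demo; the point to notice is that the password sits in plaintext for anyone who can read the drive.

```python
import json
import tempfile
from pathlib import Path

# Metadata file on an OpenStack config drive, relative to its mount point.
META_PATH = Path("openstack/latest/meta_data.json")


def read_admin_pass(mount_point):
    """Return admin_pass from the config drive metadata, or None if absent."""
    meta_file = Path(mount_point) / META_PATH
    try:
        meta = json.loads(meta_file.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None  # no config drive mounted here, or unreadable JSON
    value = meta.get("admin_pass") if isinstance(meta, dict) else None
    return value if isinstance(value, str) and value else None


def chpasswd_plan(mount_point, user="root", expire=True):
    """Hypothetical helper: the chpasswd stdin line and expire flag, or None."""
    password = read_admin_pass(mount_point)
    if password is None:
        return None
    if "\n" in password or ":" in user:
        raise ValueError("value would corrupt the user:password line")
    return {"stdin": f"{user}:{password}\n", "expire": expire}


def make_sample_drive(root, admin_pass=None):
    """Build a constructed config-drive directory tree for the demo."""
    meta = {"uuid": "00000000-0000-0000-0000-000000000000", "name": "sample"}
    if admin_pass is not None:
        meta["admin_pass"] = admin_pass
    target = Path(root) / META_PATH
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(meta), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        drive = make_sample_drive(tmp, admin_pass="constructed-sample")
        plan = chpasswd_plan(drive)
        # Report presence only; never echo the secret into logs.
        print("admin_pass present:", plan is not None, "expire:", plan["expire"])
```

Keeping expire at True, as in the behaviour described above, means the plaintext value on the drive stops being valid after the first login.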