
Adrian,

Thanks for your response. This is an isolated environment for shared temporary test machines where speed and convenience are more desired by users than security. I did find an easy way to re-enable the local Administrator account via a userdata script, so thank you for supporting that.

Currently I am using 'cansetpassword' in Horizon and can successfully deploy instances with configdrive and httpservice (by changing the order in metadata_services). However, I'm running into these limitations:

  1. If configdrive is used, the password is properly taken from Horizon and applied to the VM but is not posted to the metadata service (I believe this is expected) and thus cannot be retrieved if forgotten short of grepping the configdrive iso by an admin. If the user does not select a password in Horizon, a random one will be used, which again cannot be retrieved from Horizon.

  2. If httpserver is used, the user gets a random password which is properly posted to the metadata and can be retrieved with the keypair. Unfortunately, if the user adds a password in Horizon, a random one is still used ... the desired password does not get applied to the VM. Interestingly, though, the desired password will be in the configdrive file.

  3. If httpserver is used and the instance is booted on the command line with "--meta admin_pass=<password>", we get the desired behavior. The password input by the user is applied to the VM and is posted to the metadata, meaning it can be retrieved & decrypted with the key. However, end users cannot use this method as they are using Horizon.

I understand #1 and #3 are probably working normally. So my question is on #2: when using httpserver, should cloudbase-init use the admin pass input to Horizon, or is it properly generating a random password?

Thanks again for your feedback.