The parameter "--admin-pass" of the nova client does not work when an instance is launched using a bootable volume
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Won't Fix
|
Medium
|
MOS Nova | ||
| 8.0.x |
Won't Fix
|
Medium
|
MOS Nova | ||
| 9.x |
Won't Fix
|
Medium
|
MOS Nova | ||
Bug Description
Detailed bug description:
The parameter --admin-pass is intended for injection of a root password to the newly launched machines. When a VM is launched from an image, root password is changed and an user can login to the machine using ssh and a root password. When a VM is launched from a bootable volume, the root's password is not changed.
Steps to reproduce:
root@node-7:~# nova boot --flavor m1.micro --image TestVM --nic net-id=
SKIPPED FLOATING IP ASSOCIATION
root@node-7:~# ssh root@172.16.100.171
The authenticity of host '172.16.100.171 (172.16.100.171)' can't be established.
RSA key fingerprint is 45:63:3e:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.171' (RSA) to the list of known hosts.
root@172.
#
# Connection to 172.16.100.171 closed.
root@node-7:~# cinder create --image-id 2310a281-
root@node-7:~# nova boot --flavor m1.micro --block-device source=
SKIPPED FLOATING IP ASSOCIATION
root@node-7:~# ssh root@172.16.100.172
The authenticity of host '172.16.100.172 (172.16.100.172)' can't be established.
RSA key fingerprint is 93:cd:62:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.172' (RSA) to the list of known hosts.
root@172.
Permission denied, please try again.
root@172.
Permission denied, please try again.
root@172.
root@node-7:~# nova list
+------
| ID | Name | Status | Task State | Power State | Networks |
+------
| 3764e98d-
| 3a71f426-
+------
root@node-7:~# cinder list
+------
| ID | Status | Migration Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+------
| 21f1597b-
+------
root@node-7:~# glance image-list
+------
| ID | Name |
+------
| 2310a281-
+------
root@node-7:~#
Expected results:
The password must be injected into the virtual machine, whether it is launched from an image or from a bootable volume.
Actual result:
User root cannot login to the newly launched VM.
Workaround:
To login as a different user or using ssh key and changing the root's password.
Description of the environment:
Mirantis OpenStack 8.0
Additional information:
| tags: |
added: area-nova removed: nova |
| Roman Podoliaka (rpodolyaka) wrote | #1 |
| Changed in mos: | |
| milestone: | none → 9.2 |
| assignee: | nobody → MOS Nova (mos-nova) |
| status: | New → Won't Fix |
Anatolii,
For this feature to work a few conditions must be met:
1) inject_password option in [libvirt] section of nova.conf must be set to True on compute nodes (False by default)
2-a) file injection must be enabled in nova.conf (note, that it does not work for ephemerals stored in Ceph and VMs *booted from volumes*)
or, alternatively
2-b) an instance must be booted with a config drive enabled (obviously, you'll need cloud-init inside a guest image)
Note, ^ is only about injecting a user password on boot. To change it via libvirt there are additional conditions to be met:
3) libvirt version must be 1.2.16+ (we ship 1.2.9 in 8.0 - http://
4) qemu agent must be running inside a guest OS (http://
^ currently (9.x) we ship libvirt 1.2.9 and this does not seem to be important enough to change that.
The preferred method of logging in to VMs is via public keys. Password injection must work if you enable it in the config file and make sure file injection is possible (e.g. via config drive for volume-backed instances + cloud-init inside guest images).
Having said that, I don't think it's worth it to change the defaults we have right now (i.e. inject_