cloudbase / cloudbase-init

Cross-platform instance initialization
http://openstack.org
Apache License 2.0

admin_pass via MAAS #32

Closed dacron closed 4 years ago

dacron commented 4 years ago

I can successfully use an SSL certificate and WinRM to set the Admin user password after a Windows image has been deployed by MAAS.

I understand that setting it via metadata is not really "secure", but that works in our trusted environment. I've tried with the following user data passed in to user_data as a base64 encoded string:

#cloud-config

cloudbase-config
admin_pass: password

with cloudbase-init.conf:

[DEFAULT]
username=Admin
groups=Administrators
inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\

and cloudbase-init-unattend.conf:

[DEFAULT]
username=Admin
groups=Administrators
inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin
allow_reboot=false
stop_service_on_exit=false
check_latest_version=false

But each time I'm still prompted to change the password when the host first boots. This is problematic for us as the devices are headless Intel NUCs with no IPMI (we are using a custom Eaton power driver to control power state - see: https://code.launchpad.net/~adacre/maas/+git/maas/+merge/377439)

ader1990 commented 4 years ago

MAAS does not support setting a password for the user in the metadata.

There are several ways you can achieve this:

  1. use a local script (ps1 or cmd) to be run by cloudbase-init: https://cloudbase-init.readthedocs.io/en/latest/plugins.html#local-scripts-execution-main
  2. use a userdata script https://cloudbase-init.readthedocs.io/en/latest/plugins.html#cloudbaseinit.plugins.common.userdata.UserDataPlugin, basically replace the cloud-config one with something like:
    #ps1
    net user Admin Passw0rd
  3. cloud-config based one, but the code is not yet in cloudbase-init (work in progress though) https://review.opendev.org/#/c/379354. It should land very soon, as the patch is in a working state.
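
A fuller version of option 2, as an added example that is not part of this thread or of the cloudbase-init project: a "#ps1" userdata script that sets the Admin password and also clears the "must change password at next logon" flag, which is the prompt dacron sees at first boot. The password value and the log file name are placeholders of mine; the log directory is the one from the .conf files above.

```powershell
#ps1
# Added example, not from cloudbase-init or the issue author. Runs once per
# instance via the UserData plugin. Sets the local Admin password and clears
# the "change password at next logon" flag so the first console logon is not
# interrupted. The password below is a placeholder, not a real value.
$ErrorActionPreference = 'Stop'

$UserName      = 'Admin'
$PlainPassword = 'REPLACE_WITH_STRONG_PASSWORD'   # placeholder
$Secure        = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# Create the account if cloudbase-init has not already created it, otherwise
# just reset the password. -PasswordNeverExpires avoids expiry-driven prompts.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Secure -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $UserName
} else {
    Set-LocalUser -Name $UserName -Password $Secure -PasswordNeverExpires $true
}

# Set-LocalUser has no parameter for the "user must change password at next
# logon" flag, so clear it with net user (the tool suggested above).
& net.exe user $UserName /logonpasswordchg:no | Out-Null

# Leave a trace in the cloudbase-init log directory so the run can be checked
# without a console session on the headless NUCs.
$LogDir = 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log'
"$(Get-Date -Format o) password set for $UserName; logon change prompt cleared" |
    Add-Content -Path (Join-Path $LogDir 'userdata-set-password.log')   # placeholder name
```

The plaintext password in userdata is still readable by anyone who can fetch the instance's metadata, which is the trade-off dacron accepts above for a trusted environment.
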

dacron commented 4 years ago

Ok. That's awesome and seems super easy. Are there any configuration changes required to cloudbase-init{-unattend}.conf so that cloudbase-init will not stomp on the changes and require the password to be changed on first login?

ader1990 commented 4 years ago

Once https://review.opendev.org/#/c/379354 gets merged, there should not be any configuration change from your side. You just need to define the userdata in cloud-config format similar to:

#cloud-config
users:
  -
    name: Admin
    primary_group: Administrators
    passwd: StrongPassw0rd

Note that the cloudbase-init beta installer gets rebuilt once a day.

After user/groups support for cloud-config gets merged, when a user gets created using the cloud-config information, its password does not expire.

ader1990 commented 4 years ago

@dacron I will notify you on this thread when the patch gets merged: https://review.opendev.org/#/c/379354

f-andrey commented 4 years ago

Does this run only once per instance?

ader1990 commented 4 years ago

@f-andrey the UserData plugin runs only once per instance.

@dacron the users/groups patch is merged, the cloudbase-init beta installer should have the new code.

ader1990 commented 4 years ago

Hello @dacron,

Did you manage to solve your requirements by using users/groups cloud-config directives?

Thank you, Adrian Vladu