sexibytes / sexigraf

SexiGraf is a vSphere centric Graphite appliance with a Grafana frontend.
http://www.sexigraf.fr
MIT License

VMware Appliance (OVA) enhancements #387

Open tsugliani opened 6 months ago

tsugliani commented 6 months ago

Hi gents,

It would be amazing to add to the available ovf properties, the ability to setup the appliance root password AND setup a ssh key too. (if those are not set, just use the current default password so it doesn't change the current behavior)

This feature is provided by many appliances these days, and would be a great addition :-)

I do this on my packer templates too for reference: https://github.com/tsugliani/packer-alpine

OVF properties: https://github.com/tsugliani/packer-alpine/blob/main/files/customization.sh#L32-L33
Related Code: https://github.com/tsugliani/packer-alpine/blob/main/files/customization.sh#L85-L96

Thanks in advance,

rschitz commented 6 months ago

Hi Timo, thanks for your feedback. We can add this feature for sure ;)

rschitz commented 6 months ago

@tsugliani I'm not comfortable keeping the password and ssh keys in the ovf props like in this example:

image

What's your feeling on this?

tsugliani commented 6 months ago

Password is not shown in vCenter UI/API, with the ovf:password="true" setting in the OVF envelope for this property (only way to fetch it would be to access the VC DB, but at that stage, you are already compromised pretty badly)

For the ssh public key, that is meant to be public, so not sure why that is a problem?

You could use the same setting as the password above for the ssh key so it doesn't appear in the UI/API if that feels like an issue.

Even GitHub/GitLab shares your public keys, for example my registered one is here:

❯ curl https://api.github.com/users/tsugliani/keys
[
  {
    "id": 71752143,
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCkr56eYkjAN7cgXKHl65kismGjXEghO5ECb9vnmpoeer+1MpdpLI7DsPr76wDWTtRMcKWlJYJ3+tvXKSr5zAupWgyASPA2vaDA/H6HXicM8VjQSNsb3zsx8qVoXZCkbM3sTxjR2GMAXuiuihH3G2MY2qVaCWqea5RQ9QDnSiuRDlUXoGp/FKbhl+iEZ/rs5X2FDm84jU6VPNVzutgog/NE2CRn4S8pc6xWyFtd1jaezgUi7rbK+6NnkfUeQxsjPsexniagco97ZZNDwGVqxhe2uOMjbZcg6leEguwQgm7+Kj8+/nFfjH+senoM8B41dr9vpk32llgJEKIXv1a+3L7qz/FDZi+bYWIZPTr0d4mMF6Js24kBfhAx+T608603opWKma4sGu0eW/a7z3fptOBYpBQkEw8GVuDGQGyP3kOR68ObKEJkSFKZfHmiGIAJBXHUnN4Y5WVvKL7YpU3KpKakDe8o0aTuxFT7fanZt7o2aBtAkkaUAkDXNa52JJY9OZm9sX9yON4OeoM9H/H7so2M8liVQVC6DyAnRtX5fHDvP4sk9xMbJzjaBom9bCXp27Mj6DAh4VLTpxRx6/KEPKL/BjSbxYR00w4bIYNK0Xkf+kKBwsuSDz8D/opKGJQrjbFkpgMucxnMOpJ/ggj5L963GGoMFX7xpqtwjJU4eDNaQ=="
  },
  {
    "id": 84987101,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5P8euZ0NGqx4xtaL/cV3f45KD2p5mbz29I8wUFAhUv"
  }
]

Hope this makes sense.
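Putting the two halves of the request together (the optional root password and SSH key asked for in the opening comment, and the `ovf:password="true"` declaration discussed just above), the following first-boot script is an added example; it is neither SexiGraf's code nor the packer-alpine `customization.sh` linked earlier. The property names `guestinfo.root_password` and `guestinfo.ssh_public_key`, the target paths and the sample `ovfEnv` document are assumptions constructed for this snippet. Only `vmtoolsd --cmd 'info-get guestinfo.ovfEnv'` and `chpasswd` are real commands.

```shell
#!/bin/sh
# Added example (not SexiGraf's or packer-alpine's own code): first-boot
# customization that applies an optional root password and SSH public key
# passed in as OVF properties, and changes nothing when they are absent,
# so the appliance keeps its current default behaviour.
#
# The property names are assumptions. Declared in the OVF ProductSection
# they would look like this; ovf:password="true" keeps the value out of
# the vCenter UI/API (the guest still receives it in clear text through
# guestinfo.ovfEnv, which is why this script never prints it):
#
#   <Property ovf:key="guestinfo.root_password" ovf:type="string"
#             ovf:userConfigurable="true" ovf:password="true">
#     <Label>Root password</Label>
#     <Description>Leave empty to keep the appliance default.</Description>
#   </Property>
#   <Property ovf:key="guestinfo.ssh_public_key" ovf:type="string"
#             ovf:userConfigurable="true">
#     <Label>SSH public key for root</Label>
#   </Property>

# Paths and commands are overridable so the logic can be exercised outside a VM.
AUTHORIZED_KEYS=${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}
CHPASSWD_CMD=${CHPASSWD_CMD:-chpasswd}

# Read the OVF environment VMware injects into the guest (open-vm-tools).
read_ovf_env() {
    vmtoolsd --cmd 'info-get guestinfo.ovfEnv'
}

# Swallow stdin; stands in for chpasswd in demos and tests.
discard() {
    cat >/dev/null
}

# Undo the five XML attribute escapes so a password such as a&b<c round-trips.
# &amp; is handled last so a literally escaped "&amp;lt;" stays "&lt;".
xml_unescape() {
    sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# ovf_property XML KEY: print the oe:value of the matching <Property>, exit 1
# when the key is absent. Assumes the layout vCenter emits (oe:key before
# oe:value, one Property per line).
ovf_property() {
    line=$(printf '%s\n' "$1" | grep -F "oe:key=\"$2\"") || return 1
    printf '%s\n' "$line" | sed -n 's/.*oe:value="\([^"]*\)".*/\1/p' | xml_unescape
}

# Accept only OpenSSH public key types, so arbitrary text typed into the
# property can never end up in authorized_keys.
valid_ssh_pubkey() {
    case $1 in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-'*|'sk-ssh-ed25519@openssh.com '*|'sk-ecdsa-sha2-'*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_customization XML: set the root password and/or authorized key when
# supplied; report what was done without ever printing the secret.
apply_customization() {
    xml=$1
    pw=$(ovf_property "$xml" guestinfo.root_password) || pw=
    key=$(ovf_property "$xml" guestinfo.ssh_public_key) || key=

    if [ -n "$pw" ]; then
        printf 'root:%s\n' "$pw" | $CHPASSWD_CMD
        echo "root password set from OVF property"
    else
        echo "no root password property; keeping appliance default"
    fi

    if [ -n "$key" ]; then
        if valid_ssh_pubkey "$key"; then
            dir=$(dirname "$AUTHORIZED_KEYS")
            mkdir -p "$dir" && chmod 700 "$dir"
            touch "$AUTHORIZED_KEYS" && chmod 600 "$AUTHORIZED_KEYS"
            # Append only once so repeated boots stay idempotent.
            grep -qxF "$key" "$AUTHORIZED_KEYS" || printf '%s\n' "$key" >> "$AUTHORIZED_KEYS"
            echo "ssh public key installed in $AUTHORIZED_KEYS"
        else
            echo "ignoring guestinfo.ssh_public_key: not an OpenSSH public key" >&2
        fi
    fi
}

# Constructed sample of a guestinfo.ovfEnv document (not captured from a real VM;
# the key material is a placeholder, not a usable key).
SAMPLE_OVF_ENV='<?xml version="1.0" encoding="UTF-8"?>
<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1" xmlns:oe="http://schemas.dmtf.org/ovf/environment/1">
   <PropertySection>
      <Property oe:key="guestinfo.root_password" oe:value="S3cret&amp;Sound"/>
      <Property oe:key="guestinfo.ssh_public_key" oe:value="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyConstructedForThisSnippetOnly root@example"/>
   </PropertySection>
</Environment>'

# --live: real first boot inside the VM.  --demo: dry run against the sample.
if [ "${1:-}" = "--live" ]; then
    apply_customization "$(read_ovf_env)"
elif [ "${1:-}" = "--demo" ]; then
    AUTHORIZED_KEYS=./authorized_keys.demo CHPASSWD_CMD=discard apply_customization "$SAMPLE_OVF_ENV"
fi
```

Run it as `sh customize.sh --demo` on a workstation to see the decision path, or wire `--live` into a first-boot service in the appliance; because both properties default to empty, an OVA deployed without filling them in behaves exactly as today.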

rschitz commented 6 months ago

Didn't know about the hidden password setting, and you're right, we don't care about public keys, I'm too paranoid :D Thanks