diskimage-builder/elements/dynamic-login/README.rst

=============
dynamic-login
=============

This element insert a helper script in the image that allows users to
dynamically configure credentials at boot time. This is specially useful
for troubleshooting.

Troubleshooting an image can be quite hard, specially if you can not get
a prompt you can enter commands to find out what went wrong. By default,
the images (specially ramdisks) doesn't have any SSH key or password for
any user. Of course one could use the ``devuser`` element to generate
an image with SSH keys and user/password in the image but that would be
a massive security hole and very it's discouraged to run in production
with a ramdisk like that.

This element allows the operator to inject a SSH key and/or change the
root password dynamically when the image boots. Two kernel command line
parameters are used to do it:

sshkey
  :Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the
                kernel command line on boot, the helper script will append
                this key to the root user authorized_keys.

rootpwd
  :Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
                kernel command line on boot, the helper script will set the
                root password to the one specified by this option. Note that
                this password must be **encrypted**. Encrypted passwords
                can be generated using the ``openssl`` command, e.g:
                *openssl passwd -1*.


.. note::
   The value of these parameters must be **quoted**, e.g: sshkey="ssh-rsa
   BBBA1NBzaC1yc2E ..."


.. warning::
    Some base operational systems might require selinux to be in
    **permissive** or **disabled** mode so that you can log in
    the image. This can be achieved by building the image with the
    ``selinux-permissive`` element for diskimage-builder or by passing
    ``selinux=0`` in the kernel command line. RHEL/CentOS are examples
    of OSs which this is true.
Add dynamic-login element Troubleshooting an image can be quite hard, specially if you can not get a prompt you can enter commands to find out what went wrong. By default, the images (specially ramdisks) doesn't have any SSH key or password for any user. Of course one could use the ``devuser`` element to generate an image with SSH keys and user/password in the image but that would be a massive security hole and very it's discouraged to run in production with a ramdisk like that. This commit is adding a new element called dynamic-login, which inserts a helper script into the image to allow operators to inject a SSH key and/or change the root password dynamically when it boots via parameters in the kernel command line. Those parameters are: sshkey = If the operator append sshkey="$PUBLIC_SSH_KEY" to the kernel command line on boot, the helper script will append this key to the root user authorized_keys. rootpwd = If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the kernel command line on boot, the helper script will set the root password to the one specified by this option. Note that this password should be an encrypted password. Change-Id: I6b87a1b90163d79745f30dfacd37516051fa0aea 2015-11-12 18:06:57 +00:00			`=============`
			`dynamic-login`
			`=============`

			`This element insert a helper script in the image that allows users to`
			`dynamically configure credentials at boot time. This is specially useful`
			`for troubleshooting.`

			`Troubleshooting an image can be quite hard, specially if you can not get`
			`a prompt you can enter commands to find out what went wrong. By default,`
			`the images (specially ramdisks) doesn't have any SSH key or password for`
			any user. Of course one could use the ``devuser`` element to generate
			`an image with SSH keys and user/password in the image but that would be`
			`a massive security hole and very it's discouraged to run in production`
			`with a ramdisk like that.`

			`This element allows the operator to inject a SSH key and/or change the`
			`root password dynamically when the image boots. Two kernel command line`
			`parameters are used to do it:`

			`sshkey`
			`:Description: If the operator append sshkey="$PUBLIC_SSH_KEY" to the`
			`kernel command line on boot, the helper script will append`
			`this key to the root user authorized_keys.`

			`rootpwd`
			`:Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the`
			`kernel command line on boot, the helper script will set the`
			`root password to the one specified by this option. Note that`
Follow up patch for 25d3ee547176528e86d42eb026c99a134dff9452 This patch is a follow up patch fixing some nits left by the review 25d3ee547176528e86d42eb026c99a134dff9452. It does: * Fix the README file to say that the password must be encrypted and the option values must be quoted * Adds Type=oneshot in the upstart service config file so that upstart will not try to restart the service over and over. * Enable setu, sete and setpipefail in the dynamic-login script Change-Id: Iee5d75daef24469ccf47ca12de6ead37bf9d8d6f 2015-12-01 14:08:49 +00:00			`this password must be encrypted. Encrypted passwords`
Add dynamic-login element Troubleshooting an image can be quite hard, specially if you can not get a prompt you can enter commands to find out what went wrong. By default, the images (specially ramdisks) doesn't have any SSH key or password for any user. Of course one could use the ``devuser`` element to generate an image with SSH keys and user/password in the image but that would be a massive security hole and very it's discouraged to run in production with a ramdisk like that. This commit is adding a new element called dynamic-login, which inserts a helper script into the image to allow operators to inject a SSH key and/or change the root password dynamically when it boots via parameters in the kernel command line. Those parameters are: sshkey = If the operator append sshkey="$PUBLIC_SSH_KEY" to the kernel command line on boot, the helper script will append this key to the root user authorized_keys. rootpwd = If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the kernel command line on boot, the helper script will set the root password to the one specified by this option. Note that this password should be an encrypted password. Change-Id: I6b87a1b90163d79745f30dfacd37516051fa0aea 2015-11-12 18:06:57 +00:00			can be generated using the ``openssl`` command, e.g:
			`openssl passwd -1.`


			`.. note::`
Follow up patch for 25d3ee547176528e86d42eb026c99a134dff9452 This patch is a follow up patch fixing some nits left by the review 25d3ee547176528e86d42eb026c99a134dff9452. It does: * Fix the README file to say that the password must be encrypted and the option values must be quoted * Adds Type=oneshot in the upstart service config file so that upstart will not try to restart the service over and over. * Enable setu, sete and setpipefail in the dynamic-login script Change-Id: Iee5d75daef24469ccf47ca12de6ead37bf9d8d6f 2015-12-01 14:08:49 +00:00			`The value of these parameters must be quoted, e.g: sshkey="ssh-rsa`
Add dynamic-login element Troubleshooting an image can be quite hard, specially if you can not get a prompt you can enter commands to find out what went wrong. By default, the images (specially ramdisks) doesn't have any SSH key or password for any user. Of course one could use the ``devuser`` element to generate an image with SSH keys and user/password in the image but that would be a massive security hole and very it's discouraged to run in production with a ramdisk like that. This commit is adding a new element called dynamic-login, which inserts a helper script into the image to allow operators to inject a SSH key and/or change the root password dynamically when it boots via parameters in the kernel command line. Those parameters are: sshkey = If the operator append sshkey="$PUBLIC_SSH_KEY" to the kernel command line on boot, the helper script will append this key to the root user authorized_keys. rootpwd = If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the kernel command line on boot, the helper script will set the root password to the one specified by this option. Note that this password should be an encrypted password. Change-Id: I6b87a1b90163d79745f30dfacd37516051fa0aea 2015-11-12 18:06:57 +00:00			`BBBA1NBzaC1yc2E ..."`


			`.. warning::`
			`Some base operational systems might require selinux to be in`
			`permissive or disabled mode so that you can log in`
			`the image. This can be achieved by building the image with the`
			``selinux-permissive`` element for diskimage-builder or by passing
			``selinux=0`` in the kernel command line. RHEL/CentOS are examples
			`of OSs which this is true.`