[virt-tools-list] [virt-manager PATCH][v2][RFC] Introduction of cloud-init configuration in virt-install

Daniel P. Berrangé berrange at redhat.com
Mon Jun 24 16:40:40 UTC 2019


On Mon, Jun 24, 2019 at 12:12:16PM -0400, Cole Robinson wrote:
> On 6/21/19 1:18 PM, Athina Plaskasoviti wrote:
> > I am sending a v2 of the patch for cloud init basic configuration during cloud image installation, applying previous suggestions.
> > 
> > Fixed: 
> > 
> > -the way the installation is triggered (no_install is no longer required):
> > 	--install is_cloud=yes ... --import
> > 
> > -added tmpfile for the files that are being generated in the installation process 
> > (meta-data, user-data, config.iso)
> > 
> > -changed condition in installerinject.py from label='cloud' to cloudinit=True
> > 
> 
> 
> I did some digging into cloud-init behavior to try and get a better idea
> of what the minimal viable config is, and get ideas for future work.
> 
> 
> cloud-init behavior
> ===================
> 
> The patch generates an .iso with volume label 'cidata' which is the
> magic to make cloud-init search it for config data. cloud-init must find
> a 'meta-data' and 'user-data' file in order to consider the iso a valid
> data source. There isn't any requirements on the contents though. They
> can both basically be empty AFAICT.
> 
> This patch is setting meta-data 'instance-id' and 'hostname' fields but
> neither are required: instance-id seems to only be needed on real cloud
> providers (and cloud-init fills in a 'nocloud' value for us by default).
> hostname will predictably set the VM hostname but that's not something
> we need to set by default. So in fact meta-data is fine to leave empty
> and I think that should be our default behavior.
> 
> Every distro cloud image has some default config in
> /etc/cloud/cloud.cfg. This is generated from cloud-init.git
> tools/render-cloudcfg which generates cloud.cfg from
> config/cloud.cfg.tmpl. Basically the only input to the template is the
> distro name. For example fedora generates in in the RPM spec with simply:
> 
> python3 tools/render-cloudcfg --variant fedora >
> $RPM_BUILD_ROOT/%{_sysconfdir}/cloud/cloud.cfg
> 
> cloud images seem to have this default behavior:
> - ssh is enabled and running
> - root account is locked
> - cloud.cfg will explicitly disallow ssh to the root account, via
> disable_root. Attempts to ssh to root will print an error message
> pointing to the default account
> - cloud.cfg will create a default account, locked, with full sudo access.
> 
> The name of the default account depends on the value passed to the
> tools/render-cloudcfg script. For Fedora it's 'fedora', Ubuntu is
> 'ubuntu'. The openstack page here documents the common ones:
> https://docs.openstack.org/image-guide/obtain-images.html
> 
> An extra note: I was wrong when I said in other threads that fedora
> images have a default password, they just have a default account name
> which is locked by default.

That good, so I was in fact right in remembering that.

> virt-install cli
> ================
> 
> I think the virt-install entry point for requesting cloud-init stuff
> should actually be its own top level option, like --unattended, because
> we may want to add suboptions and I don't want to mix those in with
> --install. So I'm thinking:
> 
> # does whatever we choose for default behavior, like --install is_cloud
> virt-install --cloud-init ...
> 
> # User provides their own user-data file. Maybe for meta-data too?
> virt-install --cloud-init user-data=/path/to/user-data
> 
> # Specify password for the default user. Yeah I know this isn't
> # a good pattern to put a password on the cli but we could combine it
> # with immediate password expiration so the user has to change it
> # on first log in
> virt-install --cloud-init password=FOOBAR
> 
> # Something like this to inject an ssh key? But honestly I'm not
> # convinced we should go down that route and instead just make users
> # manually set this themselves like they would for any other VM
> virt-install --cloud-init sshkey=/path/to/key

I think ssh keys is the preferred way to setup cloud images in many
cases as no one sane should ever be using passwords for ssh auth these
days given the continual brute force attacks they face.

Saying users must set a password and then manually copy their ssh key
in afterwards is crazy when cloud init supports getting the ssh key
in straight away without needing passwords.

I would not be surprised to even find cloud images which have
explicitly disabled SSH passwords entirely leaving SSH keys as the
only option. Some organizations will have a complete ban on use of
passwords for login purposes too.

 
> --cloud-init default behavior
> =============================
> 
> This is the bit I'm not really sure about. We need to manipulate some
> password in some way for the user to be able to log in.
> 
> For starters I think no matter what option we choose we should set the
> password to expire on first log in, thus forcing the user to choose a
> password of their own.
> 
> The safest: generate a long random password for the default user. Print
> it to the virt-install console. 'virt-builder fedora-30' does this, for
> example, using what looks like 16 char [a-zA-Z0-9]. User has to
> transcribe it into the VM twice (once for initial login, once for
> immediate password expiration). We probably want to pause for a couple
> seconds after we print it to the console so the user actually notices it
> was there before we launch the graphical console and steal their
> attention. Having to hand type a password into a graphical console kinda
> sucks because copy/paste isn't going to work out of the box with the
> minimal cloud images. This interaction can be improved if we use 'virsh
> console' by default for cloud images, which for Fedora at least are
> smart enough to print to the serial console, I suspect others are as well.

I guess it depends how you expect the VM to be access. Typically cloud
images are deployed & accessed headless, with SSH being the primary access
point. While clouds provide graphical console, that's not normally used for
more than troubleshooting when it fails to boot such that SSH isn't working.

For virt-install deployed VMs I think expecting headless access via SSH
is a reasonable assumption & SSH keys are desirable.

For virt-manager though, you're directed straight to graphical console
for which you're going to want a password.

For virt-manager presumably there'll be some UI to enable cloud init
during new VM creation ?  In which case the user can simply enter a
password during initial create. Could let them select an SSH public
key as an option.

> The simplest: use the guest name as the default password. It's not
> hardcoded, it's simple to type. Less safe though because the VM is
> exposed to ssh for that first bootup with a possibly predictable password.

I would consider any use of a predictable default password to be a
security flaw. Guest name is predictable and visible to any process
on the host so is not safe.

> Some of the general downsides of the 'default user' approach is that we
> need to communicate the default user name to the user as well, which is
> different per distro image. This means we will need to track it in
> libosinfo. This seems worthwhile to do anyways. In the mean time we
> could just print a warning about looking it up, or take a guess.
> 
> Something involving root: Maybe we don't touch the default user at all
> and instead set a root password. The 'root' user is well known, and root
> is blocked from ssh by default so there isn't any fear of network
> access. but this kinda violates the intentions of the distro disk images
> which lock down root by default and want people to use an unprivileged
> user but with sudo access. It also means we invalidate some of the
> documentation out there about the image's default user name.
> 
> So I'm not really sure what to do, I'm interested in suggestions. We
> should also consider how this will could possibly be exposed in
> virt-manager as well. If we can ever detect that an image needs
> cloud-init, we will either need to force the user to provide a password,
> or inform them in some way what the default user/pass is

I don't think we need to be able to detect it. During new VM wizard
we simply need an checkbox option to enable cloud-init data source.
When ticked we let them either enter a password or select an SSH
key. We can prefill the password box with a randomly generated choice
which can be changed or deleted as desired.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the virt-tools-list mailing list