Injecting the administrator password¶
Compute can generate a random administrator (root) password and inject that password into an instance. If this feature is enabled, users can run ssh to an instance without an ssh keypair. The random password appears in the output of the openstack server create command. You can also view and set the admin password from the dashboard.
Password injection using the dashboard
By default, the dashboard will display the admin
password and allow the
user to modify it.
If you do not want to support password injection, disable the password fields
by editing the dashboard’s local_settings.py
file.
OPENSTACK_HYPERVISOR_FEATURES = {
...
'can_set_password': False,
}
Password injection on libvirt-based hypervisors
For hypervisors that use the libvirt back end (such as KVM, QEMU, and LXC),
admin password injection is disabled by default. To enable it, set this option
in /etc/nova/nova.conf
:
[libvirt]
inject_password=true
When enabled, Compute will modify the password of the admin account by editing
the /etc/shadow
file inside the virtual machine instance.
Note
Linux distribution guest only.
Note
Users can only use ssh to access the instance by using the admin password if the virtual machine image is a Linux distribution, and it has been configured to allow users to use ssh as the root user with password authorization. This is not the case for Ubuntu cloud images which, by default, does not allow users to use ssh to access the root account, or CentOS cloud images which, by default, does not allow ssh access to the instance with password.
Password injection and Windows images (all hypervisors)
For Windows virtual machines, configure the Windows image to retrieve the admin password on boot by installing an agent such as cloudbase-init.