You can configure Compute to generate a random administrator (root) password and
inject that password into the instance. If this feature is enabled, a user can
ssh to an instance without an ssh keypair. The
random password appears in the output of the nova boot command. You
can also view and set the admin
password from the dashboard.
The dashboard is configured by default to display the admin
password and allow the user to modify it.
If you do not want to support password injection, we
recommend disabling the password fields by editing
your Dashboard local_settings
file (file location will vary by Linux distribution,
on Fedora/RHEL/CentOS:
/etc/openstack-dashboard/local_settings
,
on Ubuntu and Debian:
/etc/openstack-dashboard/local_settings.py
and on openSUSE and SUSE Linux Enterprise Server:
/srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py
)
OPENSTACK_HYPERVISOR_FEATURE = { ... 'can_set_password': False, }
For hypervisors such as KVM that use the libvirt backend, admin
password injection is disabled by default. To enable it, set the following option in
/etc/nova/nova.conf
:
[libvirt] inject_password=true
When enabled, Compute will modify the password of
the root account by editing the
/etc/shadow
file inside of
the virtual machine instance.
Note | |
---|---|
Users can only ssh to the instance by using the admin password if:
|
Compute uses the XenAPI agent to inject passwords into guests when using the XenAPI hypervisor backend. The virtual-machine image must be configured with the agent for password injection to work.
To support the admin
password for Windows virtual machines, you
must configure the Windows image to retrieve the admin
password
on boot by installing an agent such as cloudbase-init.