nova/doc/source/admin/admin-password-injection.rst

====================================
Injecting the administrator password
====================================

Compute can generate a random administrator (root) password and inject that
password into an instance. If this feature is enabled, users can run
:command:`ssh` to an instance without an :command:`ssh` keypair.  The random
password appears in the output of the :command:`openstack server create`
command.  You can also view and set the admin password from the dashboard.

.. rubric:: Password injection using the dashboard

For password injection display in the dashboard, please refer to the setting of
``can_set_password`` in :horizon-doc:`Horizon doc
</configuration/settings.html#openstack-hypervisor-features>`

.. rubric:: Password injection on libvirt-based hypervisors

For hypervisors that use the libvirt back end (such as KVM, QEMU, and LXC),
admin password injection is disabled by default. To enable it, set this option
in ``/etc/nova/nova.conf``:

.. code-block:: ini

   [libvirt]
   inject_password=true

When enabled, Compute will modify the password of the admin account by editing
the ``/etc/shadow`` file inside the virtual machine instance.

.. note::

   Linux distribution guest only.

.. note::

   Users can only use :command:`ssh` to access the instance by using the admin
   password if the virtual machine image is a Linux distribution, and it has
   been configured to allow users to use :command:`ssh` as the root user with
   password authorization. This is not the case for
   `Ubuntu cloud images <http://uec-images.ubuntu.com>`_
   which, by default, does not allow users to use :command:`ssh` to access the
   root account, or
   `CentOS cloud images <http://cloud.centos.org/centos/>`_ which, by default,
   does not allow :command:`ssh` access to the instance with password.

.. rubric:: Password injection and Windows images (all hypervisors)

For Windows virtual machines, configure the Windows image to retrieve the admin
password on boot by installing an agent such as `cloudbase-init
<https://cloudbase.it/cloudbase-init>`_.
doc: Import administration guide Import all docs from openstack-manuals. Part of bp: doc-migration Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972 Co-Authored-By: Stephen Finucane <sfinucan@redhat.com> 2017-06-26 11:27:52 +00:00			`====================================`
			`Injecting the administrator password`
			`====================================`

			`Compute can generate a random administrator (root) password and inject that`
			`password into an instance. If this feature is enabled, users can run`
			:command:`ssh` to an instance without an :command:`ssh` keypair. The random
			password appears in the output of the :command:`openstack server create`
			`command. You can also view and set the admin password from the dashboard.`

			`.. rubric:: Password injection using the dashboard`

Docs: Correct ``Password injection using the dashboard`` Explanation During Icehouse release default value of 'can_set_password' sets to False for horizon(dashboard) but nova document is not updated yet and acc. to nova doc default value for above setting is True. So this patch correct the doc. For more info. please refer [1]. [1] https://docs.openstack.org/releasenotes/horizon/icehouse.html#default-hypervisor-settings-changes Change-Id: I3007e1f157e329f121b99ceaddd59625c86f428c 2021-02-11 09:11:26 +00:00			`For password injection display in the dashboard, please refer to the setting of`
			``can_set_password`` in :horizon-doc:`Horizon doc
			</configuration/settings.html#openstack-hypervisor-features>`
doc: Import administration guide Import all docs from openstack-manuals. Part of bp: doc-migration Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972 Co-Authored-By: Stephen Finucane <sfinucan@redhat.com> 2017-06-26 11:27:52 +00:00
			`.. rubric:: Password injection on libvirt-based hypervisors`

			`For hypervisors that use the libvirt back end (such as KVM, QEMU, and LXC),`
			`admin password injection is disabled by default. To enable it, set this option`
			in ``/etc/nova/nova.conf``:

			`.. code-block:: ini`

			`[libvirt]`
			`inject_password=true`

			`When enabled, Compute will modify the password of the admin account by editing`
			the ``/etc/shadow`` file inside the virtual machine instance.

libvirt: add Linux distribution guest only description for inject_xxx options Actually, inject_password, inject_key and inject_partition by libguestfs is only valid for linux guest. Add some descriptions for these. TrivialFix Change-Id: I5b2ef7d677a1d2d47052df5eaf8726cfc02eea1c Signed-off-by: Chen Hanxiao <chenhx@certusnet.com.cn> 2017-12-16 10:40:24 +08:00			`.. note::`

			`Linux distribution guest only.`

doc: Import administration guide Import all docs from openstack-manuals. Part of bp: doc-migration Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972 Co-Authored-By: Stephen Finucane <sfinucan@redhat.com> 2017-06-26 11:27:52 +00:00			`.. note::`

			Users can only use :command:`ssh` to access the instance by using the admin
			`password if the virtual machine image is a Linux distribution, and it has`
doc trivial: additional info to admin-password-injection Mention that image needs ssh password authorization configured in order to allow ssh login with admin password. Change-Id: I65a94b266dbef9863acc07306cbe2bd81c95c893 2018-09-18 22:59:49 +08:00			been configured to allow users to use :command:`ssh` as the root user with
			`password authorization. This is not the case for`
			`Ubuntu cloud images <http://uec-images.ubuntu.com>`_
doc: Import administration guide Import all docs from openstack-manuals. Part of bp: doc-migration Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972 Co-Authored-By: Stephen Finucane <sfinucan@redhat.com> 2017-06-26 11:27:52 +00:00			which, by default, does not allow users to use :command:`ssh` to access the
doc trivial: additional info to admin-password-injection Mention that image needs ssh password authorization configured in order to allow ssh login with admin password. Change-Id: I65a94b266dbef9863acc07306cbe2bd81c95c893 2018-09-18 22:59:49 +08:00			`root account, or`
			`CentOS cloud images <http://cloud.centos.org/centos/>`_ which, by default,
			does not allow :command:`ssh` access to the instance with password.
doc: Import administration guide Import all docs from openstack-manuals. Part of bp: doc-migration Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972 Co-Authored-By: Stephen Finucane <sfinucan@redhat.com> 2017-06-26 11:27:52 +00:00
			`.. rubric:: Password injection and Windows images (all hypervisors)`

			`For Windows virtual machines, configure the Windows image to retrieve the admin`
			password on boot by installing an agent such as `cloudbase-init
			<https://cloudbase.it/cloudbase-init>`_.