Bug 1225069 - [RFE] We need to let user to set root password for the controllers and computes.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: Director
Hardware: Unspecified
OS: Unspecified
low
high
Target Milestone: Upstream M3
: 11.0 (Ocata)
Assignee: Emilien Macchi
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Duplicates: 1205444
Depends On:
Blocks:
Reported: 2015-05-26 13:56 UTC by Leonid Natapov
Modified: 2019-09-12 08:29 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-6.0.0-0.20170130212245.el7ost
Doc Type: Known Issue
Doc Text:
For security reasons, the Overcloud only allows SSH key-based access by default. You can set a root password on the disk image for the overcloud using the virt-customize tool, which is found in the Red Hat Enterprise Linux Extras channel. After installing the tool and downloading the Overcloud images, use the following command to change the root password:

$ virt-customize -a overcloud-full.qcow2 --root-password password:<my_root_password>

Perform this operation prior to uploading the images into glance with the "openstack overcloud image upload" command.
Clone Of:
Environment:
Last Closed: 2017-05-17 19:22:29 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| OpenStack gerrit | 416697 | 0 | 'None' | MERGED | Add example showing how to set root password via cloud-init | 2021-02-16 15:47:01 UTC |
| Red Hat Product Errata | RHEA-2017:1245 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory | 2017-05-17 23:01:50 UTC |

Description Leonid Natapov 2015-05-26 13:56:36 UTC
Now the user doesn't have root access to the controllers and computes.
Everything is done by using a public key. If for some reason the public key file gets damaged, deleted, or re-generated, the user will have no access to the controllers and computes. Just as in Staypuft we asked the user to set a root password, we should do the same in RDO.

Comment 4 chris alfonso 2015-07-31 18:21:36 UTC
Mike, should we close this if we aren't going to implement it based upon the security concern?

Comment 5 chris alfonso 2015-07-31 18:22:07 UTC
*** Bug 1205444 has been marked as a duplicate of this bug. ***

Comment 11 Salman Khan 2016-06-07 14:20:57 UTC
Even though we set the root password, we can't SSH in as the root user. We would have to use the SSH key with the "heat-admin" user to log in and then use "su" to get root access.

Comment 12 Stephen Gordon 2016-06-09 18:51:19 UTC
Bulk update to reflect scope of Red Hat OpenStack Platform 9 and Red Hat OpenStack Platform does not include this issue (No pm_ack+).

Comment 13 Steven Hardy 2017-01-04 18:13:47 UTC
This is already possible by passing some custom userdata to cloud-init; I posted an example upstream:

https://review.openstack.org/416697

Another option would be to use virt-customize to modify the image, but ref comment #8 I don't think we should enable either option by default; folks can choose either the cloud-init or image customization option depending on their requirements.

Comment 18 Gurenko Alex 2017-02-22 07:51:35 UTC
Verified. Just a few notes here:

- If Comment 13's example is used, this will set the password for all nodes
- If the password in the YAML file is empty, it will give the following error early in the deployment: CommandError: Could not fetch contents for file:///home/stack/path/to/userdata_root_password.yaml
- Changing the password in the YAML file will not update the root password after the initial deployment

Comment 19 Gurenko Alex 2017-02-22 07:57:01 UTC
Forgot to mention:

rpm -q openstack-tripleo-heat-templates
openstack-tripleo-heat-templates-6.0.0-0.20170218023452.edbaaa9.el7ost.noarch
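
The cloud-init approach discussed in comments 13 and 18, as an added example: this is not the template from the upstream review and not part of any comment in this bug. The parameter name NodeRootPassword, the minimum-length constraint, and the choice to leave SSH password authentication off (so the password serves console login and "su" from heat-admin, as in comment 11) are assumptions of this example.

```yaml
# Heat first-boot template, e.g. userdata_root_password.yaml (name from comment 18).
# Enable it with an environment file passed with "-e" at deploy time:
#   resource_registry:
#     OS::TripleO::NodeUserData: /home/stack/path/to/userdata_root_password.yaml
#   parameter_defaults:
#     NodeRootPassword: '<my_root_password>'   # placeholder, not a real value
heat_template_version: 2016-10-14

description: >
  Added example: set the root password at first boot through cloud-init
  while leaving SSH access key-based.

parameters:
  NodeRootPassword:          # assumed parameter name
    type: string
    hidden: true             # mask the value when stack parameters are shown
    description: Root password applied to every node that gets this userdata
    constraints:
      - length: {min: 1}     # reject an empty password at validation time

resources:
  userdata:
    type: OS::Heat::MultipartMime
    properties:
      parts:
        - config: {get_resource: root_config}

  root_config:
    type: OS::Heat::CloudConfig
    properties:
      cloud_config:
        ssh_pwauth: false    # no SSH password logins; keys remain the only SSH path
        chpasswd:
          expire: false      # do not force a password change at first login
          list:
            str_replace:
              template: "root:PASSWORD"
              params:
                PASSWORD: {get_param: NodeRootPassword}

outputs:
  OS::stack_id:
    value: {get_resource: userdata}
```

The password is delivered to each node in plain text inside its userdata, so it should be treated as exposed to anything on the node that can read instance userdata.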

Comment 21 errata-xmlrpc 2017-05-17 19:22:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245