StarCluster - Mailing List Archive

Re: problem modifying starcluster AMI - ubuntu password change does not persist

From: MacMullan, Hugh <no email>
Date: Wed, 18 Jun 2014 19:45:56 +0000

Super!

Another thing to consider is that the 'ubuntu' user on those AMIs has sudo w/o password access. Just one more reason to NOT use that account for the login bit, but create a separate (lesser-privileged) user for that. All of which probably doesn't matter much if you're restricting access with security groups, etc., but I thought I would mention it.

-Hugh

-----Original Message-----
From: Dan Tenenbaum [mailto:dtenenba_at_fhcrc.org]
Sent: Wednesday, June 18, 2014 3:05 PM
To: MacMullan, Hugh
Cc: starcluster_at_mit.edu
Subject: Re: [StarCluster] problem modifying starcluster AMI - ubuntu password change does not persist

Hi Hugh,

That's extremely helpful. And in fact changing lock_passwd to False did the trick. No need for crontab hacks.

Thank!
Dan


----- Original Message -----
> From: "Hugh MacMullan" <hughmac_at_wharton.upenn.edu>
> To: "Dan Tenenbaum" <dtenenba_at_fhcrc.org>
> Cc: starcluster_at_mit.edu
> Sent: Wednesday, June 18, 2014 11:46:36 AM
> Subject: RE: [StarCluster] problem modifying starcluster AMI - ubuntu password change does not persist
>
> Have a look at /etc/cloud/cloud.cfg, particularly the 'default_user'
> section. Notice the 'lock_passwd: True'. You could change that to
> False ... OR better would be to create a different user (say,
> rlogin), which will NOT be locked by default on init, so you should
> be good to go.
>
> -Hugh
>
> -----Original Message-----
> From: starcluster-bounces_at_mit.edu
> [mailto:starcluster-bounces_at_mit.edu] On Behalf Of Dan Tenenbaum
> Sent: Wednesday, June 18, 2014 1:17 PM
> To: Rayson Ho
> Cc: starcluster_at_mit.edu
> Subject: Re: [StarCluster] problem modifying starcluster AMI - ubuntu
> password change does not persist
>
> I tried attaching the console log output but the list rejected it as
> being too large. You can find it here:
>
> https://s3.amazonaws.com/bioc-misc/console-log.txt
>
> Thanks,
> Dan
>
>
> ----- Original Message -----
> > From: "Dan Tenenbaum" <dtenenba_at_fhcrc.org>
> > To: "Rayson Ho" <raysonlogin_at_gmail.com>
> > Cc: starcluster_at_mit.edu
> > Sent: Tuesday, June 17, 2014 4:37:20 PM
> > Subject: Re: [StarCluster] problem modifying starcluster AMI -
> > ubuntu password change does not persist
> >
> > Attached is the console log output. It doesn't explicitly say
> > anything about changing passwords (though I didn't read it super
> > carefully) but it does say things like "running script /whatever"
> > and I don't know what's in those scripts.
> >
> > Thanks,
> > Dan
> >
> >
> > ----- Original Message -----
> > > From: "Rayson Ho" <raysonlogin_at_gmail.com>
> > > To: "Dan Tenenbaum" <dtenenba_at_fhcrc.org>
> > > Cc: starcluster_at_mit.edu
> > > Sent: Tuesday, June 17, 2014 4:01:01 PM
> > > Subject: Re: [StarCluster] problem modifying starcluster AMI -
> > > ubuntu password change does not persist
> > >
> > >
> > >
> > > On Tue, Jun 17, 2014 at 6:57 PM, Dan Tenenbaum <
> > > dtenenba_at_fhcrc.org
> > > >
> > > wrote:
> > >
> > >
> > >
> > > Thanks. I booted up an instance but the Get System Log action did
> > > not
> > > show any output.
> > >
> > >
> > > It can take up to 10 mins (sometimes even more!) for the log to
> > > propagate to the web console.
> > >
> > > Rayson
> > >
> > > ==================================================
> > > Open Grid Scheduler - The Official Open Source Grid Engine
> > > http://gridscheduler.sourceforge.net/
> > > http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html
> > >
> > >
> > >
> > >
> > >
> > > Is this available in some other way, like with dmesg or
> > > something?
> > > (I
> > > looked briefly at the dmesg output but did not see anything
> > > suggesting the password was reset).
> > >
> > > I think I have come up with a workaround, which is to use
> > > something
> > > like this in root's crontab:
> > >
> > > _at_reboot echo "ubuntu:foobar" | /usr/sbin/chpasswd >
> > > /tmp/chpasswd.result 2>&1
> > >
> > > Of course, this is completely insecure. Luckily, in this context,
> > > I
> > > don't actually care about security, and in fact I want this
> > > password
> > > to be publicly known by users of the AMI. So this still might
> > > need
> > > to be fixed at the cloud-init level sometime down the line, when
> > > me
> > > or someone else runs across this and needs a secure solution.
> > >
> > >
> > > Dan
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Rayson Ho" < raysonlogin_at_gmail.com >
> > > > To: "Dan Tenenbaum" < dtenenba_at_fhcrc.org >
> > > > Cc: starcluster_at_mit.edu
> > >
> > >
> > > > Sent: Tuesday, June 17, 2014 3:19:01 PM
> > > > Subject: Re: [StarCluster] problem modifying starcluster AMI -
> > > > ubuntu password change does not persist
> > > >
> > > >
> > > > I believe it is cloud-init, which is installed by default on
> > > > all
> > > > the
> > > > Ubuntu AMI images, that is changing your password for the
> > > > ububtu
> > > > user.
> > > >
> > > >
> > > > So to verify, after you boot up an instance with your new AMI,
> > > > get
> > > > the instance's console output by using the "Get System Log"
> > > > action.
> > > > If there is a line like: Changing password for ubuntu, or
> > > > anything
> > > > related to password in the boot log, then we can fix that for
> > > > you
> > > > by
> > > > changing the cloud-init behavior.
> > > >
> > > >
> > > > Rayson
> > > >
> > > > ==================================================
> > > > Open Grid Scheduler - The Official Open Source Grid Engine
> > > > http://gridscheduler.sourceforge.net/
> > > > http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html
> > > >
> > > >
> > > > On Tue, Jun 17, 2014 at 5:16 PM, Dan Tenenbaum <
> > > > dtenenba_at_fhcrc.org
> > > > >
> > > > wrote:
> > > >
> > > >
> > > > However, I just reproduced the problem in a few simpler steps:
> > > >
> > > > - launched an instance of the sc ami ami-3393a45a (in the aws
> > > > console)
> > > > - ssh'd to it, changed ubuntu's password to foobar
> > > > - verified that the change worked by doing 'su - ubuntu'
> > > > - created an image (again in the console) based on that
> > > > instance
> > > > - started a new instance of the image from the last step
> > > > - ssh'd in as ubuntu
> > > > - 'su - ubuntu' with the password I set fails.
> > > >
> > > >
> > > > Dan
> > > >
> > > >
> > > > ----- Original Message -----
> > > >
> > > > > From: "Dan Tenenbaum" < dtenenba_at_fhcrc.org >
> > > > > To: "Rayson Ho" < raysonlogin_at_gmail.com >
> > > > > Cc: starcluster_at_mit.edu
> > > >
> > > >
> > > > > Sent: Tuesday, June 17, 2014 1:54:45 PM
> > > > > Subject: Re: [StarCluster] problem modifying starcluster AMI
> > > > > -
> > > > > ubuntu password change does not persist
> > > > >
> > > > > Hi Rayson,
> > > > >
> > > > > I went through a couple of iterations.
> > > > >
> > > > > I started by using launching the SC AMI with the command
> > > > > documented
> > > > > at
> > > > > http://star.mit.edu/cluster/docs/latest/manual/create_new_ami.html
> > > > > ( starcluster start -o -s 1 -I <INSTANCE-TYPE> -m
> > > > > <BASE-AMI-ID>
> > > > > imagehost)
> > > > >
> > > > > Then I added chef to the running instance (I did not change
> > > > > any
> > > > > passwords at this point).
> > > > >
> > > > > Then I created a new image from that using the starcluster
> > > > > ebimage
> > > > > command, and used vagrant (with the aws plugin) and chef to
> > > > > provision an instance of that image according to my needs and
> > > > > to
> > > > > change ubuntu's password.
> > > > >
> > > > > I'm wondering if there are startup daemons, or NFS, or
> > > > > something,
> > > > > that somehow resets the /etc/passwd file or explicitly resets
> > > > > ubuntu's password?
> > > > >
> > > > > Thanks,
> > > > > Dan
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Rayson Ho" < raysonlogin_at_gmail.com >
> > > > > > To: "Dan Tenenbaum" < dtenenba_at_fhcrc.org >
> > > > > > Cc: starcluster_at_mit.edu
> > > > > > Sent: Tuesday, June 17, 2014 1:31:07 PM
> > > > > > Subject: Re: [StarCluster] problem modifying starcluster
> > > > > > AMI
> > > > > > -
> > > > > > ubuntu password change does not persist
> > > > > >
> > > > > >
> > > > > > What tools did you use to create the AMI? Did you use the
> > > > > > web
> > > > > > console
> > > > > > or you use the StarCluster command?
> > > > > >
> > > > > >
> > > > > > If you use the SC ebsimage command, then did you change
> > > > > > your
> > > > > > password
> > > > > > on the image host?
> > > > > >
> > > > > >
> > > > > > Rayson
> > > > > >
> > > > > > ==================================================
> > > > > > Open Grid Scheduler - The Official Open Source Grid Engine
> > > > > > http://gridscheduler.sourceforge.net/
> > > > > > http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html
> > > > > >
> > > > > >
> > > > > > On Tue, Jun 17, 2014 at 3:17 PM, Dan Tenenbaum <
> > > > > > dtenenba_at_fhcrc.org
> > > > > > >
> > > > > > wrote:
> > > > > >
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > This might sound like an EC2 question that has nothing to
> > > > > > do
> > > > > > with
> > > > > > starcluster, and in fact I have asked it on some AWS forums
> > > > > > (there've been no answers). However, I have never
> > > > > > encountered
> > > > > > this
> > > > > > problem before until I started modifying a starcluster AMI,
> > > > > > so
> > > > > > I
> > > > > > wonder if it is related to what's on that AMI.
> > > > > >
> > > > > > I made a custom AMI based on the starcluster AMI
> > > > > > ami-3393a45a
> > > > > > (us-east-1 starcluster-base-ubuntu-13.04-x86_64 (EBS))).
> > > > > >
> > > > > > I installed a bunch of additional software and I also set
> > > > > > the
> > > > > > password of the ubuntu user to (let's say) 'foobar'.
> > > > > >
> > > > > > The reason I did that is that I installed a web app that
> > > > > > uses
> > > > > > unix
> > > > > > usernames and passwords for authentication. So I needed the
> > > > > > ubuntu
> > > > > > user to have a known password.
> > > > > >
> > > > > > I then made a new image based on my running instance. Then
> > > > > > I
> > > > > > started
> > > > > > a new instance from that image.
> > > > > > I ssh'd to that instance as the ubuntu user and typed
> > > > > > 'passwd'.
> > > > > > I
> > > > > > was
> > > > > > prompted for my existing password and entered 'foobar'. I
> > > > > > then
> > > > > > got:
> > > > > >
> > > > > > passwd: Authentication token manipulation error
> > > > > > passwd: password unchanged
> > > > > >
> > > > > > This tells me that the password for ubuntu is not 'foobar'.
> > > > > >
> > > > > > Another way to test this is to try 'su - ubuntu'. This
> > > > > > prompts
> > > > > > for
> > > > > > the password, I enter 'foobar' and it says "su:
> > > > > > Authentication
> > > > > > failure".
> > > > > >
> > > > > > So...in a nutshell, when I change the ubuntu password, this
> > > > > > change
> > > > > > does not survive the process of creating a new AMI.
> > > > > >
> > > > > > Could this be due to the way the starcluster AMI is
> > > > > > configured?
> > > > > > Is
> > > > > > there some script that runs when it boots that re-sets that
> > > > > > password? I'm not passing any user-data when I start the
> > > > > > instance.....(I also tried a crontab _at_reboot job that
> > > > > > changes
> > > > > > the
> > > > > > password and that didn't work either....so maybe whatever
> > > > > > is
> > > > > > messing
> > > > > > me up is happening after that job is run).
> > > > > >
> > > > > > Thanks,
> > > > > > Dan
> > > > > > _______________________________________________
> > > > > > StarCluster mailing list
> > > > > > StarCluster_at_mit.edu
> > > > > > http://mailman.mit.edu/mailman/listinfo/starcluster
> > > > > >
> > > > > >
> > > > > _______________________________________________
> > > > > StarCluster mailing list
> > > > > StarCluster_at_mit.edu
> > > > > http://mailman.mit.edu/mailman/listinfo/starcluster
> > > > >
> > > >
> > > >
> > >
> > >
> >
> _______________________________________________
> StarCluster mailing list
> StarCluster_at_mit.edu
> http://mailman.mit.edu/mailman/listinfo/starcluster
>
Received on Wed Jun 18 2014 - 15:46:01 EDT
This archive was generated by hypermail 2.3.0.

Search:

Sort all by:

Date

Month

Thread

Author

Subject