[Openstack-devel] openstack-debian-images_0.1_amd64.changes REJECTED

Thomas Goirand zigo at debian.org
Sun Jun 9 15:30:22 UTC 2013


Hi Ansgar,

Thanks for this review.

On 06/09/2013 06:00 PM, Ansgar Burchardt wrote:
> 
> Hi,
> 
> I won't accept the package in the archive in its current state:
> 
>   kpartx -av ${AMI_NAME}
>   [...]
>   mkfs.ext2 /dev/mapper/loop0p1
> 
> Data loss is not good.

Indeed. This was on my TODO. I've fixed that by checking the output of
kpartx to tell what device is in use.

>   chroot ${MOUNT_DIR} sh -c "echo root:password | chpasswd"
> 
> Default root passwords are not good. There's no reason to do this.

Hum... Let me give you a bit of context here.

At the end, the image will be published possibly with the "--public"
flag, and everyone will be able to brute-force it. So setting up a
random password doesn't really make sense.

It's also to be noted that root ssh logins are disabled (PermitRootLogin
without-password in sshd_config), and that in the context of such an
image, the "debian" user would be set up by cloud-init using the metadata
server provided ssh key (using the --key-name of "nova boot").

The only use of the default password is if the user of the image wants
to use Horizon (the OpenStack dashboard) web interface to login as
root. In this context, the user is already authenticated through
keystone. And then, the user would need to know the root password, since
no other user has a password defined (the "debian" user is created with
the "--disabled-password" option of adduser). It could also be useful in
the case of a single user mode after a failed FSCK for example.

>   deb http://http.debian.net/debian wheezy main
>   [...]
>   deb http://security.debian.org/ squeeze/updates main
> 
> Maybe not.

Yeah, I saw that typo, and it was already fixed in my Git.

> And some minor things:
> 
>   mount -o loop /dev/mapper/loop0p1 ${MOUNT_DIR}
> 
> Why? That looks wrong.

I'm now using the output of kpartx as device name. Is that the bit that
you are still referring to? Or do you have more concerns?

> Why is build-openstack-debian-image in /usr/bin if regular users cannot use it?

Moved to /usr/sbin.

> I'm also not sure if a package targeted at jessie should only be able to
> install wheezy.
> 
> Ansgar

Well, I had Wheezy in mind, though you are right, I should address both.

I've added a mandatory option on the command line to select the release
name, plus added a few more options and clean-ups:
- added "blacklist pcspkr" in /etc/modprobe.d/blacklist.conf
- added loading of acpiphp and pci_hotplug kernel modules (required for
mounting Cinder volumes)
- ...

Could you have a look again (I re-uploaded the package), and let me know
your thoughts about the default root password thing discussed above?

Cheers,

Thomas Goirand

P.S: How about the status of Nova?
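The kpartx check described in the mail above, as an added example in shell and not code from the openstack-debian-images package: it derives the partition device from what kpartx -av actually printed instead of assuming loop0p1, so mkfs is never pointed at a partition that belongs to some other loop device already in use. The function names and the sample kpartx output are constructed for the example.

```shell
#!/bin/sh
# Added example, not the package's own build script.
# Hard-coding /dev/mapper/loop0p1 destroys whatever happens to be on
# loop0 when it is already taken; read the mapping kpartx created instead.

# Print the /dev/mapper path of the first partition kpartx mapped.
# Reads "kpartx -av" output on stdin; in the real script:
#   dev=$(kpartx -av "$AMI_NAME" | first_mapped_partition)
first_mapped_partition() {
    # Typical line: "add map loop3p1 (253:4): 0 2095104 linear 7:3 2048"
    # Field 3 is the mapper name whatever the kpartx version prints after it.
    awk '$1 == "add" && $2 == "map" { print "/dev/mapper/" $3; exit }'
}

# Guard before mkfs: only accept a device-mapper partition node, never a
# raw disk or an empty string from an unparsed kpartx line.
check_mapper_device() {
    case "$1" in
        /dev/mapper/loop*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed kpartx output: loop0 was busy, so kpartx picked loop3.
SAMPLE_KPARTX_OUTPUT='add map loop3p1 (253:4): 0 2095104 linear 7:3 2048
add map loop3p2 (253:5): 0 1048576 linear 7:3 2097152'

# Resolve the device from the sample and validate it; prints the path
# that a following "mkfs.ext2 $dev" would safely use.
demo() {
    dev=$(printf '%s\n' "$SAMPLE_KPARTX_OUTPUT" | first_mapped_partition)
    check_mapper_device "$dev" || { echo "unexpected device: '$dev'" >&2; return 1; }
    printf '%s\n' "$dev"
}
```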
