
nova get-password [closed]

asked 2014-06-16 04:13:49 -0500

sameer

Suppose I want to do my own image customization (no cloud-init), including generating a password and posting it to the metadata password URL. How do I encrypt it with the public key obtained from the instance metadata such that 'nova get-password' can decrypt it?



Closed for the following reason: the question is answered, right answer was accepted by koolhead17
close date 2014-06-17 06:48:26.126409

1 answer


answered 2014-06-16 20:45:33 -0500

sameer

Answering my own question. The script below explains it.

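#!/usr/bin/env bash
# Placeholders: metadata-service URLs for the instance's public key and the password endpoint
KEY_URL="<metadata-public-key-url>"
PASSWORD_URL="<metadata-password-url>"
SSH_KEYFILE=$(mktemp)   # public key in OpenSSH format
SSL_KEYFILE=$(mktemp)   # same key converted to PEM for openssl

# Fetch the public key of the key pair the instance was booted with
if ! curl -s -f "$KEY_URL" > "$SSH_KEYFILE"; then
  echo "Failed to get key"
  exit 1
fi

# Generate a 16-character password and set it for the ubuntu user
PASSWORD=$(openssl rand -base64 48 | tr -d '/+' | cut -c1-16)
sudo usermod ubuntu -p "$(openssl passwd -1 "$PASSWORD")"

# Convert the key to PKCS8 PEM, then RSA-encrypt and base64-encode the password
ssh-keygen -e -f "$SSH_KEYFILE" -m PKCS8 > "$SSL_KEYFILE"
ENCRYPTED=$(echo "$PASSWORD" | openssl rsautl -encrypt -pubin -inkey "$SSL_KEYFILE" -keyform PEM | openssl base64 -e -A)
# Print to the console (for older clients) and post to the metadata service
echo $'\n'"ENCRYPTED_PASSWORD:$ENCRYPTED" | sudo tee /dev/console
curl -X POST -d "$ENCRYPTED" "$PASSWORD_URL" || true
# get the script
# curl -sOL
# add keypair
# nova add-key --pub-key .ssh/ mykey
# boot instance
# nova boot --flavor <flavor-id> --image <image-uuid> --key-name mykey --user-data test
# Get the password on the client side:
# nova get-password test .ssh/id_rsa
# Or with an older nova install:
# nova console-log test | grep 'ENCRYPTED_PASSWORD' | cut -d':' -f2 | tail -n 1 | openssl base64 -d -A | openssl rsautl -decrypt -inkey .ssh/id_rsa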
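
The encryption path in the answer above can be checked offline before it is baked into an image. The following is an added example, not part of the original answer: it generates a throwaway key pair, encrypts a constructed sample password the way the script does, and decrypts it with the private key as the client side does. The function names are hypothetical, and `openssl pkeyutl` stands in for `rsautl` (deprecated in OpenSSL 3.0); both default to PKCS#1 v1.5 padding.

```shell
# Added example (not from the original answer). Needs only ssh-keygen and openssl.

# encrypt_for_keypair <openssh-public-key-file> <plaintext>
# Prints the base64 blob that would be posted to the metadata password URL.
encrypt_for_keypair() {
  local pub="$1" plaintext="$2" tmp rc
  tmp=$(mktemp -d) || return 1
  # OpenSSH public key -> PEM public key that openssl can read.
  # printf '%s' keeps a trailing newline out of the encrypted plaintext.
  ssh-keygen -e -f "$pub" -m PKCS8 > "$tmp/pub.pem" 2>/dev/null &&
    printf '%s' "$plaintext" |
      openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" -out "$tmp/ct.bin" &&
    openssl base64 -e -A -in "$tmp/ct.bin"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# decrypt_with_private_key <pem-private-key-file> <base64-blob>
# Mirrors the client-side pipeline: base64-decode, then RSA-decrypt.
decrypt_with_private_key() {
  printf '%s\n' "$2" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1"
}

# Generates a throwaway key pair, runs both directions, and prints the blob
# length on success. Returns non-zero if any step fails or the text differs.
roundtrip_demo() {
  local dir pw blob out rc=1
  dir=$(mktemp -d) || return 1
  pw='S4mplePassw0rd16'   # constructed sample value, 16 characters
  # -m PEM: openssl cannot parse the newer default OpenSSH private-key format
  if ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$dir/id_rsa" &&
     blob=$(encrypt_for_keypair "$dir/id_rsa.pub" "$pw") &&
     out=$(decrypt_with_private_key "$dir/id_rsa" "$blob") &&
     [ "$out" = "$pw" ]; then
    printf '%s\n' "${#blob}"   # 344 base64 characters for a 2048-bit key
    rc=0
  fi
  rm -rf "$dir"
  return "$rc"
}

roundtrip_demo >/dev/null && echo "round trip OK"
```
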

Asked: 2014-06-16 04:13:49 -0500

Seen: 2,960 times

Last updated: Jun 16 '14