Re: [libvirt-jenkins-ci PATCH 1/5] ansible: Remove bootstrap phase

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 17, 2017 at 06:05:23PM +0200, Pavel Hrdina wrote:
> On Mon, Oct 16, 2017 at 06:02:04PM +0200, Andrea Bolognani wrote:
> > Having to bootstrap the guest as a separate phase is annoying and
> > can be avoided by assuming the root password is well-known.
> 
> I'm not sure about this.  Yes the password will be well known for us
> but I would rather have it generated and stored somewhere on the host.
> 
> The guests are hidden from internet but they are still connected to
> jenkins and are executing commands provided by jenkins.  Maybe I'm
> just too paranoid :).

Could we just generate a random root password, but install SSH public
keys and set SSH to only permit public key auth. 

That way if there is compromised code that we build for whatever
reasons, it can't use 'su' to escalate to root in the build VMs.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux