On Tue, Oct 17, 2017 at 06:05:23PM +0200, Pavel Hrdina wrote: > On Mon, Oct 16, 2017 at 06:02:04PM +0200, Andrea Bolognani wrote: > > Having to bootstrap the guest as a separate phase is annoying and > > can be avoided by assuming the root password is well-known. > > I'm not sure about this. Yes the password will be well known for us > but I would rather have it generated and stored somewhere on the host. > > The guests are hidden from internet but they are still connected to > jenkins and are executing commands provided by jenkins. Maybe I'm > just too paranoid :). Could we just generate a random root password, but install SSH public keys and set SSH to only permit public key auth. That way if there is compromised code that we build for whatever reasons, it can't use 'su' to escalate to root in the build VMs. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list