Merge ~daniel-thewatkins/cloud-init/+git/cloud-init:doc into cloud-init:master

Proposed by Dan Watkins on 2019-08-02
Status: Merged
Approved by: Dan Watkins on 2019-08-07
Approved revision: 96fc01bc5a61c900671cb162028642039c27b82c
Merge reported by: Server Team CI bot
Merged at revision: not available
Proposed branch: ~daniel-thewatkins/cloud-init/+git/cloud-init:doc
Merge into: cloud-init:master
Diff against target: 73 lines (+34/-19)
1 file modified
cloudinit/config/ (+34/-19)
Reviewer Review Type Date Requested Status
Server Team CI bot continuous-integration Approve on 2019-08-07
Ryan Harper 2019-08-02 Approve on 2019-08-06
Review via email:

Commit message

cc_set_passwords: rewrite documentation

What we had previously was inaccurate in a few respects.

LP: #1838794

To post a comment you must log in.

PASSED: Continuous integration, rev:abf57a42d03b52a6681756ab1b025351f7fd038b
Executed test runs:
    SUCCESS: Checkout
    SUCCESS: Unit & Style Tests
    SUCCESS: Ubuntu LTS: Build
    SUCCESS: Ubuntu LTS: Integration
    IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:

review: Approve (continuous-integration)
Ryan Harper (raharper) wrote :

One question, otherwise happy to see the doc update.

Ryan Harper (raharper) wrote :


review: Approve

FAILED: Continuous integration, rev:721585f34f15330b3a47a5d3e9723317ee76cd0b
Executed test runs:
    SUCCESS: Checkout
    FAILED: Unit & Style Tests

Click here to trigger a rebuild:

review: Needs Fixing (continuous-integration)

PASSED: Continuous integration, rev:96fc01bc5a61c900671cb162028642039c27b82c
Executed test runs:
    SUCCESS: Checkout
    SUCCESS: Unit & Style Tests
    SUCCESS: Ubuntu LTS: Build
    SUCCESS: Ubuntu LTS: Integration
    IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:

review: Approve (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/cloudinit/config/ b/cloudinit/config/
2index 4585e4d..cf9b5ab 100755
3--- a/cloudinit/config/
4+++ b/cloudinit/config/
5@@ -9,27 +9,40 @@
6 """
7 Set Passwords
8 -------------
9-**Summary:** Set user passwords
11-Set system passwords and enable or disable ssh password authentication.
12-The ``chpasswd`` config key accepts a dictionary containing a single one of two
13-keys, either ``expire`` or ``list``. If ``expire`` is specified and is set to
14-``false``, then the ``password`` global config key is used as the password for
15-all user accounts. If the ``expire`` key is specified and is set to ``true``
16-then user passwords will be expired, preventing the default system passwords
17-from being used.
19-If the ``list`` key is provided, a list of
20-``username:password`` pairs can be specified. The usernames specified
21-must already exist on the system, or have been created using the
22-``cc_users_groups`` module. A password can be randomly generated using
23-``username:RANDOM`` or ``username:R``. A hashed password can be specified
24-using ``username:$6$salt$hash``. Password ssh authentication can be
25-enabled, disabled, or left to system defaults using ``ssh_pwauth``.
26+**Summary:** Set user passwords and enable/disable SSH password authentication
28+This module consumes three top-level config keys: ``ssh_pwauth``, ``chpasswd``
29+and ``password``.
31+The ``ssh_pwauth`` config key determines whether or not sshd will be configured
32+to accept password authentication. True values will enable password auth,
33+false values will disable password auth, and the literal string ``unchanged``
34+will leave it unchanged. Setting no value will also leave the current setting
35+on-disk unchanged.
37+The ``chpasswd`` config key accepts a dictionary containing either or both of
38+``expire`` and ``list``.
40+If the ``list`` key is provided, it should contain a list of
41+``username:password`` pairs. This can be either a YAML list (of strings), or a
42+multi-line string with one pair per line. Each user will have the
43+corresponding password set. A password can be randomly generated by specifying
44+``RANDOM`` or ``R`` as a user's password. A hashed password, created by a tool
45+like ``mkpasswd``, can be specified; a regex
46+(``r'\\$(1|2a|2y|5|6)(\\$.+){2}'``) is used to determine if a password value
47+should be treated as a hash.
49 .. note::
50- if using ``expire: true`` then a ssh authkey should be specified or it may
51- not be possible to login to the system
52+ The users specified must already exist on the system. Users will have been
53+ created by the ``cc_users_groups`` module at this point.
55+By default, all users on the system will have their passwords expired (meaning
56+that they will have to be reset the next time the user logs in). To disable
57+this behaviour, set ``expire`` under ``chpasswd`` to a false value.
59+If a ``list`` of user/password pairs is not specified under ``chpasswd``, then
60+the value of the ``password`` config key will be used to set the default user's
63 **Internal name:** ``cc_set_passwords``
65@@ -160,6 +173,8 @@ def handle(_name, cfg, cloud, log, args):
66 hashed_users = []
67 randlist = []
68 users = []
69+ # N.B. This regex is included in the documentation (i.e. the module
70+ # docstring), so any changes to it should be reflected there.
71 prog = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')
72 for line in plist:
73 u, p = line.split(':', 1)


People subscribed via source and target branches