Generic cloud or qcow

the qcow booted fine for me. Maybe this is a silly question, but what are the creds?

@adamaze usually the image, when it boots, uses cloud-init, which would inject the SSH key for you to be able to gain access. Assuming that you did provide your SSH key to do this when booting the image, then you should be able to ssh in using rocky as the username, which should have your SSH key attached to it. This is the normal practice, for example, when booting instances with AWS, OpenStack, etc. that use such images.

To be honest, I ended up here with a quick Google. I saw that there was a qcow file mentioned, so I literally just downloaded that and made a VM off of it… So I didn’t do anything custom to it. It seemed too good to be true, and it looks like it was. I have only ever used cloud images on AWS, and I was looking for something that simple for my home lab using libvirt/virt-manager.

Is there something I can do to this official image to inject my key in? Or am I asking the wrong question?

With libvirt/kvm I doubt very much that is possible. At best, boot from an ISO in rescue mode, mount the partition, chroot into it and reset the password for the rocky user using passwd rocky. You will have to do touch /.autorelabel so that SELinux will fix the contexts on /etc/passwd and /etc/shadow after the password change. Then you exit the chroot and reboot, and you should be able to gain access to the system.

Although it is probably easier to download the minimal ISO and do a Rocky install, like I did in virt-manager with libvirt/kvm.

In centos 7 you can use ‘guestfish’ command to mount and make changes to qcow2 image, it should be part of libguestfs tools and it can be used to change the password or add a new user etc…

Hi,

Since these are cloud images they very likely run cloud-init.
All devs who use cloud-init take the following info for granted and assume you already know all this.
Hence the really poorly written documentation on this subject.

You probably need to provide user-data and meta-data to configure the pubkey for root and/or any other user
also the root account is default disabled and only pubkey auth is allowed.

So you either unlock the root account or add a user that is allowed to do sudo.
Also provide pubkeys or enable password auth.

I personally use the nocloud way to do this
ie: on an iso image with the label cidata (the label MUST be cidata or CIDATA)
containing two files: meta-data and user-data (when using redhat family distros the file network-config won’t work)

[root@home~]#cat meta-data
instance-id: 7fb51d52-b760-59f9-af13-eb63a61b0afb

network-interfaces: |
  auto eth0  
  iface eth0 inet static
  address 192.168.100.3
  network 192.168.100.0
  netmask 255.255.255.0
  broadcast 192.168.100.255
  gateway 192.168.100.1
  dns-nameservers 192.168.100.2
  dns-search linux.lab
[root@home~]#cat user-data
#cloud-config
preserve_hostname: false
hostname: rocky8
fqdn: rocky8.linux.lab
ssh_pwauth: True
users:
  - name: root
    hashed_passwd: $6$h1yH04xTmMdzeQoL$1CurwduV5JjozaxnrsHj/UaO7PIrnI89l0s.2/jdesNtHwf6tmUs5fK9HH38wikGXyzY2u1fOoBQ.TVTdTWEl/
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa <your pubkey here>
runcmd:
  - echo 'hello world 1'
  - echo 'hello world 2'
  - echo 'hello world 3'

then create the iso

genisoimage -volid cidata -joliet -rock -output /path/to/my_config.iso  /path/to/user-data /path/to/meta-data

this will create the iso
mount it in the cdrom of the vm running the qcow then (re)boot it.

some details
meta-data

  • when using redhat family distros, this deprecated debian config is the only way to get it to work
    with a nocloud setup
    google for the interfaces man pages for details
    or try the ubuntu network config instructions for ubuntu 16.04 they kinda match
  • this is a yaml file, indenting is important
  • yaml … do NOT use tabs in yaml files
  • the ‘|’ is the last character on that line
  • if you want to use dhcp, only keep the line with instance-id:
    the instance-id needs to match that in the cloud of azure/aws/googlecompute/kubernetes/etc
    in your kvm/libvirt/virtualbox/vmware environment you can put anything in there that is a string without whitespace (I think)

user-data

  • Do NOT modify the line ‘#cloud-config’
  • this is a yaml file ( or rather , what the devs of cloud-init think what a yaml file is supposed to look like)
  • the root password will be reset to ‘rocky84’ ( it is a sha512sum hash of rocky84 in the user-data)
    I use ansible to hash this for me, as usual there are many ways to do this happy googling
    any hash that your distro accepts in the shadow file will do in this location
  • fill in whatever pub key you like and you can do passwordless login
    that is whatever is in your ~/.ssh/id_rsa.pub starting with ssh-rsa ( it will be added to the authorized_keys of the user)
  • ssh_pwauth: true enables password login ( leave it out or set to false if you don’t want that)
  • lock_passwd: false enables the account ( leave it out or set to true if you don’t want that)
  • runcmd: is a list of commands that will be run in the order mentioned
    runcmd is optional and only needed for stuff that needs to be done really early in the boot process
    there is also a more intelligent way to put scripts in there called write-files

details about everything can be found in the cloud-init docs
which are horrible to read (they really do take this stuff for granted), but they do contain an awful lot of detailed information.
Which you will realize after you googled for weeks on how to use them.

Rob

2 Likes
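
A key-only variant of the NoCloud seed from the post above, as an added example that is not part of the original thread: it creates a non-root sudo user instead of unlocking root with a password hash, keeps SSH password login off, and refuses to embed a private key file. The function names, the wheel group, the passwordless sudo rule and the seed.iso file name are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: key-only NoCloud seed (names and defaults are assumptions).
set -eu

# True only for a one-line OpenSSH public key; private key files are refused.
is_public_key() {
  local f=$1
  [ -r "$f" ] || return 1
  if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
  [ "$(grep -c . "$f")" -eq 1 ] || return 1
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$f"
}

# write_seed OUTDIR HOSTNAME USER PUBKEY_FILE
write_seed() {
  local out=$1 host=$2 user=$3 keyfile=$4 key
  is_public_key "$keyfile" || { echo "refusing $keyfile: not a public key" >&2; return 1; }
  key=$(grep . "$keyfile")
  mkdir -p "$out"
  # A fresh instance-id makes cloud-init treat the next boot as a first boot.
  printf 'instance-id: %s-%s\nlocal-hostname: %s\n' "$host" "$(date +%s)" "$host" > "$out/meta-data"
  cat > "$out/user-data" <<EOF
#cloud-config
hostname: $host
ssh_pwauth: false
disable_root: true
users:
  - name: $user
    groups: wheel
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    lock_passwd: true
    ssh_authorized_keys:
      - "$key"
EOF
}

# Same genisoimage call as in the post; the volume label must be cidata.
build_iso() {
  genisoimage -volid cidata -joliet -rock -output "$1/seed.iso" "$1/user-data" "$1/meta-data"
}

# Run as: ./make-seed.sh OUTDIR HOSTNAME USER PUBKEY_FILE
if [ "$#" -eq 4 ]; then write_seed "$@" && build_iso "$1"; fi
```

Because the account has a locked password, sudo has to be passwordless for the user to administer the VM; attach the resulting seed.iso to the VM's CD-ROM exactly as described in the post.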

thanks everyone for the great responses!
I went with what seemed the simplest fix for what I needed.

grab cloud image
wget https://download.rockylinux.org/pub/rocky/8.4/images/Rocky-8-GenericCloud-8.4-20210620.0.x86_64.qcow2 -O /var/lib/libvirt/images/rocky_gold_template.qcow2
install libguestfs-tools to get guestfish
yum install -y libguestfs-tools
“mount” up image RW
guestfish --rw -a /var/lib/libvirt/images/rocky_gold_template.qcow2 -i
inside the guestfish prompt, run the following (i just paste in all at once)

mkdir /root/.ssh
touch /root/.ssh/authorized_keys
chmod 0700 /root/.ssh/
chmod 0600 /root/.ssh/authorized_keys
touch /.autorelabel
vi /root/.ssh/authorized_keys

paste your desired public key in and save/quit
exit guestfish shell:
quit

copy your new gold template to a new file for use by a new VM
cp /var/lib/libvirt/images/rocky_gold_template.qcow2 /var/lib/libvirt/images/rocky-test-vm.qcow2

and now you are ready to import a VM specifying the new rocky-test-vm.qcow2

feel free to tell me if this is a terrible way to do it, but it seemed to work just fine for me :slight_smile:

I also wanted to note here that virt-install and the like accept a --cloud-init argument which, by default, will generate a random root password for the host and display it to the user during installation. It’s also super simple to add a key using the --cloud-init argument using some simple userdata. If anyone needs a tutorial on that, I’d be happy to find some time to write something up, but I’m sure there are some online already too!

E.g., the auto-generation of a root pw

The command:

virt-install --name "your-vm-name" \
--virt-type kvm --import \
--memory 1024 --vcpus 2 \
--disk path=/tmp/cloud.qcow2,device=disk \
--os-type Linux --os-variant centos8 \
--network default \
--console pty,target_type=serial --graphics vnc \
--cloud-init root-password-generate=on,disable=on
2 Likes

This isn’t working for me, I’m getting the following error:

[root@util QCOWs]# guestfish --rw -a Rocky-8-GenericCloud-8.5-20211114.2.x86_64.qcow2 -i
libguestfs: error: mount: mount exited with status 32: mount: wrong fs type, bad option, bad superblock on /dev/sda1,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

Do we have any workaround for this issue, please?

Hi neil,

I just tried this out, only to realize that the --cloud-init option was introduced in version 3.0.0, but rocky 8.5 uses version 2.2.1. Am I missing something, or gasp are you not using Rocky as your kvm server?

I ended up using virt-customize to replace my guestfish steps. Here is a tiny bash script I made:

#!/bin/bash
# Set a few variables
hostname_to_build=rocky-forum-test
ram=4096
vcpus=4
disk_size=10
ssh_key=/var/lib/libvirt/images/cenmain_id_rsa.pub
rocky_image_url=https://download.rockylinux.org/pub/rocky/8.5/images/Rocky-8-GenericCloud-8.5-20211114.2.x86_64.qcow2
gold_image=/var/lib/libvirt/images/rocky_gold_template.qcow2

# Grab Rocky 8.5 image if it doesn't already exist
if [[ ! -f "$gold_image" ]]; then
	wget "$rocky_image_url" -O "$gold_image"
fi
# copy/rename image for use with new VM (source is the same template file downloaded above)
cp "$gold_image" "/var/lib/libvirt/images/${hostname_to_build}.qcow2"

# use virt-customize to set hostname and place ssh key (public key file)
virt-customize -a "/var/lib/libvirt/images/${hostname_to_build}.qcow2" --hostname "$hostname_to_build" --ssh-inject "root:file:$ssh_key" --uninstall cloud-init --selinux-relabel

# use virt-install to deploy customized VM image
virt-install -n "$hostname_to_build" --os-type=Linux --os-variant=centos8 --ram="$ram" --vcpus="$vcpus" --disk "path=/var/lib/libvirt/images/${hostname_to_build}.qcow2,bus=virtio,size=$disk_size" --network bridge:br0 --import --noautoconsole


3 Likes

If you are still on this, I would suggest trying the other way I found (virt-customize)

Great point! My workstation here runs fedora :stuck_out_tongue:

I have a different question although somewhat related. Let me get to the question. Can you successfully install a Rocky 8.x image that is hardened using the Standard Red Hat Linux VM hardening?

I built my Rocky 8.x VM with hardening on Virtual Box (vmdk format) and then converted with qemu-img tools to qcow2. When I install on the Openstack cloud, it only triggers initramfs and when I run blkid, I do not pickup my hard drive partitions.

As you’ve posted a duplicate question, I will answer it in your other post. It’s best not to double-post to save people confusion.

1 Like

to @adamaze and @iwalker : walkthrough about how to authenticate a cloud image using virsh (so virt-manager should be easy to get to from there)

I also came here looking for said cloud images. any tar.xz for systemd? Will keep scouring …

Nice, glad you got it sorted … should have read the rest of the thread before posting :wink: anyway, hope the link helps, too …

Hi,
Has anyone tried to customize an image for Azure from Index of /vault/rocky/8.4/images/ (rockylinux.org)?
My purpose is to push a custom Rocky image into Azure and create my VMs from the generic qcow2 image.
I tried to use the cloud-init from az vm create cli as mentioned in the documentation: Tutorial - Customize a Linux VM with cloud-init in Azure - Azure Virtual Machines | Microsoft Docs but it did not create any user, launch any command (such as dummy echo commands) or push any ssh public key for a specific user.
In the generic qcow2 image, I don’t know what the creds are for the user root or what is installed within it. Has someone already tried to do it, or does anyone have any idea?
Thanks in advance for your help.
Juilien

Thanks! worked on Proxmox

Has anyone tried this procedure on Rocky 9.0? My kvm is stuck at the boot screen saying “Booting from Hard Disk …”

edit: I was executing these commands, basically adamaze’s last 2 commands:

# --ssh-inject expects a public key file; the private key stays on the client
virt-customize \
  --add /var/lib/libvirt/images/x13.qcow2 \
  --hostname x13 \
  --ssh-inject "root:file:/root/.ssh/id_rsa.pub" \
  --uninstall cloud-init \
  --selinux-relabel
virt-install -n x13 \
  --os-type=Linux  \
  --os-variant=centos8  \
  --ram=4  \
  --vcpus=2  \
  --disk path=/var/lib/libvirt/images/x13.qcow2,bus=virtio,size=20  \
  --network bridge:virbr0  \
  --graphics vnc,listen=0.0.0.0 \
  --import --noautoconsole

with version 8.6, the above definitely works.

The new rocky9 image uses UEFI, so you have to add “--boot uefi” to your command

1 Like