Stark & Wayne

Default Password for BOSH VMs

The default username for BOSH VMs is vcap. We have two options when it comes to the vcap password for the BOSH director and the VMs that BOSH deploys. One is to harden the vcap password ourselves, and the other is to let BOSH generate a random vcap password for each VM it deploys.

Harden Password in Manifest/Cloud Config

We can use env.bosh.password to set a password in resource pools (in the manifest) or VM types (in the cloud config). All the VMs associated with that resource pool or VM type will use the same password. If we only want to set a password for a specific instance group, we can set it in the instance group instead.

The password configured in the manifest has to be the SHA-512 crypt hash of the password, not the plaintext. You can run mkpasswd -s -m sha-512 to generate one. If mkpasswd is not present, run apt install whois on a Linux VM to get it.

Example of setting a password in resource_pools:

resource_pools:
  - name: my-job
    cloud_properties: {}
    network: default
    env:
      bosh:
        password: sha-512 HASH

Example of setting a password in vm_types:

vm_types:
- name: medium
  cloud_properties: {}
  env:
    bosh:
      password: sha-512 HASH

Example of setting a password for a specific instance:

instance_groups:
- name: my-instance-name
  env:
    bosh:
      password: sha-512 HASH
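As an added example (not code from the original post or from BOSH), the following Python reimplements the glibc SHA-512 crypt scheme that mkpasswd -m sha-512 emits. It lets you generate a value for env.bosh.password on a machine without the whois package, confirm that a hash already pasted into a manifest really corresponds to the password you intend, and lint that the field holds a $6$ hash rather than a plaintext string. The known-answer vector is the one published in the sha-crypt specification; the function names, the sample password and the random-salt generation are my own choices.

```python
"""Generate and verify SHA-512 crypt ($6$) hashes for env.bosh.password.

Added example: a pure-Python reimplementation of the glibc sha512-crypt
scheme that `mkpasswd -m sha-512` emits (hypothetical helper names, not
part of BOSH or the original post).
"""
import hashlib
import hmac
import re
import secrets

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
# glibc emits the 64 digest bytes in triples (i, i+21, i+42), each triple
# rotated left by i mod 3, then packs every triple into four base64 chars.
_ORDER = [((i, i + 21, i + 42)[i % 3:] + (i, i + 21, i + 42)[:i % 3])
          for i in range(21)]
# Shape of a valid crypt string: $6$[rounds=N$]salt(<=16 chars)$86 hash chars.
HASH_RE = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat `block` and truncate to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def sha512_crypt(password: str, salt: str, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Compute the $6$ crypt string exactly as glibc/mkpasswd does."""
    pw, salt = password.encode(), salt[:16]   # glibc caps the salt at 16 chars
    sb = salt.encode()
    # Digest B mixes password, salt and password again.
    b = hashlib.sha512(pw + sb + pw).digest()
    # Digest A: password, salt, B repeated to the password length, then one
    # block per bit of len(password): B for a 1 bit, the password for a 0 bit.
    a = hashlib.sha512(pw + sb + _repeat_to(b, len(pw)))
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S are the password and salt stretched through one more digest each.
    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _repeat_to(hashlib.sha512(sb * (16 + a[0])).digest(), len(sb))
    # Round loop: which inputs get added depends on the round number.
    c = a
    for i in range(rounds):
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for i2, i1, i0 in _ORDER:
        w = (c[i2] << 16) | (c[i1] << 8) | c[i0]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    w = c[63]                                  # the last byte yields two chars
    out.append(_B64[w & 0x3F])
    out.append(_B64[(w >> 6) & 0x3F])
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != _DEFAULT_ROUNDS else "")
    return f"{prefix}{salt}${''.join(out)}"


def looks_like_sha512_crypt(value: str) -> bool:
    """Manifest lint: True only if `value` is a $6$ crypt string, not plaintext."""
    return HASH_RE.match(value) is not None


def verify(password: str, crypt_string: str) -> bool:
    """Check that `crypt_string` (e.g. from env.bosh.password) matches `password`."""
    m = HASH_RE.match(crypt_string)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else _DEFAULT_ROUNDS
    rounds = min(max(rounds, 1000), 999_999_999)   # glibc clamps the range
    recomputed = sha512_crypt(password, m.group(2), rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(recomputed, m.group(3))


def manifest_password_hash(password: str) -> str:
    """Fresh random-salt hash for env.bosh.password, like `mkpasswd -m sha-512`."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return sha512_crypt(password, salt)


if __name__ == "__main__":
    # Known-answer check from the public sha-crypt specification.
    spec = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
            "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")
    assert sha512_crypt("Hello world!", "saltstring") == spec
    h = manifest_password_hash("example-only")     # constructed sample password
    print("env.bosh.password:", h, "verifies:", verify("example-only", h))
```

Run it once and paste the printed value under env.bosh.password; verify() is the check to run against a manifest when you are not sure which password a stored hash was made from, and looks_like_sha512_crypt() is the lint that catches a plaintext value committed by mistake. When you use mkpasswd itself, the -s flag reads the password from stdin so it does not land in the shell history.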

Let BOSH Generate Random Passwords for the VMs It Deploys

BOSH v255.4 and above support automatically generating a random vcap password for each VM that BOSH deploys. You can enable this feature in the BOSH director manifest as below.

properties:
  director:
    generate_vm_passwords: true

How to Use Both Options in a Smart Way

Given these two options, I suggest hardening the password for the director deployed with bosh create-env, since there is no bosh ssh available when you need to ssh into the BOSH director itself. For all other BOSH VMs we can let BOSH generate passwords randomly; most of the time we can use bosh ssh to access the deployed VMs when needed.

However, there are situations where you cannot run bosh ssh successfully. For example, on AWS your deployment may fail on the first attempt.

You will need to ssh to the VM to look at the agent logs. Unfortunately, VMs are terminated and deleted when a deployment fails, so you cannot run bosh ssh. You cannot ssh in even if you have the private key for the VM.

In order to keep the failed deployment VM alive, we can set it in the BOSH manifest as follows:

instance_groups:
- name: bosh
  properties:
    director:
      debug:
        keep_unreachable_vms: true

Now the VM is not deleted even when the deployment fails. We can ssh to the VM as the vcap user using the private key we have, but we still cannot sudo since we do not know the vcap password; this is where the method from the first section comes in handy. We can simply configure env.bosh.password in our instance group and redeploy.

I would like to point out that the same method above also works for compilation VMs, and it is very helpful when we need to debug compilation VMs.