Mission
This project's mission is to eliminate the use of predictable passwords in LXC templates. It all started with BZ 1132001 which attached bug reports to fedora-all, EPEL 7, and EPEL 6. The problem exists upstream and the upstream developers are welcoming fixes.
This is part of the Fedora Security Team's 90-day challenge.
Templates
The upstream templates are on Github. Each template will be documented here as it's reviewed.
Alpine
The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation.
AltLinux
The password for root is set to rooter for all builds.
ArchLinux
The user can specify a root password but root's account is left without a password if a password isn't provided.
Busybox
Password for root is set to 'root' by default. Default ssh configuration allows root logins without a password as well.
CentOS
No changes needed as randomized root passwords are already applied during build.
Cirros
The password for root isn't set, but a user called cirros has the password cubswin:).
Debian
The upstream Debian template current sets root's password to root. There's a proposed fix waiting on feedback from Debian's LXC package maintainer.
Fedora
No changes needed as randomized root passwords are already applied during build.
Gentoo
If a root password isn't specified, the root password is set to toor.
OpenMandriva
The root password is set to root by default.
OpenSuse
The root password is set to root by default.
Ubuntu
The UBuntu template disables the root account but makes a regular user with sudo privileges that has ubuntu as a username and password (unless a user password is specified on the command line during build).