Rocky 8.7 official OpenStack Qcow2 image, what is the default account password?
The default account for the official Rocky Linux 8.7 OpenStack Qcow2 image provided by the Rocky Linux project is the user `rocky`. There is no default password set for this account, nor is password-based authentication enabled for console or SSH login by default. The standard and intended method for initial access is exclusively SSH key injection through the cloud-init mechanism, which is a fundamental security and operational practice for cloud images. This design is consistent across the cloud images of major enterprise Linux distributions, as pre-set passwords are a significant security risk in ephemeral, auto-scaling cloud environments.
The mechanism for access relies on the launching cloud platform (e.g., OpenStack, AWS, or a local libvirt setup with cloud-init support) providing an SSH public key during instance creation. This key is injected into the `~/.ssh/authorized_keys` file for the `rocky` user by the cloud-init service that runs on first boot. If a key is not provided or cloud-init fails to run, the instance will be effectively inaccessible via standard remote login methods. For console access, such as through a virtual serial console in OpenStack, login prompts will not accept a password. This necessitates either ensuring proper cloud-init configuration or resorting to offline modification of the image to alter authentication methods, which defeats the purpose of using a standard cloud-optimized image.
If one must gain access to an instance launched without key injection, the required procedure involves mounting the Qcow2 image on a separate host to directly modify the filesystem. This would entail setting a password for the `rocky` user by writing a new password hash to `/etc/shadow` and potentially enabling password authentication in `/etc/ssh/sshd_config` and `/etc/cloud/cloud.cfg` to prevent cloud-init from reverting the change on next boot. However, this is an operational workaround, not a feature of the image. The official project documentation and image metadata explicitly state that key-based authentication is required, and no password is documented or provided.
The implication for users and administrators is clear: successful deployment depends on understanding and correctly utilizing the cloud's key-pair management and instance metadata services. For OpenStack, this means assigning a key pair to the instance at launch. The absence of a fallback password is a deliberate security posture, eliminating a common attack vector. Therefore, inquiries about a default password stem from a misunderstanding of cloud image design principles. The correct focus is on verifying cloud-init logs (`/var/log/cloud-init-output.log`) and launch configuration when access fails, not seeking a non-existent credential.
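To confirm on a given image or instance disk that no password login path exists, the check below reads `/etc/shadow` and `/etc/ssh/sshd_config` from an offline-mounted root filesystem. It is an added example, not code from the Rocky Linux project; the function names, the pass rule in `audit_image` and the sample files it builds are assumptions of this example.

```shell
#!/usr/bin/env bash
# shadow_state FILE USER -> locked | empty | hash | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # no password needed at all
            else if ($2 ~ /^[!*]/) print "locked"  # no hash can ever match
            else                   print "hash"    # a usable password is set
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# sshd_pwauth FILE -> yes | no. sshd keeps the first value it reads and
# defaults to yes. Simplification: Match blocks and Include are not followed.
sshd_pwauth() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); n = split(line, kv, /[ \t=]+/) }
        n >= 2 && tolower(kv[1]) == "passwordauthentication" {
            print tolower(kv[2]); found = 1; exit
        }
        END { if (!found) print "yes" }' "$1"
}

# audit_image ROOT USER -> exit status 0 only when the account is locked
# and sshd refuses passwords (this pass rule is the example's assumption).
audit_image() {
    local state pwauth
    state=$(shadow_state "$1/etc/shadow" "$2")
    pwauth=$(sshd_pwauth "$1/etc/ssh/sshd_config")
    echo "user=$2 shadow=$state sshd_password_auth=$pwauth"
    [ "$state" = "locked" ] && [ "$pwauth" = "no" ]
}

# make_sample_root DIR SHADOW_FIELD PWAUTH: constructed test data, not
# copied from a real image.
make_sample_root() {
    mkdir -p "$1/etc/ssh"
    printf 'root:!!:19000:0:99999:7:::\nrocky:%s:19000:0:99999:7:::\n' "$2" > "$1/etc/shadow"
    printf '# constructed sample\nPasswordAuthentication %s\n' "$3" > "$1/etc/ssh/sshd_config"
}

demo_dir=$(mktemp -d)
make_sample_root "$demo_dir/keyonly" '!!' no
make_sample_root "$demo_dir/drifted" '$6$constructed$notarealhash' yes
audit_image "$demo_dir/keyonly" rocky && echo "keyonly: PASS"
audit_image "$demo_dir/drifted" rocky || echo "drifted: FINDING"
```

An `empty` result is the most serious finding, since an empty password field in `/etc/shadow` lets the account log in with no password at all.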