create ostree user sudoers file

[ldjebran]

In the context of compatibility with edge-management when creating image ISO artifact.
When creating an ostree user, the user is created with username and ssh-key without a password, the user has no possibility to manage the system as has no password to enter when using sudo command.
Create a sudoer file at first boot stage.

FIXES: https://issues.redhat.com/browse/THEEDGE-3837

[cgwalters]

I don't see how this is conceptually specific to ostree. I think what's a bit confusing here is whether an image comes out of the box with passwordless sudo.

Fedora CoreOS derivatives hardcode this.

I think what happens on cloud-init systems is that cloud-init automatically adds this for the user configured.

Anyways, I think the other way to achieve this is to just document how to inject a drop-in into /etc/sudoers to have the effect you describe here.

[ldjebran]

@cgwalters many thanks for reviewing this PR,

How this is related to ostree?

For the moment only for OSTree that we are setting users in firstboot stage
https://github.com/osbuild/images/blob/main/pkg/manifest/os.go#L447

I think what's a bit confusing here is whether an image comes out of the box with passwordless sudo.

R: Because we do not set a user password for OSTree image and only an ssh-key, and we do not setup a root user.

I think the other way to achieve this is to just document how to inject a drop-in into /etc/sudoers

it's impossible to login as root, as we do not set a root password, and root password is locked at installation level.

At edge-management we are already downloading the ISO artifact generated by image-builder, injecting our kickstart file generated in our project from this template https://github.com/RedHatInsights/edge-api/blob/main/templates/templateKickstart.ks#L77
and then upload it again (the ISO artifact) to be lately downloaded by the user.

This PR is in the context to delegate edge-management functionality to image-builder as in the future image-builder has to build the ISO for edge image and save it directly to storage without any external intervention, the ISO generated has to provide the same installation experience as with edge-management ISO modifications (eg: without any user intervention at installation level).

Please let me know, if there is any idea how we can achieve this goal without this PR or by applying some modifications.

[achilleas-k]

Thanks. This looks good in general but I'd rather have it configurable for different image types (see my comment below).

[achilleas-k]

I don't see how this is conceptually specific to ostree. I think what's a bit confusing here is whether an image comes out of the box with passwordless sudo.

Fedora CoreOS derivatives hardcode this.

The RHEL for Edge ISO currently adds the NOPASSWD option to sudoers during installation through the kickstart file. This PR is part of a larger effort to bring the R4E ISO kickstart modifications into image builder itself, either as configuration options or as defaults. The teams (Edge Fleet and IB) agreed that including this as a first-boot action rather than install-time was an acceptable functionally equivalent change.

I think what happens on cloud-init systems is that cloud-init automatically adds this for the user configured.

It does but I'm not sure how that relates.

Anyways, I think the other way to achieve this is to just document how to inject a drop-in into /etc/sudoers to have the effect you describe here.

That's a decision for the Edge Fleet team to make to judge if that's an acceptable change for their users / customers. Though if it's not taken care of at build time, nor at install time, and there is no root user nor a password for the regular user, I don't see how the user would write the file after provisioning.

[ldjebran]

@achilleas-k made some changes created a CreateUsersSodoerFile option in ImageConfig and manifest OSCustomizations , thanks to revisit.

[achilleas-k]

Nice work thanks. One small change required as well for the base kickstart path.

[runcom]

I read the PR as no behavior change introduced with this on the normal edge artifacts as it's opt-in (and also just for anaconda). FWIW, lgtm

[achilleas-k]

I read the PR as no behavior change introduced with this on the normal edge artifacts as it's opt-in (and also just for anaconda). FWIW, lgtm

Thanks for taking a look. Yes, to confirm and ftr: This PR makes the Anaconda Edge installer put a sudoer file in /etc/sudoers.d that enables nopasswd for the wheel group.
The Edge fleet management ISO does something similar today, so for fleet management users, this is not a functional change. However, it will affect on-prem users of the Anaconda ISO.

[runcom]

However, it will affect on-prem users of the Anaconda ISO.

if they enable the option right? we're not building the edge anaconda iso with this new option by default right? (or we break backwards compatibility)

[achilleas-k]

However, it will affect on-prem users of the Anaconda ISO.

if they enable the option right? we're not building the edge anaconda iso with this new option by default right? (or we break backwards compatibility)

Yeah right now it's on by default and you're right. We should put it behind an option. I'll add that in a follow-up and expose it in composer.

[achilleas-k]

Thanks for the work, @ldjebran. LGTM!