-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
create ostree user sudoers file #417
Conversation
I don't see how this is conceptually specific to ostree. I think what's a bit confusing here is whether an image comes out of the box with passwordless sudo. Fedora CoreOS derivatives hardcode this. I think what happens on cloud-init systems is that cloud-init automatically adds this for the user configured. Anyways, I think the other way to achieve this is to just document how to inject a drop-in into |
@cgwalters many thanks for reviewing this PR,
For the moment only for OSTree that we are setting users in firstboot stage
R: Because we do not set a user password for OSTree image and only an ssh-key, and we do not setup a root user.
it's impossible to login as root, as we do not set a root password, and root password is locked at installation level. At edge-management we are already downloading the ISO artifact generated by image-builder, injecting our kickstart file generated in our project from this template https://github.com/RedHatInsights/edge-api/blob/main/templates/templateKickstart.ks#L77 This PR is in the context to delegate edge-management functionality to image-builder as in the future image-builder has to build the ISO for edge image and save it directly to storage without any external intervention, the ISO generated has to provide the same installation experience as with edge-management ISO modifications (eg: without any user intervention at installation level). Please let me know, if there is any idea how we can achieve this goal without this PR or by applying some modifications. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. This looks good in general but I'd rather have it configurable for different image types (see my comment below).
The RHEL for Edge ISO currently adds the NOPASSWD option to sudoers during installation through the kickstart file. This PR is part of a larger effort to bring the R4E ISO kickstart modifications into image builder itself, either as configuration options or as defaults. The teams (Edge Fleet and IB) agreed that including this as a first-boot action rather than install-time was an acceptable functionally equivalent change.
It does but I'm not sure how that relates.
That's a decision for the Edge Fleet team to make to judge if that's an acceptable change for their users / customers. Though if it's not taken care of at build time, nor at install time, and there is no root user nor a password for the regular user, I don't see how the user would write the file after provisioning. |
4056c5a
to
6cf17a4
Compare
@achilleas-k made some changes created a CreateUsersSodoerFile option in ImageConfig and manifest OSCustomizations , thanks to revisit. |
6cf17a4
to
5637c6e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work thanks. One small change required as well for the base kickstart path.
5637c6e
to
7710ab4
Compare
I read the PR as no behavior change introduced with this on the normal edge artifacts as it's opt-in (and also just for anaconda). FWIW, lgtm |
In the context of compatibility with edge-management when creating image ISO artifact. When creating an ostree user, the user is created with username and ssh-key without a password, the user has no possibility to manage the system as has no password to enter when using sudo command. Create a sudoer file at first boot stage. FIXES: https://issues.redhat.com/browse/THEEDGE-3837
7710ab4
to
97177b2
Compare
Thanks for taking a look. Yes, to confirm and ftr: This PR makes the Anaconda Edge installer put a sudoer file in |
if they enable the option right? we're not building the edge anaconda iso with this new option by default right? (or we break backwards compatibility) |
Yeah right now it's on by default and you're right. We should put it behind an option. I'll add that in a follow-up and expose it in composer. |
Thanks for the work, @ldjebran. LGTM! |
In the context of compatibility with edge-management when creating image ISO artifact.
When creating an ostree user, the user is created with username and ssh-key without a password, the user has no possibility to manage the system as has no password to enter when using sudo command.
Create a sudoer file at first boot stage.
FIXES: https://issues.redhat.com/browse/THEEDGE-3837