Granting sudo access with an ignition file?

Matt Hickok

Nov 16, 2017, 3:15:39 PM
to CoreOS User
Hello, I'll put my ignition file below. Keep in mind, I am completely new to Linux...so bear with me.

{
  "ignition": {
    "version": "2.0.0",
    "config": {}
  },
  "storage": {
    "files": [
      {
        "filesystem": "root",
        "path": "/etc/hostname",
        "mode": 420,
        "contents": { "source": "data:,myHostname" }
      },
      {
        "filesystem": "root",
        "path": "/etc/sudoers.d/matt",
        "mode": 440,
        "contents": { "source": "data:,matt%20ALL%3D%28ALL%29%20NOPASSWD%3A%20ALL" }
      }
    ]
  },
  "systemd": {},
  "networkd": {},
  "passwd": {
    "users": [
      {
        "name": "matt",
        "sshAuthorizedKeys": [
          "ssh-rsa long key"
        ],
        "create": {
          "groups": [
            "sudo",
            "docker"
          ]
        }
      }
    ]
  }
}
This is the file I am providing to the installer. After reboot I am able to SSH into it; however, though I might be a member of the sudoers group, it still prompts for a password. I am guessing this is because I need to specify that I do not require a password. I think I would do this by adding this "matt ALL=(ALL) NOPASSWD:ALL" to the end of my file, but that doesn't seem to be working (or I am doing it wrong in the Ignition configuration).

How do you guys go about making a user a sudoer with an Ignition file?

Thanks! 


David Michael

Nov 16, 2017, 4:13:44 PM
to Matt Hickok, CoreOS User
On Thu, Nov 16, 2017 at 3:15 PM, Matt Hickok <matthew...@gmail.com> wrote:
> however, though I might be a member of the sudoers
> group, it still prompts for a password. I am guessing this is because I need
> to specify that I do not require a password. I think I would do this with
> adding this "matt ALL=(ALL) NOPASSWD:ALL" to the end of my file, but that
> doesn't seem to be working (or I am doing it wrong in the Ignition
> configuration).

You shouldn't need to modify sudoers, since
/usr/share/baselayout/sudoers has "%sudo ALL=(ALL) NOPASSWD: ALL"
already. If the user is in the "sudo" group, no password should be
required. Are you able to verify it by running e.g. "useradd -G sudo
test"?

Thanks.

David

Matt Hickok

Nov 16, 2017, 4:28:21 PM
to CoreOS User
I tried this: 

useradd -G sudo matt

and got the message:

useradd: user 'matt' already exists

Which I'm assuming means I am in the sudoers group.

So then I tried running the command 'sudo reboot' and it prompted me for a password. I do not have a password since I created the user with the ignition file and did not provide a hashed password. So I'm not sure what to make of this. 

Thank you for your help!

David Michael

Nov 16, 2017, 4:42:51 PM
to Matt Hickok, CoreOS User
On Thu, Nov 16, 2017 at 4:28 PM, Matt Hickok <matthew...@gmail.com> wrote:
> I tried this:
>
> useradd -G sudo matt
>
> and got the message:
>
> useradd: user 'matt' already exists
>
> Which I'm assuming means I am in the sudoers group.

It means that your user account already exists. You could give it a
different name to create a new account for testing. Run the command
"groups" to see the list of groups your account is in for the current
session.

Thanks.

David

Matt Hickok

Nov 16, 2017, 5:30:21 PM
to CoreOS User
All I get returned is 'matt'. 

So for some reason the account isn't being added to the docker or sudo groups?

Seán C. McCord

Nov 16, 2017, 5:43:46 PM
to Matt Hickok, CoreOS User
What you want is `gpasswd -a matt sudo`, since the account already exists.  This means to "add matt to the sudo group".  This can also be added to the ignition template (passwd.users.<user>.create.groups = []), as seen on the Adding users ignition doc page[1].

--
Seán C McCord
CyCore Systems, Inc

David Michael

Nov 16, 2017, 5:49:47 PM
to Matt Hickok, CoreOS User
On Thu, Nov 16, 2017 at 5:30 PM, Matt Hickok <matthew...@gmail.com> wrote:
> All I get returned is 'matt'.
>
> So for some reason the account isn't being added to the docker or sudo
> groups?

Yes, that is what it means.

What version of the OS are you using? I booted the current alpha with
your exact Ignition configuration file, and the account was created
with the correct groups, and it was not prompted for a sudo password.

Note that Ignition only runs on the first boot, so if you are editing
the file and rebooting, no changes would take effect.

Thanks.

David
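
Added example, not part of any message in this thread: a Python check that reads an Ignition v2 config like the one posted above, decodes any /etc/sudoers.d data URL, lists the users created with the sudo group, and converts each file's decimal "mode" to octal before comparing it. The function name audit_ignition and the embedded sample (a trimmed copy of the posted config) are this example's own, and 0440 is assumed as the target because it is the mode conventionally used for sudoers files.

```python
import json
from urllib.parse import unquote

# Constructed sample: trimmed copy of the configuration posted in this thread.
SAMPLE = r'''
{
  "ignition": {"version": "2.0.0"},
  "storage": {"files": [
    {"filesystem": "root", "path": "/etc/hostname", "mode": 420,
     "contents": {"source": "data:,myHostname"}},
    {"filesystem": "root", "path": "/etc/sudoers.d/matt", "mode": 440,
     "contents": {"source": "data:,matt%20ALL%3D%28ALL%29%20NOPASSWD%3A%20ALL"}}
  ]},
  "passwd": {"users": [
    {"name": "matt", "create": {"groups": ["sudo", "docker"]}}
  ]}
}
'''

def audit_ignition(text):
    """Return (sudoers drop-ins, users created in group sudo, warnings)."""
    cfg = json.loads(text)
    dropins, warnings = {}, []
    for f in cfg.get("storage", {}).get("files", []):
        path = f.get("path", "")
        if not path.startswith("/etc/sudoers.d/"):
            continue
        source = f.get("contents", {}).get("source", "")
        # Only plain "data:," URLs are decoded; base64 or remote sources are skipped.
        if source.startswith("data:,"):
            dropins[path] = unquote(source[len("data:,"):])
        # Ignition v2 reads "mode" as a decimal integer, so compare against
        # 0o440 (decimal 288). The 0440 target is this example's assumption.
        mode = f.get("mode")
        if mode is not None and mode != 0o440:
            warnings.append(f"{path}: mode {mode} is octal {mode:04o}, expected 0440 (decimal 288)")
        if "NOPASSWD" in dropins.get(path, ""):
            warnings.append(f"{path}: grants passwordless sudo")
    sudo_users = [u["name"] for u in cfg.get("passwd", {}).get("users", [])
                  if "sudo" in u.get("create", {}).get("groups", [])]
    return dropins, sudo_users, warnings

if __name__ == "__main__":
    rules, users, notes = audit_ignition(SAMPLE)
    print(rules, users, *notes, sep="\n")
```

Because Ignition only runs on the first boot, a check like this belongs before provisioning; on an already-booted machine, `groups` shows what was actually applied.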