Issue with user #176

Closed
anthonyra opened this issue Sep 19, 2024 · 11 comments
@anthonyra

anthonyra commented Sep 19, 2024

#cloud-config

users:
- name: name
  passwd: name
  groups: users,admin,wheel
  sudo: ALL=(ALL) NOPASSWD:ALL
  shell: /bin/bash
  ssh_authorized_keys:
    - github:name!

The above works giving this user sudo permissions but the following doesn't

#cloud-config

users:
- name: name
 passwd: notsameasname
 groups: users,admin,wheel
 sudo: ALL=(ALL) NOPASSWD:ALL
 shell: /bin/bash
 ssh_authorized_keys:
   - github:name!

At first I thought this was related to setting the authorized_key using github but that's not the case.

anthonyra changed the title from "Gracefully catch getRemotePubKey error" to "Issue with user" on Sep 19, 2024
@jimmykarily jimmykarily moved this to Under review 🔍 in 🧙Issue tracking board Sep 23, 2024
@Itxaka
Collaborator

Itxaka commented Sep 26, 2024

For me neither works:

first one

	* yaml: unmarshal errors:
  line 6: cannot unmarshal !!str `users,a...` into []string

second one:


FATA[0000] 1 error occurred:
	* yaml: line 2: did not find expected key

Second one format seems to be wrong, I changed it to be a proper yaml:

#cloud-config

users:
- name: name
  passwd: notsameasname
  groups: users,admin,wheel
  sudo: ALL=(ALL) NOPASSWD:ALL
  shell: /bin/bash
  ssh_authorized_keys:
    - github:name!

And that gave me the same error as the first one

@anthonyra
Author

I'm not sure why the formatting got wonky with the second one but the indents are correct when I go to edit them. I would update the github:name! to use your github like the examples show github:mudler or mine github:anthonyra. Aside from that both of those don't error on me (or I just don't know where to look).. the problem comes from using that user with sudo passwordless-ly. At least when I was testing them

@jimmykarily
Collaborator

I don't know what the problem is but you shouldn't need that sudo: setting. You can just add the admin group to the user and it will automatically have password-less sudo:
https://github.com/kairos-io/packages/blob/0ad384e9082da1090e814cac22148bc6202853de/packages/static/kairos-overlay-files/files/system/oem/10_accounting.yaml#L37

@anthonyra
Author

> I don't know what the problem is but you shouldn't need that sudo: setting. You can just add the admin group to the user and it will automatically have password-less sudo: https://github.com/kairos-io/packages/blob/0ad384e9082da1090e814cac22148bc6202853de/packages/static/kairos-overlay-files/files/system/oem/10_accounting.yaml#L37

After talking during office hours I would agree based on the code you shared. However, I still think there's an underlying issue here just haven't had time to circle back around to get more clarifying details about what it is. I'll probably need to strip it down to the bare minimum that causes the issue I'm seeing to rule out causes.

@bencorrado

> I don't know what the problem is but you shouldn't need that sudo: setting. You can just add the admin group to the user and it will automatically have password-less sudo:
> https://github.com/kairos-io/packages/blob/0ad384e9082da1090e814cac22148bc6202853de/packages/static/kairos-overlay-files/files/system/oem/10_accounting.yaml#L37

I have tested this sudo access with admin group and it works as suggested by @jimmykarily

@jimmykarily
Collaborator

closing?

@anthonyra
Author

anthonyra commented Oct 16, 2024

A few things, it was apparent that setting the user to admin group would have made its sudo passwordless which in essence is a documentation fix. However, I would feel better once I took the time to narrow it down to the actual issue because there was an issue/error I was running into with the configuration above. Which technically is a valid (aside from the github ssh key) cloud-init config so it shouldn't, even if unnecessary, cause any adverse effects if applied.

@jimmykarily
Collaborator

jimmykarily commented Oct 16, 2024

on tumbleweed-standard-amd64-generic-v3.2.1-k3sv1.31.1-k3s1, with the config:

kairos@localhost:~> cat /oem/90_custom.yaml
#cloud-config

install:
    poweroff: false
    reboot: false
users:
    - groups:
        - users
        - admin
        - wheel
      name: kairos
      passwd: notkairos
      shell: /bin/bash
      ssh_authorized_keys:
        - github:jimmykarily
      sudo: ALL=(ALL) NOPASSWD:ALL

I get:

kairos@localhost:~> groups
kairos admin
kairos@localhost:~> sudo whoami
root
kairos@localhost:~> whoami
kairos

(I assume the user didn't get the wheel group because that doesn't exist)

The above config fixes the error Itxaka was getting by making groups an array. I don't know why it works for you @anthonyra, maybe different version or something? Maybe it takes the whole string (with commas) as one group, which doesn't exist and thus the user is not part of the admin group in the end? Keep in mind, the error Itxaka and me are seeing doesn't stop the installation. It's just printed out in the logs.

@anthonyra
Copy link
Author

@jimmykarily That very well could be the issue, this bug never stopped the installation just resulted in an OS that had a user but no passwordless sudo.

I'm curious if the goal for yip is to be closely tied to cloud-init? Because I bet I simply copypasta'd that from a cloud-init that I already use. https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups Since it allows ([‘string’, ‘object’, ‘array’] of string/object)

@Itxaka
Collaborator

Itxaka commented Oct 16, 2024

> on tumbleweed-standard-amd64-generic-v3.2.1-k3sv1.31.1-k3s1, with the config:
>
> kairos@localhost:~> cat /oem/90_custom.yaml
> #cloud-config
>
> install:
>     poweroff: false
>     reboot: false
> users:
>     - groups:
>         - users
>         - admin
>         - wheel
>       name: kairos
>       passwd: notkairos
>       shell: /bin/bash
>       ssh_authorized_keys:
>         - github:jimmykarily
>       sudo: ALL=(ALL) NOPASSWD:ALL
>
> I get:
>
> kairos@localhost:~> groups
> kairos admin
> kairos@localhost:~> sudo whoami
> root
> kairos@localhost:~> whoami
> kairos
>
> (I assume the user didn't get the wheel group because that doesn't exist)
>
> The above config fixes the error Itxaka was getting by making groups an array. I don't know why it works for you @anthonyra, maybe different version or something? Maybe it takes the whole string (with commas) as one group, which doesn't exist and thus the user is not part of the admin group in the end? Keep in mind, the error Itxaka and me are seeing doesn't stop the installation. It's just printed out in the logs.

cloud-config format VS yip format? we parse them differently IIRC so maybe one accepts the string format and one the list?
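
An added example, not part of the thread and not Kairos or yip code: a pre-deployment check for the string-versus-list `groups:` mismatch discussed above, which the thread says is only logged and does not stop the installation. It works on a config already parsed into a dict (loading the YAML is left to the caller); the function names, finding codes and the `admin` default are assumptions for illustration.

```python
"""Added example: lint the users section of a parsed cloud-config."""

# Constructed sample: the first config from the issue, as a YAML loader
# would return it (ssh key entry left out).
SAMPLE = {
    "users": [
        {
            "name": "name",
            "passwd": "name",
            "groups": "users,admin,wheel",
            "sudo": "ALL=(ALL) NOPASSWD:ALL",
            "shell": "/bin/bash",
        }
    ]
}


def split_groups(value):
    """Return (groups, was_string) for a `groups:` value."""
    if value is None:
        return [], False
    if isinstance(value, str):
        # cloud-init style: one comma-separated string.
        return [g.strip() for g in value.split(",") if g.strip()], True
    if isinstance(value, list):
        return [str(g).strip() for g in value], False
    raise TypeError(f"unsupported groups value: {value!r}")


def lint_users(config, sudo_group="admin"):
    """Return (normalized_config, findings); the input is not modified.

    sudo_group is an assumption taken from the thread: membership in
    `admin` is what grants password-less sudo on Kairos.
    """
    findings, users_out = [], []
    for user in config.get("users") or []:
        name = user.get("name", "<unnamed>")
        groups, was_string = split_groups(user.get("groups"))
        if was_string:
            findings.append((name, "groups-is-string"))
        if user.get("sudo") and sudo_group not in groups:
            findings.append((name, "sudo-without-admin-group"))
        fixed = dict(user)
        if "groups" in user:
            fixed["groups"] = groups
        users_out.append(fixed)
    return {**config, "users": users_out}, findings
```

Running `lint_users(SAMPLE)` returns the config with `groups` rewritten as a list plus one `groups-is-string` finding, so the mismatch is caught before the image boots rather than discovered as a user without sudo.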

@jimmykarily
Collaborator

There isn't enough data to find what actually went wrong. I'll close this but feel free to re-open if there is something more that allows us to reproduce and debug.

@github-project-automation github-project-automation bot moved this from Under review 🔍 to Done ✅ in 🧙Issue tracking board Nov 6, 2024