coreos-base/common-oem-files: Enable flatcar.autologin for OpenStack #1866

Merged
merged 1 commit into from
Apr 11, 2024


pothos
Member

@pothos pothos commented Apr 11, 2024

So far the console in OpenStack (or Brightbox which shares the image) was not usable well until one issues a reboot to add the autologin in the GRUB menu.
Add it by default so that one doesn't need this reboot trick.

How to use

Testing done

# Flatcar GRUB settings

set oem_id="openstack"
set linux_append="flatcar.autologin"
  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.


github-actions bot commented Apr 11, 2024

@pothos pothos requested a review from a team April 11, 2024 05:35
So far the console in OpenStack (or Brightbox which shares the image)
was not usable well until one issues a reboot to add the autologin in
the GRUB menu.
Add it by default so that one doesn't need this reboot trick.
@pothos pothos merged commit 265ba81 into main Apr 11, 2024
1 check failed
@databus23

I'm a bit baffled by this change. How is it justifiable to enable autologin by default for OpenStack all of a sudden? We were completely surprised by this change when suddenly all our production machines have an open console after a reboot. From a security perspective this is not acceptable.

@tormath1 tormath1 deleted the kai/openstack-grub branch September 9, 2024 12:55
@tormath1
Contributor

tormath1 commented Sep 9, 2024

I'm a bit baffled by this change. How is it justifiable to enable autologin by default for OpenStack all of a sudden? We were completely surprised by this change when suddenly all our production machines have an open console after a reboot. From a security perspective this is not acceptable.

Hi @databus23, this change is motivated by two reasons:

  • the console access might be set from the provider (e.g. OpenStack or Brightbox) point of view
  • even without this change, one can still reboot the instance, press e at the GRUB menu, edit the GRUB command line manually to append the flatcar.autologin kernel argument, press Ctrl+x and end up in the same situation

That said, if you still want to revert this change, here's a Butane / Ignition configuration [1]:

variant: flatcar
version: 1.0.0
kernel_arguments:
  should_not_exist:
    - flatcar.autologin

Lastly, this change is not "sudden" as it was in Beta since May 2024 (https://www.flatcar.org/releases#release-3941.1.0) and we often recommend that users run a few Beta nodes (when possible) to identify any regression or this kind of change that might affect a workload.

Footnotes

  1. https://www.flatcar.org/docs/latest/installing/cloud/vmware/#disablingenabling-autologin

@jepio
Member

jepio commented Sep 10, 2024

I'm a bit baffled by this change. How is it justifiable to enable autologin by default for OpenStack all of a sudden? We were completely surprised by this change when suddenly all our production machines have an open console after a reboot. From a security perspective this is not acceptable.

@databus23 we don't automatically update the oem/grub.cfg on existing systems, only nodes provisioned with a newer image would have this change. How were your production machines affected after a reboot?

@databus23

@jepio You are right. I was mistaken. This did not happen with a simple reboot. In our infrastructure we replace a lot of machines on a constant basis while also performing in-place updates for others. The difference was not immediately clear to me as usually there is not much difference between replacing nodes and updating them as long as we don't change the ignition. When reading through the changelog I then jumped to the wrong conclusion that this was happening with a simple reboot.
I'm sorry for drawing the wrong conclusions initially.
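
An added example, not part of this pull request or the Flatcar project's code: a POSIX shell check that reports whether `flatcar.autologin` is on the running kernel command line or set in an OEM `grub.cfg`, which helps tell apart the in-place-updated and newly provisioned nodes discussed above. The function names are hypothetical and the `grub.cfg` path is an argument you supply; the sample invocation in the comments is an assumption about your image layout.

```shell
#!/bin/sh
# Added example: report whether flatcar.autologin is in effect on a node.
# Usage: sh autologin_audit.sh /proc/cmdline <path to the OEM grub.cfg>
# The grub.cfg path is an assumption; pass the location used on your image.

# Succeeds if stdin, split on whitespace, holds flatcar.autologin as a whole
# kernel argument. A "=value" suffix is also matched (conservative assumption).
has_token() {
    tr -s '[:space:]' '\n' | grep -Eq '^flatcar\.autologin(=.*)?$'
}

# Running kernel: the argument is active for the current boot.
cmdline_has_autologin() {
    has_token < "$1"
}

# grub.cfg: look only at uncommented "set linux_append=..." lines. Any such
# line carrying the argument is flagged, even if a later line overrides it.
grub_has_autologin() {
    sed -e 's/#.*//' "$1" \
        | sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*linux_append=//p' \
        | tr -d "\"'" \
        | has_token
}

# Prints one of:
#   active      argument is on the running kernel command line
#   configured  argument is in grub.cfg but not on the running command line
#   absent      argument found in neither file
autologin_state() {
    state=absent
    if [ -r "$2" ] && grub_has_autologin "$2"; then
        state=configured
    fi
    if cmdline_has_autologin "$1"; then
        state=active
    fi
    echo "$state"
}

# Run only when both paths are given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    autologin_state "$1" "$2"
fi
```

Run across a fleet, an `active` or `configured` result identifies nodes where the Butane `should_not_exist` setting from the comment above has not been applied.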

@tormath1 tormath1 mentioned this pull request Oct 22, 2024
8 tasks