No sudoers groups exist with NOPASSWD

[arithx]

By default it doesn't seem like any groups exist in /etc/sudoers. On Container Linux both the %sudo group & the core user have NOPASSWD.

The default sudoers for CL (from /usr/share/baselayout/sudoers):

## Default sudoers for CoreOS

## Pass LESSCHARSET through for systemd commands run through sudo that call less.
## See https://github.com/coreos/bugs/issues/365.
Defaults env_keep += "LESSCHARSET"

## enable root and wheel
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL

## enable passwordless access for sudo
%sudo ALL=(ALL) NOPASSWD: ALL

## the core user has no password by default
core ALL=(ALL) NOPASSWD: ALL

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

[cgwalters]

This is definitely going to be one of numerous origCL/newCL transition points. Now on Fedora/Atomic classically there are no predefined users for humans to log in other than root. One can add them with kickstart or cloud-init. And while cloud-init does have a hardcoded default user (fedora on fedora, cloud-user on RHEL) - if one e.g. does specify a user (personal example) then the "default" cloud-init user won't be created.

I'd lean a bit towards doing the same in our built-in ignition schema - it feels aesthetically cleaner. Having a truly reserved user might be problematic in network-login scenarios etc.

[cgwalters]

Strawman: something like:

diff --git a/dracut/30ignition/ignition-quench.clc b/dracut/30ignition/ignition-quench.clc
index 7fd4e82..ed57380 100644
--- a/dracut/30ignition/ignition-quench.clc
+++ b/dracut/30ignition/ignition-quench.clc
@@ -1,11 +1,15 @@
-# This file contains the source for ignition-quench.ign. This file becomes the
-# base system Ignition config, which makes Ignition install a oneshot systemd
-# unit that only runs on first boot to remove `coreos.first_boot` from the
-# kernel command line in /boot/grub2/grub.cfg.
+# This file contains the source for the base system Ignition config.  It
+# does a few things such as adding the `core` user if no users were specified,
+# and also adds oneshot systemd unit to mark the system as having been booted.
 #
 # Can be regenerated with:
 #
 #     ct <ignition-quench.clc --pretty >ignition-quench.ign
+passwd:
+  users:
+    - name: core
+      groups:
+        - wheel
 systemd:
   units:
     - name: ignition-quench.service

plus changing our default sudo config to %wheel ALL=(ALL) NOPASSWD: ALL ?

[cgwalters]

@bgilbert Any opinions on ⬆️

[bgilbert]

@cgwalters It seems I'm missing some context; I can't immediately locate the repo containing the file above. Why is ignition-quench.service being written from a CLC? In CL, we've kept default configs as small as possible; they're primarily a hook for OEM customization.

In any event, if we're going to unconditionally create the core user, I think it'd be better to do from systemd-sysusers rather than Ignition.

[cgwalters]

It looks like this changed for rhcos, see commits in the dusty branch of bootengine.

[cgwalters]

In any event, if we're going to unconditionally create the core user, I think it'd be better to do from systemd-sysusers rather than Ignition.

My argument is to do it conditionally; if no other users are specified, then we create the core user - the semantics of cloud-init today. I was hopeful that Ignition was doing "overrides" - if the user specifies a users section that overrides rather than unions. If that's not the case today, then we could e.g. have a systemd unit that runs at boot that adds the user iff no other human users exist, etc.

[dustymabe]

Why is ignition-quench.service being written from a CLC?

Derek added that to remove the coreos first boot line from grub.

[cgwalters]

Updated assembler build here https://api.ci.openshift.org/console/project/coreos/browse/builds/coreos-assembler/coreos-assembler-18?tab=details

[cgwalters]

OK, so there is no sudo group by default in Fedora-derived systems. Traditionally wheel is equivalent, except...cloud-init basically defaults to granting the default user NOPASSWD because passwords are a bad idea in general (particularly for things Internet-accessible).

My strawman here is to add a sudo group by default as well to RHCOS, and also the %sudo ALL=(ALL) NOPASSWD: ALL in /etc/sudoers.d/fedora-coreos.conf or so.

This would increase compatibility with the first CLC from this CL users page.

[arithx]

Following up on that example it also recommends the docker group which is also not present in RHCOS.

[bgilbert]

I was hopeful that Ignition was doing "overrides" - if the user specifies a users section that overrides rather than unions.

It doesn't.

Why is ignition-quench.service being written from a CLC?

Derek added that to remove the coreos first boot line from grub.

Shouldn't that unit just ship with the OS instead?

[dustymabe]

Why is ignition-quench.service being written from a CLC?

Derek added that to remove the coreos first boot line from grub.

Shouldn't that unit just ship with the OS instead?

I think the work rahul is doing to "detect first boot a different way" will make the need for this go away so I anticipate removing it soon.

[ashcrow]

@Rahuls0720 can you confirm ⬆️

[cgwalters]

This issue is a mess of stuff (partially my fault), let's keep it focused on sudo since that's the title.

Following up on that example it also recommends the docker group which is also not present in RHCOS.

Split to #121

re Ignition boot once, any objections to reopening #73 ?