Administration Tasks

Additional tasks mimic any other Linux administration tasks and use available utilities included in the Fedora distribution. Some tasks are described below with specific links to other Fedora Documentation or upstream documentation.

General Resources:

User Management

The initial image includes a locked root account without a password, a ssh key is provisioned via the provisioning service using ignition.

$ id testuser
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),10(wheel)
$ getent passwd testuser
testuser:x:1000:1000::/home/testuser:/bin/bash

Package installation may add additional users to own files and processes on the system. For example the httpd package installation scripts will create a user apache if one does not already exist.

$ id apache
uid=48(apache) gid=48(apache) groups=48(apache)
$ getent passwd apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

This account is typically a system account with a UID below 1000, no password, and a shell of /sbin/nologin. Accounts with a nologin shell cannot be used interactively. These accounts also do not have a home directory created in /home

To manually create a system account for your application use the useradd command:

$ sudo useradd -r -s /sbin/nologin appuser
$ getent passwd appuser
appuser:x:992:981::/var/home/appuser:/sbin/nologin

Centralized users accounts (LDAP, Kerberos) can be configured with authconfig after the client packages, including sssd, have been installed. The /etc/nsswitch.conf file is already configured to look for sss as well as files and altfiles for account information.

User accounts which are members of the wheel group automatically have full privileges with the sudo command. This is from the following lines in the sudo configuration file:

$ sudo grep wheel /etc/sudoers
## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL
# %wheel	ALL=(ALL)	NOPASSWD: ALL

Edits to this configuration file should be made with the visudo command so that syntax is checked on exit. Instead of editing the main configuration file, grant other users the ability to issue specific commands as a different user by adding a configuration file to the /etc/sudoers.d/ directory.

Use ssh-keygen to generate an ssh key pair then add the public key to the user account on your Fedora IoT device:

$ ssh-copy-id testuser@10.11.12.13

Replace the username and IP address with that of your device. Use the -i option to specify a key file other than the default of the most recently modified ~/.ssh/id_*pub file. The ssh-copy-id command will append the public key to the user’s authorized keys file on the device. It will create the ~/.ssh directory if it does not already exist and ensure the permission on the files are correct.

Group Management

Due to how rpm-ostree handles user + group entries, it may not be possible to use usermod -a -G to add a user to a group successfully. Until rpm-ostree moves to using systemd sysusers, users will have to populate the /etc/group file from the /usr/lib/group file before they can add themselves to the group.

For example, if you wanted to add a user to the libvirt group:

$ grep -E '^libvirt:' /usr/lib/group | sudo tee -a /etc/group
$ sudo usermod -aG libvirt $USER
You will need to log off and log back in to apply these changes.

This issue is tracked in rpm-ostree#29 and rpm-ostree#49.

(Text copied from the Fedora Silverblue documentation)

Network Configuration

List the network devices:

$ nmcli dev
DEVICE  TYPE      STATE      CONNECTION
eth0    ethernet  connected  System eth0
lo      loopback  unmanaged  --

Show details of a device:

$ nmcli dev show eth0
GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         B8:27:EB:B4:93:D8
GENERAL.MTU:                            1500
...Output Omitted...

List the connection configurations:

$ nmcli con
NAME         UUID                                  TYPE      DEVICE
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
enp1s0       8a6006ff-a1b5-4048-be93-258087a1853f  ethernet  --

Only one connection per device can be UP but multiple connections can be defined.

Show connection information:

$ nmcli con show enp1s0
connection.id:                          enp1s0
connection.uuid:                        8a6006ff-a1b5-4048-be93-258087a1853f
connection.stable-id:                   --
connection.type:                        802-3-ethernet
... Output Omitted ...

The nmcli conn command has a variety of options including edit, modify, up, down, add, and delete. Use the nmcli conn help command to view the syntax.

The default configurations will try to obtain connection information from a DHCP service on your network. If no DHCP service is available on your network, you can add a static connection:

$ nmcli connection add con-name cable ipv4.addresses \
192.168.0.10/24 ipv4.gateway 192.168.0.1 \
connection.autoconnect true ipv4.dns "8.8.8.8,1.1.1.1" \
type ethernet ifname eth0 ipv4.method manual

Connect a device to a wifi SSID, prompting for the password:

$ sudo nmcli –ask device wifi connect SSID-Name

For more wifi options look at:

$ nmcli device wifi help

Securing remote access

The root account is locked by default with no password set. The SSH daemon is configured with password authentication disabled for the root account and only allows access remotely if an ssh key has been added.

Disable remote ssh access for root by editing the following line in the /etc/ssh/sshd_config file:

PermitRootLogin no

To disable password authentication for all users, edit /etc/ssh/sshd_config file and add the following:

PasswordAuthentication no
  • For additional information, visit the Fedora Administration Guide: OpenSSH

View the default firewall configuration:

$ sudo firewall-cmd --list-all

The firewalld services are different than systemd services. To see what configuration a firewalld service includes use:

$ sudo firewall-cmd --info-service=mdns
mdns
  ports: 5353/udp
  protocols:
  source-ports:
  modules:
  destination: ipv4:224.0.0.251 ipv6:ff02::fb

Use the --add-service or --add-port options to open ports in the firewall:

$ sudo firewall-cmd --add-port=8080/tcp --add-port=8081/tcp --permanent
$ sudo firewall-cmd --reload

The --permanent option saves the setting to files so that they will be loaded the next time firewalld is loaded. The --reload option reloads the configuration from the saved files. If you add a port or service without the --permanent option, it will modify the runtime firewalld settings but it will not save your changes to survive a reboot of the system.

Service Management

Services are managed by systemd and they can be started and enabled with systemctl.

The Fedora IoT image boots to a multi-user target by default.

$ systemctl get-default
multi-user.target

A small number of services are enabled:

$ systemctl list-unit-files  --state enabled

Package installation does not usually start or enable a service:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabl>
   Active: inactive (dead)
     Docs: man:httpd.service(8)

The --now option allows you to start a service on the enable command:

$ sudo systemctl enable httpd --now
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

Viewing Logs

Log files are generally located in the /var/log directory. System logs can be viewed and searched with journalctl.

Accurate time and date stamps help find the correct event when troubleshooting or auditing.

Editing Kernel Command Line Arguments

Sometimes it’s useful to be able to edit the kernel command line arguments, whether to add a serial console or some options for debugging.

View the current kernel command line:

$ sudo rpm-ostree kargs

Edit the kernel command line arguments with the default editor (the default for editor is vim) to adjust such as adding a serial console:

$ sudo rpm-ostree kargs --editor

Reboot the system:

$ sudo systemctl reboot

Remote Administration with Ansible

The Fedora IoT image includes python3 and Ansible versions 2.5 and above have support for Python 3 (python 3.5 and above only). To use Ansible to configure your Fedora IoT device, set the ansible_python_interpreter configuration option use the python3 binary /usr/bin/python3. This is done with an inventory variable as described in the Ansible Python 3 Support documentation.

The Ansible User Guide covers how to work with Ansible. Some useful modules include:

  • Networks: nmcli

  • Users: user, authorized_key, htpasswd

  • Packages, services and ports: yum_repository, service, firewalld

  • Files and directories: file, copy, template, get_url, unarchive

  • Interact with HTTP and HTTPS web services: uri

  • System: timezone, reboot

There is a community supported module for rpm-ostree, community.general.rpm_ostree_pkg, which can be used to add and remove overlays. You must install the community.general collection to use this module.

$ ansible-galaxy collection install community.general

Then the module can be used like so:

- name: install cockpit
  community.general.rpm_ostree_pkg:
    name:
    - cockpit
    - cockpit-podman
    - cockpit-storaged
    - cockpit-ostree
    state: present
  register: result

- name: reboot if new stuff was installed
  reboot:
    reboot_timeout: 300
  when: result.changed

- name: start and enable cockpit
  service:
    name: cockpit.socket
    state: started
    enabled: true

- name: allow cockpit through firewall
  firewalld:
    service: cockpit
    permanent: yes
    immediate: yes
    state: enabled