Administration Tasks

Additional tasks mimic any other Linux administration tasks and use available utilities included in the Fedora distribution. Some tasks are described below with specific links to other Fedora Documentation or upstream documentation.

General Resources:

User Management

The initial image includes a locked root account without a password, a ssh key is provisioned via the provisioning service using ignition.

$ id testuser
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),10(wheel)
$ getent passwd testuser
testuser:x:1000:1000::/home/testuser:/bin/bash

Package installation may add additional users to own files and processes on the system. For example the httpd package installation scripts will create a user apache if one does not already exist.

$ id apache
uid=48(apache) gid=48(apache) groups=48(apache)
$ getent passwd apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

This account is typically a system account with a UID below 1000, no password, and a shell of /sbin/nologin. Accounts with a nologin shell cannot be used interactively. These accounts also do not have a home directory created in /home

To manually create a system account for your application use the useradd command:

$ sudo useradd -r -s /sbin/nologin appuser
$ getent passwd appuser
appuser:x:992:981::/var/home/appuser:/sbin/nologin

Centralized users accounts (LDAP, Kerberos) can be configured with authconfig after the client packages, including sssd, have been installed. The /etc/nsswitch.conf file is already configured to look for sss as well as files and altfiles for account information.

User accounts which are members of the wheel group automatically have full privileges with the sudo command. This is from the following lines in the sudo configuration file:

$ sudo grep wheel /etc/sudoers
## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL
# %wheel	ALL=(ALL)	NOPASSWD: ALL

Edits to this configuration file should be made with the visudo command so that syntax is checked on exit. Instead of editing the main configuration file, grant other users the ability to issue specific commands as a different user by adding a configuration file to the /etc/sudoers.d/ directory.

Use ssh-keygen to generate an ssh key pair then add the public key to the user account on your Fedora IoT device:

$ ssh-copy-id testuser@10.11.12.13

Replace the username and IP address with that of your device. Use the -i option to specify a key file other than the default of the most recently modified ~/.ssh/id_*pub file. The ssh-copy-id command will append the public key to the user’s authorized keys file on the device. It will create the ~/.ssh directory if it does not already exist and ensure the permission on the files are correct.

Network Configuration

List the network devices:

$ nmcli dev
DEVICE  TYPE      STATE      CONNECTION
eth0    ethernet  connected  System eth0
lo      loopback  unmanaged  --

Show details of a device:

$ nmcli dev show eth0
GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         B8:27:EB:B4:93:D8
GENERAL.MTU:                            1500
...Output Omitted...

List the connection configurations:

$ nmcli con
NAME         UUID                                  TYPE      DEVICE
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
enp1s0       8a6006ff-a1b5-4048-be93-258087a1853f  ethernet  --

Only one connection per device can be UP but multiple connections can be defined.

Show connection information:

$ nmcli con show enp1s0
connection.id:                          enp1s0
connection.uuid:                        8a6006ff-a1b5-4048-be93-258087a1853f
connection.stable-id:                   --
connection.type:                        802-3-ethernet
... Output Omitted ...

The nmcli conn command has a variety of options including edit, modify, up, down, add, and delete. Use the nmcli conn help command to view the syntax.

The default configurations will try to obtain connection information from a DHCP service on your network. If no DHCP service is available on your network, you can add a static connection:

$ nmcli connection add con-name cable ipv4.addresses \
192.168.0.10/24 ipv4.gateway 192.168.0.1 \
connection.autoconnect true ipv4.dns "8.8.8.8,1.1.1.1" \
type ethernet ifname eth0 ipv4.method manual

Connect a device to a wifi SSID, prompting for the password:

$ sudo nmcli –ask device wifi connect SSID-Name

For more wifi options look at:

$ nmcli device wifi help

Securing remote access

The root account is locked by default with no password set. The SSH daemon is configured to allow root access so if the image was created with an ssh key added, or if a password is set for the root account, then root can still access the system remotely.

Disable remote ssh access for root by editing the following line in the /etc/ssh/sshd_config file:

PermitRootLogin no
  • Fedora 29 Administration Guide: OpenSSH

View the default firewall configuration:

$ sudo firewall-cmd --list-all

The firewalld services are different than systemd services. To see what configuration a firewalld service includes use:

$ sudo firewall-cmd --info-service=mdns
mdns
  ports: 5353/udp
  protocols:
  source-ports:
  modules:
  destination: ipv4:224.0.0.251 ipv6:ff02::fb

Use the --add-service or --add-port options to open ports in the firewall:

$ sudo firewall-cmd --add-port=8080/tcp --add-port=8081/tcp --permanent
$ sudo firewall-cmd --reload

The --permanent option saves the setting to files so that they will be loaded the next time firewalld is loaded. The --reload option reloads the configuration from the saved files. If you add a port or service without the --permanent option, it will modify the runtime firewalld settings but it will not save your changes to survive a reboot of the system.

Service Management

Services are managed by systemd and they can be started and enabled with systemctl.

The Fedora IoT image boots to a multi-user target by default.

$ systemctl get-default
multi-user.target

A small number of services are enabled:

$ systemctl list-unit-files  --state enabled

Package installation does not usually start or enable a service:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabl>
   Active: inactive (dead)
     Docs: man:httpd.service(8)

The --now option allows you to start a service on the enable command:

$ sudo systemctl enable httpd --now
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

Viewing Logs

Log files are generally located in the /var/log directory. System logs can be viewed and searched with journalctl.

Accurate time and date stamps help find the correct event when troubleshooting or auditing.

Editing Kernel Command Line Arguments

Sometimes it’s useful to be able to edit the kernel command line arguements, whether to add a serial console or some options for debugging.

View the current kernel command line:

$ sudo rpm-ostree kargs

Edit the kerenl command line arguements with the default editor (the default for editor is vim) to adjust such as adding a serial console:

$ sudo rpm-ostree kargs --editor

Reboot the system:

$ sudo systemctl reboot

Remote Administration with Ansible

The Fedora IoT image includes python3 and Ansible versions 2.5 and above have support for Python 3 (python 3.5 and above only). To use Ansible to configure your Fedora IoT device, set the ansible_python_interpreter configuration option use the python3 binary /usr/bin/python3. This is done with an inventory variable as described in the Ansible Python 3 Support documentation.

The Ansible User Guide covers how to work with Ansible. Some useful modules include:

  • Networks: nmcli

  • Users: user, authorized_key, htpasswd

  • Packages, services and ports: yum_repository, service, firewalld

  • Files and directories: file, copy, template, get_url, unarchive

  • Interact with HTTP and HTTPS web services: uri

  • System: timezone, reboot

There is no current activity on a request for an rpm-ostree module so for now, you will have to use the command module to run rpm-ostree commands. Use the creates argument to see if it needs to be run:

- name: install cockpit
  command: >-
    rpm-ostree install --idempotent --unchanged-exit-77
      cockpit
      cockpit-podman
      cockpit-storaged
      cockpit-dashboard
      cockpit-ostree
  register: ostree
  failed_when: not ( ostree.rc == 77 or ostree.rc == 0 )
  changed_when: ostree.rc != 77

- name: reboot if new stuff was installed
  reboot:
    reboot_timeout: 300
  when: ostree.rc != 77

- name: start and enable cockpit
  service:
    name: cockpit.socket
    state: started
    enabled: true

- name: allow cockpit through firewall
  firewalld:
    service: cockpit
    permanent: yes
    immediate: yes
    state: enabled