Additional tasks mimic any other Linux administration tasks and use available utilities included in the Fedora distribution. Some tasks are described below with specific links to other Fedora Documentation or upstream documentation.
The initial image includes a locked root account without a password, a ssh key is provisioned via the provisioning service using ignition.
$ id testuser uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),10(wheel) $ getent passwd testuser testuser:x:1000:1000::/home/testuser:/bin/bash
Package installation may add additional users to own files and processes on the system. For example the httpd package installation scripts will create a user apache if one does not already exist.
$ id apache uid=48(apache) gid=48(apache) groups=48(apache) $ getent passwd apache apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
This account is typically a system account with a UID below 1000, no password, and a shell of
Accounts with a nologin shell cannot be used interactively.
These accounts also do not have a home directory created in
To manually create a system account for your application use the useradd command:
$ sudo useradd -r -s /sbin/nologin appuser $ getent passwd appuser appuser:x:992:981::/var/home/appuser:/sbin/nologin
Centralized users accounts (LDAP, Kerberos) can be configured with
authconfig after the client packages, including
sssd, have been installed.
/etc/nsswitch.conf file is already configured to look for sss as well as files and altfiles for account information.
Fedora 29 Administration Guide: Managing Users and Groups
User accounts which are members of the wheel group automatically have full privileges with the
This is from the following lines in the sudo configuration file:
$ sudo grep wheel /etc/sudoers ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL # %wheel ALL=(ALL) NOPASSWD: ALL
Edits to this configuration file should be made with the
visudo command so that syntax is checked on exit.
Instead of editing the main configuration file, grant other users the ability to issue specific commands as a different user by adding a configuration file to the
Fedora 29 Administration Guide: Gaining Privileges
ssh-keygen to generate an ssh key pair then add the public key to the user account on your Fedora IoT device:
$ ssh-copy-id email@example.com
Replace the username and IP address with that of your device.
-i option to specify a key file other than the default of the most recently modified
ssh-copy-id command will append the public key to the user’s authorized keys file on the device. It will create the
~/.ssh directory if it does not already exist and ensure the permission on the files are correct.
Fedora 29 Administration Guide: Generating Key Pairs
List the network devices:
$ nmcli dev DEVICE TYPE STATE CONNECTION eth0 ethernet connected System eth0 lo loopback unmanaged --
Show details of a device:
$ nmcli dev show eth0 GENERAL.DEVICE: eth0 GENERAL.TYPE: ethernet GENERAL.HWADDR: B8:27:EB:B4:93:D8 GENERAL.MTU: 1500 ...Output Omitted...
List the connection configurations:
$ nmcli con NAME UUID TYPE DEVICE System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0 enp1s0 8a6006ff-a1b5-4048-be93-258087a1853f ethernet --
Only one connection per device can be UP but multiple connections can be defined.
Show connection information:
$ nmcli con show enp1s0 connection.id: enp1s0 connection.uuid: 8a6006ff-a1b5-4048-be93-258087a1853f connection.stable-id: -- connection.type: 802-3-ethernet ... Output Omitted ...
nmcli conn command has a variety of options including edit, modify, up, down, add, and delete.
nmcli conn help command to view the syntax.
The default configurations will try to obtain connection information from a DHCP service on your network. If no DHCP service is available on your network, you can add a static connection:
$ nmcli connection add con-name cable ipv4.addresses \ 192.168.0.10/24 ipv4.gateway 192.168.0.1 \ connection.autoconnect true ipv4.dns "188.8.131.52,184.108.40.206" \ type ethernet ifname eth0 ipv4.method manual
Connect a device to a wifi SSID, prompting for the password:
$ sudo nmcli –ask device wifi connect SSID-Name
For more wifi options look at:
$ nmcli device wifi help
Fedora Quick Docs: Configuring ip networking with nmcli
The root account is locked by default with no password set. The SSH daemon is configured to allow root access so if the image was created with an ssh key added, or if a password is set for the root account, then root can still access the system remotely.
Disable remote ssh access for root by editing the following line in the
Fedora 29 Administration Guide: OpenSSH
View the default firewall configuration:
$ sudo firewall-cmd --list-all
firewalld services are different than
To see what configuration a
firewalld service includes use:
$ sudo firewall-cmd --info-service=mdns mdns ports: 5353/udp protocols: source-ports: modules: destination: ipv4:220.127.116.11 ipv6:ff02::fb
--add-port options to open ports in the firewall:
$ sudo firewall-cmd --add-port=8080/tcp --add-port=8081/tcp --permanent $ sudo firewall-cmd --reload
--permanent option saves the setting to files so that they will be loaded the next time
firewalld is loaded.
--reload option reloads the configuration from the saved files.
If you add a port or service without the
--permanent option, it will modify the runtime firewalld settings but it will not save your changes to survive a reboot of the system.
Fedora Quick Docs: Using firewalld
Services are managed by
systemd and they can be started and enabled with
The Fedora IoT image boots to a multi-user target by default.
$ systemctl get-default multi-user.target
A small number of services are enabled:
$ systemctl list-unit-files --state enabled
Package installation does not usually start or enable a service:
$ systemctl status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabl> Active: inactive (dead) Docs: man:httpd.service(8)
--now option allows you to start a service on the enable command:
$ sudo systemctl enable httpd --now Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Fedora 29 Administration Guide: Services and Daemons
Log files are generally located in the
System logs can be viewed and searched with
Accurate time and date stamps help find the correct event when troubleshooting or auditing.
Sometimes it’s useful to be able to edit the kernel command line arguements, whether to add a serial console or some options for debugging.
View the current kernel command line:
$ sudo rpm-ostree kargs
Edit the kerenl command line arguements with the default editor (the default for editor is vim) to adjust such as adding a serial console:
$ sudo rpm-ostree kargs --editor
Reboot the system:
$ sudo systemctl reboot
The Fedora IoT image includes python3 and Ansible versions 2.5 and above have support for Python 3 (python 3.5 and above only).
To use Ansible to configure your Fedora IoT device, set the ansible_python_interpreter configuration option use the python3 binary
This is done with an inventory variable as described in the
Ansible Python 3 Support documentation.
Users: user, authorized_key, htpasswd
Packages, services and ports: yum_repository, service, firewalld
Files and directories: file, copy, template, get_url, unarchive
Interact with HTTP and HTTPS web services: uri
System: timezone, reboot
There is no current activity on a request for an rpm-ostree module so for now, you will have to use the command module to run rpm-ostree commands. Use the creates argument to see if it needs to be run:
- name: install cockpit command: >- rpm-ostree install --idempotent --unchanged-exit-77 cockpit cockpit-podman cockpit-storaged cockpit-dashboard cockpit-ostree register: ostree failed_when: not ( ostree.rc == 77 or ostree.rc == 0 ) changed_when: ostree.rc != 77 - name: reboot if new stuff was installed reboot: reboot_timeout: 300 when: ostree.rc != 77 - name: start and enable cockpit service: name: cockpit.socket state: started enabled: true - name: allow cockpit through firewall firewalld: service: cockpit permanent: yes immediate: yes state: enabled