Additional tasks mimic any other Linux administration tasks and use available utilities included in the Fedora distribution. Some tasks are described below with specific links to other Fedora Documentation or upstream documentation.
The initial image includes a locked root account without a password, a ssh key is provisioned via the provisioning service using ignition.
$ id testuser uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),10(wheel) $ getent passwd testuser testuser:x:1000:1000::/home/testuser:/bin/bash
Package installation may add additional users to own files and processes on the system. For example the httpd package installation scripts will create a user apache if one does not already exist.
$ id apache uid=48(apache) gid=48(apache) groups=48(apache) $ getent passwd apache apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
This account is typically a system account with a UID below 1000, no
password, and a shell of
/sbin/nologin. Accounts with a nologin shell
cannot be used interactively. These accounts also do not have a home
directory created in
To manually create a system account for your application use the useradd command:
$ sudo useradd -r -s /sbin/nologin appuser $ getent passwd appuser appuser:x:992:981::/var/home/appuser:/sbin/nologin
Centralized users accounts (LDAP, Kerberos) can be configured with
authconfig after the client packages, including
sssd, have been
/etc/nsswitch.conf file is already configured to look for
sss as well as files and altfiles for account information.
Fedora 29 Administration Guide: Managing Users and Groups
User accounts which are members of the wheel group automatically have full
privileges with the
sudo command. This is from the following lines in the
sudo configuration file:
$ sudo grep wheel /etc/sudoers ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL # %wheel ALL=(ALL) NOPASSWD: ALL
Edits to this configuration file should be made with the
visudo command so
that syntax is checked on exit. Instead of editing the main configuration
file, grant other users the ability to issue specific commands as a
different user by adding a configuration file to the
Fedora 29 Administration Guide: Gaining Privileges
ssh-keygen to generate an ssh key pair then add the public key to the
user account on your Fedora IoT device:
$ ssh-copy-id email@example.com
Replace the username and IP address with that of your device. Use the
option to specify a key file other than the default of the most recently
~/.ssh/id_*pub file. The
ssh-copy-id command will append the
public key to the user’s authorized keys file on the device. It will create
~/.ssh directory if it does not already exist and ensure the
permission on the files are correct.
Fedora 29 Administration Guide: Generating Key Pairs
List the network devices:
$ nmcli dev DEVICE TYPE STATE CONNECTION eth0 ethernet connected System eth0 lo loopback unmanaged --
Show details of a device:
$ nmcli dev show eth0 GENERAL.DEVICE: eth0 GENERAL.TYPE: ethernet GENERAL.HWADDR: B8:27:EB:B4:93:D8 GENERAL.MTU: 1500 ...Output Omitted...
List the connection configurations:
$ nmcli con NAME UUID TYPE DEVICE System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0 enp1s0 8a6006ff-a1b5-4048-be93-258087a1853f ethernet --
Only one connection per device can be UP but multiple connections can be defined.
Show connection information:
$ nmcli con show enp1s0 connection.id: enp1s0 connection.uuid: 8a6006ff-a1b5-4048-be93-258087a1853f connection.stable-id: -- connection.type: 802-3-ethernet ... Output Omitted ...
nmcli conn command has a variety of options including edit, modify,
up, down, add, and delete. Use the
nmcli conn help command to view the
The default configurations will try to obtain connection information from a DHCP service on your network. If no DHCP service is available on your network, you can add a static connection:
$ nmcli connection add con-name cable ipv4.addresses \ 192.168.0.10/24 ipv4.gateway 192.168.0.1 \ connection.autoconnect true ipv4.dns "184.108.40.206,220.127.116.11" \ type ethernet ifname eth0 ipv4.method manual
Connect a device to a wifi SSID, prompting for the password:
$ sudo nmcli –ask device wifi connect SSID-Name
For more wifi options look at:
$ nmcli device wifi help
Fedora Quick Docs: Configuring ip networking with nmcli
The root account is locked by default with no password set. The SSH daemon is configured to allow root access so if the image was created with an ssh key added, or if a password is set for the root account, then root can still access the system remotely.
Disable remote ssh access for root by editing the following line in the
Fedora 29 Administration Guide: OpenSSH
View the default firewall configuration:
$ sudo firewall-cmd --list-all
firewalld services are different than
systemd services. To see what
firewalld service includes use:
$ sudo firewall-cmd --info-service=mdns mdns ports: 5353/udp protocols: source-ports: modules: destination: ipv4:18.104.22.168 ipv6:ff02::fb
--add-port options to open ports in the
$ sudo firewall-cmd --add-port=8080/tcp --add-port=8081/tcp --permanent $ sudo firewall-cmd --reload
--permanent option saves the setting to files so that they will be
loaded the next time
firewalld is loaded. The
--reload option reloads
the configuration from the saved files. If you add a port or service
--permanent option, it will modify the runtime firewalld
settings but it will not save your changes to survive a reboot of the
Fedora Quick Docs: Using firewalld
Services are managed by
systemd and they can be started and enabled with
The Fedora IoT image boots to a multi-user target by default.
$ systemctl get-default multi-user.target
A small number of services are enabled:
$ systemctl list-unit-files --state enabled
Package installation does not usually start or enable a service:
$ systemctl status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabl> Active: inactive (dead) Docs: man:httpd.service(8)
--now option allows you to start a service on the enable command:
$ sudo systemctl enable httpd --now Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Fedora 29 Administration Guide: Services and Daemons
Log files are generally located in the
/var/log directory. System logs
can be viewed and searched with
Accurate time and date stamps help find the correct event when troubleshooting or auditing.
Sometimes it’s useful to be able to edit the kernel command line arguements, whether to add a serial console or some options for debugging.
View the current kernel command line:
$ sudo rpm-ostree kargs
Edit the kerenl command line arguements with the default editor (the default for editor is vim) to adjust such as adding a serial console:
$ sudo rpm-ostree kargs --editor
Reboot the system:
$ sudo systemctl reboot
The Fedora IoT image includes python3 and Ansible versions 2.5 and above
have support for Python 3 (python 3.5 and above only). To use Ansible to
configure your Fedora IoT device, set the ansible_python_interpreter
configuration option use the python3 binary
/usr/bin/python3. This is
done with an inventory variable as described in the
Python 3 Support documentation.
Users: user, authorized_key, htpasswd
Packages, services and ports: yum_repository, service, firewalld
Files and directories: file, copy, template, get_url, unarchive
Interact with HTTP and HTTPS web services: uri
System: timezone, reboot
There is no current activity on a request for an rpm-ostree module so for now, you will have to use the command module to run rpm-ostree commands. Use the creates argument to see if it needs to be run:
- name: install cockpit command: >- rpm-ostree install --idempotent --unchanged-exit-77 cockpit cockpit-podman cockpit-storaged cockpit-dashboard cockpit-ostree register: ostree failed_when: not ( ostree.rc == 77 or ostree.rc == 0 ) changed_when: ostree.rc != 77 - name: reboot if new stuff was installed reboot: reboot_timeout: 300 when: ostree.rc != 77 - name: start and enable cockpit service: name: cockpit.socket state: started enabled: true - name: allow cockpit through firewall firewalld: service: cockpit permanent: yes immediate: yes state: enabled