Administration Tasks
Additional tasks mimic any other Linux administration tasks and use available utilities included in the Fedora distribution. Some tasks are described below with specific links to other Fedora Documentation or upstream documentation.
General Resources:
User Management
The initial image includes a locked root account without a password, a ssh key is provisioned via the provisioning service using ignition.
$ id testuser uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),10(wheel) $ getent passwd testuser testuser:x:1000:1000::/home/testuser:/bin/bash
Package installation may add additional users to own files and processes on the system. For example the httpd package installation scripts will create a user apache if one does not already exist.
$ id apache uid=48(apache) gid=48(apache) groups=48(apache) $ getent passwd apache apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
This account is typically a system account with a UID below 1000, no password, and a shell of /sbin/nologin.
Accounts with a nologin shell cannot be used interactively.
These accounts also do not have a home directory created in /home
To manually create a system account for your application use the useradd command:
$ sudo useradd -r -s /sbin/nologin appuser $ getent passwd appuser appuser:x:992:981::/var/home/appuser:/sbin/nologin
Centralized users accounts (LDAP, Kerberos) can be configured with authconfig after the client packages, including sssd, have been installed.
The /etc/nsswitch.conf file is already configured to look for sss as well as files and altfiles for account information.
-
Fedora Administration Guide: Managing Users and Groups
User accounts which are members of the wheel group automatically have full privileges with the sudo command.
This is from the following lines in the sudo configuration file:
$ sudo grep wheel /etc/sudoers ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL # %wheel ALL=(ALL) NOPASSWD: ALL
Edits to this configuration file should be made with the visudo command so that syntax is checked on exit.
Instead of editing the main configuration file, grant other users the ability to issue specific commands as a different user by adding a configuration file to the /etc/sudoers.d/ directory.
-
Fedora Administration Guide: Gaining Privileges
Use ssh-keygen to generate an ssh key pair then add the public key to the user account on your Fedora IoT device:
$ ssh-copy-id testuser@10.11.12.13
Replace the username and IP address with that of your device.
Use the -i option to specify a key file other than the default of the most recently modified ~/.ssh/id_*pub file.
The ssh-copy-id command will append the public key to the user’s authorized keys file on the device. It will create the ~/.ssh directory if it does not already exist and ensure the permission on the files are correct.
-
Fedora Administration Guide: Generating Key Pairs
Group Management
Due to how rpm-ostree handles user + group entries, it may not be possible to use usermod -a -G to add a user to a group successfully.
Until rpm-ostree moves to using systemd sysusers, users will have to populate the /etc/group file from the /usr/lib/group file before they can add themselves to the group.
For example, if you wanted to add a user to the libvirt group:
$ grep -E '^libvirt:' /usr/lib/group | sudo tee -a /etc/group $ sudo usermod -aG libvirt $USER
| You will need to log off and log back in to apply these changes. |
This issue is tracked in rpm-ostree#29 and rpm-ostree#49.
(Text copied from the Fedora Silverblue documentation)
Network Configuration
List the network devices:
$ nmcli dev DEVICE TYPE STATE CONNECTION eth0 ethernet connected System eth0 lo loopback unmanaged --
Show details of a device:
$ nmcli dev show eth0 GENERAL.DEVICE: eth0 GENERAL.TYPE: ethernet GENERAL.HWADDR: B8:27:EB:B4:93:D8 GENERAL.MTU: 1500 ...Output Omitted...
List the connection configurations:
$ nmcli con NAME UUID TYPE DEVICE System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 ethernet eth0 enp1s0 8a6006ff-a1b5-4048-be93-258087a1853f ethernet --
Only one connection per device can be UP but multiple connections can be defined.
Show connection information:
$ nmcli con show enp1s0 connection.id: enp1s0 connection.uuid: 8a6006ff-a1b5-4048-be93-258087a1853f connection.stable-id: -- connection.type: 802-3-ethernet ... Output Omitted ...
The nmcli conn command has a variety of options including edit, modify, up, down, add, and delete.
Use the nmcli conn help command to view the syntax.
The default configurations will try to obtain connection information from a DHCP service on your network. If no DHCP service is available on your network, you can add a static connection:
$ nmcli connection add con-name cable ipv4.addresses \ 192.168.0.10/24 ipv4.gateway 192.168.0.1 \ connection.autoconnect true ipv4.dns "8.8.8.8,1.1.1.1" \ type ethernet ifname eth0 ipv4.method manual
Connect a device to a wifi SSID, prompting for the password:
$ sudo nmcli –ask device wifi connect SSID-Name
For more wifi options look at:
$ nmcli device wifi help
-
Fedora Quick Docs: Configuring ip networking with nmcli
Securing remote access
The root account is locked by default with no password set. The SSH daemon is configured with password authentication disabled for the root account and only allows access remotely if an ssh key has been added.
Disable remote ssh access for root by editing the following line in the /etc/ssh/sshd_config file:
PermitRootLogin no
To disable password authentication for all users, edit /etc/ssh/sshd_config file and add the following:
PasswordAuthentication no
-
For additional information, visit the Fedora Administration Guide: OpenSSH
View the default firewall configuration:
$ sudo firewall-cmd --list-all
The firewalld services are different than systemd services.
To see what configuration a firewalld service includes use:
$ sudo firewall-cmd --info-service=mdns mdns ports: 5353/udp protocols: source-ports: modules: destination: ipv4:224.0.0.251 ipv6:ff02::fb
Use the --add-service or --add-port options to open ports in the firewall:
$ sudo firewall-cmd --add-port=8080/tcp --add-port=8081/tcp --permanent $ sudo firewall-cmd --reload
The --permanent option saves the setting to files so that they will be loaded the next time firewalld is loaded.
The --reload option reloads the configuration from the saved files.
If you add a port or service without the --permanent option, it will modify the runtime firewalld settings but it will not save your changes to survive a reboot of the system.
-
Fedora Quick Docs: Using firewalld
Service Management
Services are managed by systemd and they can be started and enabled with systemctl.
The Fedora IoT image boots to a multi-user target by default.
$ systemctl get-default multi-user.target
A small number of services are enabled:
$ systemctl list-unit-files --state enabled
Package installation does not usually start or enable a service:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabl>
Active: inactive (dead)
Docs: man:httpd.service(8)
The --now option allows you to start a service on the enable command:
$ sudo systemctl enable httpd --now Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
-
Fedora Administration Guide: Services and Daemons
Viewing Logs
Log files are generally located in the /var/log directory.
System logs can be viewed and searched with journalctl.
-
Fedora Administration Guide: Viewing and Managing Log Files
-
Fedora Quick Docs: Viewing logs in Fedora
Accurate time and date stamps help find the correct event when troubleshooting or auditing.
-
Fedora Administration Guide: Configuring the Date and Time
-
Fedora Administration Guide: Configuring NTP Using the chrony Suite
Editing Kernel Command Line Arguments
Sometimes it’s useful to be able to edit the kernel command line arguments, whether to add a serial console or some options for debugging.
View the current kernel command line:
$ sudo rpm-ostree kargs
Edit the kernel command line arguments with the default editor (the default for editor is vim) to adjust such as adding a serial console:
$ sudo rpm-ostree kargs --editor
Reboot the system:
$ sudo systemctl reboot
Remote Administration with Ansible
The Fedora IoT image includes python3 and Ansible versions 2.5 and above have support for Python 3 (python 3.5 and above only).
To use Ansible to configure your Fedora IoT device, set the ansible_python_interpreter configuration option use the python3 binary /usr/bin/python3.
This is done with an inventory variable as described in the
Ansible Python 3 Support documentation.
The Ansible User Guide covers how to work with Ansible. Some useful modules include:
-
Networks: nmcli
-
Users: user, authorized_key, htpasswd
-
Packages, services and ports: yum_repository, service, firewalld
-
Files and directories: file, copy, template, get_url, unarchive
-
Interact with HTTP and HTTPS web services: uri
-
System: timezone, reboot
There is a community supported module for rpm-ostree, community.general.rpm_ostree_pkg, which can be used to add and remove overlays. You must install the community.general collection to use this module.
$ ansible-galaxy collection install community.general
Then the module can be used like so:
- name: install cockpit
community.general.rpm_ostree_pkg:
name:
- cockpit
- cockpit-podman
- cockpit-storaged
- cockpit-ostree
state: present
register: result
- name: reboot if new stuff was installed
reboot:
reboot_timeout: 300
when: result.changed
- name: start and enable cockpit
service:
name: cockpit.socket
state: started
enabled: true
- name: allow cockpit through firewall
firewalld:
service: cockpit
permanent: yes
immediate: yes
state: enabled
Want to help? Learn how to contribute to Fedora Docs ›