Configure default user for the seed device and test cloud-init config (#273)

Author: ferrarimarco

.editorconfig

@@ -20,7 +20,7 @@ trim_trailing_whitespace = true
 spaces_around_operators = true
 spaces_around_brackets = false
 
-[*.{hcl.tpl,lock.hcl,sh,tf,tfvars,yml,yaml}]
+[*.{hcl.tpl,lock.hcl,sh,tf,tfvars,yml,yaml,yaml.jinja}]
 indent_size = 2
 
 [{Makefile,**.mk,go.mod,go.sum,*.go,.gitmodules}]

.github/dependabot.yaml

@@ -7,7 +7,19 @@ updates:
     schedule:
       interval: "daily"
   - package-ecosystem: "docker"
-    directory: "/provisioning/os-images/docker"
+    directory: "/docker/os-image-builder"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/docker/cloud-init"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/docker/template-renderer"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "pip"
+    directory: "/docker/template-renderer"
     schedule:
       interval: "daily"
 ...

.github/workflows/build-os-images.yaml

@@ -8,10 +8,12 @@ on:
   push:
     paths:
       - ".github/workflows/build-os-images.yaml"
+      - "docker/os-image-builder/**"
       - "provisioning/os-images/**"
   pull_request:
     paths:
       - ".github/workflows/build-os-images.yaml"
+      - "docker/os-image-builder/**"
       - "provisioning/os-images/**"
 
 jobs:
@@ -50,7 +52,7 @@ jobs:
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          context: provisioning/os-images/docker
+          context: docker/os-image-builder
           load: true
           push: false
           tags: "${{ env.OS_BUILDER_CONTAINER_IMAGE_ID }}"
@@ -99,7 +101,7 @@ jobs:
     strategy:
       matrix:
         build-configuration-file-path:
-          - "${GITHUB_WORKSPACE}/provisioning/os-images/config/builds/seed-device/ubuntu-20.04-cidata-iso-seed-device.conf"
+          - "${GITHUB_WORKSPACE}/config/seed-device/os-images/ubuntu-20.04-cidata-iso-seed-device.conf"
   update-release-draft:
     if: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}
     outputs:

.yaml-lint.yml

@@ -11,6 +11,7 @@ rules:
     # See https://yamllint.readthedocs.io/en/stable/rules.html#module-yamllint.rules.comments
     ignore: |
       **/cloud-init/**/user-data.yaml
+      **/cloud-init/**/user-data-autoinstall.yaml
   comments-indentation:
     level: error
   document-end:

provisioning/os-images/config/builds/seed-device/cloud-init/meta-data.yaml renamed to config/seed-device/os-images/cloud-init/meta-data.yaml

@@ -1,6 +1,8 @@
 #cloud-config
+# This file is autogenerated from a template. Don't apply changes manually.
 ---
 autoinstall:
+  version: 1
 
   keyboard:
     layout: us
@@ -23,20 +25,27 @@ autoinstall:
             - edge.lab.ferrari.how
         optional: true
 
-  ssh:
-    allow-pw: false
-    install-server: true
-
   storage:
     layout:
       name: lvm
 
   user-data:
+
+    # Set the password to a known value, and expire it right after the first login,
+    # so that the user is forced to change it.
+    chpasswd:
+      expire: true
+      list:
+        - "marco:marco"
+
+    groups:
+      - microk8s
+
     hostname: home-lab-1
 
-    locale: "en_US.UTF-8"
+    locale: en_US.UTF-8
 
-    # update the contents of /etc/hosts based on the hostname/fqdn specified
+    # Update the contents of /etc/hosts based on the hostname/fqdn specified
     manage_etc_hosts: true
 
     # Set up the NTP client with default configuration and client
@@ -67,16 +76,26 @@ autoinstall:
 
     snap:
       commands:
-        "001": "snap install microk8s --classic --channel=1.23/stable"
+        "1": "snap install microk8s --classic --channel=1.23/stable"
 
-    # Disable password authentication with the SSH daemon
-    # for the default user
-    ssh_pwauth: false
+    # Enable SSH password authentication. We use for the first authentication,
+    # then we switch to key-based authentication later in the setup process.
+    ssh_pwauth: true
 
     # Remove default host keys if any
     ssh_deletekeys: true
 
-    timezone: "Etc/UTC"
-
-  version: 1
+    timezone: Etc/UTC
+
+    # Create users and don't preserve the default user,
+    # so that we've full control on which accounts we expect to be there.
+    users:
+      - name: marco
+        gecos: Marco
+        groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, microk8s, netdev, plugdev, sudo, video]
+        # Don't lock the user to allow the first login with a password,
+        # so that we initialize key-based authentication later.
+        lock_passwd: false
+        shell: /usr/bin/bash
+        sudo: ["ALL=(ALL) NOPASSWD:ALL"]
 ...

provisioning/os-images/config/builds/seed-device/cloud-init/user-data.yaml renamed to config/seed-device/os-images/cloud-init/user-data-autoinstall.yaml

@@ -0,0 +1,72 @@
+#cloud-config
+# This file is autogenerated from a template. Don't apply changes manually.
+---
+
+# Set the password to a known value, and expire it right after the first login,
+# so that the user is forced to change it.
+chpasswd:
+  expire: true
+  list:
+    - "marco:marco"
+
+groups:
+  - microk8s
+
+hostname: home-lab-1
+
+locale: en_US.UTF-8
+
+# Update the contents of /etc/hosts based on the hostname/fqdn specified
+manage_etc_hosts: true
+
+# Set up the NTP client with default configuration and client
+ntp:
+  enabled: true
+  ntp_client: auto
+
+packages:
+  - openssh-server
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+
+random_seed:
+  file: /dev/urandom
+  command: ["pollinate", "-r", "-s", "https://entropy.ubuntu.com"]
+  command_required: true
+
+resize_rootfs: true
+
+# We don't use a script because Ubuntu autoinstall doesn't support generating
+# a user-data file that includes scripts that are not in autoinstall.user-data
+runcmd:
+  - /snap/bin/microk8s status --wait-ready
+  - /snap/bin/microk8s enable dashboard dns gpu ingress storage
+  - /snap/bin/microk8s status --wait-ready
+
+snap:
+  commands:
+    "1": "snap install microk8s --classic --channel=1.23/stable"
+
+# Enable SSH password authentication. We use for the first authentication,
+# then we switch to key-based authentication later in the setup process.
+ssh_pwauth: true
+
+# Remove default host keys if any
+ssh_deletekeys: true
+
+timezone: Etc/UTC
+
+# Create users and don't preserve the default user,
+# so that we've full control on which accounts we expect to be there.
+users:
+  - name: marco
+    gecos: Marco
+    groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, microk8s, netdev, plugdev, sudo, video]
+    # Don't lock the user to allow the first login with a password,
+    # so that we initialize key-based authentication later.
+    lock_passwd: false
+    shell: /usr/bin/bash
+    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+...

config/seed-device/os-images/cloud-init/user-data.yaml

@@ -3,3 +3,5 @@ OS_IMAGE_FILE_TAG="seed-device"
 
 OS_IMAGE_URL="https://releases.ubuntu.com/focal/ubuntu-20.04.3-live-server-amd64.iso"
 OS_IMAGE_CHECKSUM_FILE_URL="https://releases.ubuntu.com/focal/SHA256SUMS"
+
+UBUNTU_AUTOINSTALL="true"

provisioning/os-images/config/builds/seed-device/ubuntu-20.04-cidata-iso-seed-device.conf renamed to config/seed-device/os-images/ubuntu-20.04-cidata-iso-seed-device.conf

@@ -0,0 +1,53 @@
+FROM ubuntu:20.04
+
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
+
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \
+    && apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    TERM=linux \
+    TZ=Etc/UTC \
+    apt-get \
+    --no-install-recommends --yes install \
+    ca-certificates \
+    cloud-init \
+    dbus \
+    fuse \
+    kmod \
+    locales \
+    lsb-release \
+    ntp \
+    openssh-client \
+    openssh-server \
+    pollinate \
+    snap-confine \
+    snapd \
+    squashfuse \
+    sudo \
+    systemd \
+    udev \
+    && rm -rf /var/lib/apt/lists/* \
+    && ln -s "$(command -v systemd)" /sbin/init \
+    && dpkg-divert --local --rename --add /sbin/udevadm \
+    && ln -s /bin/true /sbin/udevadm \
+    && systemctl enable snapd
+
+# Don't clean up apt cache
+RUN rm /etc/apt/apt.conf.d/docker-clean
+
+# tell systemd that it is in docker
+# https://www.freedesktop.org/software/systemd/man/systemd-detect-virt.html
+ENV container docker
+# systemd exits on SIGRTMIN+3, not SIGTERM
+# https://www.freedesktop.org/software/systemd/man/systemd.html#SIGRTMIN+3
+STOPSIGNAL SIGRTMIN+3
+ENTRYPOINT [ "/sbin/init" ]
+
+# Set the root user password to a known value that we can use to login as needed
+RUN echo 'root:root' | chpasswd
+
+COPY etc/ /etc/
+
+# Cloud-init supplemental configuration file are written in YAML, but require a
+# .cfg extension. Rename them after copying in the image.
+RUN for f in /etc/cloud/cloud.cfg.d/*.cfg.yaml; do mv -- "${f}" "${f%.yaml}"; done

docker/cloud-init/Dockerfile

@@ -0,0 +1,16 @@
+---
+# Only allow the NoCloud datasource
+datasource_list: [NoCloud, None]
+
+# Explicitly set the datasource path because we can't rely on filesystem labels
+datasource:
+  NoCloud:
+    seedfrom: "file:///etc/cloud/datasources/NoCloud/"
+
+# Don't disable the root account because we use that account to login to the system
+disable_root: false
+
+# Don't configure the network. Docker takes care of this
+network:
+  config: disabled
+...