There's a high probability we won't want to use the default root account, or even the default user account from our distribution (the ubuntu or centos users). There's an even higher probability we'll need a Unix account very early in the process, even before the proper configuration management tool enters the game.
Let's say our IT security policy wants us to have an emergency user account, in a group named infosec for the IT security team, with passwordless sudo rights and the simple /bin/sh shell. This account has one authorized public key automatically populated. The policy is also to remove the default ubuntu account.
To step through this recipe, you will need:
To create a group, we use a directive simply named groups, taking a list of groups. Any group can have a sublist of users to put in that group:

#cloud-config
groups:
  - infosec: [emergency]
To create a user, let's use a directive named users, taking a list of users. Each user in this list has a set of keys, such as the groups the user is a member of, sudo rights, which shell to default to, or an SSH public key to authorize. Here's how it looks for our user emergency:

users:
  - name: emergency
    groups: sudo
    shell: /bin/sh
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+fAfzjw5+mUZ7nGokB0tzO9fOLKrjHGVlabpRUxvsIN/dRRmiBA9NDh5YRZ/ThAhn+RvPKGTBrXmuv3qWd/iWc3nie0fc2zDX1/Dc8EAIF9ybXfSxT2DXOWWLOvNdUVOZNifmsmCQ1z0p9hg3bo65c0ZEBpXHIk+l75uFWAIYZ/4jnXyFWz1ptmQR7gnAk2KBK19sj1Ii0pNjGyVbl5bNitWb3ulaviIT3FCswZoOsYvcLpOwQrMA3k12kEAb30CYpesGcq6WDHAZSpWkFvc3Cd/AET4/SjtyYpQVEhUn84v106WbNeDyJpUX6cz2WG2UaEqZc0VqZVhI63jG7wUR emergency@host
Once logged in as emergency using the private key, let's verify cloud-init did the job:

$ whoami
emergency
$ groups emergency
emergency : emergency sudo
$ echo $SHELL
/bin/sh
$ sudo whoami
root

Note that groups lists emergency and sudo only, not infosec. cloud-init processes the groups directive before the users directive, so when it tries to add the members listed under infosec, the emergency user does not exist yet and that membership is skipped with a warning in the cloud-init log. To actually satisfy the policy, list infosec in the user's own groups key alongside sudo; the member list under the groups directive is only useful for users that already exist at that point.
However, if we wanted to keep the default user from our Linux distribution, we'd just have to add the default user to the users directive:

users:
  - default
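As an added example (not code from the book, not part of cloud-init), here is a small stdlib-only Python script that renders the cloud-config for the policy above with the infosec membership placed where cloud-init can honour it, and audits a booted host against the policy from the contents of /etc/passwd, /etc/group and the sudoers drop-in. Two things are assumptions: that cloud-init writes per-user sudo rules to /etc/sudoers.d/90-cloud-init-users, and the SSH key string, which is a placeholder standing in for the recipe's real public key. The sample file contents at the bottom are constructed to reproduce the state the recipe's verification output shows.

```python
"""Render the cloud-config for the emergency-account policy and audit a host
against it.  Added example, not from the book or from cloud-init; stdlib only.
Assumptions: cloud-init writes per-user sudo rules to
/etc/sudoers.d/90-cloud-init-users, and the SSH key below is a placeholder."""

POLICY = {
    "user": "emergency",
    "group": "infosec",
    "shell": "/bin/sh",
    "sudo_rule": "ALL=(ALL) NOPASSWD:ALL",
    "removed_users": ["ubuntu"],
    "ssh_key": "ssh-rsa AAAAB3NzaC1yc2E...placeholder... emergency@host",  # placeholder
}


def render_cloud_config(policy=POLICY):
    """Return the #cloud-config text implementing the policy.

    The user appears both in the group's member list and in the user's own
    groups key: cloud-init creates groups before users, so a member list
    naming a user that does not exist yet is skipped (which is why the
    recipe's `groups emergency` output shows only `emergency sudo`)."""
    lines = [
        "#cloud-config",
        "groups:",
        f"  - {policy['group']}: [{policy['user']}]",
        "users:",
        # no "- default" entry: the distro's default account is not created
        f"  - name: {policy['user']}",
        f"    groups: [sudo, {policy['group']}]",
        f"    shell: {policy['shell']}",
        f"    sudo: ['{policy['sudo_rule']}']",
        "    ssh-authorized-keys:",
        f"      - {policy['ssh_key']}",
    ]
    return "\n".join(lines) + "\n"


def _records(text):
    """Split colon-separated passwd/group lines, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit(passwd_text, group_text, sudoers_text, policy=POLICY):
    """Return a list of policy violations (an empty list means compliant)."""
    problems = []
    users = {f[0]: f for f in _records(passwd_text)}
    user = users.get(policy["user"])
    if user is None:
        return [f"user {policy['user']} does not exist"]
    if user[6] != policy["shell"]:
        problems.append(f"shell is {user[6]}, policy wants {policy['shell']}")
    for name in policy["removed_users"]:
        if name in users:
            problems.append(f"default account {name} still exists")

    # membership counts via the primary gid or the supplementary member list
    groups = {f[0]: (f[2], [m for m in f[3].split(",") if m])
              for f in _records(group_text)}
    group = groups.get(policy["group"])
    if group is None:
        problems.append(f"group {policy['group']} does not exist")
    elif group[0] != user[3] and policy["user"] not in group[1]:
        problems.append(f"{policy['user']} is not a member of {policy['group']}")

    # the drop-in must carry the policy's rule for the user, and no other rule for them
    wanted = f"{policy['user']} {policy['sudo_rule']}"
    rules = [line.strip() for line in sudoers_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    if wanted not in rules:
        problems.append("passwordless sudo rule for the user is missing")
    for rule in rules:
        if rule.startswith(policy["user"] + " ") and rule != wanted:
            problems.append(f"unexpected sudo rule: {rule}")
    return problems


# Constructed sample files reproducing the state the recipe's output shows:
# emergency exists with /bin/sh and is in sudo, but infosec has no members.
PASSWD_AS_BOOTED = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "emergency:x:1000:1000::/home/emergency:/bin/sh\n"
)
GROUP_AS_BOOTED = (
    "root:x:0:\n"
    "sudo:x:27:emergency\n"
    "emergency:x:1000:\n"
    "infosec:x:1001:\n"
)
GROUP_FIXED = GROUP_AS_BOOTED.replace("infosec:x:1001:", "infosec:x:1001:emergency")
SUDOERS_DROPIN = "# User rules for emergency\nemergency ALL=(ALL) NOPASSWD:ALL\n"

if __name__ == "__main__":
    print(render_cloud_config())
    print("as booted:", audit(PASSWD_AS_BOOTED, GROUP_AS_BOOTED, SUDOERS_DROPIN))
    print("fixed:    ", audit(PASSWD_AS_BOOTED, GROUP_FIXED, SUDOERS_DROPIN))
```

Run on a real instance by feeding audit() the contents of /etc/passwd, /etc/group and the sudoers drop-in; the "as booted" call above reports the missing infosec membership that the recipe's `groups emergency` output reveals, and the "fixed" call returns an empty list.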