Adding users

    You can create user accounts on a Flatcar Container Linux machine manually with useradd or via a [Butane Config][butane-config] when the machine is created.

    Add Users via Butane Configs

    In your Butane Config, you can specify many different parameters for each user. Here’s an example:

    variant: flatcar
    version: 1.0.0
    passwd:
      users:
        - name: core
          ssh_authorized_keys:
            - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGdByTgSVHq......."
        - name: elroy
          password_hash: "$6$5s2u6/jR$un0AvWnqilcgaNB3Mkxd5yYv6mTlWfOoCYHZmfi3LDKVltj.E8XNKEcwWm..."
          ssh_authorized_keys:
            - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGdByTgSVHq......."
          groups: [ sudo, docker ]
    

    Because usermod does not work to add a user to a predefined system group, you can use systemd-userdb to define membership. Here’s the same example with userdb:

    variant: flatcar
    version: 1.0.0
    passwd:
      users:
        - name: elroy
          password_hash: "$6$5s2u6/jR$un0AvWnqilcgaNB3Mkxd5yYv6mTlWfOoCYHZmfi3LDKVltj.E8XNKEcwWm..."
          ssh_authorized_keys:
            - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGdByTgSVHq......."
    storage:
      files:
        - path: /etc/userdb/elroy:sudo.membership
          contents:
            inline: " "
        - path: /etc/userdb/elroy:docker.membership
          contents:
            inline: " "
    

    Add user manually

    If you’d like to add a user manually, SSH to the machine and use the useradd tool. To create the user user1, run:

    sudo useradd -p "*" -U -m user1 -G sudo
    

    The "*" creates a user that cannot log in with a password but can log in via SSH key. -U creates a group for the user, -G adds the user to the existing sudo group, and -m creates a home directory. If you’d like to add a password for the user, run:

    $ sudo passwd user1
    New password:
    Re-enter new password:
    passwd: password changed.
    

    To assign an SSH key, run:

    update-ssh-keys -u user1 -a user1 user1.pem
    

    Grant sudo Access

    If you trust the user, you can grant administrative privileges using visudo. visudo checks the file syntax before actually overwriting the sudoers file. This command should be run as root to avoid losing sudo access in the event of a failure. Instead of editing /etc/sudo.conf directly, you will create a new file under the /etc/sudoers.d/ directory. When you run visudo, you must specify the file you are editing with the -f argument:

    # visudo -f /etc/sudoers.d/user1
    

    Add the line:

    user1 ALL=(ALL) NOPASSWD: ALL
    

    Check that sudo has been granted:

    # su user1
    $ cat /etc/sudoers.d/user1
    cat: /etc/sudoers.d/user1: Permission denied
    
    $ sudo cat /etc/sudoers.d/user1
    user1 ALL=(ALL) NOPASSWD: ALL
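
A scripted equivalent of the interactive visudo step above, for provisioning without an editor. This is an added example, not part of the Flatcar documentation; the function names and the SUDOERS_DIR variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and SUDOERS_DIR are hypothetical.
# Usage, as root: grant_sudo user1
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# Accept only plain account names so nothing else can reach the sudoers rule.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sudo skips drop-ins whose file name contains '.' or ends in '~',
# so derive a file name that will actually be read.
dropin_name() {
    printf '%s' "$1" | tr '.~' '__'
}

# The rule used on this page: passwordless sudo for a single user.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Validate a candidate file, then install it root-owned with mode 0440.
grant_sudo() {
    user=$1
    valid_user "$user" || { echo "invalid user name: $user" >&2; return 2; }
    tmp=$(mktemp) || return 1
    sudoers_line "$user" > "$tmp"
    # visudo -c -f only checks syntax; on failure nothing is installed.
    if visudo -c -q -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$SUDOERS_DIR/$(dropin_name "$user")"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

A drop-in named after an account such as john.doe would be ignored by sudo without any error, which is why the file name is derived separately from the user name.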