In the previous post we had a quick look at the user-data configuration file for cloud-init. In this post, we’ll have a more extensive look at some of the other options for configuring users in this file.
We’ve seen how cloud-init is told to set the initial user password, but there are a few more possibilities there we haven’t seen yet. Have a look at the following example:

```yaml
chpasswd:
  expire: false
  list:
    - ubuntu:ubuntu
    - root:$1$1dE3dcLz$8iWGkDxx9SCWdQfkPXbCE/
    - pi:RANDOM
```
Here, as last time, “expire” is false so you won’t be prompted to change the password on first login. We’ve also specified a password for a pre-existing user (root, not that this is necessarily encouraged on a system with “sudo”). Finally, the special value “RANDOM” tells cloud-init to generate a completely random password for the “pi” user. This will be output on the console, and in the /var/log/cloud-init-output.log file.
You may want to erase (or at least restrict access to) the cloud-init-output.log file if you choose to use RANDOM passwords.
It is also worth noting (as the cloud-init docs do) that providing hashes of passwords is not necessarily secure. You may want to try running the hash above through something like John the Ripper to convince yourself of this!
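To make the three cases above concrete, here is a small triage of chpasswd entries. It is an added example, not code from the original post or from cloud-init; the scheme table and the wording of the findings are this example's own heuristics, and the `classify` and `audit` names are hypothetical.

```python
# Added example: triage cloud-init chpasswd entries ("user:secret") by how the
# secret is exposed. The scheme table below is this example's own heuristic.

HASH_NOTE = "hash can be attacked offline by anyone who can read user-data"

# crypt(3) scheme id -> (scheme name, finding)
CRYPT_SCHEMES = {
    "1": ("md5crypt", "obsolete scheme, cheap to brute-force offline"),
    "5": ("sha256crypt", HASH_NOTE),
    "6": ("sha512crypt", HASH_NOTE),
    "2a": ("bcrypt", HASH_NOTE),
    "2b": ("bcrypt", HASH_NOTE),
    "2y": ("bcrypt", HASH_NOTE),
    "y": ("yescrypt", HASH_NOTE),
}


def classify(entry):
    """Return (user, kind, finding) for one 'user:secret' chpasswd entry."""
    user, sep, secret = entry.partition(":")
    if not (sep and user and secret):
        raise ValueError(f"not a user:password entry: {entry!r}")
    if secret == "RANDOM":
        return (user, "random",
                "generated password is written to the console and "
                "/var/log/cloud-init-output.log")
    # crypt(3) strings look like $id$salt$hash (some carry an extra field).
    fields = secret.split("$")
    if len(fields) >= 4 and fields[0] == "" and fields[1] in CRYPT_SCHEMES:
        return (user,) + CRYPT_SCHEMES[fields[1]]
    return (user, "plaintext", "password stored in clear text in user-data")


def audit(entries):
    """Classify every entry of a chpasswd list."""
    return [classify(e) for e in entries]


# The entries from the chpasswd list shown in this post.
SAMPLE = [
    "ubuntu:ubuntu",
    "root:$1$1dE3dcLz$8iWGkDxx9SCWdQfkPXbCE/",
    "pi:RANDOM",
]

if __name__ == "__main__":
    for user, kind, finding in audit(SAMPLE):
        print(f"{user:8} {kind:12} {finding}")
```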
We’ve already seen how cloud-init creates a default “ubuntu” user, and for many purposes that’s enough. But what if you want to create other users besides this one, and import a different set of SSH keys for each user? Here’s another example user-data:

```yaml
groups:
  - robot: [robot]
  - robotics: [robot]
  - pi

users:
  - default
  - name: robot
    gecos: Mr. Robot
    primary_group: robot
    groups: [users]
    ssh_import_id: gh:example
    passwd: $5$hkui88$nvZgIle31cNpryjRfO9uArF7DYiBcWEnjqq7L1AQNN3
```
The “groups” value lists the groups to create, and optionally the members they should have. Here we set up three groups named “robot”, “robotics”, and “pi”. The “robot” and “robotics” groups will each have a single member, the “robot” user, while the “pi” group will start off with no members.
The “users” value lists all the users to create, along with their details. Here we create two users. The first is the default “ubuntu” user, which is simply represented by the “default” entry at the top. You can remove this if you don’t want the default user.
Then there’s the aforementioned “robot” user. Various fields give this user an initial password (in the form of a hash under “passwd”), tell the ssh-import-id utility to import SSH keys from the “example” user on GitHub, and additionally place the user in the “users” group.
There’s an absolute pile of options that can be specified for users; have a look at the Users and Groups section of the cloud-init docs for more information.
Next, we’ll take a break from user-data to look at the other important configuration file for cloud-init: network-config.