| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * post_installation_configuration/machine-configuration-tasks.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="core-user-password_{context}"] |
| 7 | += Changing the core user password for node access |
| 8 | + |
| 9 | +By default, {op-system-first} creates a user named `core` on the nodes in your cluster. You can use the `core` user to access the node through a cloud provider serial console or a bare metal baseboard controller manager (BMC). This can be helpful, for example, if a node is down and you cannot access that node by using SSH or the `oc debug node` command. However, by default, there is no password for this user, so you cannot log in without creating one. |
| 10 | + |
| 11 | +You can create a password for the `core` user by using a machine config. The Machine Config Operator (MCO) assigns the password and injects the password into the `/etc/shadow` file, allowing you to log in with the `core` user. The MCO does not examine the password hash. As such, the MCO cannot report if there is a problem with the password. |
| 12 | + |
| 13 | +[NOTE] |
| 14 | +==== |
| 15 | +* The password works only through a cloud provider serial console or a BMC. It does not work with SSH. |
| 16 | +
|
| 17 | +* If you have a machine config that includes an `/etc/shadow` file or a systemd unit that sets a password, it takes precedence over the password hash. |
| 18 | +==== |
| 19 | + |
| 20 | +You can change the password, if needed, by editing the machine config you used to create the password. Also, you can remove the password by deleting the machine config. Deleting the machine config does not remove the user account. |
| 21 | + |
| 22 | +.Prerequisites |
| 23 | + |
| 24 | +* Create a hashed password by using a tool that is supported by your operating system. |
| 25 | +
|
| 26 | +.Procedure |
| 27 | + |
| 28 | +. Create a machine config file that contains the `core` username and the hashed password: |
| 29 | ++ |
| 30 | +[source,terminal] |
| 31 | +---- |
| 32 | +apiVersion: machineconfiguration.openshift.io/v1 |
| 33 | +kind: MachineConfig |
| 34 | +metadata: |
| 35 | + labels: |
| 36 | + machineconfiguration.openshift.io/role: worker |
| 37 | + name: set-core-user-password |
| 38 | +spec: |
| 39 | + config: |
| 40 | + ignition: |
| 41 | + version: 3.2.0 |
| 42 | + passwd: |
| 43 | + users: |
| 44 | + - name: core <1> |
| 45 | + passwordHash: $6$2sE/010goDuRSxxv$o18K52wor.wIwZp <2> |
| 46 | +---- |
| 47 | +<1> This must be `core`. |
| 48 | +<2> The hashed password to use with the `core` account. |
| 49 | + |
| 50 | +. Create the machine config by running the following command: |
| 51 | ++ |
| 52 | +[source,yaml] |
| 53 | +---- |
| 54 | +$ oc create -f <file-name>.yaml |
| 55 | +---- |
| 56 | ++ |
| 57 | +The nodes do not reboot and should become available in a few moments. You can use the `oc get mcp` to watch for the machine config pools to be updated, as shown in the following example: |
| 58 | ++ |
| 59 | +---- |
| 60 | +NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE |
| 61 | +master rendered-master-d686a3ffc8fdec47280afec446fce8dd True False False 3 3 3 0 64m |
| 62 | +worker rendered-worker-4605605a5b1f9de1d061e9d350f251e5 False True False 3 0 0 0 64m |
| 63 | +---- |
| 64 | + |
| 65 | +.Verification |
| 66 | + |
| 67 | +. After the nodes return to the `UPDATED=True` state, start a debug session for a node by running the following command: |
| 68 | ++ |
| 69 | +[source,terminal] |
| 70 | +---- |
| 71 | +$ oc debug node/<node_name> |
| 72 | +---- |
| 73 | + |
| 74 | +. Set `/host` as the root directory within the debug shell by running the following command: |
| 75 | ++ |
| 76 | +[source,terminal] |
| 77 | +---- |
| 78 | +sh-4.4# chroot /host |
| 79 | +---- |
| 80 | + |
| 81 | +. Check the contents of the `/etc/shadow` file: |
| 82 | ++ |
| 83 | +.Example output |
| 84 | +[source,terminal] |
| 85 | +---- |
| 86 | +... |
| 87 | +core:$6$2sE/010goDuRSxxv$o18K52wor.wIwZp:19418:0:99999:7::: |
| 88 | +... |
| 89 | +---- |
| 90 | ++ |
| 91 | +The hashed password is assigned to the `core` user. |
| 92 | + |
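Review bot: The source-block language tags in the Procedure are swapped: the MachineConfig YAML in step 1 is tagged `[source,terminal]` and the `$ oc create -f <file-name>.yaml` command in step 2 is tagged `[source,yaml]`, so exchange the two. In the same step, "You can use the `oc get mcp` to watch" is missing the word "command", and the output block that follows has no `.Example output` title or `[source,terminal]` attribute like the other output block in this module. Verification step 3 shows only example output; add the command that reads `/etc/shadow` so the step can be followed. In the first paragraph, "baseboard controller manager (BMC)" should read "baseboard management controller (BMC)". Because the text states that the MCO does not examine the password hash and cannot report a problem with it, the sample `passwordHash` value deserves care: it is much shorter than a full `$6$` (SHA-512 crypt) hash, so mark it as a placeholder or as truncated in callout <2> so that it is not pasted as is, and consider showing one example hashing command under Prerequisites.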