A simple CoreOS config for beginners with password login
In contrast to other Linux-based systems, CoreOS has quite a steep learning curve before you get it installed properly - for example, you have to create the right ignition file for . This is a huge obstacle to overcome, especially for first-time users.
This post attempts to flatten that learning curve by providing a basic config that is suitable for most practical (and especially small-scale) use cases and provides a good starting point for custom configs.
Simple install
First, boot up the VM from the CoreOS Live CD. We assume that you have a DHCP network connected to eth0. You will see a shell immediately.
The VM will automatically acquire an IP address over DHCP.
You can use TechOverflow’s hosted ignition file for the installation. You need to use the correct disk instead of /dev/xvda depending on your hardware/hypervisor. If in doubt, use lsblk to find the correct disk name.
Now run the installation command:
sudo coreos-installer install /dev/xvda --copy-network --ignition-url https://techoverflow.net/coreos.ign
After the installation is finished, reboot using
reboot
Once the machine has rebooted, you can use the default login credentials:
Username: admin
Password: coreos
The hostname is CoreOS.
You absolutely need to change the password after the installation! If you create another user, remember that you still need to change the password of the admin user using
sudo passwd admin
Build your own config file
This is the Ignition YAML we used to create the correct config file. Use our online transpiler at https://fcct.techoverflow.net to compile the YAML to the JSON file. In order to create a new password hash, use TechOverflow’s docker-based mkpasswd approach.
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: admin
      groups:
        - "sudo"
        - "docker"
      password_hash: $y$j9T$n6h8P2ik8tfoNUFBBoly00$7bnrMF8oFrB25Fc3NqigqEH/MI5YXIJwtCG/iEsns.2
systemd:
  units:
    - name: docker.service
      enabled: true
    - name: containerd.service
      enabled: true
    - name: [email protected]
      dropins:
        - name: autologin-core.conf
          contents: |
            [Service]
            # Override Execstart in main unit
            ExecStart=
            # Add new Execstart with `-` prefix to ignore failure
            ExecStart=-/usr/sbin/agetty --autologin admin --noclear %I $TERM
            TTYVTDisallocate=no
storage:
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: |
          CoreOS
    - path: /etc/profile.d/systemd-pager.sh
      mode: 0644
      contents:
        inline: |
          # Tell systemd to not use a pager when printing information
          export SYSTEMD_PAGER=cat
    - path: /etc/sysctl.d/20-silence-audit.conf
      mode: 0644
      contents:
        inline: |
          # Raise console message logging level from DEBUG (7) to WARNING (4)
          # to hide audit messages from the interactive console
          kernel.printk=4
    - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
      mode: 0644
      contents:
        inline: |
          # Enable SSH password login
          PasswordAuthentication yes
which results in the following transpiled JSON:
{
  "ignition": {
    "version": "3.0.0"
  },
  "passwd": {
    "users": [
      {
        "groups": [
          "sudo",
          "docker"
        ],
        "name": "admin",
        "passwordHash": "$y$j9T$n6h8P2ik8tfoNUFBBoly00$7bnrMF8oFrB25Fc3NqigqEH/MI5YXIJwtCG/iEsns.2"
      }
    ]
  },
  "storage": {
    "files": [
      {
        "contents": {
          "source": "data:,CoreOS%0A"
        },
        "mode": 420,
        "path": "/etc/hostname"
      },
      {
        "contents": {
          "source": "data:,%23%20Tell%20systemd%20to%20not%20use%20a%20pager%20when%20printing%20information%0Aexport%20SYSTEMD_PAGER%3Dcat%0A"
        },
        "mode": 420,
        "path": "/etc/profile.d/systemd-pager.sh"
      },
      {
        "contents": {
          "source": "data:,%23%20Raise%20console%20message%20logging%20level%20from%20DEBUG%20(7)%20to%20WARNING%20(4)%0A%23%20to%20hide%20audit%20messages%20from%20the%20interactive%20console%0Akernel.printk%3D4%0A"
        },
        "mode": 420,
        "path": "/etc/sysctl.d/20-silence-audit.conf"
      },
      {
        "contents": {
          "source": "data:,%23%20Enable%20SSH%20password%20login%0APasswordAuthentication%20yes%0A"
        },
        "mode": 420,
        "path": "/etc/ssh/sshd_config.d/20-enable-passwords.conf"
      }
    ]
  },
  "systemd": {
    "units": [
      {
        "enabled": true,
        "name": "docker.service"
      },
      {
        "enabled": true,
        "name": "containerd.service"
      },
      {
        "dropins": [
          {
            "contents": "[Service]\n# Override Execstart in main unit\nExecStart=\n# Add new Execstart with `-` prefix to ignore failure\nExecStart=-/usr/sbin/agetty --autologin admin --noclear %I $TERM\nTTYVTDisallocate=no\n",
            "name": "autologin-core.conf"
          }
        ],
        "name": "[email protected]"
      }
    ]
  }
}
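The install command above hands coreos-installer an Ignition file fetched from a URL, so it helps to see which login-related settings such a file carries before using it. The following Python script is an added example, not part of the original post: it decodes the percent-encoded data:, file sources and reports password hashes, sshd password login and console autologin. The function names are made up for this example, and the sample input is constructed from the JSON above with the hash and the unit name replaced by placeholders.

```python
import json
import re
from urllib.parse import unquote

def decode_data_url(source):
    """Return the text of an Ignition 'data:,' source, or None for other schemes."""
    if not source.startswith("data:,"):
        return None  # remote or base64 sources are out of scope here
    return unquote(source[len("data:,"):])

def audit_ignition(config):
    """Return (location, finding) pairs for login-related settings."""
    findings = []
    for user in config.get("passwd", {}).get("users", []):
        if "passwordHash" in user:
            groups = ",".join(user.get("groups", [])) or "none"
            findings.append((f"user:{user['name']}", f"password set (groups: {groups})"))
    for f in config.get("storage", {}).get("files", []):
        text = decode_data_url(f.get("contents", {}).get("source", ""))
        for line in (text or "").splitlines():
            # sshd keywords are case-insensitive; comment lines do not match
            if re.match(r"\s*PasswordAuthentication\s+yes\b", line, re.I):
                findings.append((f["path"], "sshd accepts password logins"))
    for unit in config.get("systemd", {}).get("units", []):
        for dropin in unit.get("dropins", []):
            m = re.search(r"^ExecStart=.*--autologin\s+(\S+)", dropin.get("contents", ""), re.M)
            if m:
                findings.append((f"{unit['name']}/{dropin['name']}", f"console autologin as {m.group(1)}"))
    return findings

# Constructed sample trimmed from the transpiled JSON above; the hash and
# the unit name are placeholders.
SAMPLE = json.loads(r"""
{"passwd": {"users": [{"name": "admin", "groups": ["sudo", "docker"],
                        "passwordHash": "$y$PLACEHOLDER"}]},
 "storage": {"files": [
   {"path": "/etc/hostname", "contents": {"source": "data:,CoreOS%0A"}},
   {"path": "/etc/ssh/sshd_config.d/20-enable-passwords.conf",
    "contents": {"source": "data:,%23%20Enable%20SSH%20password%20login%0APasswordAuthentication%20yes%0A"}}]},
 "systemd": {"units": [{"name": "example-getty.service", "dropins": [
   {"name": "autologin-core.conf",
    "contents": "[Service]\nExecStart=\nExecStart=-/usr/sbin/agetty --autologin admin --noclear %I $TERM\n"}]}]}}
""")

if __name__ == "__main__":
    for where, what in audit_ignition(SAMPLE):
        print(f"{where}: {what}")
```

To check a real file, load it with json.load and pass the result to audit_ignition.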