Hi,
I already use groupadd command to create a new group.
sudo groupadd --extrausers test_g
but how to add a extra user to this group? thanks.
i fear you have to edit /var/lib/extrauser/group manually currently to add the user to that group…
Is adduser included in Core devices? If it is then we could try:
sudo adduser --extrausers $user $group
I haven’t tested whether this actually works though, so please be kind if I’m way off base :-p
not sure it works like this (last time i checked, adduser didnt support additional groups with the extrausers setting) … but yes if it would work, you could indeed use it on development images …
but that wont help with production, there is no way beyond manually via ssh login to call adduser, the only properly usable interface for adding a user to core is via snapd and its snap create-user command or via system-user assertions …
also note that core is by design not really created for multi-user setups.
I was just going to file a new thread about this issue, after speaking with @jamesh about it - I was wondering if this recent thread was a similar problem, but I think it’s not, and this is a “pure” tooling issue.
Here’s how it comes up for me in practice
- Deploy an Ubuntu core machine, interactively set up a user via my Ubuntu SSO account
- SSH in, install the LXD snap
- This creates the
lxdgroup inextragroupssuccessfully.
- This creates the
- How do I add my initial user to this group?
As far as I can tell there’s no way to do this beyond actually editing extragroups myself. Neither usermod nor adduser can do it. In Ubuntu (therefore core) we have some patches to useradd to support extra{users,groups}, but they 're incomplete; usermod does not support extragroup. (There is no call to gr_setdbname for usermod.) I guess that is simply work that needs to be done.
Now that’s for the interactive case. What about when deploying using cloud-init or using a model (required-snaps) & a system-user assertion as @ogra was getting at 1 year ago? Can someone else comment - is there a declarative way here to achieve this same thing? Create user, install lxd snap, add user to lxd group. Or is it direct file modification there too?
Unfortunately this is correct.
Well, tbh if you are deploying using cloud-init, sky’s the limit as to what you can do with cloud-init, so we’re not going to add support for specific cloud-init things. Presumably the language that cloud-init supports for configuring groups when used in practice simply just doesn’t work on Core, and if the patches you mention are expanded to make usermod, etc. work then probably it will work but cloud-init has always been a bit weird on an ubuntu core system anyways so fixing this specific scenario is pretty low on our priority list just as an FYI.
We have started design discussions about how to do this, probably adding users to groups will be done in the following ways (probably roughly in order):
- The patches you mention will probably be expanded by someone who is somewhat familiar with them
- Through the snapd REST API when creating a user (what console-conf drives and internally kinda what system-user assertions use) there will be options to specify what groups a user should be put in. We currently just have the “Sudoer” option which is a boolean to control whether the user gets put into the sudo group or not. This will be most useful to brand store customers right now who have snaps that use snapd-control.
- Then probably through the
snap create-usercommand there will be some kind of option too, since this is just driving the REST API mentioned above. - Then through the system-user assertion there will probably be a language to specify the groups that user should be put in as well, again this ends up driving the REST API internally.
- Then after support for snap create-user options, probably there will be support for configuring this through console-conf with that flow.
After that, we have not yet discussed at all how to add an existing user to a group, again probably that will be a “snap usermod” command or some such that maps back to a REST API, but this case is more complicated than the case of “create a user and put them in these groups”.
So the current patches mostly revolve around adding an option to switch the utility from dealing with databases in /etc to databases in /var/lib/extrausers. That works reasonably well for creating new users, or new groups to act as a primary for a new user.
Having the usermod command work on the extrausers group database would probably handle your case for adding an extrausers user to an extrausers group. That still leaves a bunch of other problems though:
- adding
/etc/passwdusers to an extrausers group. - refusing to add a user to extrausers whose name is taken by an
/etc/passwduser. - as above but for groups.
Ideally you want all the commands to act on the two sets of databases as one, rather than being able to switch between them.
I don’t really want to care about this implementation detail when
mainpulating users, that much is true. I would rather in the final
implementation that it’s all transparent as far as
extrausers/extragroups is concerned - that goes for all of the discussed
ways of managing users/groups.