Set up Ubuntu Core after a firewall

Ubuntu Core disables the physical console by default, so we need to SSH to the device with an Ubuntu SSO account while setting up an Ubuntu Core device. However, my testing Ubuntu Core device is behind a firewall, and it looks like SSH doesn’t go through the firewall. Is there a configuration like https_proxy we can specify while building the Ubuntu Core image, so that the device setup can be done behind a firewall? Or, how do we set up an Ubuntu Core device behind a firewall? Thanks.

If you create a custom image using your own model definition, you can reuse the same kernel and gadget snaps as the standard model definition, so you won’t miss out on the standard updates by doing this. You can then create a system-user assertion signed with the same authority key as the model definition.

Once you’ve made and signed your assertions, you need to do:

  1. Build your custom image using the ubuntu-image snap.
  2. Write the disk image to your computer/device.
  3. Copy the signed system-user assertion to a USB thumb drive (or other removable storage device), calling the file auto-import.assert in the root directory of the drive.
  4. Plug the USB drive into the device, and boot it up. Once the system installs itself, it will load the assertion and create the user account with the requested password. At this point, you can unplug the USB drive.

You should now be able to log in as the user you created using the encrypted password from the assertion.

You can reuse the USB drive on multiple systems if you want the same user account. Alternatively, you can load different system-user assertions on different devices flashed with the same custom Ubuntu Core image if you want different user accounts.


Alternatively, if you can SSH in once after setup (i.e. do the setup procedure at your desk):

sudo passwd $USER

will allow you to set a password and should then automatically switch the physical console to a login prompt right afterwards.

@jamesh, thanks for coaching. Though I still fail to specify the encoded password in my system-user assertion, the auto-import.assert generated using the make-system-user snap works as you described. We should be able to provision our devices behind a firewall, thank you!

Though the use of the make-system-user snap is straightforward, would you also educate me on how to generate the encoded password to generate the auto-import.assert manually? Thanks.

Regards,
Tonny

Thank you @ogra! The problem for us is that our development and validation are all behind the company firewall. In our lab, testing devices don’t have direct Internet connections to log in to Ubuntu SSO. The system-user approach mentioned by @jamesh seems to be the only solution for now. Thanks for the comments, anyway!

Regards,
Tonny

I also need to know how to hash the password.

snapcraft login is broken and make-system-user is not working (asking for login each time and not running). I decided to go the manual route with signing my own assertions since I do this with my gadget and model assertions. It would work well into my existing build process if I could hash the password myself.

The nice thing about this stuff is some of this stuff is open source. Fortunately, make-system-user is, and it is on GitHub.

Here is a link to the code that hashes the password. You can implement this in your language of choice:

Oh, and if you want to just run a hash from Python from bash or something… Just do this:

In Python…

import crypt; print(crypt.crypt("yourTestPasswordHere", crypt.mksalt(crypt.METHOD_SHA512)))

Or right in bash:

python3 -c 'import crypt; print(crypt.crypt("yourTestPasswordHere", crypt.mksalt(crypt.METHOD_SHA512)))'

That won’t work from Windows because of the crypt library, but any Ubuntu Python container or dev environment will work.

Hope this helps.
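For environments where the crypt module is unavailable (Windows, and Python 3.13 or later, where it was removed), the same SHA-512 crypt encoding can be produced with hashlib alone. This is an added example, not code from the thread or from make-system-user; the function name sha512_crypt is an assumption, and it covers only the default 5000 rounds.

```python
import hashlib
import secrets

# crypt(3) alphabet; also the characters allowed in a salt.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 5000  # default round count, used when the salt has no "rounds=" prefix


def _repeat(block: bytes, length: int) -> bytes:
    """Repeat block until exactly `length` bytes are produced."""
    return (block * (length // len(block) + 1))[:length]


def _encode(digest: bytes) -> str:
    """crypt(3)'s base64 variant: permuted byte order, low 6 bits first."""
    out, (a, b, c) = [], (0, 21, 42)
    for _ in range(21):
        word = (digest[a] << 16) | (digest[b] << 8) | digest[c]
        out += [B64[(word >> shift) & 0x3F] for shift in (0, 6, 12, 18)]
        a, b, c = b + 1, c + 1, a + 1
    return "".join(out) + B64[digest[63] & 0x3F] + B64[digest[63] >> 6]


def sha512_crypt(password: str, salt: str = "") -> str:
    """Return "$6$<salt>$<hash>"; a random 16-character salt is drawn if none is given."""
    salt = salt or "".join(secrets.choice(B64) for _ in range(16))
    if len(salt) > 16 or any(ch not in B64 for ch in salt):
        raise ValueError("salt must be 1-16 characters from [./0-9A-Za-z]")
    key, s, h = password.encode("utf-8"), salt.encode("ascii"), hashlib.sha512
    alt = h(key + s + key).digest()
    ctx = h(key + s + _repeat(alt, len(key)))
    n = len(key)
    while n:  # one update per bit of the password length
        ctx.update(alt if n & 1 else key)
        n >>= 1
    a = ctx.digest()
    p = _repeat(h(key * len(key)).digest(), len(key))
    s_seq = h(s * (16 + a[0])).digest()[: len(s)]
    for i in range(ROUNDS):  # key stretching
        ctx = h(p if i & 1 else a)
        if i % 3:
            ctx.update(s_seq)
        if i % 7:
            ctx.update(p)
        ctx.update(a if i & 1 else p)
        a = ctx.digest()
    return f"$6${salt}${_encode(a)}"


if __name__ == "__main__":
    import getpass  # prompt, so the password stays out of shell history
    print(sha512_crypt(getpass.getpass("Password to encode: ")))
```

Run as a script, it prompts for the password instead of taking it on the command line, so the cleartext does not end up in shell history or the process list.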