Firstboot
Firstboot is a TUI that runs on the device's getty interfaces when a system has not yet been configured. It displays the current network configuration and allows the user to modify it. It also collects the user information used to create a local user and import ssh public keys.
Getting Started
Install pre-reqs:
% sudo apt-get update && sudo apt-get install qemu-system-x86 cloud-image-utils
Download the firstboot image and startup script
% wget http://people.canonical.com/~rharper/firstboot/firstboot.sh
% chmod +x ./firstboot.sh
% wget http://people.canonical.com/~rharper/firstboot/firstboot.raw.xz
% unxz firstboot.raw.xz
% ./firstboot.sh
This will launch the firstboot image under KVM using userspace networking. The main console will open in a new window; the serial console is available via a telnet session (telnet localhost 2447).
When firstboot displays the ssh URL, note that the demo uses qemu user networking, so we can't ssh directly to the VM. Instead, the guest's ssh port 22 is redirected to host port 2222; this is a limitation of the demo. When ssh'ing to the guest, use:
ssh -p 2222 @localhost
How it works
The firstboot program is launched after the getty service is available. It disables getty on any tty and spawns the firstboot program there instead. It will remain available until one of the firstboot instances successfully completes. After completion, firstboot disables itself and re-enables the getty services.
firstboot is based on subiquity, just pulling out a few of the panels and
reusing certain parts. The networking information is probed from the host
and allows user configuration. After completion of configuration, firstboot
uses the ip command to apply the new network config to the network devices
present. Long term, we'll supply network-config yaml to snappy or whatever
network configuration tool will be present and be responsible for bringing
networking up to the desired state.
For identity, we collect realname, username, password (and crypt it), and a
"ssh_import_id" URL. The ssh-import-id binary already supports both
launchpad (lp:) and github (gh:). In the demo, I added mock SSO support (sso:)
and this would trigger a call out to snappy login or whatever the right tool
is to initiate a connection to the SSO for authentication and retrieval of the
user's ssh keys.
After collecting the input, we run ip, useradd and ssh-import-id
and display the current config, including the ssh url. After "Finish" is selected,
we restore the normal getty prompt, from which the newly created user can log in.
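The identity fields above are typed at an unauthenticated console and end up as arguments to useradd and ssh-import-id, so they should be validated and passed as argv lists rather than through a shell. The following is an added example, not firstboot's own code; the function names, the username and account-name patterns, and the use of runuser are assumptions, and password handling is left out.

```python
import re

# Assumption: Debian/Ubuntu-style login names; the page does not state firstboot's own rule.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Only the prefixes the page says ssh-import-id supports: lp: (Launchpad) and gh: (GitHub).
# The character set for the account name is an assumption covering both services.
IMPORT_ID_RE = re.compile(r"(lp|gh):[A-Za-z0-9][A-Za-z0-9.+-]{0,38}")


def validate_identity(realname, username, ssh_import_id):
    """Return the names of the fields that fail validation (empty list = OK)."""
    bad = []
    # ':' and ',' are field separators in /etc/passwd and GECOS; control chars never belong.
    if not realname or any(c in ":," or ord(c) < 0x20 for c in realname):
        bad.append("realname")
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if not USERNAME_RE.fullmatch(username):
        bad.append("username")
    if not IMPORT_ID_RE.fullmatch(ssh_import_id):
        bad.append("ssh_import_id")
    return bad


def build_commands(realname, username, ssh_import_id):
    """Return argv lists for subprocess.run(argv); no shell is involved."""
    bad = validate_identity(realname, username, ssh_import_id)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(bad))
    return [
        ["useradd", "--create-home", "--shell", "/bin/bash",
         "--comment", realname, username],
        # Assumption: keys are imported as the new user via runuser, not as root.
        ["runuser", "-u", username, "--", "ssh-import-id", ssh_import_id],
    ]


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    for argv in build_commands("Ada Lovelace", "ada", "gh:ada-l"):
        print(argv)
    print(validate_identity("Ada", "ada; reboot", "-o /etc/shadow"))
```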