SPDX-License-Identifier: Apache-2.0
Copyright (c) 2021 Intel Corporation
The non-root user on the Smart Edge Open Platform
Overview
Smart Edge Open provides a possibility to install all required files on a Kubernetes control plane and nodes with or without root user. From security perspective it is advised to use non-root user installation of the Smart Edge Open platform where all tasks are executed with non-root user’s permissions. Tasks that require root privileges use privilege escalation property “become”.
- name: Run a command as root
command: whoami
become: yes
NOTE: For more about privileges escalation in Ansible please refer to https://docs.ansible.com/ansible/latest/user_guide/become.html#
Steps on K8s nodes
Before Ansible installation is started a non-root user needs to be created on the machines defined in inventory.yml. To create a user openness execute command:
adduser "openness"
A password for the given user is required.
passwd "openness"
As some tasks require root privileges the non-root user needs to have a possibility to become a root. For the user openness the following command must be performed:
echo "openness ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/openness
Repository modification
To run Ansible as a non-root user a modification in inventory.yml is required. Setting a user in variable ansible_user to already created non-root user will cause an execution of all tasks as non-root user specified.
Example:
---
all:
vars:
cluster_name: minimal_cluster
flavor: minimal
single_node_deployment: false
limit:
controller_group:
hosts:
ctrl.openness.org:
ansible_host: 172.16.0.1
ansible_user: openness
edgenode_group:
hosts:
node01.openness.org:
ansible_host: 172.16.0.2
ansible_user: openness