Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2001265

Summary: modify RHCOS user password or add new user failed
Product: OpenShift Container Platform
Reporter: kevin <welin>
Component: Machine Config Operator
Assignee: Yu Qi Zhang <jerzhang>
Machine Config Operator sub component: Machine Config Operator
QA Contact: Jian Zhang <jiazha>
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
CC: aos-bugs, dornelas, jligon, mkrejci, mrussell, nstielau, skumari, travier
Version: 4.7
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2021-09-21 18:50:42 UTC
Type: Bug

Description kevin 2021-09-05 02:01:57 UTC
OCP Version at Install Time:
OCP 4.7.11

RHCOS Version at Install Time:
RHCOS 4.7.7

OCP Version after Upgrade (if applicable):
OCP 4.7.22

RHCOS Version after Upgrade (if applicable):
hostnamectl
   Static hostname: cluster2-b5qf6-master-0
         Icon name: computer-vm
           Chassis: vm
        Machine ID: ae6b95c8e7a442ea9293d8a6d735a99c
           Boot ID: 39283a8c90e9424b916e75bc69c07eac
    Virtualization: vmware
  Operating System: Red Hat Enterprise Linux CoreOS 48.84.202107271439-0 (Ootpa)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:8::coreos
            Kernel: Linux 4.18.0-305.10.2.el8_4.x86_64
      Architecture: x86-64
Platform: vSphere
Architecture: x86_64


What are you trying to do? What is your use case?


I wanted to use a MachineConfig to modify the core user's password, but it failed.
I also wanted to create a user with a password and an SSH key, and that also failed.

What happened? What went wrong or what did you expect?

I want to modify the core user's password so that I can login into RHCOS in Console
I also want to add a new user for RHCOS with password

What are the steps to reproduce your issue? Please try to reduce these steps to something that can be reproduced with a single RHCOS node.

I created the MachineConfigs as follows:

Modify User Core Password

# The quoted 'EOF' delimiter stops the shell from expanding the $-prefixed parts of the hash
cat << 'EOF' | oc apply -f -
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-master-user-core-passwd
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: core
        password_hash: $1$h7NYO6BB$DRl3tQwkn67ERQsF5iolR/
        sshAuthorizedKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuOEwqATRgQqXieMfrx89+VWNa8BlaqstrHN1vzuejiZVKG+ms9hvmakDY6UFSntUFiR80pJ9TyZBEtFFZPPQ8GJkorxVan75yr8aeOy5FKISPc3lWOe4cfzNt86xpUzJ2ucpg/0klTcSrlJydJoe6brOosEHhKKS80g45K+tE9XBNWumJzSA3rlrmaSwZh5w2tWvh+e11tHh5r4lqxFaFUuAJ+EQl0bHx5quoSuw21vfM+HiNjuP50E6GCfquLu9cKM0yWPBvFweh9SJCdVY1IJBmZRn1DV0NAUYMEuNuNyUKGjAwdtO0Ag22qEIdBQYpQLe7Mcmu4C4wyhTlGLp7 root@support
  extensions: null
  fips: false
  kernelArguments: null
  kernelType: ""
  osImageURL: ""
EOF


Create a new User ocp-admin with Password

# The quoted 'EOF' delimiter stops the shell from expanding the $-prefixed parts of the hash
cat << 'EOF' | oc apply -f -
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-master-user-newuser-passwd
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: ocp-admin
        password_hash: $1$h7NYO6BB$DRl3tQwkn67ERQsF5iolR/
        sshAuthorizedKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuOEwqATRgQqXieMfrx89+VWNa8BlaqstrHN1vzuejiZVKG+ms9hvmakDY6UFSntUFiR80pJ9TyZBEtFFZPPQ8GJkorxVan75yr8aeOy5FKISPc3lWOe4cfzNt86xpUzJ2ucpg/0klTcSrlJydJoe6brOosEHhKKS80g45K+tE9XBNWumJzSA3rlrmaSwZh5w2tWvh+e11tHh5r4lqxFaFUuAJ+EQl0bHx5quoSuw21vfM+HiNjuP50E6GCfquLu9cKM0yWPBvFweh9SJCdVY1IJBmZRn1DV0NAUYMEuNuNyUKGjAwdtO0Ag22qEIdBQYpQLe7Mcmu4C4wyhTlGLp7 root@support
  extensions: null
  fips: false
  kernelArguments: null
  kernelType: ""
  osImageURL: ""
EOF

You can see that the master MCP has been degraded:

# oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-a70e73019b10154783b39fb76cb54ec3   False     True       True       1              0                   0                     1                      36h
worker   rendered-worker-ae103ff75e732aa6711a05de119cba6b   True      False      False      0              0                   0                     0                      36h

# oc get nodes
NAME                      STATUS   ROLES           AGE   VERSION
cluster2-b5qf6-master-0   Ready    master,worker   36h   v1.21.1+051ac4f

Comment 1 Timothée Ravier 2021-09-06 09:55:18 UTC
We would need a must-gather and MCO logs from the failing nodes.
You mention 4.7.22 as the last version, but your hostnamectl says it's a 4.8 RHCOS. Which one is correct?
This is also most probably for the MCO instead of RHCOS.

Comment 2 Yu Qi Zhang 2021-09-07 22:48:19 UTC
password_hash is not supported in any way on OCP4. The MCO failing here is expected behaviour.

You also cannot create new users. Only "core" user is supported, and the only supported operation here is modifications to the SSH keys.

Is there a reason you are trying unsupported operations?

Comment 3 kevin 2021-09-08 15:15:11 UTC
Is there any method that lets us use core or another user to log in to the RHCOS console for troubleshooting?

Comment 4 Sinny Kumari 2021-09-08 17:02:13 UTC
Is just adding ssh key not enough?
Currently, your MachineConfig failed because password_hash has been supplied as well (which is not supported by MC). Try applying the MachineConfig with only the SSH key.
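
The restrictions stated in Comments 2 and 4 can be checked before `oc apply` is run. The following is an added example, not MCO code and not part of the original thread: a small pre-flight check over a MachineConfig loaded as a dict. The function name, the sample configs, the name `99-master-ssh` and the placeholder key and hash values are assumptions constructed for illustration.

```python
# Added example (not MCO code): flag passwd entries that the thread says the MCO
# rejects. Rules come from Comments 2 and 4: only "core", only SSH key changes.

ALLOWED_USER = "core"
ALLOWED_FIELDS = {"name", "sshAuthorizedKeys"}


def check_machineconfig(mc):
    """Return a list of findings; an empty list means the passwd section stays
    within what the thread describes as supported."""
    findings = []
    mc_name = (mc.get("metadata") or {}).get("name", "<unnamed>")
    config = (mc.get("spec") or {}).get("config") or {}
    users = (config.get("passwd") or {}).get("users") or []
    for i, user in enumerate(users):
        uname = user.get("name", "")
        where = f"{mc_name}: passwd.users[{i}] ({uname or 'no name'})"
        if uname != ALLOWED_USER:
            findings.append(f"{where}: only the '{ALLOWED_USER}' user is supported")
        # Any extra field is reported, whether spelled password_hash or passwordHash.
        for field in sorted(set(user) - ALLOWED_FIELDS):
            findings.append(f"{where}: field '{field}' is not supported")
    return findings


def _mc(name, user):
    """Build a constructed MachineConfig shaped like the ones in the description."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {"name": name,
                     "labels": {"machineconfiguration.openshift.io/role": "master"}},
        "spec": {"config": {"ignition": {"version": "3.2.0"},
                            "passwd": {"users": [user]}}},
    }


KEY = "ssh-rsa <PUBLIC-KEY-PLACEHOLDER> user@example"   # constructed placeholder
HASH = "<PASSWORD-HASH-PLACEHOLDER>"                    # constructed placeholder
CORE_WITH_HASH = _mc("99-master-user-core-passwd",
                     {"name": "core", "password_hash": HASH, "sshAuthorizedKeys": [KEY]})
NEW_USER = _mc("99-master-user-newuser-passwd",
               {"name": "ocp-admin", "password_hash": HASH, "sshAuthorizedKeys": [KEY]})
SSH_ONLY = _mc("99-master-ssh", {"name": "core", "sshAuthorizedKeys": [KEY]})

if __name__ == "__main__":
    for mc in (CORE_WITH_HASH, NEW_USER, SSH_ONLY):
        for line in check_machineconfig(mc) or [f"{mc['metadata']['name']}: ok"]:
            print(line)
```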

Comment 5 Yu Qi Zhang 2021-09-08 21:33:23 UTC
Hi Kevin,

As we discussed on Slack, RHCOS images themselves can handle passwords, but you cannot do so if they are part of a cluster, since the MCO does not allow it.

If you would like to add a password in a test environment, I would recommend doing so via the injected ignition directly. Depending on your environment, you would have to do so differently, and only via UPI methods. Effectively, you would have to put your customizations in the stub ignition used to boot the nodes, which normally looks something like:

{
  "ignition": {
    "config": {
      "merge": [
        {
          "source": "https://api-int.$cluster.openshift.com:22623/config/worker"
        }
      ]
    },
    "security": {
      "tls": {
        "certificateAuthorities": [
          {
            "source": "data:text/plain;charset=utf-8;base64,xxxxxxx"
          }
        ]
      }
    },
    "version": "3.2.0"
  }
}

And you would add a "password" section to it.

This is not parsed as part of the machineconfigs and thus will not fail. I would recommend against doing this in general, though, and if your use case can be handled via ssh keys, I strongly recommend doing that instead. If the boot fails in the initramfs, it should drop you into emergency shell via console directly without the need of a password.

Comment 6 Yu Qi Zhang 2021-09-21 18:50:42 UTC
Closing this as Notabug