How to set password for user "core" in RHCOS after OpenShift 4 cluster deployment
Environment
- Red Hat OpenShift Container Platform (RHOCP)
  - 4
- Red Hat Enterprise Linux CoreOS (RHCOS)
Issue
- On bare-metal clusters, it is sometimes necessary to access a node remotely through an out-of-band terminal console (e.g. BMC/iDRAC/iLO) in order to troubleshoot networking issues or anything else that could be impacting the node and preventing access to the OS via a debug pod or directly via SSH. This access can be done using the `core` user with password authentication.
- How to access a node via the RHCOS console using the `core` user with password authentication.
Resolution
Starting with OpenShift 4.13, it is possible to set the `core` user password directly. Refer to "Changing the core user password for node access" for additional information.
Workaround for OpenShift 4.7 to 4.12
Starting with OpenShift 4.7, the following workaround can be used (although the method above is the recommended one):
- Create a base64-encoded string in the format `username:password`, with the username as `core` and the password hashed with SHA512 (`openssl passwd -6`) in order to avoid storing cleartext passwords. Replace `MYPASSWORD` in the command below with the password of your choice:

```
$ MYBASE64STRING=$(echo core:$(printf '%s' 'MYPASSWORD' | openssl passwd -6 --stdin) | base64 -w0)
```

- Using the template below as an example, create a `MachineConfig` object that accomplishes two tasks:

  a. Writes the base64-encoded string generated above to the desired nodes' filesystem as the file `/etc/core.passwd`;

  b. Sets up a new systemd unit on the desired nodes to run the `chpasswd` command during the boot process, using the file written above as input (the `-e` flag tells `chpasswd` to expect an encrypted/hashed password).

```
$ cat << EOF > 99-set-core-passwd.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-set-core-passwd
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,$MYBASE64STRING
        mode: 420  # decimal 420 = octal 0644
        overwrite: true
        path: /etc/core.passwd
    systemd:
      units:
      - name: set-core-passwd.service
        enabled: true
        contents: |
          [Unit]
          Description=Set 'core' user password for out-of-band login
          [Service]
          Type=oneshot
          ExecStart=/bin/sh -c 'chpasswd -e < /etc/core.passwd'
          [Install]
          WantedBy=multi-user.target
EOF
$ oc create -f 99-set-core-passwd.yaml
```
- As the `MachineConfig` is applied, the file containing the hashed password will be created and a new systemd unit will be configured to run the `chpasswd` command during the nodes' next boot, setting a password for the `core` user and thus allowing terminal login via the virtual console.

Note: SSH password-based login will still not be possible, because it is disabled by default in the RHCOS `sshd` configuration, which allows only key-based authentication. Also, these steps can be taken before the issue arises, as a safeguard.
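
A pre-flight check for the base64 string created in the first step, added here as an example and not part of the original solution: it confirms that the value decodes to a single `core:` line carrying a SHA-512 crypt hash, so a cleartext password or a different hash type is caught before the string is embedded in the `MachineConfig`. The function name and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): validate the base64 payload
# before it is embedded in the MachineConfig. Names and samples are hypothetical.

# Return 0 only if $1 decodes to exactly one "core:<SHA-512 crypt hash>" line,
# the input `chpasswd -e` expects here. The reason for a rejection goes to stderr.
check_core_passwd_b64() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
        echo "not valid base64" >&2; return 1; }
    [ -n "$decoded" ] || { echo "empty payload" >&2; return 1; }
    # chpasswd processes every line, so a second line would touch another account.
    if [ "$(printf '%s\n' "$decoded" | grep -c '')" -ne 1 ]; then
        echo "payload has more than one line" >&2; return 1
    fi
    # $6$ marks SHA-512 crypt: optional rounds=N$, salt (1-16 chars), 86-char digest.
    printf '%s\n' "$decoded" | grep -Eq \
        '^core:\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$' || {
        echo "not core:<sha512-crypt>: cleartext or wrong hash type?" >&2; return 1; }
}

# Constructed samples. FAKE_DIGEST is 86 zeros: correctly shaped, not a real hash.
FAKE_DIGEST=$(printf '%086d' 0)
b64() { base64 | tr -d '\n'; }   # same output as `base64 -w0`
GOOD=$(printf 'core:$6$%s$%s\n' constructedsalt1 "$FAKE_DIGEST" | b64)
CLEARTEXT=$(printf 'core:%s\n' MYPASSWORD | b64)
TWO_LINES=$(printf 'core:$6$%s$%s\nroot:$6$%s$%s\n' \
    constructedsalt1 "$FAKE_DIGEST" constructedsalt1 "$FAKE_DIGEST" | b64)

for sample in "$GOOD" "$CLEARTEXT" "$TWO_LINES"; do
    if check_core_passwd_b64 "$sample"; then echo "accepted"; else echo "rejected"; fi
done
```

In the procedure above, the function would be called as `check_core_passwd_b64 "$MYBASE64STRING"` before running `oc create`.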
Root Cause
The default `core` user does not come with a password configured, so one must be set in order to log in over the interfaces mentioned above for troubleshooting purposes.