🐛 validate that kairos user is present #2875

Closed
mauromorales opened this issue Sep 20, 2024 · 9 comments
Labels
bug Something isn't working waiting for reporter

Comments

@mauromorales
Member

We currently validate cloud-configs to create at least one user, but the validation should actually be to create the kairos user as a minimum, because without the kairos user it's not possible to use the system atm.

@mauromorales mauromorales added bug Something isn't working triage Add this label to issues that should be triaged and prioritized in the next planning call labels Sep 20, 2024
@anthonyra

I bet this is related to my issue I thought I was having with YIP.

mudler/yip#176

Is the recommended workaround to create two users as a minimum? The kairos and a custom one if desired?

@mauromorales
Member Author

@anthonyra indeed, atm if you plan to architect your node with additional N users, your config will have N+1 including the kairos user

@mudler mudler mentioned this issue Oct 1, 2024
42 tasks
@jimmykarily
Contributor

The kairos user will be created whether you create it or not, but won't have a password (nor authorized ssh keys) unless you specify that in your cloud config.
You don't have to worry about the kairos user then, just create the one you want.

@jimmykarily jimmykarily added waiting for reporter and removed triage Add this label to issues that should be triaged and prioritized in the next planning call labels Oct 3, 2024
@mauromorales
Member Author

@jimmykarily yeah I remember we talked about this. I'm not sure what's the most user friendly way to address this problem. For those new in Kairos land, they think that they can create their own user, e.g. mauro without the need of making it an admin and without adding a password to the kairos user. So they end up with a system with 2 users but not able to log in.

For those more advanced, I can see how they may want to have only the kairos user without a password and in such scenarios the validation could be problematic.

Some ideas:

  • do the validation and have an extra field for "kairos_user_without_password: true" or so
  • do the validation but only trigger a warning (but probably will be ignored because atm we only do warnings anyways)
  • add a kairos user page to the documentation

@jimmykarily
Contributor

I tend to believe it's only a matter of documentation. If they add a user without a password, how would they expect to log in? The only thing they need to know is that additional users don't become admins by default and they need to explicitly add them to the admin group in the cloud config. We tried to explain that here: kairos-io/kairos-docs@be9bc62 but maybe we need to add it to more places (?).

@Itxaka
Member

Itxaka commented Oct 3, 2024

Do we really need a kairos user? Why? Like we don't really need to, right? We do, but maybe we could have a config during install to either enable or disable that based on a sentinel file or something? To me it makes no sense, is there anything in the system that needs the kairos user for some reason? Just to not block users from ending up with a system that they can't log in?

Then we should drop the kairos user and have a validation to make sure users don't shoot themselves in the foot, i.e. a config that says enable_no_user and that would let you install without any users in the yip config files, otherwise we parse the files and fail if no users are created as part of the config.

  • By default no users shipped with system config files
  • Fail install if no users are set in the config files. A minimum of 1 user is required for install
  • Allow skipping that check for systems that we don't want to be logged in, i.e. fully automated (k8s cluster for example? all is done via the k8s apis, including upgrade, reset, etc.)

@jimmykarily
Contributor

jimmykarily commented Oct 3, 2024

What @Itxaka said ^. If we required a kairos user anywhere, then that needs fixing. Maybe that's too big of a change for a patch release though? Push it to the next minor?

@mauromorales
Member Author

nicely put @Itxaka. yup that should be the ideal case, and indeed it can be a minor version not a patch

@jimmykarily
Contributor

I created a new ticket for this: #2921
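
The install-time check discussed in this thread, sketched as an added example (it is not Kairos or yip code): fail when no users are configured unless the proposed `enable_no_user` opt-out is set, and warn when no user with a password or SSH key is in the admin group. The `User` type, `ValidateUsers`, and its `enableNoUser` parameter are hypothetical names, and the sample users are constructed.

```go
package main

import "fmt"

// User is a hypothetical, simplified view of one user entry collected from
// the cloud-config files; it is not a Kairos or yip type.
type User struct {
	Name, Password  string
	SSHKeys, Groups []string
}

func canLogin(u User) bool { return u.Password != "" || len(u.SSHKeys) > 0 }

func isAdmin(u User) bool {
	for _, g := range u.Groups {
		if g == "admin" {
			return true
		}
	}
	return false
}

// ValidateUsers fails when no users are set, unless enableNoUser (the opt-out
// proposed in the thread) is true, and warns when nobody can log in as admin.
func ValidateUsers(users []User, enableNoUser bool) (warnings []string, err error) {
	if enableNoUser {
		return nil, nil // operator explicitly skipped the check
	}
	if len(users) == 0 {
		return nil, fmt.Errorf("no users defined and enable_no_user is not set")
	}
	adminLogin := false
	for _, u := range users {
		if !canLogin(u) {
			warnings = append(warnings, fmt.Sprintf("user %q has no password or SSH key", u.Name))
		} else if isAdmin(u) {
			adminLogin = true
		}
	}
	if !adminLogin {
		warnings = append(warnings, "no user that can log in is in the admin group")
	}
	return warnings, nil
}

func main() {
	// Constructed input: a custom non-admin user plus a credential-less kairos user.
	users := []User{{Name: "mauro", Password: "constructed"}, {Name: "kairos", Groups: []string{"admin"}}}
	fmt.Println(ValidateUsers(users, false))
}
```

The constructed input in `main` is the case described earlier in the thread: two users exist, but the one with credentials is not an admin and the kairos user has no credentials, so both warnings are returned.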
