User Management
Create and configure system users as part of your build.
User Configuration
Basic User
{
  "username": "deploy",
  "shell": "/bin/bash"
}
User with Groups
{
  "username": "admin",
  "shell": "/bin/bash",
  "groups": ["sudo", "docker", "adm"]
}
Full Configuration
{
  "username": "operator",
  "shell": "/bin/bash",
  "groups": ["sudo", "docker"],
  "home": "/home/operator",
  "comment": "System operator account",
  "vyattaLevel": "admin"
}
Configuration Options
| Option | Type | Required | Description |
|---|---|---|---|
| username | string | Yes | Login username |
| shell | string | No | Login shell (default: /bin/bash) |
| groups | array | No | Additional group memberships |
| home | string | No | Home directory path |
| comment | string | No | User description (GECOS) |
| vyattaLevel | string | No | Vyatta access level (Elster OS only) |
Common Groups
| Group | Purpose |
|---|---|
| sudo | Administrative privileges |
| docker | Docker access without sudo |
| adm | System log access |
| wheel | Alternative admin group (Fedora) |
| libvirt | VM management access |
| kvm | KVM virtualization access |
Vyatta Levels (Elster OS)
Elster OS uses Vyatta configuration levels:
| Level | Access |
|---|---|
| admin | Full configuration access |
| operator | Operational commands only |
| user | Limited read-only access |
Example:
{
  "username": "netadmin",
  "groups": ["vyattacfg"],
  "vyattaLevel": "admin"
}
Natural Language Examples
Single User
Create a user called "deploy" with sudo and docker access
Multiple Users
Create these users:
- admin: sudo access, bash shell
- deploy: docker group only
- monitor: read-only, no shell (/usr/sbin/nologin)
Service Account
Create a system user "appservice" for running the application
with no login shell and home directory at /opt/app
Password Management
For security, OpenFactory does not set passwords in the build. Instead:
SSH Key Authentication
Create user "admin" with SSH key authentication only
Keys can be:
- Added during first boot
- Managed via cloud-init
- Configured via startup script
First-Boot Password
User should set password on first login
This creates the user with an expired password, forcing a change.
Default Users
Some base images include default users:
| Base Image | Default User | Purpose |
|---|---|---|
| Elster OS | vyos | Vyatta configuration |
| Ubuntu | ubuntu | Cloud-init default |
You can modify or remove these default users in your configuration.
User Verification
OpenFactory tests user configuration:
{
  "type": "user_exists",
  "params": {
    "username": "deploy",
    "groups": ["docker"]
  }
}
This verifies:
- User account exists
- Correct group memberships
- Shell configuration
- Home directory created
Best Practices
- Minimal privileges - Only add necessary groups
- No shared accounts - Create individual users
- Service accounts - Use nologin shell for services
- Document users - Use comment field for descriptions
- Key-based auth - Disable password authentication
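The practices above can be checked before a build runs. The following is an added example, not OpenFactory code: a small linter over user objects in the format shown on this page. The function names, the `service_accounts` parameter, the list of nologin shells and the choice to report `sudo`, `wheel` and `docker` as privileged are assumptions of this example.

```python
import json

# Option names and Vyatta levels are taken from the tables on this page.
KNOWN_OPTIONS = {"username", "shell", "groups", "home", "comment", "vyattaLevel"}
VYATTA_LEVELS = {"admin", "operator", "user"}
DEFAULT_SHELL = "/bin/bash"
# Assumptions of this example, not OpenFactory settings: sudo and wheel grant
# admin rights, and docker members can drive the root-owned Docker daemon.
PRIVILEGED_GROUPS = {"sudo", "wheel", "docker"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def audit_user(user, service_accounts=()):
    """Return findings for one user object from the build configuration."""
    name = user.get("username")
    if not isinstance(name, str) or not name:
        return ["<unnamed>: required option 'username' is missing"]
    findings = [f"{name}: unknown option {key!r}"
                for key in sorted(set(user) - KNOWN_OPTIONS)]
    groups = set(user.get("groups", []))
    shell = user.get("shell", DEFAULT_SHELL)  # omitted shell means /bin/bash
    for group in sorted(groups & PRIVILEGED_GROUPS):
        findings.append(f"{name}: member of privileged group {group!r}")
    if name in service_accounts and shell not in NOLOGIN_SHELLS:
        findings.append(f"{name}: service account has login shell {shell}")
    if not user.get("comment"):
        findings.append(f"{name}: no comment describing the account")
    level = user.get("vyattaLevel")
    if level is not None and level not in VYATTA_LEVELS:
        findings.append(f"{name}: unknown vyattaLevel {level!r}")
    return findings


def audit_users(users, service_accounts=()):
    """Audit a list of user objects; service_accounts names the service users."""
    findings = []
    for user in users:
        findings += audit_user(user, service_accounts)
    return findings


# Constructed sample input in the format shown on this page.
SAMPLE = json.loads("""[
  {"username": "admin", "shell": "/bin/bash", "groups": ["sudo", "docker", "adm"]},
  {"username": "appservice", "home": "/opt/app", "comment": "Runs the application"},
  {"username": "monitor", "shell": "/usr/sbin/nologin", "comment": "Monitoring", "vyattaLevel": "root"}
]""")
```

Calling `audit_users(SAMPLE, service_accounts={"appservice"})` reports the privileged groups and missing comment on `admin`, the default `/bin/bash` shell inherited by `appservice` because `shell` was omitted, and the invalid `vyattaLevel` on `monitor`.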