User SSH authorized keys are not added by ignition

[mlout]

This issue tracker is intended only for IoT specific issues. Please try to reproduce the issue on a relevant Fedora release to determine if the issue is specific to IoT or a general issue in Fedora. If is a general issue in Fedora, please report it in Red Hat Bugzilla (see How to file a bug) or in an upstream project and not in this issue tracker.

Describe the bug
When using the following ignition config (generated from a Butane file), with the image Fedora-IoT-raw-41-20241027.0.aarch64.raw.xz on a Raspberry Pi CM4:

{
  "ignition": {
    "version": "3.4.0"
  },
  "passwd": {
    "users": [
      {
        "groups": [
          "wheel"
        ],
        "name": "firmware",
        "passwordHash": "redacted",
        "sshAuthorizedKeys": [
          "ssh-ed25519 redacted"
        ]
      }
    ]
  },
  "storage": {
    "files": [
      {
        "path": "/etc/hostname",
        "contents": {
          "compression": "",
          "source": "data:,redacted"
        },
        "mode": 420
      }
    ]
  }
}

The hostname is set, the firmware user is created with the desired password, but the SSH key does not seem to be added anywhere. When trying to login I see my SSH client offering the public key, but then I still get asked for the password. So I think the public key was never deployed to the device.

When logging in to the device (with password) I get the following message:
Could not chdir to home directory /var/home/firmware: No such file or directory
Maybe this is related, since the authorized_keys file is usually placed inside the users home directory.

To Reproduce
Please describe the steps needed to reproduce the bug:

1. Serve the ignition file above as fiot.ign using a webserver on a different device
2. Modify the Fedora-IoT-raw-41-20241027.0.aarch64.raw.xz image, adding "ip=dhcp rd.neednet=1 ignition.config.url=http://192.168.37.54/fiot.ign" to ignition.firstboot
3. Flash the device using arm-image-installer on a Fedora workstation host with the following command: sudo ./arm-image-installer --image=../Fedora-IoT-raw-41-20241027.0.aarch64.raw.xz --media=/dev/sda --resizefs --target=rpi4 --selinux off
4. Boot the device

Expected behavior
When provisioning is finished, I am able to login as the firmware user with the SSH key

Screenshots
If applicable, add screenshots to help explain your problem.

OS version:
Fedora-IoT-raw-41-20241027.0.aarch64.raw.xz

Additional context
redacted SSH client output:

debug1: Offering public key: redacted agent
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Trying private key: /home/user/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user/.ssh/id_xmss
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password:

[mlout]

I have the same results when using Fedora-IoT-raw-41-20241027.0.x86_64.raw.xz image inside a VM.

[fdesjardins]

I ran into this issue as well with a non-root user. It worked fine for root.

I haven't tested this yet, but I think you may need to mount /home in the ignition file for non-root users. See https://opensuse.github.io/fuel-ignition/edit in the Add user and Mount /home sections. Granted that's for SUSE but I suspect it's a similar issue.

[miabbott]

I was able to reproduce this with the Fedora 40 (Fedora-IoT-raw-40-20240422.3.x86_64.raw) raw disk image, as well.

And to be honest, I don't think we have ever tested using Ignition with the raw disk, nor have we ever supported that combination.

We have only supporte/tested Ignition with the use of the simplified-provisioner - https://docs.fedoraproject.org/en-US/iot/ignition-device-setup/

@runcom can you weigh in here?

[nullr0ute]

With the raw image we don't have a separate /home directory, is that something that ignition "expects"?

[miabbott]

With the raw image we don't have a separate /home directory, is that something that ignition "expects"?

Not sure. It eventually shells out to useradd and usermod:

Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(1): [started]  creating or modifying user "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(1): executing: "useradd" "--root" "/sysroot" "--create-home" "--password" "$y$j9T$HsJiToYGxDpKaKlkV1ai9.$ypj54d7KIKYSUMAFRBQ9SRoacZ6ZHc5f0Baobybz.iA" "--groups" "wheel" "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(1): [finished] creating or modifying user "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(2): [started]  setting password for "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(2): executing: "usermod" "--root" "/sysroot" "--password" "$y$j9T$HsJiToYGxDpKaKlkV1ai9.$ypj54d7KIKYSUMAFRBQ9SRoacZ6ZHc5f0Baobybz.iA" "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(2): [finished] setting password for "core"
Nov 01 12:08:03 localhost.localdomain ignition[709]: files: ensureUsers: op(3): [started]  adding ssh keys to user "core"
Nov 01 12:08:03 localhost.localdomain (ignition)[709]: wrote ssh authorized keys file for user: core

I would have expected useradd to create the necessary directories, but I may be mistaken.

Adding to this, zezere-ignition also runs after switching into the real root and tries to create the user, but fails:

Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : Ignition 2.19.0
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : Stage: fetch
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : no config dir at "/usr/lib/ignition/base.d"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : no config dir at "/usr/lib/ignition/base.platform.d/file"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: DEBUG    : parsed url from cmdline: "http://192.168.122.147/ignition.json"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : GET http://192.168.122.147/ignition.json: attempt #1
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : GET result: OK
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: DEBUG    : parsing config with SHA512: f8bcfd621e49b3d11a61df6b4858cc83ec590c3dc6df7345711132d25c353b17cdc9c46371ec3500160796e5a62b6c9eac55bff07c7b301ee52d6c5216441e84
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : fetch: fetch complete
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : fetch: fetch passed
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched user config from "cmdline"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched base config from "system"
Nov 01 12:08:18 localhost.localdomain ignition[1456]: fetched user config from "cmdline"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1456]: INFO     : Ignition finished successfully
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : Ignition 2.19.0
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : Stage: disks
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : no config dir at "/usr/lib/ignition/base.d"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : no config dir at "/usr/lib/ignition/base.platform.d/file"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : disks: disks passed
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1462]: INFO     : Ignition finished successfully
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : Ignition 2.19.0
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : Stage: mount
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : no config dir at "/usr/lib/ignition/base.d"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : no config dir at "/usr/lib/ignition/base.platform.d/file"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : mount: mount passed
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1468]: INFO     : Ignition finished successfully
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : Ignition 2.19.0
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : Stage: files
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : no config dir at "/usr/lib/ignition/base.d"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : no config dir at "/usr/lib/ignition/base.platform.d/file"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : files: ensureUsers: op(1): [started]  creating or modifying user "core"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: DEBUG    : files: ensureUsers: op(1): executing: "usermod" "--root" "/" "--password" "$y$j9T$HsJiToYGxDpKaKlkV1ai9.$ypj54d7KIKYSUMAFRBQ9SRoacZ6ZHc5f0Baobybz.iA" "--groups" "wheel" "core"
Nov 01 12:08:18 localhost.localdomain usermod[1479]: change user 'core' password
Nov 01 12:08:18 localhost.localdomain audit[1479]: USER_CHAUTHTOK pid=1479 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=updating-password id=1000 exe="/usr/sbin/usermod" hostname=? addr=? terminal=? res=success'
Nov 01 12:08:18 localhost.localdomain kernel: audit: type=1108 audit(1730462898.608:144): pid=1479 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=updating-password id=1000 exe="/usr/sbin/usermod" hostname=? addr=? terminal=? res=success'
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : files: ensureUsers: op(1): [finished] creating or modifying user "core"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : files: ensureUsers: op(2): [started]  setting password for "core"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: DEBUG    : files: ensureUsers: op(2): executing: "usermod" "--root" "/" "--password" "$y$j9T$HsJiToYGxDpKaKlkV1ai9.$ypj54d7KIKYSUMAFRBQ9SRoacZ6ZHc5f0Baobybz.iA" "core"
Nov 01 12:08:18 localhost.localdomain audit[1483]: USER_CHAUTHTOK pid=1483 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=updating-password id=1000 exe="/usr/sbin/usermod" hostname=? addr=? terminal=? res=success'
Nov 01 12:08:18 localhost.localdomain kernel: audit: type=1108 audit(1730462898.659:145): pid=1483 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=updating-password id=1000 exe="/usr/sbin/usermod" hostname=? addr=? terminal=? res=success'
Nov 01 12:08:18 localhost.localdomain usermod[1483]: change user 'core' password
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : files: ensureUsers: op(2): [finished] setting password for "core"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: INFO     : files: ensureUsers: op(3): [started]  adding ssh keys to user "core"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: CRITICAL : files: ensureUsers: op(3): [failed]   adding ssh keys to user "core": failed to set SSH key: creating parent dirs for "/var/home/core/.ssh/authorized_keys": permission denied
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: files failed
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: Full config:
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   "ignition": {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "config": {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:       "replace": {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         "verification": {}
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:       }
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     },
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "proxy": {},
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "security": {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:       "tls": {}
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     },
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "timeouts": {},
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "version": "3.5.0-experimental"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   },
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   "kernelArguments": {},
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   "passwd": {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     "users": [
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:       {
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         "groups": [
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:           "wheel"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         ],
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         "name": "core",
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         "passwordHash": "$y$j9T$HsJiToYGxDpKaKlkV1ai9.$ypj54d7KIKYSUMAFRBQ9SRoacZ6ZHc5f0Baobybz.iA",
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         "sshAuthorizedKeys": [
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOuo7lOZH5bi6yPYN2xVYbzq+334ouzWfFBi7XB7DFf"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:         ]
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:       }
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:     ]
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   },
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   "storage": {},
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]:   "systemd": {}
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: }
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1473]: CRITICAL : Ignition failed: failed to create users/groups: failed to configure users: failed to add keys to user "core": failed to set SSH key: creating parent dirs for "/var/home/core/.ssh/authorized_keys": permission denied
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : Ignition 2.19.0
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : Stage: umount
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : no config dir at "/usr/lib/ignition/base.d"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : no config dir at "/usr/lib/ignition/base.platform.d/file"
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : umount: umount passed
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1486]: INFO     : Ignition finished successfully
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1455]: Running stage fetch with config file /tmp/zezere-ignition-config-xyfogyzc.ign
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1455]: Running stage disks with config file /tmp/zezere-ignition-config-xyfogyzc.ign
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1455]: Running stage mount with config file /tmp/zezere-ignition-config-xyfogyzc.ign
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1455]: Running stage files with config file /tmp/zezere-ignition-config-xyfogyzc.ign
Nov 01 12:08:18 localhost.localdomain zezere-ignition[1455]: Running stage umount with config file /tmp/zezere-ignition-config-xyfogyzc.ign
Nov 01 12:08:18 localhost.localdomain systemd[1]: zezere_ignition.service: Deactivated successfully.
Nov 01 12:08:18 localhost.localdomain systemd[1]: Finished zezere_ignition.service - Run Ignition for Zezere.

No SELinux denials, /var/ is mounted as rw, and /var/home exists, so I'm fairly confused...

$ findmnt /var
TARGET SOURCE                                   FSTYPE OPTIONS
/var   /dev/vda3[/ostree/deploy/fedora-iot/var] ext4   rw,relatime,seclabel
$ ls -laZ /var
total 96
drwxr-xr-x. 23 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 .
drwxr-xr-x. 12 root root system_u:object_r:root_t:s0           4096 Oct 27 21:58 ..
-rw-r--r--.  1 root root system_u:object_r:var_t:s0               0 Oct 27 21:58 .ostree-selabeled
-rw-r--r--.  1 root root system_u:object_r:etc_runtime_t:s0     190 Jan  1  1970 .updated
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 adm
drwxr-xr-x.  7 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 cache
drwxr-xr-x.  3 root root system_u:object_r:system_db_t:s0      4096 Nov  1 12:08 db
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 empty
drwxr-xr-x.  2 root root system_u:object_r:public_content_t:s0 4096 Nov  1 12:08 ftp
drwxr-xr-x.  2 root root system_u:object_r:games_data_t:s0     4096 Nov  1 12:08 games
drwxr-xr-x.  2 root root system_u:object_r:home_root_t:s0      4096 Oct 27 21:58 home
drwxr-xr-x.  3 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 kerberos
drwxr-xr-x. 21 root root system_u:object_r:var_lib_t:s0        4096 Nov  1 12:08 lib
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 local
lrwxrwxrwx.  1 root root system_u:object_r:var_lock_t:s0         11 Nov  1 12:08 lock -> ../run/lock
drwxr-xr-x.  6 root root system_u:object_r:var_log_t:s0        4096 Nov  1 12:08 log
lrwxrwxrwx.  1 root root system_u:object_r:mail_spool_t:s0       10 Nov  1 12:08 mail -> spool/mail
drwxr-xr-x.  2 root root system_u:object_r:mnt_t:s0            4096 Oct 27 21:58 mnt
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 nis
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Oct 27 21:58 opt
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Nov  1 12:08 preserve
drwx------.  3 root root system_u:object_r:admin_home_t:s0     4096 Nov  1 12:08 roothome
lrwxrwxrwx.  1 root root system_u:object_r:var_run_t:s0           6 Nov  1 12:08 run -> ../run
drwxr-xr-x.  4 root root system_u:object_r:var_spool_t:s0      4096 Oct 27 21:58 spool
drwxr-xr-x.  2 root root system_u:object_r:var_t:s0            4096 Oct 27 21:58 srv
drwxrwxrwt.  9 root root system_u:object_r:tmp_t:s0            4096 Nov  1 12:09 tmp
drwxr-xr-x. 11 root root system_u:object_r:usr_t:s0            4096 Nov  1 12:08 usrlocal
drwxr-xr-x.  2 root root system_u:object_r:var_yp_t:s0         4096 Nov  1 12:08 yp
$ ls -laZ /var/home
total 8
drwxr-xr-x.  2 root root system_u:object_r:home_root_t:s0 4096 Oct 27 21:58 .
drwxr-xr-x. 23 root root system_u:object_r:var_t:s0       4096 Nov  1 12:08 ..

[miabbott]

I'm seeing similar problems using the IoT 41 simplified-provisioner as well.

[fdesjardins]

Confirming the same for Fedora-IoT-raw-41-20241027.0.x86_64.raw, ignition won't create the user's home directory:

Nov 01 19:28:57 localhost.localdomain ignition[688]: files: ensureUsers: op(4): executing: "useradd" "--root" "/sysroot" "--create-home" "--password" "$2a$10$kfEn0Uog0xFT0C2BTzd0YuCHSyA4KO9rkqICzkdBRRDjyxuExzTE6" "user1"
Nov 01 19:28:58 localhost.localdomain ignition[688]: files: ensureUsers: op(4): [finished] creating or modifying user "user1"
Nov 01 19:28:58 localhost.localdomain ignition[688]: files: ensureUsers: op(5): [started]  setting password for "user1"
Nov 01 19:28:58 localhost.localdomain ignition[688]: files: ensureUsers: op(5): executing: "usermod" "--root" "/sysroot" "--password" "$2a$10$kfEn0Uog0xFT0C2BTzd0YuCHSyA4KO9rkqICzkdBRRDjyxuExzTE6" "user1"
Nov 01 19:28:58 localhost.localdomain ignition[688]: files: ensureUsers: op(5): [finished] setting password for "user1"
Nov 01 19:28:58 localhost.localdomain ignition[688]: files: ensureUsers: op(6): [started]  adding ssh keys to user "user1"
Nov 01 19:28:58 localhost.localdomain (ignition)[688]: wrote ssh authorized keys file for user: user1

Nov 01 19:29:12 localhost.localdomain zezere-ignition[1461]: CRITICAL : Ignition failed: failed to create users/groups: failed to configure users: failed to add keys to user "user1": failed to set SSH key: creating parent dirs for "/var/home/user1/.ssh/authorized_keys": permission denied

Interestingly, I logged in as root and manually created the /var/home/user1/.ssh directory and set the owner, zezere-ignition actually did create the authorized_keys file.

I tried to add a storage.directories section in the ignition file to do the same but no luck.

[djach7]

Started investigating this, I was able to reproduce it and I found/learned a couple things:

• ssh keys should be written to /.ssh/authorized_keys.d/
• Moving the ssh keys should be handled by the ssh-key-dir rpm during boot (https://github.com/coreos/ssh-key-dir)
• The ignition-edge rpm is needed to make it all work (https://github.com/fedora-iot/ignition-edge)
• Both the ssh-key-dir rpm and the ignition-edge rpm are missing from the Fedora IoT 41 raw image

I'll continue with trying to figure out where these rpms got lost along the way and if they're the only issue.

Also a big thanks to @runcom for helping me get started on this, your help was much appreciated!

[miabbott]

https://github.com/osbuild/images/blob/0584c20b0c14a89e833b875252114ceff61805e8/pkg/distro/fedora/package_sets.go#L123

https://github.com/osbuild/images/blob/0584c20b0c14a89e833b875252114ceff61805e8/pkg/distro/fedora/package_sets.go#L157

Both packages are present in the iot-commit code of osbuild 🤔

[pcdubs]

Neither is included in the commit created in koji - https://pagure.io/fedora-iot/ostree/blob/main/f/fedora-iot-base.yaml

We should check for other discrepancies.

[runcom]

Neither is included in the commit created in koji

this is indeed the issue with this and #49

[djach7]

Submitted a pr to add the packages necessary to fix this here: https://pagure.io/fedora-iot/ostree/pull-request/66

I was able to login with ssh successfully and both a home directory and a .ssh directory were created, so I believe this is sorted out. Going to wait to close until the pr is merged.

[djach7]

Closing now that PR is merged.

[miabbott]

Let's keep this open until we get a working compose with the fix.