Local Users
Local Cluster Users
When deploying a cluster with an OS image labeled beta, the environment includes a dedicated virtual machine running an identity management platform called Kanidm. This allows you to manage local users, groups and SSH keys centrally across the cluster.
To get that OS image enabled for your user, please contact support.
Setup details
The identity management service is reachable at the address auth.cluster.verda.internal from within the cluster.
It runs inside a Docker container called kanidm, and the service node has the kanidm CLI tool installed, which you use to manage:
Groups
Local users with or without root access
SSH public keys per user
Important Note on Groups: If you use the suggested group name cluster_users, members are automatically added to the docker group on the nodes. If you choose a different group name, you must manually update the kanidm-unixd and sshd configurations on your jumphost and worker nodes.
Groups and User Creation
Log in to the service node, using the jumphost as an SSH jump host:
Recover the initial password for the user idm_admin:
docker exec -i -t kanidm kanidmd recover-account idm_admin
Initialize the kanidm CLI using the password printed by the recover-account command above:
Create groups with GIDs greater than 65536:
Create an example user and add it to the cluster_users group:
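The steps above (initialize the CLI, create a POSIX group with a GID above 65536, create a user, add it to the group, register its SSH key) as one POSIX shell script. This is an added example, not a script shipped with the cluster or with Kanidm; it assumes the kanidm CLI is already logged in (for example with kanidm login --name idm_admin), and the group name, GID, user name and public key are constructed sample values. KANIDM_DRY_RUN=1 prints each kanidm command instead of running it, which is also how the checks below can be exercised on a machine without Kanidm.

```shell
#!/bin/sh
# Added example: drive the kanidm CLI to create a group, a user and an SSH key.
# Assumes: kanidm CLI installed and logged in; names/GIDs/keys below are constructed.
# Set KANIDM_DRY_RUN=1 to print the commands instead of executing them.

MIN_GID=65536   # cluster rule from the docs: group GIDs must be greater than 65536

# run_kanidm: execute a kanidm subcommand, or echo it in dry-run mode.
run_kanidm() {
    if [ "${KANIDM_DRY_RUN:-0}" = "1" ]; then
        printf 'kanidm %s\n' "$*"
    else
        kanidm "$@"
    fi
}

# valid_gid: succeed only for an unsigned integer strictly greater than MIN_GID,
# so a typo cannot collide with system or distro-reserved GIDs.
valid_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt "$MIN_GID" ]
}

# valid_pubkey: accept only OpenSSH public-key lines of the usual key types;
# a private key or a pasted fingerprint is rejected before it reaches Kanidm.
valid_pubkey() {
    case "$1" in
        "ssh-ed25519 "*|"sk-ssh-ed25519@openssh.com "*|"ecdsa-sha2-nistp256 "*|"ssh-rsa "*) return 0 ;;
        *) return 1 ;;
    esac
}

# create_posix_group NAME GID: create the group and give it a POSIX GID.
create_posix_group() {
    valid_gid "$2" || { echo "refusing GID '$2': must be an integer > $MIN_GID" >&2; return 1; }
    run_kanidm group create "$1" &&
    run_kanidm group posix set "$1" --gidnumber "$2"
}

# create_cluster_user NAME DISPLAYNAME GROUP KEYTAG PUBKEY:
# create the person, enable POSIX login, add to GROUP, register one SSH key.
create_cluster_user() {
    valid_pubkey "$5" || { echo "refusing key for '$1': not an OpenSSH public key line" >&2; return 1; }
    run_kanidm person create "$1" "$2" &&
    run_kanidm person posix set "$1" &&
    run_kanidm group add-members "$3" "$1" &&
    run_kanidm person ssh add-publickey "$1" "$4" "$5"
}

# Sample run with constructed values (only executed when invoked directly).
if [ "${0##*/}" = "create_cluster_user.sh" ]; then
    KANIDM_DRY_RUN=1
    create_posix_group cluster_users 70000
    create_cluster_user alice "Alice Example" cluster_users laptop \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial alice@laptop"
fi
```

Because members of cluster_users are also placed in the docker group on the nodes (see the note on groups above), adding someone to that group is effectively granting root-equivalent access on those nodes; the script keeps group membership as an explicit, separate step rather than a default.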
Accessing the Cluster
Once configured, users can log in to the jumphost directly:
Internal SSH & Node Access
Home Directories: These are stored on a shared NFS mount and are available across all nodes.
SSH Agent Forwarding: For security reasons, we recommend leaving agent forwarding disabled.
Internal Keys: To allow your user to SSH from the jumphost to worker nodes, generate an internal key pair:
To avoid "Host Verification" prompts when moving between nodes, update your known_hosts file:
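The two steps just described (an internal key pair for jumphost-to-node access, and pre-populating known_hosts so that nodes are trusted without a prompt) as a POSIX shell script. This is an added example and not a script from the cluster documentation; the node names, the key path and the sample ssh-keyscan lines are constructed. The merge step deliberately does not overwrite an existing entry: a node whose host key differs from the one already recorded is reported, because that is exactly the condition host verification exists to catch, and it is the reason this approach is preferable to disabling StrictHostKeyChecking.

```shell
#!/bin/sh
# Added example: internal SSH key plus an idempotent known_hosts update.
# Assumes OpenSSH client tools (ssh-keygen, ssh-keyscan); node names are constructed.

# generate_internal_key [PATH]: create the jumphost-to-node key pair once.
# The key never leaves the jumphost (no agent forwarding), so keep it 0600 and
# register only the .pub half on the nodes.
generate_internal_key() {
    key="${1:-$HOME/.ssh/id_ed25519_internal}"
    [ -f "$key" ] && return 0
    ssh-keygen -t ed25519 -f "$key" -C "internal@jumphost" >/dev/null
}

# merge_known_hosts FILE: read "host keytype keydata" lines (ssh-keyscan output)
# on stdin. Append entries that are new; keep existing ones untouched and report
# any host whose recorded key differs. Prints "<added> <conflicts>".
merge_known_hosts() {
    kh="$1"
    touch "$kh"
    added=0
    conflicts=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and ssh-keyscan comments
        host="${line%% *}"
        rest="${line#* }"
        ktype="${rest%% *}"
        keydata="${rest#* }"
        existing="$(awk -v h="$host" -v t="$ktype" '$1==h && $2==t {print $3; exit}' "$kh")"
        if [ -z "$existing" ]; then
            printf '%s\n' "$line" >> "$kh"
            added=$((added + 1))
        elif [ "$existing" != "$keydata" ]; then
            echo "WARNING: $host ($ktype) key differs from the entry already in $kh; not replaced" >&2
            conflicts=$((conflicts + 1))
        fi
    done
    echo "$added $conflicts"
}

# scan_nodes NODE...: collect ed25519 host keys from the given nodes.
scan_nodes() {
    for node in "$@"; do
        ssh-keyscan -t ed25519 "$node" 2>/dev/null
    done
}

# Sample run (only when invoked directly): constructed node names.
if [ "${0##*/}" = "trust_nodes.sh" ]; then
    generate_internal_key
    scan_nodes worker-1 worker-2 | merge_known_hosts "$HOME/.ssh/known_hosts"
fi
```

Two caveats for using this on a real jumphost. First, ssh-keyscan records whatever key answers at scan time, so run it over the internal network only and, where the cluster operator publishes host-key fingerprints, compare them before trusting the result. Second, if your ssh_config sets HashKnownHosts yes, existing entries are stored hashed and the plain-text match above will not find them; duplicates would then be appended harmlessly, but the conflict check would not fire.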
Elevated Privileges
If you wish to grant sudo access to the cluster_admins group across the compute nodes, run the following command from the jumphost: