[Feature Req] System user for hardened RKE2

[jiwonhu]

Got a customer requiring to CIS-harden RKE2. This requires to create etcd user as system user and humans should not be allowed to log in: https://docs.rke2.io/security/hardening_guide#etcd-is-configured-properly

sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

AFAIK there is no way to specify -r and -s /sbin/nologin in user section of EIB yaml.

[e-minguez]

In the meantime, can you try creating your own script? The user definition on EIB is translated to the following script https://github.com/suse-edge/edge-image-builder/blob/main/pkg%2Fcombustion%2Ftemplates%2F13b-add-users.sh.tpl so you are right those flags are not there. You can see there it calls useradd so you can write a 13c-etcd-user.sh or something similar script with the syntax you need.

[atanasdinov]

This is perhaps a duplicate of #221. There are various steps that are needed to enable CIS hardening but we never got to integrate this in our definition.

[jiwonhu]

I am already using a script to harden RKE2. So it's not a blocker.

What I am asking is more simpler :). Although it will improve user experience if EIB could support CIS profile, I believe it will introduce some maintenance effort. For example, RKE2 introduced new prerequisite from v1.29 for CIS hardening. This did not exist previously.