Ghaf user accounts

[mbssrc]

The changes address the separation between declarative and runtime users.Non-declarative users are introduced that allow changes without re-building the configuration, and are purely device specific.

For more consistent declarative user management, 'userborn' is introduced, which increases consistency by managing user parameter changes across re-builds. It is enabled for host and all VMs by default. The NixOS configuration users.mutableUsers is set to false, thus the generic user tools cannot be used at runtime (passwd, useradd, etc.). Further, a new user configuration file allows to conveniently override and set user attributes across the system (e.g., password updates).

To manage non-declarative users, systemd-homed is used. It offers a variety of concepts that are in line with our requirements such as on-the-fly user creation, encryption, CIFS-integration, and more. For the login-user, password
change with passwd should work.

Code structure

common.nix - common settings
admin.nix - admin account settings
desktop.nix - user accounts for desktop setup
managed.nix - declarative users
reference/personalize/accounts.nix - entry point for user/password management

Accounts

Admin account

The 'ghaf' user account is now the admin account (+wheel), and enabled by default in host and all VMs. As this account is for administrative purposes, it should not run a desktop session.

Login/desktop user account

The 'loginUser' account can be enabled and sets up a non-declarative user with a reserved UID. It is a self-contained account, bootstrapped via the home folder, that currently runs the user desktop session. Files in /var/lib/systemd/home bind the home folder to the machine.

Auxiliary accounts

Two auxiliary accounts are available that share the login users UID to
keep these UIDs consistent across VMs:

1. Proxy user
   This user is used in system VMs that provide services. These services
   are currently accessible via the dbus proxy, and require the same UID.
2. App user
   This user is used in app VMs to run the user sessions (including applications).
   The shared UID is helpful to map access rights across machines and support
   legacy functionality.

Other (declarative/managed) user accounts

While any additional user accounts may be freely created and administered, a template for configuration managed users is provided.

Future work

This patch introduces new account management on Ghaf. Based on the changes, future work is required to extend it.

Extending login-user functionality

Currently, a minimalistic setup script runs on first GUI-VM boot. The login
user setup may be extended with:

• Improvement of user creation script

• Graphical interface for user creation

• Feature integration: (supported by homed)

  • CIFS/remote user storage integration
  • FIDO token integration
  • User ssh keys
  • Avatar/Background/Locale/Timezone/Location
  • External home support (e.g., USB or network storage)

• Potential re-work to run graphical session as static user

• Potential multi-user system with migratable data

Further user account improvements

• removing (hardcoded) ssh dependencies
• removing ssh root access, e.g., update user (PoC available)
• password policies, considering declarative users passwords are in nix store

User data implications

While the login user setup provides some containment, currently user data is still
spread across the system, such as

• Persistent user-related platform data (e.g., wifi passwords)
• Persistent user data in app VMs (e.g., browser profiles/passwords)
• File sharing between VMs

Respective mechanisms are currently under investigation.

Implementation notes

• VMs now run with stage1 systemd
• VM storage shares have been re-named for consistency (-vm)
• impermanence flake input pinned to userborn patch
• /etc/machine-id (gui-vm) is currently hardcoded as login user identity file depends on it.
  It should be generated on first boot and persistet. Workaround is available upstream (after
  userborn patch) in impermanence but does not seem to work with our setup, investigation required
• reverts .face patch. There is an avatar setting, but afaik file needs to be present during setup
• known login inconveniences: wrong password entry on lock-screen results in multiple errors, user needs to click
  login if fprint is enabled (only for new login, not lock)
• security warning about systemd-generators being writable
• VM shares have been renamed - if not flashed all previous user data is inaccessible

Checklist for things done

• Summary of the proposed changes in the PR description
• More detailed description in the commit message(s)
• Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
• Contribution guidelines followed
• Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
• PR linked to architecture documentation and requirement(s) (ticket id)
• Test procedure described (or includes tests). Select one or more:
  • Tested on Lenovo X1 x86_64
  • Tested on Jetson Orin NX or AGX aarch64
  • Tested on Polarfire riscv64
• Author has run make-checks and it passes
• All automatic Github Action checks pass - see actions
• Author has added reviewers and removed PR draft status
• Change requires full re-installation
• Change can be updated with nixos-rebuild ... switch

Instructions for Testing

As this PR affects all of Ghaf, extensive testing is required. All desktop functionality should
be tested, and all targets verified. All VMs are running with systemd stage1 boot, and
all cross-vm functionality that previously used ssh + ghaf user is affected.

As this patch also re-names VM shares, target should be flashed before testing.

• List all targets that this applies to: Lenovo x1, all targets may be affected

• Is this a new feature

  • Verify user setup script works properly at first boot
  • Verify all desktop functionality works as before
  • Verify all targets build and run
  • Verify known errors/inconveniences as stated in 'Implementation Notes'
  • Verify passwd can be used to change user password

• If it is an improvement how does it impact existing functionality?

[mbssrc]

Updates with b8a9aef:

• Can not open images or pdf files from File Manager: Bug fixed.

• Integrated camera does not work in business-vm.

• USB camera does not work in chrome-vm.

  Seems unrelated to this patch - disabling apparmor will allow camera access in both. Was this working before?

• Mounted USB sticks are not shown in File Manager, user can't access the files.

  Code is fine, but default UID is incompatible. This causes devices with ext2/3/4 not being accessible.
  To increase usability, default UID for login user is now changed to 1000, which is the default UID on
  most linux systems.

• Support for test automation

  • New service to automatically setup test user. Procedure:
    1. Ssh to gui-vm
    2. Issue (sudo) systemctl start setup-test-user.service. This will create a new user testuser with password testpw as per test-automation patch
  • Host service to remove current user setup. Note this currently does NOT delete data in appvms. Usage (on host): systemctl start remove-users.service

[johannarautanen]

Checked with native NX and AGX.

Issues:

• cannot open the application-menu from up-left.
  just.txt

With ghaf-open -l you can the open application list
With `ghaf-open 'appname' : Terminal, PDF reader, Windows opened. Firefox and element didn't open.

• cannot open the application-menu with Win-button either. With main native-builds, there is the old bug that you cannot open the application menu with WIN-keyboard button, so cannot say if this issues is because of that old bug or not.
• The screen selections in up-left failed, there is 1,2,3,4-options, only "1" is used no matter what other number you choose.
• when you select "sudo su" the terminal path is:
  

Checked with cross compile AGX:

Issues:

• cannot open the application-menu from up-left.
• cannot open the application-menu with Win-button either. With main croosscompile-builds, is possible to open the application menu with win-keyboard button
• The screen selections in up-left failed, there is 1,2,3,4-options, only "1" is used no matter what other number you choose.
• • when you select "sudo su" the terminal path is the same as with native builds: /var/empty

Working with native and crosscompile:

• the power menu-options works: Lock, suspend etc works and calendar comes visible when tap the day.
• with mouse right button can open the Terminal-menu and terminal itself

[kajusnau]

Checked with native NX and AGX.

• The screen selections in up-left failed, there is 1,2,3,4-options, only "1" is used no matter what other number you choose.

This is not necessarily an indication of whether or not desktop switching is working. To confirm, testing should include opening any window in the active workspace/desktop, then switching desktops by any means and seeing if the window disappears and reappears as expected. If yes, then the issue is related to the workspace tracking file.

By default, the workspace tracking file is located in ~/.config/labwc/current-workspace. If the file is not available or cannot be created, the described behavior is expected.
The file should be initially created by labwc-autostart script located in modules/desktop/graphics/labwc.config.nix.

Edit: checking logs of ewwbar service might also be beneficial - journalctl --user-unit ewwbar --no-pager --no-hostname

[johannarautanen]

Checked with native NX and AGX.

• The screen selections in up-left failed, there is 1,2,3,4-options, only "1" is used no matter what other number you choose.

This is not necessarily an indication of whether or not desktop switching is working. To confirm, testing should include opening any window in the active workspace/desktop, then switching desktops by any means and seeing if the window disappears and reappears as expected. If yes, then the issue is related to the workspace tracking file.

By default, the workspace tracking file is located in ~/.config/labwc/current-workspace. If the file is not available or cannot be created, the described behavior is expected. The file should be initially created by labwc-autostart script located in modules/desktop/graphics/labwc.config.nix.

Edit: checking logs of ewwbar service might also be beneficial - journalctl --user-unit ewwbar --no-pager --no-hostname

When you tried to choose another desktop, the chosen desktop is not selected, stay still in "1" desktop:

[kajusnau]

When you tried to choose another desktop, the chosen desktop is not selected, stay still in "1" desktop:

Looks like home directory is not set correctly, it's defaulting to /var/empty instead. Hopefully this is helpful info to fix the bug for @mbssrc

[mbssrc]

Update a66f5eb

• Desktop & admin home issue:

  • create home for admin user conditionally (set to true for AGX/NX)
    This should fix most/all issues on AGX. Tested and seems to work fine.

• Prevent admin login:

  • add "desktop" group; added for admin in AGX/NX, loginuser for laptop target
  • add dependency for ghaf-session.target, add requires attribute for ewwbar.service to prevent starting it and
    any subsequent services if target fails

• Other: changed btrfs in home image to ext4, seen crashes (transaction issues)

[johannarautanen]

Checked with native and crosscompile NX and AGX.

Notes:

• when you select in net-vm "sudo su" the terminal path is:
  

Working:

• application menu can be open from the up left

• application menu open also with win-keyboard button

• desktops can be changed successfully

• applications can be launched

• the power menu-options works: Lock, suspend etc works and calendar comes visible when tap the day.

• with mouse right button can open the Terminal-menu and terminal itself

• "sudo su" in host, terminal path now:
  

• automation tests: there is one issue, but that will be fixed in test-automation "setup" side. Other cases were ok.

[milva-unikie]

Tested on Lenovo-X1 (full re-installation)

Working:

• Test-automation mostly passes when Adapt to changes introduced by ghaf PR827 ci-test-automation#192 and Fix iperf tests ci-test-automation#191 are applied. Still some work needed in the test-automation side to get the rest of the tests to pass.
• Usb stick works.
• Opening files from File Manager works.

Issues:

• Can still login to desktop with ghaf/ghaf. That desktop does not work properly and can be quite confusing for the users.
• If you login to ghaf, logout and then try to login to your own account, the login does not work. /run/current-system/sw/bin/ghaf-session: line 8: /tmp/session.labwc.log: Permission denied After a reboot login works again.

I can create a bug about the issues if this pr gets merged with them.

[johannarautanen]

Checked with Risc-V

Working:

• able to boot up the Risc-V
• able to login to ghaf-host and check ghaf-and nixos-versions
• able to reboot via command line
• ethernet connection worked

No new issue found in manual testing.