Local user management

zCX instance Docker administrator

The zCX instance Docker administrator is responsible for managing Docker users within a zCX instance. The user information for the Docker administrator must be given during provisioning. The Docker administrator does not necessarily need to be a z/OS user or zCX appliance administrator.

The Docker administrator user ID is represented by the z/OSMF workflow variable ZCX_DOCKER_ADMIN. The Docker administrator user ID's ssh key must be given during provisioning and is represented by the z/OSMF workflow variable ZCX_DOCKER_ADMIN_SSH_KEY. You can use the ssh-keygen utility to generate a public/private RSA key pair. By default, the keys are stored in your home directory under the .ssh directory. You can cut and paste the contents of the public ssh key (id_rsa.pub) into the ZCX_DOCKER_ADMIN_SSH_KEY variable field.
  • For example, you can use the following command to generate a private/public key pair on your client system:
    ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
    You can optionally provide a passphrase to further protect the private key.

If you experience login issues from an ssh client, use the ssh -v option for additional debugging information.

If you have previously used a different private/public key pair or a deprecated password authentication option with the same zCX appliance instance IP address, then you must remove the entry from the known_hosts file under the .ssh directory.

Adding Docker Users

We suggest allowing the administrator to create Docker users. These Docker users have their own home directories, user names, and passwords.

Docker users can only run Docker commands, because they are added to the docker group. They do not have sudo, the program that allows users to run commands with elevated privileges, so they cannot create or modify other Docker users.

The useradd and usermod commands are not supported by zCX.

To create a new Docker user with user name username and add the new user to the existing group docker, the administrator runs the command:
sudo adduser --ingroup docker username
and receives the following output:
Adding user 'username' ...
Adding new user 'username' (1004) with group `docker' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
The administrator is then prompted with the following:
Enter new UNIX password: 
Retype new UNIX password: 
Here, the administrator assigns the new user a password. The new user can change the password if desired. Once the password is entered, the administrator receives the output:
passwd: password updated successfully
Changing the user information for username
The administrator is then prompted to provide the following information about the new user. This is the information typically requested when creating a new user on a system:
Enter the new value, or press ENTER for the default
    Full Name []: 
    Room Number []: 
    Work Phone []: 
    Home Phone []: 
    Other []: 
Is the information correct? [Y/n] y
The administrator can force a new Docker user to change the user password at login using the following command:
$ sudo passwd -e username
Once created, the new Docker user can SSH into the container and use Docker with the command:
ssh username@ip_address -p 8022
If the administrator forces the new Docker user to set a new password, the new Docker user will be prompted to do so after logging in. A Docker user can also change his or her password at any time with the following command:
username@6c279b325214:~$ passwd
Which will give the output:
Changing password for username.
(current) UNIX password:
Enter new UNIX password: 
Retype new UNIX password:
Followed by:
passwd: password updated successfully

Adding Docker administrators

Additional Docker administrators can be created by an existing Docker administrator adding the users to the groups "docker" and "sudo". Begin by issuing the following command to add a new Docker user:
$ sudo adduser --ingroup docker username
Then add the user to the "sudo" group to grant administrative access:
sudo adduser username sudo
The administrator can then switch to the new user using the command:
$ su username
And confirm the user is in the appropriate 'docker' and 'sudo' groups:
username@host:/home/username$ groups
Which should provide the output:
docker sudo

Removing users from groups

A user can be removed from a group by issuing the following command:
sudo deluser username groupname
Administrator privileges can be revoked by removing a user from the "sudo" group.
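To review who holds which role after adding users or revoking sudo, the following added example (not part of the original documentation or IBM's code) classifies accounts from copies of the passwd and group databases. It reads both because adduser --ingroup docker makes docker the primary group, while adduser username sudo adds a supplementary membership. The function name zcx_roles, the role labels, and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list which local accounts are Docker users and which are
# Docker administrators.
#   adduser --ingroup docker NAME -> docker is the PRIMARY group (GID field in passwd)
#   adduser NAME sudo             -> supplementary member (member list in group)
# Reading only one of the two databases misses accounts.

# zcx_roles PASSWD_FILE GROUP_FILE : prints "name role", sorted by name
zcx_roles() {
    awk -F: '
        BEGIN { gid["docker"] = gid["sudo"] = "none" }  # placeholder never equals a GID
        FILENAME == ARGV[1] {                           # group database
            if ($1 == "docker" || $1 == "sudo") {
                gid[$1] = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[$1, m[i]] = 1
            }
            next
        }
        {                                               # passwd database
            d = ($4 == gid["docker"]) || (("docker", $1) in member)
            s = ($4 == gid["sudo"])   || (("sudo", $1) in member)
            if (d && s) print $1, "docker-admin"
            else if (d) print $1, "docker-user"
            else if (s) print $1, "sudo-without-docker"  # worth a manual review
        }
    ' "$2" "$1" | sort
}

# Constructed sample data, shaped like /etc/passwd and /etc/group.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
bob:x:1003:999:,,,:/home/bob:/bin/bash
carol:x:1004:999:,,,:/home/carol:/bin/bash
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:admin,carol
docker:x:999:admin
admin:x:1000:
EOF
zcx_roles "$tmp/passwd" "$tmp/group"
```

Assuming the accounts are kept in the standard files, the same function can be pointed at /etc/passwd and /etc/group; any name reported as docker-admin that was not deliberately granted sudo is a candidate for sudo deluser username sudo.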

Deleting Docker users

A user and the corresponding home directory can be deleted by issuing the following command:
sudo userdel -r username
To view additional options, use:
$ sudo userdel -h