Krishna Neupane

How to Manage User Password Expiration and Aging in Linux

Krishna Neupane — Fri, 29 Dec 2023 13:32:52 GMT

System administration involves numerous tasks, including managing users and groups and under-user management. Some of the minor tasks involved are adding, modifying, suspending, or deactivating user accounts, among many others.

This article will explain one of the critical user account management functions: how to set or change user password expiration and aging in Linux using the change command.

The change command is used to modify user password expiration information. It enables you to view user account aging information and change the number of days between password changes and the date of the last password change.

Once you have set password expiry and aging information, this information is used by the system to determine when a user must change his or her password. Normally, companies or organizations have certain security policies that demand users change passwords regularly; this can be a simple way to enforce such policies as we explained below.

To view a user account aging information, use the -l flag as shown.

# chage -l ravi

View User Password Aging Information

To set the date or number of days (since January 1, 1970) when the password was last changed, use the -d flag as follows.

# chage -d 2018-02-11 ravi

Next, you can also set the date or number of days (since January 1, 1970) on which the user’s account will no longer be accessible by using the -E switch as shown in the following command.

In this case, once a user’s account is locked, he/she is required to contact the system administrator before being able to use the system again.

# chage -E 2018-02-16 ravi

Then, the -W option allows you to set the number of days of warning before a password change is required. Considering the command below, the user ravi will be warned 10 days before his password expires.

# chage -W 10 ravi

In addition, you can set the number of days of inactivity after a password has expired before the account is locked. This example means that after user ravi’s password expires, his account will be inactive for 2 days before it is locked.

When the account becomes inactive, he must contact the system administrator before being able to use the system again.

# chage -I 2 ravi

For more information, refer to the change man page.

# man chage

Note that you can also change a user’s password expiration and aging information using the usermod command, which is intended for modifying a user account.

That’s it for now. Hoping you find this article informative and useful.

Automatic Bitbucket Pipeline-To-Kubernetes

Krishna Neupane — Thu, 28 Dec 2023 15:24:48 GMT

Automating the deployment process from Bitbucket Pipelines to Kubernetes involves setting up a continuous integration/continuous deployment (CI/CD) pipeline. Below is a general guide on how you can achieve this using Bitbucket Pipelines and Kubernetes. This example assumes you are using AWS EKS for your Kubernetes cluster, but you can adjust the steps according to your specific setup.

Prerequisites:
1. Bitbucket Repository:
Make sure you have your project hosted on Bitbucket.

2. Kubernetes Cluster:
Set up your Kubernetes cluster. This example assumes you are using AWS EKS.

Code Link: https://github.com/krishna-commits/automation-bitbucket-to-kubernetes-deployment

Folder Structure:

Step-by-Step Guide:

Configure Kubernetes Credentials in Bitbucket:
Set up environment variables in your Bitbucket repository settings (Settings > Repository settings > Pipeline > Repository settings).

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION
EKS_CLUSTER_NAME
ACCOUNT_ID
#Add other variable

2. Define Bitbucket Pipelines:
Set up your Bitbucket Pipelines configuration (bitbucket-pipelines.yml). Below is a simple example using Docker and Kubernetes for deployment:

image: atlassian/pipelines-awscli
clone:
  depth: full
options:
  size: 2x
pipelines:
  branches:
    '*':
      - step:
          name: Deploy to ECR and Selection to Branch
          services:
            - docker
          script:
            - echo $BITBUCKET_BRANCH
            - apk add --no-cache yq
            - DOMAIN=$(yq eval ".branches[\"$BITBUCKET_BRANCH\"]" k8s/staging/branch_domain_mapping.yml)
            - echo $DOMAIN
            - |
              if [ "$BITBUCKET_BRANCH" != "production" ]; then
                  export AWS_ACCOUNT_ID=$ACCOUNT_ID
                  export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
                  export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
                  export AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION
                  export K8S_CLUSTER=$K8S_CLUSTER
                else
                  export AWS_ACCOUNT_ID=$ACCOUNT_ID_PROD
                  export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_PROD
                  export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_PROD
                  export AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION_PROD
                  export K8S_CLUSTER=$K8S_CLUSTER_PROD
                fi
            - export APP=$(echo $BITBUCKET_REPO_FULL_NAME-$BITBUCKET_BRANCH | awk -F'/' '{print tolower($2)}')
            - export BITBUCKET_COMMIT_SHORT=$(echo $BITBUCKET_COMMIT | cut -c1-7)
            - export IMAGE_TAG=$BITBUCKET_COMMIT_SHORT 
            - export DOCKER_REPO=$(echo "$APP" | tr '[:upper:]' '[:lower:]') 
            - export IMAGE_URL=$(echo $ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$DOCKER_REPO:$IMAGE_TAG | awk -F'/' '{print tolower($2)}')
            - pip install --upgrade awscli    
            - |
              repository_exists=$(aws ecr describe-repositories --repository-names $APP --region $AWS_DEFAULT_REGION --output json | jq -r '.repositories | length')

              if [ -z "$repository_exists" ]; then
                # ECR repository does not exist, create it
                echo "Creating ECR repository: $APP"
                aws ecr create-repository --repository-name $APP --region $AWS_DEFAULT_REGION --image-tag-mutability IMMUTABLE
              fi
            - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
            - IMAGE_URL=$ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$DOCKER_REPO:$IMAGE_TAG
            - docker build -t "$IMAGE_URL" .
            - docker tag "$IMAGE_URL" "$IMAGE_URL"
            - docker push "$IMAGE_URL"
          variables:
            IMAGE_URL: $ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$DOCKER_REPO:$IMAGE_TAG
            DOMAIN: $DOMAIN
      - step:
          name: Deploy to Kubernetes
          script:
            - wget -O kubectl "https://dl.k8s.io/release/$(wget -qO- https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
            - chmod +x kubectl  
            - mv kubectl /usr/local/bin/ 
            - kubectl version --client  
            - apk add --no-cache yq
            - DOMAIN=$(yq eval ".branches[\"$BITBUCKET_BRANCH\"]" k8s/staging/branch_domain_mapping.yml)
            - export ACCOUNT_ID=$ACCOUNT_ID
            - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
            - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
            - export AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION
            - export K8S_CLUSTER=$K8S_CLUSTER
            - export BITBUCKET_COMMIT_SHORT=$(echo $BITBUCKET_COMMIT | cut -c1-7)
            - export IMAGE_TAG=$BITBUCKET_COMMIT_SHORT 
            - echo $IMAGE_TAG
            - export DOMAIN=$DOMAIN
            - aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
            - aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
            - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $K8S_CLUSTER
            - export APP=$(echo $BITBUCKET_REPO_FULL_NAME-$BITBUCKET_BRANCH | awk -F'/' '{print tolower($2)}')
            - export DOCKER_REPO=$(echo "$APP" | tr '[:upper:]' '[:lower:]') 
            - |
              namespace_exists=$(kubectl get namespace "$APP" --ignore-not-found=true -o jsonpath='{.metadata.name}')

              if [ -z "$namespace_exists" ]; then
                # Namespace does not exist, create it
                echo "Creating Kubernetes namespace: $APP"
                kubectl create namespace "$APP"
              fi

            - export IMAGE_URL="$ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$DOCKER_REPO:$IMAGE_TAG"
            - sed -i 's/{{APP}}/'"$APP"'/g' k8s/staging/deployment.yaml
            - sed -i 's~{{IMAGE_URL}}~'"$IMAGE_URL"'~' k8s/staging/deployment.yaml
            - sed -i 's/{{DOMAIN}}/'"$DOMAIN"'/g' k8s/staging/deployment.yaml
            - cat k8s/staging/deployment.yaml 
            - |
              if ! kubectl get deployment "${APP}-deployment" --namespace="${APP}" &> /dev/null; then
                echo "Deploying initial Kubernetes resources..."
                kubectl apply -f k8s/staging/deployment.yaml --namespace="${APP}"
              else
                echo "Restarting deployment..."
                kubectl apply -f k8s/staging/deployment.yaml --namespace="${APP}"
                kubectl rollout restart deployment "${APP}-deployment" --namespace="${APP}"
              fi
            - echo $DOMAIN
definitions:
  services:
    docker:
      memory: 7168

This pipeline builds and pushes a Docker image to ECR, then deploys the Kubernetes manifests in the k8s/ directory.

3. Cert-manager:
Note: If you don’t have any certificate you can used this step. This Cert-Manager is Code for the Kubernetes Cluster , If you have already Cert-manager install on the Kubernetes Cluster, Skipped this point 3.

Cert-manager is a Kubernetes tool that issues certificates from various certificate providers, including Let’s Encrypt.

To install cert-manager using helm:

Step 1: Install the Custom Resource Definition resources.

$ kubectl apply --validate=false \-f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml

Note: Currently I am using 1.5.3 Version of Jetstack cert manager

Step 2: Create a namespace for cert-manager

$ kubectl create ns cert-manager

Step 3. Add the Jetstack Helm repository and update your local Helm chart repo cache.

$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update

Step 4. Install the cert-manager Helm chart

$ helm install --name cert-manager --namespace cert-manager --version v1.5.3 jetstack\cert-manager

Now verify the installation:

$ kubectl get pods --namespace cert-manager
NAME                                       
cert-manager-66b6d6bf59-tmlgw
cert-manager-cainjector-856d4df858-z4k5s
cert-manager-webhook-5fd7d458f7-zwbnc

The certificates provided by Let’s Encrypt are valid for 90 days at no charge, and you can renewal at any time.

The certificate generation and renewal can be automated using cert-bot and cert-manager (for k8's).

4. Kubernetes Manifests:

Organize Kubernetes deployment manifests (k8s/). Adjust these files based on your application and requirements.
In this Deployment.yaml file it Contain Deployment, Service, Certificate Issuer and Ingress. You can make the different file for different Kind.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{APP}}-deployment
  labels:
    app: {{APP}}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{APP}}
  template:
    metadata:
      labels:
        app: {{APP}}
    spec:
      containers:
        - name: {{APP}}
          image: {{IMAGE_URL}}
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: {{APP}}-service
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app: {{APP}}
  type: ClusterIP
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: neupane.krishna33@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{APP}}-ingress
  labels:
    app: {{APP}}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - {{DOMAIN}}
      secretName: {{APP}}-tls
  rules:
    - host: {{DOMAIN}}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{APP}}-service
                port:
                  number: 80

Note: Provide a valid email address. You will receive email notifications on certificate renewals.

Breakdown the above code:

Below set of YAML manifests is designed to deploy an application to Kubernetes, expose it via a Service, configure TLS using Let’s Encrypt through cert-manager, and define Ingress rules for routing traffic.
Deployment and Service: Defines the deployment of your application with one replica and a corresponding service.
Cert-Manager Issuer: Configures the issuer for Let’s Encrypt to obtain TLS certificates.
Ingress: Specifies the Ingress resource with TLS configuration, rules for routing, and annotations for cert-manager and Ingress class.

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{APP}}-deployment
  labels:
    app: {{APP}}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{APP}}
  template:
    metadata:
      labels:
        app: {{APP}}
    spec:
      containers:
        - name: {{APP}}
          image: {{IMAGE_URL}}
          ports:
            - containerPort: 80

##what each line does:

apiVersion and kind:
Specifies the API version and kind of the Kubernetes resource. In this case, it's a Deployment in the apps/v1 API version.

metadata:
name: The name of the Deployment is set to {{APP}}-deployment.
labels: Labels are used to identify and organize resources. The app label is set to {{APP}}.

spec:
replicas: Defines the desired number of replicas for the pods managed by this Deployment. In this case, it's set to 1.
selector: Specifies how the Deployment identifies which pods to manage. It matches pods with the app: {{APP}} label.
template: Describes the pod template used to create new pods.
metadata: Specifies labels for the pods.
spec: Defines the pod specification, including the container.
containers: Describes the containers within the pod.
name: The name of the container is set to {{APP}}.
image: Specifies the Docker image for the container, set to {{IMAGE_URL}}.
ports: Specifies the ports the container exposes.

Service:

apiVersion: v1
kind: Service
metadata:
  name: {{APP}}-service
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app: {{APP}}
  type: ClusterIP

##what each line does:
apiVersion and kind:
Specifies the API version and kind of the Kubernetes resource. In this case, it's a Service in the v1 API version.

metadata:
name: The name of the Service is set to {{APP}}-service.

spec:
ports: Defines the ports that the Service exposes.
name: The name of the port is set to http.
protocol: Specifies the protocol as TCP.
port: The port on which the Service is exposed externally is set to 80.
targetPort: Specifies the port to which traffic is forwarded, set to 80.
selector: Matches pods with the app: {{APP}} label.
type: Specifies the type of Service. In this case, it's set to ClusterIP.

Cert-Manager Issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: neupane.krishna33@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

##what each line does:

apiVersion and kind:
Specifies the API version and kind of the Kubernetes resource. In this case, it's an Issuer in the cert-manager.io/v1 API version.

metadata:
name: The name of the Issuer is set to letsencrypt-prod.

spec:
acme: Configures the issuer for the ACME protocol used by Let's Encrypt.
server: The ACME server URL.
email: The email address for the Let's Encrypt account.
privateKeySecretRef: The secret that contains the private key.
solvers: Configures the challenges used for validation. In this case, it's HTTP01.

Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{APP}}-ingress
  labels:
    app: {{APP}}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - {{DOMAIN}}
      secretName: {{APP}}-tls
  rules:
    - host: {{DOMAIN}}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{APP}}-service
                port:
                  number: 80

##what each line does:

apiVersion and kind:
Specifies the API version and kind of the Kubernetes resource. In this case, it's an Ingress in the networking.k8s.io/v1 API version.

metadata:
name: The name of the Ingress is set to {{APP}}-ingress.
labels: Labels are used to identify and organize resources. The app label is set to {{APP}}.

annotations:
Annotations provide additional configuration. In this case:
cert-manager.io/cluster-issuer: Specifies the cluster issuer for TLS certificates.
kubernetes.io/ingress.class: Specifies the Ingress class.

spec:
tls: Configures TLS for the Ingress.
hosts: Specifies the hosts for which TLS certificates should be issued.
secretName: Specifies the name of the secret where the TLS certificate is stored.
rules: Defines routing rules based on the host.
host: Specifies the domain for which the Ingress rules apply.
http: Configures HTTP routing rules.
paths: Defines paths and their corresponding backends.
path: Specifies the path for the rule.
backend: Specifies the backend service.

5. Branch wise Domain Mapping: Currently, Here i used static way to map domain using bitbucket branches , but we can passed the values using the dynamic ways

branch_domain_mapping.yml

branches:
  master: neupanekrishna.com.np
  dev: neupanekrishna.com.np
  staging: neupanekrishna.com.np
  production: neupanekrishna.com.np
  feature_branch_1: custom1
  feature_branch_2: custom2
  # ... add mappings for all branches

##what each line does:

branches:: This is the key indicating the start of the branch mappings section.

master: neupanekrishna.com.np: For the master branch, the associated domain is set to neupanekrishna.com.np. This means that when you are on the master branch, the pipeline will deploy to the domain neupanekrishna.com.np.
dev: neupanekrishna.com.np: Similarly, for the dev branch, the associated domain is set to neupanekrishna.com.np.
staging: neupanekrishna.com.np: The staging branch also maps to the same domain.
production: neupanekrishna.com.np: The production branch maps to the same domain.
feature_branch_1: custom1: For the feature_branch_1 branch, the associated domain is set to custom1. This allows you to have a different domain for this specific feature branch.
feature_branch_2: custom2: Similarly, for the feature_branch_2 branch, the associated domain is set to custom2.

6. Execute Pipelines:
Push changes to your repository, and Bitbucket Pipelines will automatically trigger the pipeline. Monitor the pipeline execution in the Bitbucket Pipelines dashboard.

How to centralize logs with rsyslog logstash elasticsearch and kibana on Ubuntu 20.04

Krishna Neupane — Thu, 28 Dec 2023 14:38:55 GMT

To install Elasticsearch on Ubuntu 20.04, follow these steps:

sudo apt update
sudo apt install openjdk-11-jre-headless
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'
sudo apt install elasticsearch
sudo service elasticsearch start
sudo systemctl enable elasticsearch

Test Elasticsearch:

Verify that Elasticsearch is up and running.

curl -X GET "localhost:9200/"

Install Logstash:

sudo apt update
sudo apt install openjdk-11-jre-headless
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'
sudo apt update
sudo apt install logstash

Now Install Rsyslog on Ubuntu

apt list -a rsyslog
sudo systemctl enable --now rsyslog

Configure rsyslog:

rsyslog configuration (/etc/rsyslog.conf or /etc/rsyslog.d/your-config-file.conf):

# Load the imuxsock module for local log reception
$ModLoad imuxsock

# Send messages to Logstash
*.* action(type="omfwd" target="logstash_server_ip" port="514" protocol="tcp")

Restart Services:

sudo service rsyslog restart

Configure Logstash for rsyslog:

Create a Logstash configuration file for rsyslog by creating a new file (e.g., /etc/logstash/conf.d/10-rsyslog.conf) with the following content:

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "rsyslog-%{+YYYY.MM.dd}"
  }
}

Note: If the 514 port will not work or give an error use higher port 5514

input {
  tcp {
    port => 5514
    type => "syslog"
  }
}

Restart Logstash:

sudo service logstash restart

Install and Configure Kibana:

sudo apt update
sudo apt install kibana
sudo service kibana start

If you’re unsure about the correct service name, you can list available services:

sudo service --status-all

Check Systemd Status:

systemctl status kibana

If it’s not recognized, you might need to reload the systemd daemon or manually enable the service:

sudo systemctl daemon-reload
sudo systemctl enable kibana

Check Kibana Configuration:

Verify that Kibana is configured to listen on all network interfaces (0.0.0.0) so that it can accept connections from external machines. Open the Kibana configuration file (/etc/kibana/kibana.yml) and ensure that the server.host option is set to:

server.host: "0.0.0.0"

Verify Elasticsearch Connection:

Kibana requires a functional connection to Elasticsearch. Ensure that Elasticsearch is running and properly configured. Verify that the Elasticsearch URL is correctly set in the Kibana configuration file (/etc/kibana/kibana.yml):

elasticsearch.hosts: ["http://localhost:9200"]

After making changes, restart the Kibana service:

sudo service kibana restart

Access via Browser:

http://kibana-server-ip:5601

Remember that this is a basic setup to get you started. Depending on your requirements and environment, you might need to adjust configurations, add security, and handle high availability for the ELK stack.

Docker Password Authentication

Krishna Neupane — Thu, 28 Dec 2023 14:20:57 GMT

The below Docker file creates an image with the customization you described, such as enforcing password authentication for the ls command and setting up a custom sudoers file. However, it's important to note that modifying system commands ls and using unconventional security practices might have unintended consequences and potentially introduce security vulnerabilities.

# Use the official Ubuntu base image
FROM ubuntu:latest

# Set environment variables for the new user and password
ENV USER_NAME=myuser
ENV USER_PASS=mypassword

# Create a new user and set the password
RUN useradd -m $USER_NAME && \
    echo "$USER_NAME:$USER_PASS" | chpasswd

# Install sudo and create a custom sudoers file to require password authentication
RUN apt-get update && \
    apt-get install -y sudo && \
    rm -rf /var/lib/apt/lists/* && \
    echo "$USER_NAME ALL=(ALL:ALL) ALL, !/bin/bash" > /etc/sudoers.d/custom_sudoers && \
    chmod 0440 /etc/sudoers.d/custom_sudoers

# Create a custom shell script to enforce password authentication for ls
RUN echo '#!/bin/bash\nsudo /bin/ls "$@"' > /usr/local/bin/ls && \
    chmod +x /usr/local/bin/ls

# Add /usr/local/bin to the beginning of PATH
ENV PATH="/usr/local/bin:${PATH}"

# Set the default user to the newly created user
USER $USER_NAME

# Set the working directory to the user's home directory
WORKDIR /home/$USER_NAME

# Start a shell when running the container
CMD ["/bin/bash"]

The provided Docker file describes the steps to create a custom Docker image based on the official Ubuntu image. It creates a new user, sets a password, installs sudo, and customizes sudoers and the ls command. Let’s break down the Docker file step by step:

FROM ubuntu:latestThis sets the base image to the latest version of Ubuntu.
Setting environment variables for the new user and password:

ENV USER_NAME=myuser
ENV USER_PASS=mypassword

3. Creating a new user and setting the password:

RUN useradd -m $USER_NAME && \
    echo "$USER_NAME:$USER_PASS" | chpasswd

4. Installing sudo and creating a custom sudoers file:

RUN apt-get update && \
    apt-get install -y sudo && \
    rm -rf /var/lib/apt/lists/* && \
    echo "$USER_NAME ALL=(ALL:ALL) ALL, !/bin/bash" > /etc/sudoers.d/custom_sudoers && \
    chmod 0440 /etc/sudoers.d/custom_sudoers

5. Creating a custom shell script to enforce password authentication for the ls command:

RUN echo '#!/bin/bash\nsudo /bin/ls "$@"' > /usr/local/bin/ls && \
    chmod +x /usr/local/bin/ls

6. Adding /usr/local/bin to the beginning of the PATH:

ENV PATH="/usr/local/bin:${PATH}"

7. Setting the default user to the newly created user:

USER $USER_NAME

8. Setting the working directory to the user’s home directory:

WORKDIR /home/$USER_NAME

9. Starting a shell when running the container:

CMD ["/bin/bash"]

This Docker file creates an image with the customization you described, such as enforcing password authentication for the ls command and setting up a custom sudoers file. However, it's important to note that modifying system commands ls and using unconventional security practices might have unintended consequences and potentially introduce security vulnerabilities.