use static uid/gid in images

This centralizes all user and group creation into a single source. This
will fix any current and furture uid/gid mismatches (such as with
nova-libvirt).

In the process, we also unify users between the distros in a standard
way. The users in the following containers change from thier defaults:

Ubuntu: _chrony user is now chrony
Ubuntu: memcache user is now memcached
All: qemu user is used for ownership and socket permissions

All uid and gid numbers are customizable via kolla-build.conf

Co-Authored-By: Kris Lindgren <klindgren@godaddy.com>
Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543
Partially-Implements: blueprint static-uid-gid

docker/aodh/aodh-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='aodh') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -34,7 +36,7 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
     && cp -a /usr/lib/python2.7/dist-packages/aodh/api/app.wsgi /var/www/cgi-bin/aodh/ \
     && echo > /etc/apache2/ports.conf
     {% endif %}
-   
+
 {% elif install_type == 'source' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -63,21 +65,18 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
 ADD aodh-base-archive /aodh-base-source
 
 RUN ln -s aodh-base-source/* aodh \
-    && useradd --user-group aodh \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /aodh \
-    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh \
+    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh \
     && cp -r /aodh/etc/aodh/* /etc/aodh/  \
     && cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \
-    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh
+    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh
 
 {% endif %}
 
-RUN usermod -a -G kolla aodh
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY aodh_sudoers /etc/sudoers.d/kolla_aodh_sudoers
 
-RUN usermod -a -G kolla aodh \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \
     && chmod 755 /var/www/cgi-bin/aodh \
     && touch /usr/local/bin/kolla_aodh_extend_start \

docker/barbican/barbican-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='barbican') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set barbican_base_packages = ['openstack-barbican-common'] %}
@@ -25,19 +27,17 @@ MAINTAINER {{ maintainer }}
 
 ADD barbican-base-archive /barbican-base-source
 RUN ln -s barbican-base-source/* barbican \
-    && useradd --user-group barbican \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt  pastedeploy uwsgi MySQL-python python-barbicanclient /barbican \
-    && mkdir -p /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican \
+    && mkdir -p /etc/barbican /var/log/barbican \
     && cp -r /barbican/etc/barbican/* /etc/barbican/ \
-    && chown -R barbican: /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican
+    && chown -R barbican: /etc/barbican /var/log/barbican
 
 {% endif %}
 
 COPY barbican_sudoers /etc/sudoers.d/kolla_barbican_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla barbican \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_barbican_sudoers \
     && touch /usr/local/bin/kolla_barbican_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_barbican_extend_start

docker/base/Dockerfile.j2

@@ -1,6 +1,15 @@
 FROM {{ base_image }}:{{ base_distro_tag }}
 MAINTAINER {{ maintainer }}
 
+{# NOTE(SamYaple): Avoid uid/gid conflicts by creating each user/group up front. #}
+{# Specifics required such as homedir or shell are configured within the service specific image #}
+{%- for name, user in users | dictsort() %}
+{% if loop.first -%}RUN {% else %}    && {% endif -%}
+    groupadd --force --gid {{ user.gid }} {{ name }} \
+    && useradd -M --shell /usr/sbin/nologin --uid {{ user.uid }} --gid {{ user.gid }} {{ name }}
+        {%- if not loop.last %} \{% endif -%}
+{%- endfor %}
+
 LABEL kolla_version="{{ kolla_version }}"
 
 {% import "macros.j2" as macros with context %}
@@ -294,7 +303,6 @@ COPY curlrc /root/.curlrc
 RUN touch /usr/local/bin/kolla_extend_start \
     && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
     && chmod 440 /etc/sudoers \
-    && groupadd kolla \
     && mkdir -p /var/log/kolla \
     && chown :kolla /var/log/kolla \
     && chmod 2775 /var/log/kolla \

docker/bifrost/bifrost-base/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block bifrost_base_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='bifrost') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' && /bin/false
@@ -14,7 +18,6 @@ ENV ANSIBLE_FROM_PYPI True
 ADD bifrost-base-archive /bifrost-base-source
 COPY build_arg.yml /tmp/build_arg.yml
 RUN ln -s bifrost-base-source/* bifrost \
-    && useradd --user-group bifrost \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /bifrost
 
 WORKDIR /bifrost
@@ -23,7 +26,6 @@ WORKDIR /bifrost
 RUN sed -e "s/.*mariadb.*//Ig" -i /etc/apt/sources.list && apt-get purge -y mariadb* mysql*
 {% endif %}
 
-
 RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
     ansible-playbook -vvvv -i /bifrost/playbooks/inventory/localhost /bifrost/playbooks/install.yaml \
     -e @/tmp/build_arg.yml && \
@@ -32,15 +34,11 @@ RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
 {% else %}
     yum clean all'
 {% endif %}
-
-
 {% endif %}
 
-
 COPY bifrost_sudoers /etc/sudoers.d/kolla_bifrost_sudoers
 
-RUN usermod -a -G kolla bifrost \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_bifrost_sudoers \
     && chown -R bifrost:bifrost /bifrost
 

docker/ceilometer/ceilometer-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='ceilometer') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set ceilometer_base_packages = [
@@ -27,11 +29,10 @@ MAINTAINER {{ maintainer }}
 
 ADD ceilometer-base-archive /ceilometer-base-source
 RUN ln -s ceilometer-base-source/* ceilometer \
-    && useradd --user-group ceilometer \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ceilometer[gnocchi,mongo,mysql] \
-    && mkdir -p /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && mkdir -p /etc/ceilometer \
     && cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \
-    && chown -R ceilometer: /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && chown -R ceilometer: /etc/ceilometer \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf
 
 {% endif %}
@@ -39,8 +40,7 @@ RUN ln -s ceilometer-base-source/* ceilometer \
 COPY ceilometer_sudoers /etc/sudoers.d/kolla_ceilometer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla ceilometer \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_ceilometer_sudoers \
     && touch /usr/local/bin/kolla_ceilometer_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ceilometer_extend_start

docker/ceph/ceph-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='ceph') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set ceph_base_packages = [
         'ceph',
@@ -29,7 +31,6 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(ceph_base_packages | customizable("packages")) }}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla ceph
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block ceph_base_footer %}{% endblock %}

docker/chrony/Dockerfile.j2

@@ -5,18 +5,14 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
-{% set chrony_packages = ['chrony'] %}
+{{ macros.configure_user(name='chrony') }}
 
-{% if base_distro in ['ubuntu', 'debian'] %}
-# Ubuntu use _chrony username to use unified running user with RHEL system
-RUN useradd --user-group --create-home --home-dir /var/lib/chrony chrony
-{% endif %}
+{% set chrony_packages = ['chrony'] %}
 
 {{ macros.install_packages(chrony_packages | customizable("packages")) }}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla chrony
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block chrony_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/cinder/cinder-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='cinder') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -50,11 +52,10 @@ MAINTAINER {{ maintainer }}
 
 ADD cinder-base-archive /cinder-base-source
 RUN ln -s cinder-base-source/* cinder \
-    && useradd --user-group cinder \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cinder \
-    && mkdir -p /etc/cinder /var/lib/cinder /home/cinder \
+    && mkdir -p /etc/cinder \
     && cp -r /cinder/etc/cinder/* /etc/cinder/ \
-    && chown -R cinder: /etc/cinder /var/lib/cinder /home/cinder \
+    && chown -R cinder: /etc/cinder \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf
 
 {% endif %}
@@ -62,9 +63,7 @@ RUN ln -s cinder-base-source/* cinder \
 COPY cinder_sudoers /etc/sudoers.d/kolla_cinder_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla cinder \
-    && mkdir -p /etc/ceph \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
     && touch /usr/local/bin/kolla_cinder_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cinder_extend_start

docker/cloudkitty/cloudkitty-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='cloudkitty') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -25,18 +27,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD cloudkitty-base-archive /cloudkitty-base-source
 RUN ln -s cloudkitty-base-source/* cloudkitty \
-    && useradd --user-group cloudkitty \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cloudkitty \
-    && mkdir -p /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty \
+    && mkdir -p /etc/cloudkitty  \
     && cp -r /cloudkitty/etc/cloudkitty/* /etc/cloudkitty/ \
-    && chown -R cloudkitty: /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty
+    && chown -R cloudkitty: /etc/cloudkitty
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla cloudkitty \
-    && touch /usr/local/bin/kolla_cloudkitty_extend_start \
+RUN touch /usr/local/bin/kolla_cloudkitty_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cloudkitty_extend_start
 
 {% block cloudkitty_base_footer %}{% endblock %}

docker/collectd/Dockerfile.j2

@@ -2,17 +2,18 @@ FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
 MAINTAINER {{ maintainer }}
 
 {% block collectd_header %}{% endblock %}
+
 {% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='collectd') }}
+
 {% set collectd_packages = [
     'collectd'
 ] %}
-
 {{ macros.install_packages(collectd_packages | customizable("packages")) }}
-COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN useradd -r -m collectd \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla collectd \
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chown -R collectd /var/lib/collectd \
     && chown -R collectd /etc/collectd* \
     && chown -R collectd /var/run/

docker/congress/congress-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='congress') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['ubuntu'] %}
         {% set congress_base_packages = [
@@ -27,18 +29,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD congress-base-archive /congress-base-source
 RUN ln -s congress-base-source/* congress \
-    && useradd --user-group congress \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /congress \
-    && mkdir -p /etc/congress /home/congress \
+    && mkdir -p /etc/congress \
     && cp -r /congress/etc/* /etc/congress/ \
-    && chown -R congress: /etc/congress /home/congress
+    && chown -R congress: /etc/congress
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla congress \
-    && touch /usr/local/bin/kolla_congress_extend_start \
+RUN touch /usr/local/bin/kolla_congress_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_congress_extend_start
 
 {% block congress_base_footer %}{% endblock %}

docker/designate/designate-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='designate') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -39,12 +41,11 @@ RUN cp /etc/designate/policy.json /tmp/ \
 
 ADD designate-base-archive /designate-base-source
 RUN ln -s designate-base-source/* designate \
-    && useradd --user-group designate \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /designate \
-    && mkdir -p /etc/designate /var/log/designate /home/designate \
+    && mkdir -p /etc/designate /var/log/designate \
     && cp -r /designate/etc/designate/* /etc/designate/ \
     && mv /etc/designate/rootwrap.conf.sample /etc/designate/rootwrap.conf \
-    && chown -R designate: /etc/designate /var/log/designate /home/designate \
+    && chown -R designate: /etc/designate /var/log/designate \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
 {% endif %}
 

docker/elasticsearch/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='elasticsearch', shell='/bin/bash', homedir='/usr/share/elasticsearch') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set elasticsearch_packages = [
         'java-1.7.0-openjdk',
@@ -34,9 +36,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers \
-    && usermod -a -G kolla elasticsearch \
-    && usermod -s /bin/bash elasticsearch -d /usr/share/elasticsearch
+    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers
 
 {% block elasticsearch_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/etcd/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='etcd') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set etcd_packages = ['etcd'] %}
 {% elif base_distro in ['ubuntu', 'debian'] %}
@@ -17,8 +19,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers \
-    && usermod -a -G kolla etcd
+    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers
 
 {% block etcd_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/fluentd/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='td-agent') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
 RUN rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent
@@ -40,12 +42,9 @@ RUN ulimit -n 65536 \
 COPY fluentd_sudoers /etc/sudoers.d/kolla_fluentd_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla td-agent \
-    && chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
+RUN chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
     && chmod 755 /usr/local/bin/kolla_extend_start \
-    && chown -R td-agent: /etc/td-agent \
-    && mkdir /var/lib/td-agent \
-    && chown -R td-agent: /var/lib/td-agent
+    && chown -R td-agent: /etc/td-agent
 
 {% block fluentd_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/freezer/freezer-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='freezer') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -14,9 +16,8 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD freezer-base-archive /freezer-base-source
 RUN ln -s freezer-base-source/* freezer \
-    && useradd --user-group freezer \
-    && mkdir -p /etc/freezer /home/freezer \
-    && chown -R freezer: /etc/freezer /home/freezer \
+    && mkdir -p /etc/freezer \
+    && chown -R freezer: /etc/freezer \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /freezer \
     && cp -r /freezer/etc/* /etc/freezer
 
@@ -25,8 +26,7 @@ RUN ln -s freezer-base-source/* freezer \
 COPY freezer_sudoers /etc/sudoers.d/kolla_freezer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla freezer \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_freezer_sudoers \
     && touch /usr/local/bin/kolla_freezer_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_freezer_extend_start

docker/glance/glance-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='glance') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set glance_base_packages = [
@@ -32,19 +34,17 @@ MAINTAINER {{ maintainer }}
 
 ADD glance-base-archive /glance-base-source
 RUN ln -s glance-base-source/* glance \
-    && useradd --user-group glance \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /glance[cinder] \
-    && mkdir -p /etc/glance /var/lib/glance /home/glance \
+    && mkdir -p /etc/glance \
     && cp -r /glance/etc/* /etc/glance/ \
-    && chown -R glance: /etc/glance /var/lib/glance /home/glance
+    && chown -R glance: /etc/glance
 
 {% endif %}
 
 COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla glance \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
     && touch /usr/local/bin/kolla_glance_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start

docker/gnocchi/gnocchi-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='gnocchi') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -61,9 +63,8 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD gnocchi-base-archive /gnocchi-base-source
 
 RUN ln -s gnocchi-base-source/* gnocchi \
-    && useradd --user-group gnocchi \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph] \
-    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi /home/gnocchi \
+    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi \
     && chown -R gnocchi: /etc/gnocchi /var/log/kolla/gnocchi
 
 {% endif %}
@@ -71,8 +72,7 @@ RUN ln -s gnocchi-base-source/* gnocchi \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers
 
-RUN usermod -a -G kolla gnocchi \
-    && mkdir -p /var/lib/gnocchi \
+RUN mkdir -p /var/lib/gnocchi \
     && chown -R gnocchi: /var/lib/gnocchi \
     && chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \

docker/grafana/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='grafana', homedir='/usr/share/grafana') }}
+
 {% set grafana_packages = ['grafana'] %}
 {{ macros.install_packages(grafana_packages | customizable("packages")) }}
 
@@ -16,8 +18,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN grafana-cli plugins install sileht-gnocchi-datasource \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_grafana_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla grafana
+    && chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block grafana_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/haproxy/Dockerfile.j2

@@ -5,14 +5,19 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='haproxy') }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+{{ macros.debian_haproxy_existing_user_fix() }}
+{% endif %}
+
 {% set haproxy_packages = [
     'haproxy',
     'socat'
 ] %}
 {{ macros.install_packages(haproxy_packages | customizable("packages")) }}
 
-RUN usermod -a -G kolla haproxy \
-    && mkdir -p /var/lib/kolla/haproxy \
+RUN mkdir -p /var/lib/kolla/haproxy \
     && chown -R haproxy: /var/lib /run
 
 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config

docker/heat/heat-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='heat') }}
+
 {% if install_type == 'binary' %}
 
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,18 +20,16 @@ MAINTAINER {{ maintainer }}
 
 ADD heat-base-archive /heat-base-source
 RUN ln -s heat-base-source/* heat \
-    && useradd --user-group heat \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /heat \
-    && mkdir -p /etc/heat /home/heat \
+    && mkdir -p /etc/heat \
     && cp -r /heat/etc/heat/* /etc/heat/ \
-    && chown -R heat: /etc/heat /home/heat
+    && chown -R heat: /etc/heat
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla heat \
-    && touch /usr/local/bin/kolla_heat_extend_start \
+RUN touch /usr/local/bin/kolla_heat_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start
 
 {% block heat_base_footer %}{% endblock %}

docker/heka/Dockerfile.j2

@@ -5,12 +5,13 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='heka', homedir='/var/cache/hekad') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set heka_packages = [
         'https://github.com/mozilla-services/heka/releases/download/v0.10.0/heka-0_10_0-linux-amd64.rpm'
     ] %}
-RUN useradd --user-group heka \
-    && mkdir /etc/heka
+RUN mkdir /etc/heka
 
 {% elif base_distro in ['ubuntu', 'debian'] %}
     {% set heka_packages = [
@@ -27,8 +28,7 @@ COPY plugins/encoders /usr/share/heka/lua_encoders/
 COPY heka_sudoers /etc/sudoers.d/kolla_heka_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla heka \
-    && chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
+RUN chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
     && chmod 755 /usr/local/bin/kolla_extend_start \
     && chown -R heka: /usr/share/heka /etc/heka
 

docker/horizon/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='horizon') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -24,8 +26,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(horizon_packages | customizable("packages")) }}
 
 {% block horizon_redhat_binary_setup %}
-RUN useradd --user-group horizon \
-    && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
     && ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
     && ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
     && chown -R horizon: /etc/openstack-dashboard /usr/share/openstack-dashboard \
@@ -108,8 +109,7 @@ ADD horizon-archive /horizon-source
 ADD plugins-archive /
 RUN ln -s horizon-source/* horizon \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /horizon \
-    && useradd --user-group horizon \
-    && mkdir -p /etc/openstack-dashboard /home/horizon \
+    && mkdir -p /etc/openstack-dashboard \
     && ln -s /etc/openstack-dashboard/local_settings /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/local/local_settings.py \
     && cp -r /horizon/openstack_dashboard/conf/* /etc/openstack-dashboard/ \
     && cp /horizon/openstack_dashboard/local/local_settings.py.example /etc/openstack-dashboard/local_settings \
@@ -119,7 +119,7 @@ RUN ln -s horizon-source/* horizon \
        fi \
     && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/horizon && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
     && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
-    && chown -R horizon: /etc/openstack-dashboard /home/horizon /var/lib/kolla/venv/lib/python2.7/site-packages/static
+    && chown -R horizon: /etc/openstack-dashboard /var/lib/kolla/venv/lib/python2.7/site-packages/static
 
 {% endif %}
 

docker/influxdb/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='influxdb') }}
+
 {% set influxdb_packages = ['influxdb'] %}
 {{ macros.install_packages(influxdb_packages | customizable("packages")) }}
 
@@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_influxdb_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla influxdb
+    && chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block influxdb_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/ironic/ironic-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='ironic') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set ironic_base_packages = ['openstack-ironic-common'] %}
@@ -18,11 +20,10 @@ MAINTAINER {{ maintainer }}
 
 ADD ironic-base-archive /ironic-base-source
 RUN ln -s ironic-base-source/* ironic \
-    && useradd --user-group --create-home --home-dir /var/lib/ironic ironic \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ironic \
-    && mkdir -p /etc/ironic /var/lib/ironic \
+    && mkdir -p /etc/ironic \
     && cp -r /ironic/etc/ironic/* /etc/ironic/ \
-    && chown -R ironic: /etc/ironic /var/lib/ironic \
+    && chown -R ironic: /etc/ironic \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf
 
 ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers
@@ -35,7 +36,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN touch /usr/local/bin/kolla_ironic_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start \
-    && usermod -a -G kolla ironic \
     && chown -R ironic: /etc/ironic
 
 {% block ironic_base_footer %}{% endblock %}

docker/kafka/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='kafka', homedir='/kafka') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -26,9 +28,7 @@ RUN curl -o kafka.tgz http://apache.osuosl.org/kafka/0.10.1.0/kafka_2.11-0.10.1.
 {% endblock %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd --user-group --home-dir /kafka kafka \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla kafka \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chown -R kafka: /kafka
 
 {% block kafka_footer %}{% endblock %}

docker/karbor/karbor-base/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block karbor_base_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='karbor') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD karbor-base-archive /karbor-base-source
 RUN ln -s karbor-base-source/* karbor \
-    && useradd --user-group --create-home --home-dir /var/lib/karbor karbor \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /karbor \
     && mkdir -p /etc/karbor \
     && cp -r /karbor/etc/* /etc/karbor/ \
@@ -22,8 +25,7 @@ RUN ln -s karbor-base-source/* karbor \
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla karbor \
-    && touch /usr/local/bin/kolla_karbor_extend_start \
+RUN touch /usr/local/bin/kolla_karbor_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_karbor_extend_start
 
 {% block karbor_base_footer %}{% endblock %}

docker/keystone/keystone-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='keystone') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set keystone_base_packages = [
@@ -61,7 +63,6 @@ RUN echo > /etc/apache2/ports.conf
 {% block keystone_source_install %}
 ADD keystone-base-archive /keystone-base-source
 RUN ln -s keystone-base-source/* keystone \
-    && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
     && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
     && cp -r /keystone/etc/* /etc/keystone/ \
@@ -72,8 +73,7 @@ RUN ln -s keystone-base-source/* keystone \
 
 {% endif %}
 
-RUN usermod -a -G kolla keystone \
-    && chown -R keystone: /var/www/cgi-bin/keystone \
+RUN chown -R keystone: /var/www/cgi-bin/keystone \
     && chmod 755 /var/www/cgi-bin/keystone/*
 
 {% block keystone_base_footer %}{% endblock %}

docker/kibana/Dockerfile.j2

@@ -5,10 +5,10 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='kibana') }}
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd -r -m --user-group kibana \
-    && usermod -a -G kolla kibana \
-    && chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% set kibana_packages = ['kibana'] %}
 {{ macros.install_packages(kibana_packages | customizable("packages")) }}

docker/kolla-toolbox/Dockerfile.j2

@@ -7,6 +7,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='ansible') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set kolla_toolbox_packages = [
         'crudini',
@@ -62,13 +64,12 @@ RUN pip --no-cache-dir install \
     pyudev \
     shade==1.5.0
 
-RUN useradd -m --user-group ansible --groups kolla \
-    && mkdir -p /etc/ansible /usr/share/ansible \
+RUN mkdir -p /etc/ansible /usr/share/ansible \
     && echo 'localhost ansible_connection=local' > /etc/ansible/hosts \
     && sed -i 's|  "identity_api_version": "2.0",|  "identity_api_version": "3",|' {{ os_client_config }}
 
 COPY find_disks.py kolla_keystone_service.py kolla_keystone_user.py kolla_sanity.py /usr/share/ansible/
-COPY ansible.cfg /home/ansible/.ansible.cfg
+COPY ansible.cfg /var/lib/ansible/.ansible.cfg
 
 COPY ansible_sudoers /etc/sudoers.d/kolla_ansible_sudoers
 RUN chmod 440 /etc/sudoers.d/kolla_ansible_sudoers

docker/macros.j2

@@ -17,3 +17,39 @@
 {% macro install_pip(packages) %}
 RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt {% for package in packages %}{{ package }} {% endfor %}
 {% endmacro %}
+
+
+{% macro configure_user(name, groups=None, shell=None, homedir=None) %}
+{% set user=users[name] %}
+{%- if not homedir %}
+{% set homedir='/var/lib/' + name %}
+{%- endif %}
+RUN usermod --append --home {{ homedir }} --groups kolla {{ name }} \
+    {%- if groups %}
+    && usermod --append --groups {{ groups }} {{ name }} \
+    {%- endif %}
+    {%- if shell %}
+    && chsh --shell {{ shell }} {{ name }} \
+    {%- endif %}
+    && mkdir -p {{ homedir }} \
+    && chown -R {{ user.uid }}:{{ user.gid }} {{ homedir }}
+{% endmacro %}
+
+
+{% macro ubuntu_trove_bug_1651852() %}
+{# NOTE(SamYaple): The postinst script breaks because it calls getenv instead of getent #}
+{# TODO(SamYaple): Remove once issue is fixed -- https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/1651852 #}
+RUN apt-get -y install --no-install-recommends trove-common \
+    || sed -i 's/getenv/getent/g' /var/lib/dpkg/info/trove-common.postinst \
+    && apt-get -y install -f \
+    && apt-get clean
+{% endmacro %}
+
+
+{% macro debian_haproxy_existing_user_fix() %}
+{# NOTE(SamYaple): The postinst script breaks if the user 'haproxy' already exists #}
+RUN apt-get -y install --no-install-recommends haproxy \
+    || sed -i '/^adduser/,+1 d' /var/lib/dpkg/info/haproxy.postinst \
+    && apt-get -y install -f \
+    && apt-get clean
+{% endmacro %}

docker/magnum/magnum-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='magnum') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux'] %}
        {% set magnum_base_packages = ['openstack-magnum-common'] %}
@@ -17,16 +19,14 @@ MAINTAINER {{ maintainer }}
 
 ADD magnum-base-archive /magnum-base-source
 RUN ln -s magnum-base-source/* magnum \
-    && useradd --user-group magnum \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
-    && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
+    && mkdir -p /etc/magnum \
     && cp -r /magnum/etc/magnum/* /etc/magnum \
-    && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
+    && chown -R magnum: /etc/magnum
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla magnum \
-    && touch /usr/local/bin/kolla_magnum_extend_start \
+RUN touch /usr/local/bin/kolla_magnum_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_magnum_extend_start

docker/manila/manila-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='manila') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -39,11 +41,10 @@ MAINTAINER {{ maintainer }}
 
 ADD manila-base-archive /manila-base-source
 RUN ln -s manila-base-source/* manila \
-    && useradd --user-group manila \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /manila \
-    && mkdir -p /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && mkdir -p /etc/manila /var/cache/manila \
     && cp -r /manila/etc/manila/* /etc/manila/ \
-    && chown -R manila: /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && chown -R manila: /etc/manila /var/cache/manila \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/manila/rootwrap.conf
 
 COPY manila_sudoers /etc/sudoers.d/kolla_manila_sudoers
@@ -57,6 +58,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_manila_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_manila_extend_start
 
-RUN usermod -a -G kolla manila
-
 {% block manila_base_footer %}{% endblock %}

docker/mariadb/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='mysql') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set mariadb_packages = [
         'MariaDB-Galera-server',
@@ -35,7 +37,6 @@ RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chmod 755 /usr/local/bin/kolla_security_reset \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_mariadb_sudoers \
-    && usermod -a -G kolla mysql \
     && rm -rf /var/lib/mysql/*
 
 {% block mariadb_footer %}{% endblock %}

docker/memcached/Dockerfile.j2

@@ -5,24 +5,13 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{{ macros.configure_user(name='memcached', homedir='/run/memcache') }}
 
-{% set user = 'memcached' %}
-    {% set memcached_packages = ['memcached']  %}
-{{ macros.install_packages(memcached_packages | customizable("packages")) }} \
-    && usermod -a -G kolla {{ user }}
-
-{% elif base_distro in ['ubuntu', 'debian'] %}
-
-{% set user = 'memcache' %}
-    {% set memcached_packages = ['memcached'] %}
-{{ macros.install_packages(memcached_packages | customizable("packages")) }} \
-    && usermod -a -G kolla {{ user }}
-
-{% endif %}
+{% set memcached_packages = ['memcached'] %}
+{{ macros.install_packages(memcached_packages | customizable("packages")) }}
 
 {% block memcached_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}
 
-USER {{ user }}
+USER memcached

docker/mistral/mistral-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='mistral') }}
+
 {% if install_type == 'binary' %}
 
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,16 +20,14 @@ MAINTAINER {{ maintainer }}
 
 ADD mistral-base-archive /mistral-base-source
 RUN ln -s mistral-base-source/* mistral \
-    && useradd --user-group mistral \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install /mistral \
-    && mkdir -p /etc/mistral /home/mistral \
+    && mkdir -p /etc/mistral \
     && cp -r /mistral/etc/* /etc/mistral/ \
-    && chown -R mistral: /etc/mistral /home/mistral
+    && chown -R mistral: /etc/mistral
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla mistral \
-    && touch /usr/local/bin/kolla_mistral_extend_start \
+RUN touch /usr/local/bin/kolla_mistral_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_mistral_extend_start

docker/monasca/monasca-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='monasca') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,17 +14,14 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 {% elif install_type == 'source' %}
 
-RUN useradd --user-group --create-home --home-dir /var/lib/monasca monasca \
-    && chmod 755 /var/lib/monasca \
-    && mkdir -p /etc/monasca /var/lib/monasca \
-    && chown -R monasca: /etc/monasca /var/lib/monasca
+RUN mkdir -p /etc/monasca \
+    && chown -R monasca: /etc/monasca
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN touch /usr/local/bin/kolla_monasca_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start \
-    && usermod -a -G kolla monasca
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start
 
 {% block monasca_base_footer %}{% endblock %}

docker/mongodb/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='mongodb') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set mongodb_packages = [
             'mongodb',
@@ -18,14 +20,10 @@ MAINTAINER {{ maintainer }}
 
 {{ macros.install_packages(mongodb_packages | customizable("packages")) }}
 
-RUN mkdir -p /var/lib/mongodb /home/mongodb \
-    && chown -R mongodb: /var/lib/mongodb /home/mongodb
-
 COPY mongodb_sudoers /etc/sudoers.d/kolla_mongodb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla mongodb \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_mongodb_sudoers
 

docker/murano/murano-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='murano') }}
+
 {% if install_type == 'binary' %}
 
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -19,11 +21,10 @@ MAINTAINER {{ maintainer }}
 
 ADD murano-base-archive /murano-base-source
 RUN ln -s murano-base-source/* murano \
-    && useradd --user-group murano \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /murano \
-    && mkdir -p /etc/murano /home/murano \
+    && mkdir -p /etc/murano \
     && cp -r /murano/etc/murano/* /etc/murano/ \
-    && chown -R murano: /etc/murano /home/murano \
+    && chown -R murano: /etc/murano \
     && cd murano/meta/io.murano \
     && zip -r /io.murano.zip *
 
@@ -31,8 +32,7 @@ RUN ln -s murano-base-source/* murano \
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla murano \
-    && touch /usr/local/bin/kolla_murano_extend_start \
+RUN touch /usr/local/bin/kolla_murano_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_murano_extend_start
 
 {% block murano_base_footer %}{% endblock %}

docker/neutron/neutron-base/Dockerfile.j2

@@ -5,6 +5,12 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='neutron') }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+{{ macros.debian_haproxy_existing_user_fix() }}
+{% endif %}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -77,14 +83,13 @@ RUN mkdir -p /usr/share/neutron \
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
 RUN ln -s neutron-base-source/* neutron \
-    && useradd --user-group neutron \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /neutron \
-    && mkdir -p /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && mkdir -p /etc/neutron /usr/share/neutron \
     && cp -r /neutron/etc/* /etc/neutron/ \
     && cp -r /neutron/etc/neutron/* /etc/neutron/ \
     && cp /neutron/etc/api-paste.ini /usr/share/neutron \
     && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
-    && chown -R neutron: /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && chown -R neutron: /etc/neutron /usr/share/neutron \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
     && if [ "$(ls /plugins)" ]; then \
         pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /plugins/*; \
@@ -95,8 +100,7 @@ RUN ln -s neutron-base-source/* neutron \
 COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla neutron \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_neutron_sudoers \
     && touch /usr/local/bin/kolla_neutron_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_neutron_extend_start

docker/neutron/neutron-metadata-agent/Dockerfile.j2

@@ -21,8 +21,7 @@ COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_metadata_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_neutron_extend_start
 RUN chmod 755 /usr/local/bin/kolla_neutron_extend_start \
     && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers \
-    && usermod -a -G kolla neutron
+    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers
 
 {% block neutron_metadata_agent_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/nova/nova-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='nova', groups='qemu') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -56,12 +58,10 @@ MAINTAINER {{ maintainer }}
 
 ADD nova-base-archive /nova-base-source
 RUN ln -s nova-base-source/* nova \
-    && useradd --user-group --create-home --home-dir /var/lib/nova nova \
-    && chmod 755 /var/lib/nova \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /nova \
-    && mkdir -p /etc/nova /var/lib/nova \
+    && mkdir -p /etc/nova/ \
     && cp -r /nova/etc/nova/* /etc/nova/ \
-    && chown -R nova: /etc/nova /var/lib/nova \
+    && chown -R nova: /etc/nova/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf
 
 COPY nova_sudoers /etc/sudoers.d/kolla_nova_sudoers
@@ -75,6 +75,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_nova_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_nova_extend_start
 
-RUN usermod -a -G kolla nova
-
 {% block nova_base_footer %}{% endblock %}

docker/nova/nova-libvirt/Dockerfile.j2

@@ -1,10 +1,12 @@
-FROM {{ namespace }}/{{ image_prefix }}nova-base:{{ tag }}
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
 MAINTAINER {{ maintainer }}
 
 {% block nova_libvirt_header %}{% endblock %}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='nova', groups='qemu') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
     {% set nova_libvirt_packages = [
@@ -30,8 +32,6 @@ MAINTAINER {{ maintainer }}
         'xen-utils-4.6'
     ] %}
 
-    {% set libvirt_group = 'libvirtd' %}
-
 {% elif base_distro == 'debian' %}
 
     {% set nova_libvirt_packages = [
@@ -46,22 +46,13 @@ MAINTAINER {{ maintainer }}
         'usermode'
     ] %}
 
-    {% set libvirt_group = 'libvirt' %}
-
 {% endif %}
 
 {{ macros.install_packages(nova_libvirt_packages | customizable("packages")) }}
 
-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{% if base_distro in ['ubuntu', 'debian'] %}
 
-RUN usermod -a -G qemu nova
-
-{% elif base_distro in ['ubuntu', 'debian'] %}
-
-RUN mkdir -p /etc/ceph \
-    && rm -f /etc/libvirt/qemu/networks/default.xml \
-        /etc/libvirt/qemu/networks/autostart/default.xml \
-    && usermod -a -G {{ libvirt_group }} nova
+RUN rm -f /etc/libvirt/qemu/networks/default.xml /etc/libvirt/qemu/networks/autostart/default.xml
 
 {% endif %}
 

docker/nova/nova-libvirt/extend_start.sh

@@ -5,7 +5,7 @@
 # Do not remove unless CentOS has been validated
 if [[ -c /dev/kvm ]]; then
     chmod 660 /dev/kvm
-    chown root:kvm /dev/kvm
+    chown root:qemu /dev/kvm
 fi
 
 # Mount xenfs for libxl to work

docker/octavia/octavia-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='octavia') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set octavia_base_packages = [
@@ -20,18 +22,15 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% elif install_type == 'source' %}
 ADD octavia-base-archive /octavia-base-source
 RUN ln -s /octavia-base-source/* octavia \
-    && useradd --user-group --create-home --home-dir /var/lib/octavia octavia \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /octavia \
     && mkdir -p /etc/octavia \
     && cp -r /octavia/etc/* /etc/octavia/ \
     && chown -R octavia: /etc/octavia
 {% endif %}
 
-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN touch /usr/local/bin/kolla_octavia_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start \
-    && usermod -a -G kolla octavia
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start
 
 {% block octavia_base_footer %}{% endblock %}

docker/panko/panko-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='panko') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 
@@ -49,20 +51,16 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD panko-base-archive /panko-base-source
 
 RUN ln -s panko-base-source/* panko \
-    && useradd --user-group panko \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /panko \
-    && mkdir -p /etc/panko /home/panko  \
+    && mkdir -p /etc/panko \
     && cp -r /panko/etc/panko/* /etc/panko/ \
-    && chown -R panko: /etc/panko /home/panko
+    && chown -R panko: /etc/panko
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla panko \
-    && mkdir -p /var/lib/panko \
-    && chown -R panko: /var/lib/panko \
-    && touch /usr/local/bin/kolla_panko_extend_start \
+RUN touch /usr/local/bin/kolla_panko_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_panko_extend_start
 
 {% block panko_base_footer %}{% endblock %}

docker/rabbitmq/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='rabbitmq') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set rabbitmq_packages = [
         'hostname',
@@ -54,8 +56,7 @@ COPY rabbitmq_sudoers /etc/sudoers.d/kolla_rabbitmq_sudoers
 COPY rabbitmq_get_gospel_node.py /usr/local/bin/rabbitmq_get_gospel_node
 RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/rabbitmq_get_gospel_node \
     && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers \
-    && usermod -a -G kolla rabbitmq
+    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers
 
 {% block rabbitmq_footer %}{% endblock %}
 {{ include_footer }}

docker/rally/Dockerfile.j2

@@ -5,12 +5,12 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='rally') }}
+
 {% if install_type == 'binary' %}
 
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set rally_packages = ['openstack-rally'] %}
-RUN useradd --user-group rally
-
 {% elif base_distro in ['ubuntu'] %}
     {% set rally_packages = ['rally'] %}
 {% endif %}
@@ -19,18 +19,15 @@ RUN useradd --user-group rally
 
 ADD rally-archive /rally-source
 RUN ln -s rally-source/* rally \
-    && useradd --user-group rally \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /rally \
-    && mkdir -p /etc/rally /var/log/rally /home/rally \
-    && chown -R rally: /etc/rally /var/log/rally /home/rally
+    && mkdir -p /etc/rally /var/log/rally \
+    && chown -R rally: /etc/rally /var/log/rally
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla rally
-
 {% block rally_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}

docker/sahara/sahara-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='sahara') }}
+
 {% if install_type == 'binary' %}
 
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,22 +20,18 @@ MAINTAINER {{ maintainer }}
 
 ADD sahara-base-archive /sahara-base-source
 RUN ln -s sahara-base-source/* sahara \
-    && useradd --user-group sahara \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /sahara \
-    && mkdir -p /etc/sahara /home/sahara \
+    && mkdir -p /etc/sahara \
     && cp -r /sahara/etc/sahara/* /etc/sahara/ \
-    && chown -R sahara: /etc/sahara /home/sahara \
+    && chown -R sahara: /etc/sahara \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf
 
 {% endif %}
 
-RUN usermod -a -G kolla sahara
-
 COPY sahara_sudoers /etc/sudoers.d/kolla_sahara_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla sahara \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \
     && touch /usr/local/bin/kolla_sahara_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_sahara_extend_start

docker/searchlight/searchlight-base/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block searchlight_base_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='searchlight') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD searchlight-base-archive /searchlight-base-source
 RUN ln -s searchlight-base-source/* searchlight \
-    && useradd --user-group searchlight \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /searchlight \
     && mkdir -p /etc/searchlight \
     && cp -r /searchlight/etc/* /etc/searchlight \
@@ -22,8 +25,7 @@ RUN ln -s searchlight-base-source/* searchlight \
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla searchlight \
-    && touch /usr/local/bin/kolla_searchlight_extend_start \
+RUN touch /usr/local/bin/kolla_searchlight_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_searchlight_extend_start
 
 {% block searchlight_base_footer %}{% endblock %}

docker/senlin/senlin-base/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block senlin_base_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='senlin') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD senlin-base-archive /senlin-base-source
 RUN ln -s senlin-base-source/* senlin \
-    && useradd --user-group senlin \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /senlin \
     && mkdir -p /etc/senlin \
     && cp -r /senlin/etc/senlin/* /etc/senlin \
@@ -22,8 +25,7 @@ RUN ln -s senlin-base-source/* senlin \
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla senlin \
-    && touch /usr/local/bin/kolla_senlin_extend_start \
+RUN touch /usr/local/bin/kolla_senlin_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_senlin_extend_start
 
 {% block senlin_base_footer %}{% endblock %}

docker/solum/solum-base/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block solum_base_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='solum') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,18 +16,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD solum-base-archive /solum-base-source
 RUN ln -s solum-base-source/* solum \
-    && useradd --user-group solum \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /solum \
-    && mkdir -p /etc/solum /home/solum \
+    && mkdir -p /etc/solum \
     && cp -r /solum/etc/solum/* /etc/solum/ \
-    && chown -R solum: /etc/solum /home/solum
+    && chown -R solum: /etc/solum
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla solum \
-    && touch /usr/local/bin/kolla_solum_extend_start \
+RUN touch /usr/local/bin/kolla_solum_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_solum_extend_start
 
 {% block solum_base_footer %}{% endblock %}

docker/swift/swift-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='swift') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set swift_base_packages = [
@@ -30,11 +32,10 @@ MAINTAINER {{ maintainer }}
 
 ADD swift-base-archive /swift-base-source
 RUN ln -s swift-base-source/* swift \
-    && useradd --user-group swift \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /swift \
-    && mkdir -p /etc/swift /var/cache/swift /var/log/swift /home/swift \
+    && mkdir -p /etc/swift /var/cache/swift /var/log/swift \
     && cp -r /swift/etc/* /etc/swift/ \
-    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift /home/swift
+    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift
 {% endif %}
 
 COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
@@ -50,6 +51,4 @@ RUN chmod 750 /etc/sudoers.d \
 COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
 RUN mkdir -p /opt/swift
 
-RUN usermod -a -G kolla swift
-
 {% block swift_base_footer %}{% endblock %}

docker/tacker/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block tacker_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='tacker') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 ADD tacker-archive /tacker-source
 RUN ln -s tacker-source/* tacker \
-    && useradd --user-group --create-home --home-dir /var/lib/tacker tacker \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /tacker \
     && mkdir -p /etc/tacker \
     && cp -r /tacker/etc/tacker/* /etc/tacker \
@@ -22,8 +25,7 @@ RUN ln -s tacker-source/* tacker \
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla tacker \
-    && chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block tacker_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/telegraf/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='telegraf', homedir='/etc/telegraf') }}
+
 {% set telegraf_packages = ['telegraf'] %}
 {{ macros.install_packages(telegraf_packages | customizable("packages")) }}
 
@@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
 RUN chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_telegraf_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla telegraf
+    && chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block telegraf_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/trove/trove-base/Dockerfile.j2

@@ -5,12 +5,15 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='trove') }}
+
 {% if install_type == 'binary' %}
 
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set trove_base_packages = ['openstack-trove-common'] %}
     {% elif base_distro in ['ubuntu'] %}
-        {% set trove_base_packages = ['trove-common'] %}
+        {{ macros.ubuntu_trove_bug_1651852() }}
+        {% set trove_base_packages = [] %}
     {% endif %}
 
 {{ macros.install_packages(trove_base_packages | customizable("packages")) }}
@@ -19,18 +22,16 @@ MAINTAINER {{ maintainer }}
 
 ADD trove-base-archive /trove-base-source
 RUN ln -s trove-base-source/* trove \
-    && useradd --user-group trove \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /trove \
-    && mkdir -p /etc/trove /var/log/trove /home/trove \
+    && mkdir -p /etc/trove /var/log/trove \
     && cp -r /trove/etc/trove/* /etc/trove/ \
-    && chown -R trove: /etc/trove /var/log/trove /home/trove
+    && chown -R trove: /etc/trove /var/log/trove
 
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla trove \
-    && touch /usr/local/bin/kolla_trove_extend_start \
+RUN touch /usr/local/bin/kolla_trove_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start
 
 {% block trove_base_footer %}{% endblock %}

docker/vmtp/Dockerfile.j2

@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 
 {% block vmtp_header %}{% endblock %}
 
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='vmtp') }}
+
 {% if install_type == 'binary' %}
 
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -10,15 +14,13 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 
 {% elif install_type == 'source' %}
 
-RUN pip install vmtp \
-    && useradd --user-group vmtp
+RUN pip install vmtp
 
 {% endif %}
 
 COPY vmtp_sudoers /etc/sudoers.d/kolla_vmtp_sudoers
 RUN chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers \
-    && usermod -a -G kolla vmtp
+    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers
 
 {% block vmtp_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/watcher/watcher-base/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='watcher') }}
+
 {% if install_type == 'binary' %}
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
         {% set watcher_base_packages = ['openstack-watcher-common'] %}
@@ -17,20 +19,16 @@ MAINTAINER {{ maintainer }}
 
 ADD watcher-base-archive /watcher-base-source
 RUN ln -s watcher-base-source/* watcher \
-    && useradd --user-group watcher \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /watcher \
-    && mkdir -p /etc/watcher /home/watcher \
+    && mkdir -p /etc/watcher \
     && cp -r /watcher/etc/watcher/* /etc/watcher/ \
-    && chown -R watcher: /etc/watcher /home/watcher
+    && chown -R watcher: /etc/watcher
 
 {% endif %}
 
-RUN usermod -a -G kolla watcher
-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN usermod -a -G kolla watcher \
-    && touch /usr/local/bin/kolla_watcher_extend_start \
+RUN touch /usr/local/bin/kolla_watcher_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_watcher_extend_start
 
 {% block watcher_base_footer %}{% endblock %}

docker/zaqar/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='zaqar') }}
+
 {% if install_type == 'binary' %}
 
     {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -20,7 +22,6 @@ MAINTAINER {{ maintainer }}
 {% elif install_type == 'source' %}
 ADD zaqar-archive /zaqar-source
 RUN ln -s zaqar-source/* zaqar \
-    && useradd --user-group --create-home --home-dir /var/lib/zaqar zaqar \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /zaqar \
     && mkdir -p /etc/zaqar \
     && cp -r /zaqar/etc/* /etc/zaqar/ \
@@ -30,8 +31,7 @@ RUN ln -s zaqar-source/* zaqar \
 {% endif %}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla zaqar
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block zaqar_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/zookeeper/Dockerfile.j2

@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 
 {% import "macros.j2" as macros with context %}
 
+{{ macros.configure_user(name='zookeeper') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
     {% set zookeeper_packages = [
         'zookeeper',
@@ -18,8 +20,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(zookeeper_packages | customizable("packages")) }}
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla zookeeper
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {% block zookeeper_footer %}{% endblock %}
 {% block footer %}{% endblock %}

kolla/common/config.py

@@ -500,6 +500,240 @@ SOURCES = {
 }
 
 
+# NOTE(SamYaple): Only increment the UID. Never reuse old or removed UIDs.
+#     Starting point 42400+ was choosen arbitrarily to ensure no conflicts
+USERS = {
+    'kolla-user': {
+        'uid': 42400,
+        'gid': 42400,
+    },
+    'ansible-user': {
+        'uid': 42401,
+        'gid': 42401,
+    },
+    'aodh-user': {
+        'uid': 42402,
+        'gid': 42402,
+    },
+    'barbican-user': {
+        'uid': 42403,
+        'gid': 42403,
+    },
+    'bifrost-user': {
+        'uid': 42404,
+        'gid': 42404,
+    },
+    'ceilometer-user': {
+        'uid': 42405,
+        'gid': 42405,
+    },
+    'chrony-user': {
+        'uid': 42406,
+        'gid': 42406,
+    },
+    'cinder-user': {
+        'uid': 42407,
+        'gid': 42407,
+    },
+    'cloudkitty-user': {
+        'uid': 42408,
+        'gid': 42408,
+    },
+    'collectd-user': {
+        'uid': 42409,
+        'gid': 42409,
+    },
+    'congress-user': {
+        'uid': 42410,
+        'gid': 42410,
+    },
+    'designate-user': {
+        'uid': 42411,
+        'gid': 42411,
+    },
+    'elasticsearch-user': {
+        'uid': 42412,
+        'gid': 42412,
+    },
+    'etcd-user': {
+        'uid': 42413,
+        'gid': 42413,
+    },
+    'freezer-user': {
+        'uid': 42414,
+        'gid': 42414,
+    },
+    'glance-user': {
+        'uid': 42415,
+        'gid': 42415,
+    },
+    'gnocchi-user': {
+        'uid': 42416,
+        'gid': 42416,
+    },
+    'grafana-user': {
+        'uid': 42417,
+        'gid': 42417,
+    },
+    'heat-user': {
+        'uid': 42418,
+        'gid': 42418,
+    },
+    'heka-user': {
+        'uid': 42419,
+        'gid': 42419,
+    },
+    'horizon-user': {
+        'uid': 42420,
+        'gid': 42420,
+    },
+    'influxdb-user': {
+        'uid': 42421,
+        'gid': 42421,
+    },
+    'ironic-user': {
+        'uid': 42422,
+        'gid': 42422,
+    },
+    'kafka-user': {
+        'uid': 42423,
+        'gid': 42423,
+    },
+    'keystone-user': {
+        'uid': 42425,
+        'gid': 42425,
+    },
+    'kibana-user': {
+        'uid': 42426,
+        'gid': 42426,
+    },
+    'qemu-user': {
+        'uid': 42427,
+        'gid': 42427,
+    },
+    'magnum-user': {
+        'uid': 42428,
+        'gid': 42428,
+    },
+    'manila-user': {
+        'uid': 42429,
+        'gid': 42429,
+    },
+    'mistral-user': {
+        'uid': 42430,
+        'gid': 42430,
+    },
+    'monasca-user': {
+        'uid': 42431,
+        'gid': 42431,
+    },
+    'mongodb-user': {
+        'uid': 42432,
+        'gid': 65534,
+    },
+    'murano-user': {
+        'uid': 42433,
+        'gid': 42433,
+    },
+    'mysql-user': {
+        'uid': 42434,
+        'gid': 42434,
+    },
+    'neutron-user': {
+        'uid': 42435,
+        'gid': 42435,
+    },
+    'nova-user': {
+        'uid': 42436,
+        'gid': 42436,
+    },
+    'octavia-user': {
+        'uid': 42437,
+        'gid': 42437,
+    },
+    'panko-user': {
+        'uid': 42438,
+        'gid': 42438,
+    },
+    'rabbitmq-user': {
+        'uid': 42439,
+        'gid': 42439,
+    },
+    'rally-user': {
+        'uid': 42440,
+        'gid': 42440,
+    },
+    'sahara-user': {
+        'uid': 42441,
+        'gid': 42441,
+    },
+    'searchlight-user': {
+        'uid': 42442,
+        'gid': 42442,
+    },
+    'senlin-user': {
+        'uid': 42443,
+        'gid': 42443,
+    },
+    'solum-user': {
+        'uid': 42444,
+        'gid': 42444,
+    },
+    'swift-user': {
+        'uid': 42445,
+        'gid': 42445,
+    },
+    'tacker-user': {
+        'uid': 42446,
+        'gid': 42446,
+    },
+    'td-agent-user': {
+        'uid': 42447,
+        'gid': 42447,
+    },
+    'telegraf-user': {
+        'uid': 42448,
+        'gid': 42448,
+    },
+    'trove-user': {
+        'uid': 42449,
+        'gid': 42449,
+    },
+    'vmtp-user': {
+        'uid': 42450,
+        'gid': 42450,
+    },
+    'watcher-user': {
+        'uid': 42451,
+        'gid': 42451,
+    },
+    'zaqar-user': {
+        'uid': 42452,
+        'gid': 42452,
+    },
+    'zookeeper-user': {
+        'uid': 42453,
+        'gid': 42453,
+    },
+    'haproxy-user': {
+        'uid': 42454,
+        'gid': 42454,
+    },
+    'ceph-user': {
+        'uid': 64045,
+        'gid': 64045,
+    },
+    'memcached-user': {
+        'uid': 42457,
+        'gid': 42457,
+    },
+    'karbor-user': {
+        'uid': 42458,
+        'gid': 42458,
+    },
+}
+
+
 def get_source_opts(type_=None, location=None, reference=None):
     return [cfg.StrOpt('type', choices=['local', 'git', 'url'],
                        default=type_,
@@ -511,6 +745,20 @@ def get_source_opts(type_=None, location=None, reference=None):
                              'or branch name'))]
 
 
+def get_user_opts(uid, gid):
+    return [
+        cfg.StrOpt('uid', default=uid, help='The user id'),
+        cfg.StrOpt('gid', default=gid, help='The group id'),
+    ]
+
+
+def gen_all_user_opts():
+    for name, params in USERS.items():
+        uid = params['uid']
+        gid = params['gid']
+        yield name, get_user_opts(uid, gid)
+
+
 def gen_all_source_opts():
     for name, params in SOURCES.items():
         type_ = params['type']
@@ -524,6 +772,7 @@ def list_opts():
                             (None, _BASE_OPTS),
                             ('profiles', _PROFILE_OPTS)],
                            gen_all_source_opts(),
+                           gen_all_user_opts(),
                            )
 
 
@@ -534,6 +783,8 @@ def parse(conf, args, usage=None, prog=None,
     conf.register_opts(_PROFILE_OPTS, group='profiles')
     for name, opts in gen_all_source_opts():
         conf.register_opts(opts, name)
+    for name, opts in gen_all_user_opts():
+        conf.register_opts(opts, name)
 
     conf(args=args,
          project='kolla',

kolla/image/build.py

@@ -631,6 +631,20 @@ class KollaWorker(object):
             'debian_package_install': jinja_methods.debian_package_install,
         }
 
+    def get_users(self):
+        all_sections = (set(six.iterkeys(self.conf._groups)) |
+                        set(self.conf.list_all_sections()))
+        ret = dict()
+        for section in all_sections:
+            match = re.search('^.*-user$', section)
+            if match:
+                user = self.conf[match.group(0)]
+                ret[match.group(0)[:-5]] = {
+                    'uid': user.uid,
+                    'gid': user.gid,
+                }
+        return ret
+
     def create_dockerfiles(self):
         kolla_version = version.version_info.cached_version_string()
         supported_distro_release = common_config.DISTRO_RELEASE.get(
@@ -650,6 +664,7 @@ class KollaWorker(object):
                       'maintainer': self.maintainer,
                       'kolla_version': kolla_version,
                       'image_name': image_name,
+                      'users': self.get_users(),
                       'rpm_setup': self.rpm_setup}
             env = jinja2.Environment(  # nosec: not used to render HTML
                 loader=jinja2.FileSystemLoader(self.working_dir))

releasenotes/notes/static-uid-gid-b90800f2947e656d.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - Static uid and gid are now set in container images.
+    This ensures the numbers do not change and mess up
+    upgrades from one image to another. These values are
+    customizable in the kolla-build.conf if someone
+    should wish to change the default values. By default,
+    the uid and gid are set to 42400+, with the exception
+    of Ceph, which is set to the static 64045 which
+    matches the static uid that the package already uses.