use static uid/gid in images

This centralizes all user and group creation into a single source. This will fix any current and furture uid/gid mismatches (such as with nova-libvirt). In the process, we also unify users between the distros in a standard way. The users in the following containers change from thier defaults: Ubuntu: _chrony user is now chrony Ubuntu: memcache user is now memcached All: qemu user is used for ownership and socket permissions All uid and gid numbers are customizable via kolla-build.conf Co-Authored-By: Kris Lindgren <klindgren@godaddy.com> Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543 Partially-Implements: blueprint static-uid-gid
2016-12-18 19:11:47 +00:00 · 2016-12-18 19:11:47 +00:00 · 58eee09c15
parent 3671d860af
commit 58eee09c15
63 changed files with 572 additions and 266 deletions
--- a/docker/aodh/aodh-base/Dockerfile.j2
+++ b/docker/aodh/aodh-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='aodh') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -34,7 +36,7 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
    && cp -a /usr/lib/python2.7/dist-packages/aodh/api/app.wsgi /var/www/cgi-bin/aodh/ \
    && echo > /etc/apache2/ports.conf
    {% endif %}
-   
+
 {% elif install_type == 'source' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -63,21 +65,18 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
 ADD aodh-base-archive /aodh-base-source

 RUN ln -s aodh-base-source/* aodh \
-    && useradd --user-group aodh \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /aodh \
-    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh \
+    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh \
    && cp -r /aodh/etc/aodh/* /etc/aodh/  \
    && cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \
-    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh
+    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh

 {% endif %}

-RUN usermod -a -G kolla aodh
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY aodh_sudoers /etc/sudoers.d/kolla_aodh_sudoers

-RUN usermod -a -G kolla aodh \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \
    && chmod 755 /var/www/cgi-bin/aodh \
    && touch /usr/local/bin/kolla_aodh_extend_start \
--- a/docker/barbican/barbican-base/Dockerfile.j2
+++ b/docker/barbican/barbican-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='barbican') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set barbican_base_packages = ['openstack-barbican-common'] %}
@ -25,19 +27,17 @@ MAINTAINER {{ maintainer }}

 ADD barbican-base-archive /barbican-base-source
 RUN ln -s barbican-base-source/* barbican \
-    && useradd --user-group barbican \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt  pastedeploy uwsgi MySQL-python python-barbicanclient /barbican \
-    && mkdir -p /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican \
+    && mkdir -p /etc/barbican /var/log/barbican \
    && cp -r /barbican/etc/barbican/* /etc/barbican/ \
-    && chown -R barbican: /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican
+    && chown -R barbican: /etc/barbican /var/log/barbican

 {% endif %}

 COPY barbican_sudoers /etc/sudoers.d/kolla_barbican_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla barbican \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_barbican_sudoers \
    && touch /usr/local/bin/kolla_barbican_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_barbican_extend_start
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@ -1,6 +1,15 @@
 FROM {{ base_image }}:{{ base_distro_tag }}
 MAINTAINER {{ maintainer }}

+{# NOTE(SamYaple): Avoid uid/gid conflicts by creating each user/group up front. #}
+{# Specifics required such as homedir or shell are configured within the service specific image #}
+{%- for name, user in users | dictsort() %}
+{% if loop.first -%}RUN {% else %}    && {% endif -%}
+    groupadd --force --gid {{ user.gid }} {{ name }} \
+    && useradd -M --shell /usr/sbin/nologin --uid {{ user.uid }} --gid {{ user.gid }} {{ name }}
+        {%- if not loop.last %} \{% endif -%}
+{%- endfor %}
+
 LABEL kolla_version="{{ kolla_version }}"

 {% import "macros.j2" as macros with context %}
@ -294,7 +303,6 @@ COPY curlrc /root/.curlrc
 RUN touch /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
    && chmod 440 /etc/sudoers \
-    && groupadd kolla \
    && mkdir -p /var/log/kolla \
    && chown :kolla /var/log/kolla \
    && chmod 2775 /var/log/kolla \
--- a/docker/bifrost/bifrost-base/Dockerfile.j2
+++ b/docker/bifrost/bifrost-base/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block bifrost_base_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='bifrost') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' && /bin/false
@ -14,7 +18,6 @@ ENV ANSIBLE_FROM_PYPI True
 ADD bifrost-base-archive /bifrost-base-source
 COPY build_arg.yml /tmp/build_arg.yml
 RUN ln -s bifrost-base-source/* bifrost \
-    && useradd --user-group bifrost \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /bifrost

 WORKDIR /bifrost
@ -23,7 +26,6 @@ WORKDIR /bifrost
 RUN sed -e "s/.*mariadb.*//Ig" -i /etc/apt/sources.list && apt-get purge -y mariadb* mysql*
 {% endif %}

-
 RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
    ansible-playbook -vvvv -i /bifrost/playbooks/inventory/localhost /bifrost/playbooks/install.yaml \
    -e @/tmp/build_arg.yml && \
@ -32,15 +34,11 @@ RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
 {% else %}
    yum clean all'
 {% endif %}
-
-
 {% endif %}

-
 COPY bifrost_sudoers /etc/sudoers.d/kolla_bifrost_sudoers

-RUN usermod -a -G kolla bifrost \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_bifrost_sudoers \
    && chown -R bifrost:bifrost /bifrost

--- a/docker/ceilometer/ceilometer-base/Dockerfile.j2
+++ b/docker/ceilometer/ceilometer-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='ceilometer') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set ceilometer_base_packages = [
@ -27,11 +29,10 @@ MAINTAINER {{ maintainer }}

 ADD ceilometer-base-archive /ceilometer-base-source
 RUN ln -s ceilometer-base-source/* ceilometer \
-    && useradd --user-group ceilometer \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ceilometer[gnocchi,mongo,mysql] \
-    && mkdir -p /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && mkdir -p /etc/ceilometer \
    && cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \
-    && chown -R ceilometer: /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && chown -R ceilometer: /etc/ceilometer \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf

 {% endif %}
@ -39,8 +40,7 @@ RUN ln -s ceilometer-base-source/* ceilometer \
 COPY ceilometer_sudoers /etc/sudoers.d/kolla_ceilometer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla ceilometer \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_ceilometer_sudoers \
    && touch /usr/local/bin/kolla_ceilometer_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ceilometer_extend_start
--- a/docker/ceph/ceph-base/Dockerfile.j2
+++ b/docker/ceph/ceph-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='ceph') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
   {% set ceph_base_packages = [
        'ceph',
@ -29,7 +31,6 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(ceph_base_packages | customizable("packages")) }}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla ceph
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% block ceph_base_footer %}{% endblock %}
--- a/docker/chrony/Dockerfile.j2
+++ b/docker/chrony/Dockerfile.j2
@ -5,18 +5,14 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

-{% set chrony_packages = ['chrony'] %}
+{{ macros.configure_user(name='chrony') }}

-{% if base_distro in ['ubuntu', 'debian'] %}
-# Ubuntu use _chrony username to use unified running user with RHEL system
-RUN useradd --user-group --create-home --home-dir /var/lib/chrony chrony
-{% endif %}
+{% set chrony_packages = ['chrony'] %}

 {{ macros.install_packages(chrony_packages | customizable("packages")) }}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla chrony
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% block chrony_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/cinder/cinder-base/Dockerfile.j2
+++ b/docker/cinder/cinder-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='cinder') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -50,11 +52,10 @@ MAINTAINER {{ maintainer }}

 ADD cinder-base-archive /cinder-base-source
 RUN ln -s cinder-base-source/* cinder \
-    && useradd --user-group cinder \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cinder \
-    && mkdir -p /etc/cinder /var/lib/cinder /home/cinder \
+    && mkdir -p /etc/cinder \
    && cp -r /cinder/etc/cinder/* /etc/cinder/ \
-    && chown -R cinder: /etc/cinder /var/lib/cinder /home/cinder \
+    && chown -R cinder: /etc/cinder \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf

 {% endif %}
@ -62,9 +63,7 @@ RUN ln -s cinder-base-source/* cinder \
 COPY cinder_sudoers /etc/sudoers.d/kolla_cinder_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla cinder \
-    && mkdir -p /etc/ceph \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
    && touch /usr/local/bin/kolla_cinder_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cinder_extend_start
--- a/docker/cloudkitty/cloudkitty-base/Dockerfile.j2
+++ b/docker/cloudkitty/cloudkitty-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='cloudkitty') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -25,18 +27,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD cloudkitty-base-archive /cloudkitty-base-source
 RUN ln -s cloudkitty-base-source/* cloudkitty \
-    && useradd --user-group cloudkitty \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cloudkitty \
-    && mkdir -p /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty \
+    && mkdir -p /etc/cloudkitty  \
    && cp -r /cloudkitty/etc/cloudkitty/* /etc/cloudkitty/ \
-    && chown -R cloudkitty: /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty
+    && chown -R cloudkitty: /etc/cloudkitty

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla cloudkitty \
-    && touch /usr/local/bin/kolla_cloudkitty_extend_start \
+RUN touch /usr/local/bin/kolla_cloudkitty_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cloudkitty_extend_start

 {% block cloudkitty_base_footer %}{% endblock %}
--- a/docker/collectd/Dockerfile.j2
+++ b/docker/collectd/Dockerfile.j2
@ -2,17 +2,18 @@ FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
 MAINTAINER {{ maintainer }}

 {% block collectd_header %}{% endblock %}
+
 {% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='collectd') }}
+
 {% set collectd_packages = [
    'collectd'
 ] %}
-
 {{ macros.install_packages(collectd_packages | customizable("packages")) }}
-COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN useradd -r -m collectd \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla collectd \
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chown -R collectd /var/lib/collectd \
    && chown -R collectd /etc/collectd* \
    && chown -R collectd /var/run/
--- a/docker/congress/congress-base/Dockerfile.j2
+++ b/docker/congress/congress-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='congress') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['ubuntu'] %}
        {% set congress_base_packages = [
@ -27,18 +29,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD congress-base-archive /congress-base-source
 RUN ln -s congress-base-source/* congress \
-    && useradd --user-group congress \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /congress \
-    && mkdir -p /etc/congress /home/congress \
+    && mkdir -p /etc/congress \
    && cp -r /congress/etc/* /etc/congress/ \
-    && chown -R congress: /etc/congress /home/congress
+    && chown -R congress: /etc/congress

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla congress \
-    && touch /usr/local/bin/kolla_congress_extend_start \
+RUN touch /usr/local/bin/kolla_congress_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_congress_extend_start

 {% block congress_base_footer %}{% endblock %}
--- a/docker/designate/designate-base/Dockerfile.j2
+++ b/docker/designate/designate-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='designate') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -39,12 +41,11 @@ RUN cp /etc/designate/policy.json /tmp/ \

 ADD designate-base-archive /designate-base-source
 RUN ln -s designate-base-source/* designate \
-    && useradd --user-group designate \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /designate \
-    && mkdir -p /etc/designate /var/log/designate /home/designate \
+    && mkdir -p /etc/designate /var/log/designate \
    && cp -r /designate/etc/designate/* /etc/designate/ \
    && mv /etc/designate/rootwrap.conf.sample /etc/designate/rootwrap.conf \
-    && chown -R designate: /etc/designate /var/log/designate /home/designate \
+    && chown -R designate: /etc/designate /var/log/designate \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
 {% endif %}

--- a/docker/elasticsearch/Dockerfile.j2
+++ b/docker/elasticsearch/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='elasticsearch', shell='/bin/bash', homedir='/usr/share/elasticsearch') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set elasticsearch_packages = [
        'java-1.7.0-openjdk',
@ -34,9 +36,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers \
-    && usermod -a -G kolla elasticsearch \
-    && usermod -s /bin/bash elasticsearch -d /usr/share/elasticsearch
+    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers

 {% block elasticsearch_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/etcd/Dockerfile.j2
+++ b/docker/etcd/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='etcd') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set etcd_packages = ['etcd'] %}
 {% elif base_distro in ['ubuntu', 'debian'] %}
@ -17,8 +19,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers \
-    && usermod -a -G kolla etcd
+    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers

 {% block etcd_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/fluentd/Dockerfile.j2
+++ b/docker/fluentd/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='td-agent') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

 RUN rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent
@ -40,12 +42,9 @@ RUN ulimit -n 65536 \
 COPY fluentd_sudoers /etc/sudoers.d/kolla_fluentd_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla td-agent \
-    && chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
+RUN chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && chown -R td-agent: /etc/td-agent \
-    && mkdir /var/lib/td-agent \
-    && chown -R td-agent: /var/lib/td-agent
+    && chown -R td-agent: /etc/td-agent

 {% block fluentd_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/freezer/freezer-base/Dockerfile.j2
+++ b/docker/freezer/freezer-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='freezer') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -14,9 +16,8 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD freezer-base-archive /freezer-base-source
 RUN ln -s freezer-base-source/* freezer \
-    && useradd --user-group freezer \
-    && mkdir -p /etc/freezer /home/freezer \
-    && chown -R freezer: /etc/freezer /home/freezer \
+    && mkdir -p /etc/freezer \
+    && chown -R freezer: /etc/freezer \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /freezer \
    && cp -r /freezer/etc/* /etc/freezer

@ -25,8 +26,7 @@ RUN ln -s freezer-base-source/* freezer \
 COPY freezer_sudoers /etc/sudoers.d/kolla_freezer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla freezer \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_freezer_sudoers \
    && touch /usr/local/bin/kolla_freezer_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_freezer_extend_start
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='glance') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set glance_base_packages = [
@ -32,19 +34,17 @@ MAINTAINER {{ maintainer }}

 ADD glance-base-archive /glance-base-source
 RUN ln -s glance-base-source/* glance \
-    && useradd --user-group glance \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /glance[cinder] \
-    && mkdir -p /etc/glance /var/lib/glance /home/glance \
+    && mkdir -p /etc/glance \
    && cp -r /glance/etc/* /etc/glance/ \
-    && chown -R glance: /etc/glance /var/lib/glance /home/glance
+    && chown -R glance: /etc/glance

 {% endif %}

 COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla glance \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
    && touch /usr/local/bin/kolla_glance_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
--- a/docker/gnocchi/gnocchi-base/Dockerfile.j2
+++ b/docker/gnocchi/gnocchi-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='gnocchi') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -61,9 +63,8 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD gnocchi-base-archive /gnocchi-base-source

 RUN ln -s gnocchi-base-source/* gnocchi \
-    && useradd --user-group gnocchi \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph] \
-    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi /home/gnocchi \
+    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi \
    && chown -R gnocchi: /etc/gnocchi /var/log/kolla/gnocchi

 {% endif %}
@ -71,8 +72,7 @@ RUN ln -s gnocchi-base-source/* gnocchi \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers

-RUN usermod -a -G kolla gnocchi \
-    && mkdir -p /var/lib/gnocchi \
+RUN mkdir -p /var/lib/gnocchi \
    && chown -R gnocchi: /var/lib/gnocchi \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \
--- a/docker/grafana/Dockerfile.j2
+++ b/docker/grafana/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='grafana', homedir='/usr/share/grafana') }}
+
 {% set grafana_packages = ['grafana'] %}
 {{ macros.install_packages(grafana_packages | customizable("packages")) }}

@ -16,8 +18,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN grafana-cli plugins install sileht-gnocchi-datasource \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_grafana_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla grafana
+    && chmod 755 /usr/local/bin/kolla_extend_start

 {% block grafana_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/haproxy/Dockerfile.j2
+++ b/docker/haproxy/Dockerfile.j2
@ -5,14 +5,19 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='haproxy') }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+{{ macros.debian_haproxy_existing_user_fix() }}
+{% endif %}
+
 {% set haproxy_packages = [
    'haproxy',
    'socat'
 ] %}
 {{ macros.install_packages(haproxy_packages | customizable("packages")) }}

-RUN usermod -a -G kolla haproxy \
-    && mkdir -p /var/lib/kolla/haproxy \
+RUN mkdir -p /var/lib/kolla/haproxy \
    && chown -R haproxy: /var/lib /run

 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
--- a/docker/heat/heat-base/Dockerfile.j2
+++ b/docker/heat/heat-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='heat') }}
+
 {% if install_type == 'binary' %}

 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@ -18,18 +20,16 @@ MAINTAINER {{ maintainer }}

 ADD heat-base-archive /heat-base-source
 RUN ln -s heat-base-source/* heat \
-    && useradd --user-group heat \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /heat \
-    && mkdir -p /etc/heat /home/heat \
+    && mkdir -p /etc/heat \
    && cp -r /heat/etc/heat/* /etc/heat/ \
-    && chown -R heat: /etc/heat /home/heat
+    && chown -R heat: /etc/heat

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla heat \
-    && touch /usr/local/bin/kolla_heat_extend_start \
+RUN touch /usr/local/bin/kolla_heat_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start

 {% block heat_base_footer %}{% endblock %}
--- a/docker/heka/Dockerfile.j2
+++ b/docker/heka/Dockerfile.j2
@ -5,12 +5,13 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='heka', homedir='/var/cache/hekad') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set heka_packages = [
        'https://github.com/mozilla-services/heka/releases/download/v0.10.0/heka-0_10_0-linux-amd64.rpm'
    ] %}
-RUN useradd --user-group heka \
-    && mkdir /etc/heka
+RUN mkdir /etc/heka

 {% elif base_distro in ['ubuntu', 'debian'] %}
    {% set heka_packages = [
@ -27,8 +28,7 @@ COPY plugins/encoders /usr/share/heka/lua_encoders/
 COPY heka_sudoers /etc/sudoers.d/kolla_heka_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla heka \
-    && chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
+RUN chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
    && chmod 755 /usr/local/bin/kolla_extend_start \
    && chown -R heka: /usr/share/heka /etc/heka

--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='horizon') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -24,8 +26,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(horizon_packages | customizable("packages")) }}

 {% block horizon_redhat_binary_setup %}
-RUN useradd --user-group horizon \
-    && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
    && ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
    && ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
    && chown -R horizon: /etc/openstack-dashboard /usr/share/openstack-dashboard \
@ -108,8 +109,7 @@ ADD horizon-archive /horizon-source
 ADD plugins-archive /
 RUN ln -s horizon-source/* horizon \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /horizon \
-    && useradd --user-group horizon \
-    && mkdir -p /etc/openstack-dashboard /home/horizon \
+    && mkdir -p /etc/openstack-dashboard \
    && ln -s /etc/openstack-dashboard/local_settings /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/local/local_settings.py \
    && cp -r /horizon/openstack_dashboard/conf/* /etc/openstack-dashboard/ \
    && cp /horizon/openstack_dashboard/local/local_settings.py.example /etc/openstack-dashboard/local_settings \
@ -119,7 +119,7 @@ RUN ln -s horizon-source/* horizon \
       fi \
    && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/horizon && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
    && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
-    && chown -R horizon: /etc/openstack-dashboard /home/horizon /var/lib/kolla/venv/lib/python2.7/site-packages/static
+    && chown -R horizon: /etc/openstack-dashboard /var/lib/kolla/venv/lib/python2.7/site-packages/static

 {% endif %}

--- a/docker/influxdb/Dockerfile.j2
+++ b/docker/influxdb/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='influxdb') }}
+
 {% set influxdb_packages = ['influxdb'] %}
 {{ macros.install_packages(influxdb_packages | customizable("packages")) }}

@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_influxdb_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla influxdb
+    && chmod 755 /usr/local/bin/kolla_extend_start

 {% block influxdb_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/ironic/ironic-base/Dockerfile.j2
+++ b/docker/ironic/ironic-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='ironic') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set ironic_base_packages = ['openstack-ironic-common'] %}
@ -18,11 +20,10 @@ MAINTAINER {{ maintainer }}

 ADD ironic-base-archive /ironic-base-source
 RUN ln -s ironic-base-source/* ironic \
-    && useradd --user-group --create-home --home-dir /var/lib/ironic ironic \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ironic \
-    && mkdir -p /etc/ironic /var/lib/ironic \
+    && mkdir -p /etc/ironic \
    && cp -r /ironic/etc/ironic/* /etc/ironic/ \
-    && chown -R ironic: /etc/ironic /var/lib/ironic \
+    && chown -R ironic: /etc/ironic \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf

 ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers
@ -35,7 +36,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN touch /usr/local/bin/kolla_ironic_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start \
-    && usermod -a -G kolla ironic \
    && chown -R ironic: /etc/ironic

 {% block ironic_base_footer %}{% endblock %}
--- a/docker/kafka/Dockerfile.j2
+++ b/docker/kafka/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='kafka', homedir='/kafka') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -26,9 +28,7 @@ RUN curl -o kafka.tgz http://apache.osuosl.org/kafka/0.10.1.0/kafka_2.11-0.10.1.
 {% endblock %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd --user-group --home-dir /kafka kafka \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla kafka \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chown -R kafka: /kafka

 {% block kafka_footer %}{% endblock %}
--- a/docker/karbor/karbor-base/Dockerfile.j2
+++ b/docker/karbor/karbor-base/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block karbor_base_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='karbor') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD karbor-base-archive /karbor-base-source
 RUN ln -s karbor-base-source/* karbor \
-    && useradd --user-group --create-home --home-dir /var/lib/karbor karbor \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /karbor \
    && mkdir -p /etc/karbor \
    && cp -r /karbor/etc/* /etc/karbor/ \
@ -22,8 +25,7 @@ RUN ln -s karbor-base-source/* karbor \

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla karbor \
-    && touch /usr/local/bin/kolla_karbor_extend_start \
+RUN touch /usr/local/bin/kolla_karbor_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_karbor_extend_start

 {% block karbor_base_footer %}{% endblock %}
--- a/docker/keystone/keystone-base/Dockerfile.j2
+++ b/docker/keystone/keystone-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='keystone') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set keystone_base_packages = [
@ -61,7 +63,6 @@ RUN echo > /etc/apache2/ports.conf
 {% block keystone_source_install %}
 ADD keystone-base-archive /keystone-base-source
 RUN ln -s keystone-base-source/* keystone \
-    && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
    && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
    && cp -r /keystone/etc/* /etc/keystone/ \
@ -72,8 +73,7 @@ RUN ln -s keystone-base-source/* keystone \

 {% endif %}

-RUN usermod -a -G kolla keystone \
-    && chown -R keystone: /var/www/cgi-bin/keystone \
+RUN chown -R keystone: /var/www/cgi-bin/keystone \
    && chmod 755 /var/www/cgi-bin/keystone/*

 {% block keystone_base_footer %}{% endblock %}
--- a/docker/kibana/Dockerfile.j2
+++ b/docker/kibana/Dockerfile.j2
@ -5,10 +5,10 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='kibana') }}
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd -r -m --user-group kibana \
-    && usermod -a -G kolla kibana \
-    && chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% set kibana_packages = ['kibana'] %}
 {{ macros.install_packages(kibana_packages | customizable("packages")) }}
--- a/docker/kolla-toolbox/Dockerfile.j2
+++ b/docker/kolla-toolbox/Dockerfile.j2
@ -7,6 +7,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='ansible') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set kolla_toolbox_packages = [
        'crudini',
@ -62,13 +64,12 @@ RUN pip --no-cache-dir install \
    pyudev \
    shade==1.5.0

-RUN useradd -m --user-group ansible --groups kolla \
-    && mkdir -p /etc/ansible /usr/share/ansible \
+RUN mkdir -p /etc/ansible /usr/share/ansible \
    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts \
    && sed -i 's|  "identity_api_version": "2.0",|  "identity_api_version": "3",|' {{ os_client_config }}

 COPY find_disks.py kolla_keystone_service.py kolla_keystone_user.py kolla_sanity.py /usr/share/ansible/
-COPY ansible.cfg /home/ansible/.ansible.cfg
+COPY ansible.cfg /var/lib/ansible/.ansible.cfg

 COPY ansible_sudoers /etc/sudoers.d/kolla_ansible_sudoers
 RUN chmod 440 /etc/sudoers.d/kolla_ansible_sudoers
--- a/docker/macros.j2
+++ b/docker/macros.j2
@ -17,3 +17,39 @@
 {% macro install_pip(packages) %}
 RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt {% for package in packages %}{{ package }} {% endfor %}
 {% endmacro %}
+
+
+{% macro configure_user(name, groups=None, shell=None, homedir=None) %}
+{% set user=users[name] %}
+{%- if not homedir %}
+{% set homedir='/var/lib/' + name %}
+{%- endif %}
+RUN usermod --append --home {{ homedir }} --groups kolla {{ name }} \
+    {%- if groups %}
+    && usermod --append --groups {{ groups }} {{ name }} \
+    {%- endif %}
+    {%- if shell %}
+    && chsh --shell {{ shell }} {{ name }} \
+    {%- endif %}
+    && mkdir -p {{ homedir }} \
+    && chown -R {{ user.uid }}:{{ user.gid }} {{ homedir }}
+{% endmacro %}
+
+
+{% macro ubuntu_trove_bug_1651852() %}
+{# NOTE(SamYaple): The postinst script breaks because it calls getenv instead of getent #}
+{# TODO(SamYaple): Remove once issue is fixed -- https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/1651852 #}
+RUN apt-get -y install --no-install-recommends trove-common \
+    || sed -i 's/getenv/getent/g' /var/lib/dpkg/info/trove-common.postinst \
+    && apt-get -y install -f \
+    && apt-get clean
+{% endmacro %}
+
+
+{% macro debian_haproxy_existing_user_fix() %}
+{# NOTE(SamYaple): The postinst script breaks if the user 'haproxy' already exists #}
+RUN apt-get -y install --no-install-recommends haproxy \
+    || sed -i '/^adduser/,+1 d' /var/lib/dpkg/info/haproxy.postinst \
+    && apt-get -y install -f \
+    && apt-get clean
+{% endmacro %}
--- a/docker/magnum/magnum-base/Dockerfile.j2
+++ b/docker/magnum/magnum-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='magnum') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux'] %}
       {% set magnum_base_packages = ['openstack-magnum-common'] %}
@ -17,16 +19,14 @@ MAINTAINER {{ maintainer }}

 ADD magnum-base-archive /magnum-base-source
 RUN ln -s magnum-base-source/* magnum \
-    && useradd --user-group magnum \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
-    && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
+    && mkdir -p /etc/magnum \
    && cp -r /magnum/etc/magnum/* /etc/magnum \
-    && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
+    && chown -R magnum: /etc/magnum

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla magnum \
-    && touch /usr/local/bin/kolla_magnum_extend_start \
+RUN touch /usr/local/bin/kolla_magnum_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_magnum_extend_start
--- a/docker/manila/manila-base/Dockerfile.j2
+++ b/docker/manila/manila-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='manila') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -39,11 +41,10 @@ MAINTAINER {{ maintainer }}

 ADD manila-base-archive /manila-base-source
 RUN ln -s manila-base-source/* manila \
-    && useradd --user-group manila \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /manila \
-    && mkdir -p /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && mkdir -p /etc/manila /var/cache/manila \
    && cp -r /manila/etc/manila/* /etc/manila/ \
-    && chown -R manila: /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && chown -R manila: /etc/manila /var/cache/manila \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/manila/rootwrap.conf

 COPY manila_sudoers /etc/sudoers.d/kolla_manila_sudoers
@ -57,6 +58,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_manila_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_manila_extend_start

-RUN usermod -a -G kolla manila
-
 {% block manila_base_footer %}{% endblock %}
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='mysql') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set mariadb_packages = [
        'MariaDB-Galera-server',
@ -35,7 +37,6 @@ RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_security_reset \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_mariadb_sudoers \
-    && usermod -a -G kolla mysql \
    && rm -rf /var/lib/mysql/*

 {% block mariadb_footer %}{% endblock %}
--- a/docker/memcached/Dockerfile.j2
+++ b/docker/memcached/Dockerfile.j2
@ -5,24 +5,13 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{{ macros.configure_user(name='memcached', homedir='/run/memcache') }}

-{% set user = 'memcached' %}
-    {% set memcached_packages = ['memcached']  %}
-{{ macros.install_packages(memcached_packages | customizable("packages")) }} \
-    && usermod -a -G kolla {{ user }}
-
-{% elif base_distro in ['ubuntu', 'debian'] %}
-
-{% set user = 'memcache' %}
-    {% set memcached_packages = ['memcached'] %}
-{{ macros.install_packages(memcached_packages | customizable("packages")) }} \
-    && usermod -a -G kolla {{ user }}
-
-{% endif %}
+{% set memcached_packages = ['memcached'] %}
+{{ macros.install_packages(memcached_packages | customizable("packages")) }}

 {% block memcached_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}

-USER {{ user }}
+USER memcached
--- a/docker/mistral/mistral-base/Dockerfile.j2
+++ b/docker/mistral/mistral-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='mistral') }}
+
 {% if install_type == 'binary' %}

    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@ -18,16 +20,14 @@ MAINTAINER {{ maintainer }}

 ADD mistral-base-archive /mistral-base-source
 RUN ln -s mistral-base-source/* mistral \
-    && useradd --user-group mistral \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install /mistral \
-    && mkdir -p /etc/mistral /home/mistral \
+    && mkdir -p /etc/mistral \
    && cp -r /mistral/etc/* /etc/mistral/ \
-    && chown -R mistral: /etc/mistral /home/mistral
+    && chown -R mistral: /etc/mistral

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla mistral \
-    && touch /usr/local/bin/kolla_mistral_extend_start \
+RUN touch /usr/local/bin/kolla_mistral_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_mistral_extend_start
--- a/docker/monasca/monasca-base/Dockerfile.j2
+++ b/docker/monasca/monasca-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='monasca') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,17 +14,14 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 {% elif install_type == 'source' %}

-RUN useradd --user-group --create-home --home-dir /var/lib/monasca monasca \
-    && chmod 755 /var/lib/monasca \
-    && mkdir -p /etc/monasca /var/lib/monasca \
-    && chown -R monasca: /etc/monasca /var/lib/monasca
+RUN mkdir -p /etc/monasca \
+    && chown -R monasca: /etc/monasca

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN touch /usr/local/bin/kolla_monasca_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start \
-    && usermod -a -G kolla monasca
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start

 {% block monasca_base_footer %}{% endblock %}
--- a/docker/mongodb/Dockerfile.j2
+++ b/docker/mongodb/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='mongodb') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set mongodb_packages = [
            'mongodb',
@ -18,14 +20,10 @@ MAINTAINER {{ maintainer }}

 {{ macros.install_packages(mongodb_packages | customizable("packages")) }}

-RUN mkdir -p /var/lib/mongodb /home/mongodb \
-    && chown -R mongodb: /var/lib/mongodb /home/mongodb
-
 COPY mongodb_sudoers /etc/sudoers.d/kolla_mongodb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla mongodb \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_mongodb_sudoers

--- a/docker/murano/murano-base/Dockerfile.j2
+++ b/docker/murano/murano-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='murano') }}
+
 {% if install_type == 'binary' %}

    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@ -19,11 +21,10 @@ MAINTAINER {{ maintainer }}

 ADD murano-base-archive /murano-base-source
 RUN ln -s murano-base-source/* murano \
-    && useradd --user-group murano \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /murano \
-    && mkdir -p /etc/murano /home/murano \
+    && mkdir -p /etc/murano \
    && cp -r /murano/etc/murano/* /etc/murano/ \
-    && chown -R murano: /etc/murano /home/murano \
+    && chown -R murano: /etc/murano \
    && cd murano/meta/io.murano \
    && zip -r /io.murano.zip *

@ -31,8 +32,7 @@ RUN ln -s murano-base-source/* murano \

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla murano \
-    && touch /usr/local/bin/kolla_murano_extend_start \
+RUN touch /usr/local/bin/kolla_murano_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_murano_extend_start

 {% block murano_base_footer %}{% endblock %}
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@ -5,6 +5,12 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='neutron') }}
+
+{% if base_distro in ['ubuntu', 'debian'] %}
+{{ macros.debian_haproxy_existing_user_fix() }}
+{% endif %}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -77,14 +83,13 @@ RUN mkdir -p /usr/share/neutron \
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
 RUN ln -s neutron-base-source/* neutron \
-    && useradd --user-group neutron \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /neutron \
-    && mkdir -p /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && mkdir -p /etc/neutron /usr/share/neutron \
    && cp -r /neutron/etc/* /etc/neutron/ \
    && cp -r /neutron/etc/neutron/* /etc/neutron/ \
    && cp /neutron/etc/api-paste.ini /usr/share/neutron \
    && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
-    && chown -R neutron: /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && chown -R neutron: /etc/neutron /usr/share/neutron \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
    && if [ "$(ls /plugins)" ]; then \
        pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /plugins/*; \
@ -95,8 +100,7 @@ RUN ln -s neutron-base-source/* neutron \
 COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla neutron \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_neutron_sudoers \
    && touch /usr/local/bin/kolla_neutron_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_neutron_extend_start
--- a/docker/neutron/neutron-metadata-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-metadata-agent/Dockerfile.j2
@ -21,8 +21,7 @@ COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_metadata_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_neutron_extend_start
 RUN chmod 755 /usr/local/bin/kolla_neutron_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers \
-    && usermod -a -G kolla neutron
+    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers

 {% block neutron_metadata_agent_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/nova/nova-base/Dockerfile.j2
+++ b/docker/nova/nova-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='nova', groups='qemu') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -56,12 +58,10 @@ MAINTAINER {{ maintainer }}

 ADD nova-base-archive /nova-base-source
 RUN ln -s nova-base-source/* nova \
-    && useradd --user-group --create-home --home-dir /var/lib/nova nova \
-    && chmod 755 /var/lib/nova \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /nova \
-    && mkdir -p /etc/nova /var/lib/nova \
+    && mkdir -p /etc/nova/ \
    && cp -r /nova/etc/nova/* /etc/nova/ \
-    && chown -R nova: /etc/nova /var/lib/nova \
+    && chown -R nova: /etc/nova/ \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf

 COPY nova_sudoers /etc/sudoers.d/kolla_nova_sudoers
@ -75,6 +75,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_nova_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_nova_extend_start

-RUN usermod -a -G kolla nova
-
 {% block nova_base_footer %}{% endblock %}
--- a/docker/nova/nova-libvirt/Dockerfile.j2
+++ b/docker/nova/nova-libvirt/Dockerfile.j2
@ -1,10 +1,12 @@
-FROM {{ namespace }}/{{ image_prefix }}nova-base:{{ tag }}
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
 MAINTAINER {{ maintainer }}

 {% block nova_libvirt_header %}{% endblock %}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='nova', groups='qemu') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

    {% set nova_libvirt_packages = [
@ -30,8 +32,6 @@ MAINTAINER {{ maintainer }}
        'xen-utils-4.6'
    ] %}

-    {% set libvirt_group = 'libvirtd' %}
-
 {% elif base_distro == 'debian' %}

    {% set nova_libvirt_packages = [
@ -46,22 +46,13 @@ MAINTAINER {{ maintainer }}
        'usermode'
    ] %}

-    {% set libvirt_group = 'libvirt' %}
-
 {% endif %}

 {{ macros.install_packages(nova_libvirt_packages | customizable("packages")) }}

-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{% if base_distro in ['ubuntu', 'debian'] %}

-RUN usermod -a -G qemu nova
-
-{% elif base_distro in ['ubuntu', 'debian'] %}
-
-RUN mkdir -p /etc/ceph \
-    && rm -f /etc/libvirt/qemu/networks/default.xml \
-        /etc/libvirt/qemu/networks/autostart/default.xml \
-    && usermod -a -G {{ libvirt_group }} nova
+RUN rm -f /etc/libvirt/qemu/networks/default.xml /etc/libvirt/qemu/networks/autostart/default.xml

 {% endif %}

--- a/docker/nova/nova-libvirt/extend_start.sh
+++ b/docker/nova/nova-libvirt/extend_start.sh
@ -5,7 +5,7 @@
 # Do not remove unless CentOS has been validated
 if [[ -c /dev/kvm ]]; then
    chmod 660 /dev/kvm
-    chown root:kvm /dev/kvm
+    chown root:qemu /dev/kvm
 fi

 # Mount xenfs for libxl to work
--- a/docker/octavia/octavia-base/Dockerfile.j2
+++ b/docker/octavia/octavia-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='octavia') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set octavia_base_packages = [
@ -20,18 +22,15 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% elif install_type == 'source' %}
 ADD octavia-base-archive /octavia-base-source
 RUN ln -s /octavia-base-source/* octavia \
-    && useradd --user-group --create-home --home-dir /var/lib/octavia octavia \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /octavia \
    && mkdir -p /etc/octavia \
    && cp -r /octavia/etc/* /etc/octavia/ \
    && chown -R octavia: /etc/octavia
 {% endif %}

-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN touch /usr/local/bin/kolla_octavia_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start \
-    && usermod -a -G kolla octavia
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start

 {% block octavia_base_footer %}{% endblock %}
--- a/docker/panko/panko-base/Dockerfile.j2
+++ b/docker/panko/panko-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='panko') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}

@ -49,20 +51,16 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD panko-base-archive /panko-base-source

 RUN ln -s panko-base-source/* panko \
-    && useradd --user-group panko \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /panko \
-    && mkdir -p /etc/panko /home/panko  \
+    && mkdir -p /etc/panko \
    && cp -r /panko/etc/panko/* /etc/panko/ \
-    && chown -R panko: /etc/panko /home/panko
+    && chown -R panko: /etc/panko

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla panko \
-    && mkdir -p /var/lib/panko \
-    && chown -R panko: /var/lib/panko \
-    && touch /usr/local/bin/kolla_panko_extend_start \
+RUN touch /usr/local/bin/kolla_panko_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_panko_extend_start

 {% block panko_base_footer %}{% endblock %}
--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='rabbitmq') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set rabbitmq_packages = [
        'hostname',
@ -54,8 +56,7 @@ COPY rabbitmq_sudoers /etc/sudoers.d/kolla_rabbitmq_sudoers
 COPY rabbitmq_get_gospel_node.py /usr/local/bin/rabbitmq_get_gospel_node
 RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/rabbitmq_get_gospel_node \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers \
-    && usermod -a -G kolla rabbitmq
+    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers

 {% block rabbitmq_footer %}{% endblock %}
 {{ include_footer }}
--- a/docker/rally/Dockerfile.j2
+++ b/docker/rally/Dockerfile.j2
@ -5,12 +5,12 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='rally') }}
+
 {% if install_type == 'binary' %}

 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set rally_packages = ['openstack-rally'] %}
-RUN useradd --user-group rally
-
 {% elif base_distro in ['ubuntu'] %}
    {% set rally_packages = ['rally'] %}
 {% endif %}
@ -19,18 +19,15 @@ RUN useradd --user-group rally

 ADD rally-archive /rally-source
 RUN ln -s rally-source/* rally \
-    && useradd --user-group rally \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /rally \
-    && mkdir -p /etc/rally /var/log/rally /home/rally \
-    && chown -R rally: /etc/rally /var/log/rally /home/rally
+    && mkdir -p /etc/rally /var/log/rally \
+    && chown -R rally: /etc/rally /var/log/rally

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla rally
-
 {% block rally_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}
--- a/docker/sahara/sahara-base/Dockerfile.j2
+++ b/docker/sahara/sahara-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='sahara') }}
+
 {% if install_type == 'binary' %}

 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@ -18,22 +20,18 @@ MAINTAINER {{ maintainer }}

 ADD sahara-base-archive /sahara-base-source
 RUN ln -s sahara-base-source/* sahara \
-    && useradd --user-group sahara \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /sahara \
-    && mkdir -p /etc/sahara /home/sahara \
+    && mkdir -p /etc/sahara \
    && cp -r /sahara/etc/sahara/* /etc/sahara/ \
-    && chown -R sahara: /etc/sahara /home/sahara \
+    && chown -R sahara: /etc/sahara \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf

 {% endif %}

-RUN usermod -a -G kolla sahara
-
 COPY sahara_sudoers /etc/sudoers.d/kolla_sahara_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla sahara \
-    && chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \
    && touch /usr/local/bin/kolla_sahara_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_sahara_extend_start
--- a/docker/searchlight/searchlight-base/Dockerfile.j2
+++ b/docker/searchlight/searchlight-base/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block searchlight_base_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='searchlight') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD searchlight-base-archive /searchlight-base-source
 RUN ln -s searchlight-base-source/* searchlight \
-    && useradd --user-group searchlight \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /searchlight \
    && mkdir -p /etc/searchlight \
    && cp -r /searchlight/etc/* /etc/searchlight \
@ -22,8 +25,7 @@ RUN ln -s searchlight-base-source/* searchlight \

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla searchlight \
-    && touch /usr/local/bin/kolla_searchlight_extend_start \
+RUN touch /usr/local/bin/kolla_searchlight_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_searchlight_extend_start

 {% block searchlight_base_footer %}{% endblock %}
--- a/docker/senlin/senlin-base/Dockerfile.j2
+++ b/docker/senlin/senlin-base/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block senlin_base_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='senlin') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD senlin-base-archive /senlin-base-source
 RUN ln -s senlin-base-source/* senlin \
-    && useradd --user-group senlin \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /senlin \
    && mkdir -p /etc/senlin \
    && cp -r /senlin/etc/senlin/* /etc/senlin \
@ -22,8 +25,7 @@ RUN ln -s senlin-base-source/* senlin \

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla senlin \
-    && touch /usr/local/bin/kolla_senlin_extend_start \
+RUN touch /usr/local/bin/kolla_senlin_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_senlin_extend_start

 {% block senlin_base_footer %}{% endblock %}
--- a/docker/solum/solum-base/Dockerfile.j2
+++ b/docker/solum/solum-base/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block solum_base_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='solum') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,18 +16,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD solum-base-archive /solum-base-source
 RUN ln -s solum-base-source/* solum \
-    && useradd --user-group solum \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /solum \
-    && mkdir -p /etc/solum /home/solum \
+    && mkdir -p /etc/solum \
    && cp -r /solum/etc/solum/* /etc/solum/ \
-    && chown -R solum: /etc/solum /home/solum
+    && chown -R solum: /etc/solum

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla solum \
-    && touch /usr/local/bin/kolla_solum_extend_start \
+RUN touch /usr/local/bin/kolla_solum_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_solum_extend_start

 {% block solum_base_footer %}{% endblock %}
--- a/docker/swift/swift-base/Dockerfile.j2
+++ b/docker/swift/swift-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='swift') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set swift_base_packages = [
@ -30,11 +32,10 @@ MAINTAINER {{ maintainer }}

 ADD swift-base-archive /swift-base-source
 RUN ln -s swift-base-source/* swift \
-    && useradd --user-group swift \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /swift \
-    && mkdir -p /etc/swift /var/cache/swift /var/log/swift /home/swift \
+    && mkdir -p /etc/swift /var/cache/swift /var/log/swift \
    && cp -r /swift/etc/* /etc/swift/ \
-    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift /home/swift
+    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift
 {% endif %}

 COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
@ -50,6 +51,4 @@ RUN chmod 750 /etc/sudoers.d \
 COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
 RUN mkdir -p /opt/swift

-RUN usermod -a -G kolla swift
-
 {% block swift_base_footer %}{% endblock %}
--- a/docker/tacker/Dockerfile.j2
+++ b/docker/tacker/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block tacker_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='tacker') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 ADD tacker-archive /tacker-source
 RUN ln -s tacker-source/* tacker \
-    && useradd --user-group --create-home --home-dir /var/lib/tacker tacker \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /tacker \
    && mkdir -p /etc/tacker \
    && cp -r /tacker/etc/tacker/* /etc/tacker \
@ -22,8 +25,7 @@ RUN ln -s tacker-source/* tacker \

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla tacker \
-    && chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% block tacker_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/telegraf/Dockerfile.j2
+++ b/docker/telegraf/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='telegraf', homedir='/etc/telegraf') }}
+
 {% set telegraf_packages = ['telegraf'] %}
 {{ macros.install_packages(telegraf_packages | customizable("packages")) }}

@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_telegraf_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla telegraf
+    && chmod 755 /usr/local/bin/kolla_extend_start

 {% block telegraf_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/trove/trove-base/Dockerfile.j2
+++ b/docker/trove/trove-base/Dockerfile.j2
@ -5,12 +5,15 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='trove') }}
+
 {% if install_type == 'binary' %}

    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set trove_base_packages = ['openstack-trove-common'] %}
    {% elif base_distro in ['ubuntu'] %}
-        {% set trove_base_packages = ['trove-common'] %}
+        {{ macros.ubuntu_trove_bug_1651852() }}
+        {% set trove_base_packages = [] %}
    {% endif %}

 {{ macros.install_packages(trove_base_packages | customizable("packages")) }}
@ -19,18 +22,16 @@ MAINTAINER {{ maintainer }}

 ADD trove-base-archive /trove-base-source
 RUN ln -s trove-base-source/* trove \
-    && useradd --user-group trove \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /trove \
-    && mkdir -p /etc/trove /var/log/trove /home/trove \
+    && mkdir -p /etc/trove /var/log/trove \
    && cp -r /trove/etc/trove/* /etc/trove/ \
-    && chown -R trove: /etc/trove /var/log/trove /home/trove
+    && chown -R trove: /etc/trove /var/log/trove

 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla trove \
-    && touch /usr/local/bin/kolla_trove_extend_start \
+RUN touch /usr/local/bin/kolla_trove_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start

 {% block trove_base_footer %}{% endblock %}
--- a/docker/vmtp/Dockerfile.j2
+++ b/docker/vmtp/Dockerfile.j2
@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}

 {% block vmtp_header %}{% endblock %}

+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='vmtp') }}
+
 {% if install_type == 'binary' %}

 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -10,15 +14,13 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \

 {% elif install_type == 'source' %}

-RUN pip install vmtp \
-    && useradd --user-group vmtp
+RUN pip install vmtp

 {% endif %}

 COPY vmtp_sudoers /etc/sudoers.d/kolla_vmtp_sudoers
 RUN chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers \
-    && usermod -a -G kolla vmtp
+    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers

 {% block vmtp_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/watcher/watcher-base/Dockerfile.j2
+++ b/docker/watcher/watcher-base/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='watcher') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set watcher_base_packages = ['openstack-watcher-common'] %}
@ -17,20 +19,16 @@ MAINTAINER {{ maintainer }}

 ADD watcher-base-archive /watcher-base-source
 RUN ln -s watcher-base-source/* watcher \
-    && useradd --user-group watcher \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /watcher \
-    && mkdir -p /etc/watcher /home/watcher \
+    && mkdir -p /etc/watcher \
    && cp -r /watcher/etc/watcher/* /etc/watcher/ \
-    && chown -R watcher: /etc/watcher /home/watcher
+    && chown -R watcher: /etc/watcher

 {% endif %}

-RUN usermod -a -G kolla watcher
-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN usermod -a -G kolla watcher \
-    && touch /usr/local/bin/kolla_watcher_extend_start \
+RUN touch /usr/local/bin/kolla_watcher_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_watcher_extend_start

 {% block watcher_base_footer %}{% endblock %}
--- a/docker/zaqar/Dockerfile.j2
+++ b/docker/zaqar/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='zaqar') }}
+
 {% if install_type == 'binary' %}

    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@ -20,7 +22,6 @@ MAINTAINER {{ maintainer }}
 {% elif install_type == 'source' %}
 ADD zaqar-archive /zaqar-source
 RUN ln -s zaqar-source/* zaqar \
-    && useradd --user-group --create-home --home-dir /var/lib/zaqar zaqar \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /zaqar \
    && mkdir -p /etc/zaqar \
    && cp -r /zaqar/etc/* /etc/zaqar/ \
@ -30,8 +31,7 @@ RUN ln -s zaqar-source/* zaqar \
 {% endif %}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla zaqar
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% block zaqar_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/zookeeper/Dockerfile.j2
+++ b/docker/zookeeper/Dockerfile.j2
@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='zookeeper') }}
+
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set zookeeper_packages = [
        'zookeeper',
@ -18,8 +20,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(zookeeper_packages | customizable("packages")) }}

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && usermod -a -G kolla zookeeper
+RUN chmod 755 /usr/local/bin/kolla_extend_start

 {% block zookeeper_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@ -500,6 +500,240 @@ SOURCES = {
 }


+# NOTE(SamYaple): Only increment the UID. Never reuse old or removed UIDs.
+#     Starting point 42400+ was choosen arbitrarily to ensure no conflicts
+USERS = {
+    'kolla-user': {
+        'uid': 42400,
+        'gid': 42400,
+    },
+    'ansible-user': {
+        'uid': 42401,
+        'gid': 42401,
+    },
+    'aodh-user': {
+        'uid': 42402,
+        'gid': 42402,
+    },
+    'barbican-user': {
+        'uid': 42403,
+        'gid': 42403,
+    },
+    'bifrost-user': {
+        'uid': 42404,
+        'gid': 42404,
+    },
+    'ceilometer-user': {
+        'uid': 42405,
+        'gid': 42405,
+    },
+    'chrony-user': {
+        'uid': 42406,
+        'gid': 42406,
+    },
+    'cinder-user': {
+        'uid': 42407,
+        'gid': 42407,
+    },
+    'cloudkitty-user': {
+        'uid': 42408,
+        'gid': 42408,
+    },
+    'collectd-user': {
+        'uid': 42409,
+        'gid': 42409,
+    },
+    'congress-user': {
+        'uid': 42410,
+        'gid': 42410,
+    },
+    'designate-user': {
+        'uid': 42411,
+        'gid': 42411,
+    },
+    'elasticsearch-user': {
+        'uid': 42412,
+        'gid': 42412,
+    },
+    'etcd-user': {
+        'uid': 42413,
+        'gid': 42413,
+    },
+    'freezer-user': {
+        'uid': 42414,
+        'gid': 42414,
+    },
+    'glance-user': {
+        'uid': 42415,
+        'gid': 42415,
+    },
+    'gnocchi-user': {
+        'uid': 42416,
+        'gid': 42416,
+    },
+    'grafana-user': {
+        'uid': 42417,
+        'gid': 42417,
+    },
+    'heat-user': {
+        'uid': 42418,
+        'gid': 42418,
+    },
+    'heka-user': {
+        'uid': 42419,
+        'gid': 42419,
+    },
+    'horizon-user': {
+        'uid': 42420,
+        'gid': 42420,
+    },
+    'influxdb-user': {
+        'uid': 42421,
+        'gid': 42421,
+    },
+    'ironic-user': {
+        'uid': 42422,
+        'gid': 42422,
+    },
+    'kafka-user': {
+        'uid': 42423,
+        'gid': 42423,
+    },
+    'keystone-user': {
+        'uid': 42425,
+        'gid': 42425,
+    },
+    'kibana-user': {
+        'uid': 42426,
+        'gid': 42426,
+    },
+    'qemu-user': {
+        'uid': 42427,
+        'gid': 42427,
+    },
+    'magnum-user': {
+        'uid': 42428,
+        'gid': 42428,
+    },
+    'manila-user': {
+        'uid': 42429,
+        'gid': 42429,
+    },
+    'mistral-user': {
+        'uid': 42430,
+        'gid': 42430,
+    },
+    'monasca-user': {
+        'uid': 42431,
+        'gid': 42431,
+    },
+    'mongodb-user': {
+        'uid': 42432,
+        'gid': 65534,
+    },
+    'murano-user': {
+        'uid': 42433,
+        'gid': 42433,
+    },
+    'mysql-user': {
+        'uid': 42434,
+        'gid': 42434,
+    },
+    'neutron-user': {
+        'uid': 42435,
+        'gid': 42435,
+    },
+    'nova-user': {
+        'uid': 42436,
+        'gid': 42436,
+    },
+    'octavia-user': {
+        'uid': 42437,
+        'gid': 42437,
+    },
+    'panko-user': {
+        'uid': 42438,
+        'gid': 42438,
+    },
+    'rabbitmq-user': {
+        'uid': 42439,
+        'gid': 42439,
+    },
+    'rally-user': {
+        'uid': 42440,
+        'gid': 42440,
+    },
+    'sahara-user': {
+        'uid': 42441,
+        'gid': 42441,
+    },
+    'searchlight-user': {
+        'uid': 42442,
+        'gid': 42442,
+    },
+    'senlin-user': {
+        'uid': 42443,
+        'gid': 42443,
+    },
+    'solum-user': {
+        'uid': 42444,
+        'gid': 42444,
+    },
+    'swift-user': {
+        'uid': 42445,
+        'gid': 42445,
+    },
+    'tacker-user': {
+        'uid': 42446,
+        'gid': 42446,
+    },
+    'td-agent-user': {
+        'uid': 42447,
+        'gid': 42447,
+    },
+    'telegraf-user': {
+        'uid': 42448,
+        'gid': 42448,
+    },
+    'trove-user': {
+        'uid': 42449,
+        'gid': 42449,
+    },
+    'vmtp-user': {
+        'uid': 42450,
+        'gid': 42450,
+    },
+    'watcher-user': {
+        'uid': 42451,
+        'gid': 42451,
+    },
+    'zaqar-user': {
+        'uid': 42452,
+        'gid': 42452,
+    },
+    'zookeeper-user': {
+        'uid': 42453,
+        'gid': 42453,
+    },
+    'haproxy-user': {
+        'uid': 42454,
+        'gid': 42454,
+    },
+    'ceph-user': {
+        'uid': 64045,
+        'gid': 64045,
+    },
+    'memcached-user': {
+        'uid': 42457,
+        'gid': 42457,
+    },
+    'karbor-user': {
+        'uid': 42458,
+        'gid': 42458,
+    },
+}
+
+
 def get_source_opts(type_=None, location=None, reference=None):
    return [cfg.StrOpt('type', choices=['local', 'git', 'url'],
                       default=type_,
@ -511,6 +745,20 @@ def get_source_opts(type_=None, location=None, reference=None):
                             'or branch name'))]


+def get_user_opts(uid, gid):
+    return [
+        cfg.StrOpt('uid', default=uid, help='The user id'),
+        cfg.StrOpt('gid', default=gid, help='The group id'),
+    ]
+
+
+def gen_all_user_opts():
+    for name, params in USERS.items():
+        uid = params['uid']
+        gid = params['gid']
+        yield name, get_user_opts(uid, gid)
+
+
 def gen_all_source_opts():
    for name, params in SOURCES.items():
        type_ = params['type']
@ -524,6 +772,7 @@ def list_opts():
                            (None, _BASE_OPTS),
                            ('profiles', _PROFILE_OPTS)],
                           gen_all_source_opts(),
+                           gen_all_user_opts(),
                           )


@ -534,6 +783,8 @@ def parse(conf, args, usage=None, prog=None,
    conf.register_opts(_PROFILE_OPTS, group='profiles')
    for name, opts in gen_all_source_opts():
        conf.register_opts(opts, name)
+    for name, opts in gen_all_user_opts():
+        conf.register_opts(opts, name)

    conf(args=args,
         project='kolla',
--- a/kolla/image/build.py
+++ b/kolla/image/build.py
@ -631,6 +631,20 @@ class KollaWorker(object):
            'debian_package_install': jinja_methods.debian_package_install,
        }

+    def get_users(self):
+        all_sections = (set(six.iterkeys(self.conf._groups)) |
+                        set(self.conf.list_all_sections()))
+        ret = dict()
+        for section in all_sections:
+            match = re.search('^.*-user$', section)
+            if match:
+                user = self.conf[match.group(0)]
+                ret[match.group(0)[:-5]] = {
+                    'uid': user.uid,
+                    'gid': user.gid,
+                }
+        return ret
+
    def create_dockerfiles(self):
        kolla_version = version.version_info.cached_version_string()
        supported_distro_release = common_config.DISTRO_RELEASE.get(
@ -650,6 +664,7 @@ class KollaWorker(object):
                      'maintainer': self.maintainer,
                      'kolla_version': kolla_version,
                      'image_name': image_name,
+                      'users': self.get_users(),
                      'rpm_setup': self.rpm_setup}
            env = jinja2.Environment(  # nosec: not used to render HTML
                loader=jinja2.FileSystemLoader(self.working_dir))
--- a/releasenotes/notes/static-uid-gid-b90800f2947e656d.yaml
+++ b/releasenotes/notes/static-uid-gid-b90800f2947e656d.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - Static uid and gid are now set in container images.
+    This ensures the numbers do not change and mess up
+    upgrades from one image to another. These values are
+    customizable in the kolla-build.conf if someone
+    should wish to change the default values. By default,
+    the uid and gid are set to 42400+, with the exception
+    of Ceph, which is set to the static 64045 which
+    matches the static uid that the package already uses.