use static uid/gid in images

This centralizes all user and group creation into a single source. This will fix any current and furture uid/gid mismatches (such as with nova-libvirt). In the process, we also unify users between the distros in a standard way. The users in the following containers change from thier defaults: Ubuntu: _chrony user is now chrony Ubuntu: memcache user is now memcached All: qemu user is used for ownership and socket permissions All uid and gid numbers are customizable via kolla-build.conf Co-Authored-By: Kris Lindgren <klindgren@godaddy.com> Change-Id: I120f26ab0683dc87d69727c3df8d4707e52a4543 Partially-Implements: blueprint static-uid-gid
2016-12-18 19:11:47 +00:00
parent 3671d860af
commit 58eee09c15
63 changed files with 572 additions and 266 deletions
--- a/docker/aodh/aodh-base/Dockerfile.j2
+++ b/docker/aodh/aodh-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='aodh') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -34,7 +36,7 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
    && cp -a /usr/lib/python2.7/dist-packages/aodh/api/app.wsgi /var/www/cgi-bin/aodh/ \
    && echo > /etc/apache2/ports.conf
    {% endif %}
-   
+
 {% elif install_type == 'source' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -63,21 +65,18 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
 ADD aodh-base-archive /aodh-base-source
 RUN ln -s aodh-base-source/* aodh \
    && useradd --user-group aodh \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /aodh \
-    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh \
+    && mkdir -p /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh \
    && cp -r /aodh/etc/aodh/* /etc/aodh/  \
    && cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \
-    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh /home/aodh
+    && chown -R aodh: /etc/aodh /var/log/kolla/aodh /var/www/cgi-bin/aodh
 {% endif %}
 RUN usermod -a -G kolla aodh
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY aodh_sudoers /etc/sudoers.d/kolla_aodh_sudoers
-RUN usermod -a -G kolla aodh \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \
    && chmod 755 /var/www/cgi-bin/aodh \
    && touch /usr/local/bin/kolla_aodh_extend_start \
--- a/docker/barbican/barbican-base/Dockerfile.j2
+++ b/docker/barbican/barbican-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='barbican') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set barbican_base_packages = ['openstack-barbican-common'] %}
@@ -25,19 +27,17 @@ MAINTAINER {{ maintainer }}
 ADD barbican-base-archive /barbican-base-source
 RUN ln -s barbican-base-source/* barbican \
    && useradd --user-group barbican \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt  pastedeploy uwsgi MySQL-python python-barbicanclient /barbican \
-    && mkdir -p /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican \
+    && mkdir -p /etc/barbican /var/log/barbican \
    && cp -r /barbican/etc/barbican/* /etc/barbican/ \
-    && chown -R barbican: /etc/barbican /var/log/barbican /home/barbican /var/lib/barbican
+    && chown -R barbican: /etc/barbican /var/log/barbican
 {% endif %}
 COPY barbican_sudoers /etc/sudoers.d/kolla_barbican_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla barbican \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_barbican_sudoers \
    && touch /usr/local/bin/kolla_barbican_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_barbican_extend_start
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -1,6 +1,15 @@
 FROM {{ base_image }}:{{ base_distro_tag }}
 MAINTAINER {{ maintainer }}
 {# NOTE(SamYaple): Avoid uid/gid conflicts by creating each user/group up front. #}
 {# Specifics required such as homedir or shell are configured within the service specific image #}
 {%- for name, user in users | dictsort() %}
 {% if loop.first -%}RUN {% else %}    && {% endif -%}
    groupadd --force --gid {{ user.gid }} {{ name }} \
    && useradd -M --shell /usr/sbin/nologin --uid {{ user.uid }} --gid {{ user.gid }} {{ name }}
        {%- if not loop.last %} \{% endif -%}
 {%- endfor %}
 LABEL kolla_version="{{ kolla_version }}"
 {% import "macros.j2" as macros with context %}
@@ -294,7 +303,6 @@ COPY curlrc /root/.curlrc
 RUN touch /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
    && chmod 440 /etc/sudoers \
    && groupadd kolla \
    && mkdir -p /var/log/kolla \
    && chown :kolla /var/log/kolla \
    && chmod 2775 /var/log/kolla \
--- a/docker/bifrost/bifrost-base/Dockerfile.j2
+++ b/docker/bifrost/bifrost-base/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block bifrost_base_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='bifrost') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' && /bin/false
@@ -14,7 +18,6 @@ ENV ANSIBLE_FROM_PYPI True
 ADD bifrost-base-archive /bifrost-base-source
 COPY build_arg.yml /tmp/build_arg.yml
 RUN ln -s bifrost-base-source/* bifrost \
    && useradd --user-group bifrost \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /bifrost
 WORKDIR /bifrost
@@ -23,7 +26,6 @@ WORKDIR /bifrost
 RUN sed -e "s/.*mariadb.*//Ig" -i /etc/apt/sources.list && apt-get purge -y mariadb* mysql*
 {% endif %}
 RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
    ansible-playbook -vvvv -i /bifrost/playbooks/inventory/localhost /bifrost/playbooks/install.yaml \
    -e @/tmp/build_arg.yml && \
@@ -32,15 +34,11 @@ RUN bash -c './scripts/env-setup.sh && source ./env-vars && \
 {% else %}
    yum clean all'
 {% endif %}
 {% endif %}
 COPY bifrost_sudoers /etc/sudoers.d/kolla_bifrost_sudoers
-RUN usermod -a -G kolla bifrost \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_bifrost_sudoers \
    && chown -R bifrost:bifrost /bifrost
--- a/docker/ceilometer/ceilometer-base/Dockerfile.j2
+++ b/docker/ceilometer/ceilometer-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='ceilometer') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set ceilometer_base_packages = [
@@ -27,11 +29,10 @@ MAINTAINER {{ maintainer }}
 ADD ceilometer-base-archive /ceilometer-base-source
 RUN ln -s ceilometer-base-source/* ceilometer \
    && useradd --user-group ceilometer \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ceilometer[gnocchi,mongo,mysql] \
-    && mkdir -p /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && mkdir -p /etc/ceilometer \
    && cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \
-    && chown -R ceilometer: /etc/ceilometer /var/lib/ceilometer /home/ceilometer \
+    && chown -R ceilometer: /etc/ceilometer \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf
 {% endif %}
@@ -39,8 +40,7 @@ RUN ln -s ceilometer-base-source/* ceilometer \
 COPY ceilometer_sudoers /etc/sudoers.d/kolla_ceilometer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla ceilometer \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_ceilometer_sudoers \
    && touch /usr/local/bin/kolla_ceilometer_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ceilometer_extend_start
--- a/docker/ceph/ceph-base/Dockerfile.j2
+++ b/docker/ceph/ceph-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='ceph') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
   {% set ceph_base_packages = [
        'ceph',
@@ -29,7 +31,6 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(ceph_base_packages | customizable("packages")) }}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla ceph
 {% block ceph_base_footer %}{% endblock %}
--- a/docker/chrony/Dockerfile.j2
+++ b/docker/chrony/Dockerfile.j2
@@ -5,18 +5,14 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
-{% set chrony_packages = ['chrony'] %}
+{{ macros.configure_user(name='chrony') }}
-{% if base_distro in ['ubuntu', 'debian'] %}
+{% set chrony_packages = ['chrony'] %}
 # Ubuntu use _chrony username to use unified running user with RHEL system
 RUN useradd --user-group --create-home --home-dir /var/lib/chrony chrony
 {% endif %}
 {{ macros.install_packages(chrony_packages | customizable("packages")) }}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla chrony
 {% block chrony_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/cinder/cinder-base/Dockerfile.j2
+++ b/docker/cinder/cinder-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='cinder') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -50,11 +52,10 @@ MAINTAINER {{ maintainer }}
 ADD cinder-base-archive /cinder-base-source
 RUN ln -s cinder-base-source/* cinder \
    && useradd --user-group cinder \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cinder \
-    && mkdir -p /etc/cinder /var/lib/cinder /home/cinder \
+    && mkdir -p /etc/cinder \
    && cp -r /cinder/etc/cinder/* /etc/cinder/ \
-    && chown -R cinder: /etc/cinder /var/lib/cinder /home/cinder \
+    && chown -R cinder: /etc/cinder \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf
 {% endif %}
@@ -62,9 +63,7 @@ RUN ln -s cinder-base-source/* cinder \
 COPY cinder_sudoers /etc/sudoers.d/kolla_cinder_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla cinder \
+RUN chmod 750 /etc/sudoers.d \
    && mkdir -p /etc/ceph \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
    && touch /usr/local/bin/kolla_cinder_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cinder_extend_start
--- a/docker/cloudkitty/cloudkitty-base/Dockerfile.j2
+++ b/docker/cloudkitty/cloudkitty-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='cloudkitty') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -25,18 +27,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD cloudkitty-base-archive /cloudkitty-base-source
 RUN ln -s cloudkitty-base-source/* cloudkitty \
    && useradd --user-group cloudkitty \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /cloudkitty \
-    && mkdir -p /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty \
+    && mkdir -p /etc/cloudkitty  \
    && cp -r /cloudkitty/etc/cloudkitty/* /etc/cloudkitty/ \
-    && chown -R cloudkitty: /etc/cloudkitty /var/lib/cloudkitty /home/cloudkitty
+    && chown -R cloudkitty: /etc/cloudkitty
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla cloudkitty \
+RUN touch /usr/local/bin/kolla_cloudkitty_extend_start \
    && touch /usr/local/bin/kolla_cloudkitty_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cloudkitty_extend_start
 {% block cloudkitty_base_footer %}{% endblock %}
--- a/docker/collectd/Dockerfile.j2
+++ b/docker/collectd/Dockerfile.j2
@@ -2,17 +2,18 @@ FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
 MAINTAINER {{ maintainer }}
 {% block collectd_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='collectd') }}
 {% set collectd_packages = [
    'collectd'
 ] %}
 {{ macros.install_packages(collectd_packages | customizable("packages")) }}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd -r -m collectd \
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && usermod -a -G kolla collectd \
    && chown -R collectd /var/lib/collectd \
    && chown -R collectd /etc/collectd* \
    && chown -R collectd /var/run/
--- a/docker/congress/congress-base/Dockerfile.j2
+++ b/docker/congress/congress-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='congress') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['ubuntu'] %}
        {% set congress_base_packages = [
@@ -27,18 +29,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD congress-base-archive /congress-base-source
 RUN ln -s congress-base-source/* congress \
    && useradd --user-group congress \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /congress \
-    && mkdir -p /etc/congress /home/congress \
+    && mkdir -p /etc/congress \
    && cp -r /congress/etc/* /etc/congress/ \
-    && chown -R congress: /etc/congress /home/congress
+    && chown -R congress: /etc/congress
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla congress \
+RUN touch /usr/local/bin/kolla_congress_extend_start \
    && touch /usr/local/bin/kolla_congress_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_congress_extend_start
 {% block congress_base_footer %}{% endblock %}
--- a/docker/designate/designate-base/Dockerfile.j2
+++ b/docker/designate/designate-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='designate') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -39,12 +41,11 @@ RUN cp /etc/designate/policy.json /tmp/ \
 ADD designate-base-archive /designate-base-source
 RUN ln -s designate-base-source/* designate \
    && useradd --user-group designate \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /designate \
-    && mkdir -p /etc/designate /var/log/designate /home/designate \
+    && mkdir -p /etc/designate /var/log/designate \
    && cp -r /designate/etc/designate/* /etc/designate/ \
    && mv /etc/designate/rootwrap.conf.sample /etc/designate/rootwrap.conf \
-    && chown -R designate: /etc/designate /var/log/designate /home/designate \
+    && chown -R designate: /etc/designate /var/log/designate \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
 {% endif %}
--- a/docker/elasticsearch/Dockerfile.j2
+++ b/docker/elasticsearch/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='elasticsearch', shell='/bin/bash', homedir='/usr/share/elasticsearch') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set elasticsearch_packages = [
        'java-1.7.0-openjdk',
@@ -34,9 +36,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers \
+    && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers
    && usermod -a -G kolla elasticsearch \
    && usermod -s /bin/bash elasticsearch -d /usr/share/elasticsearch
 {% block elasticsearch_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/etcd/Dockerfile.j2
+++ b/docker/etcd/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='etcd') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set etcd_packages = ['etcd'] %}
 {% elif base_distro in ['ubuntu', 'debian'] %}
@@ -17,8 +19,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers \
+    && chmod 440 /etc/sudoers.d/kolla_etcd_sudoers
    && usermod -a -G kolla etcd
 {% block etcd_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/fluentd/Dockerfile.j2
+++ b/docker/fluentd/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='td-agent') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 RUN rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent
@@ -40,12 +42,9 @@ RUN ulimit -n 65536 \
 COPY fluentd_sudoers /etc/sudoers.d/kolla_fluentd_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla td-agent \
+RUN chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
    && chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
    && chmod 755 /usr/local/bin/kolla_extend_start \
-    && chown -R td-agent: /etc/td-agent \
+    && chown -R td-agent: /etc/td-agent
    && mkdir /var/lib/td-agent \
    && chown -R td-agent: /var/lib/td-agent
 {% block fluentd_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/freezer/freezer-base/Dockerfile.j2
+++ b/docker/freezer/freezer-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='freezer') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -14,9 +16,8 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD freezer-base-archive /freezer-base-source
 RUN ln -s freezer-base-source/* freezer \
-    && useradd --user-group freezer \
+    && mkdir -p /etc/freezer \
-    && mkdir -p /etc/freezer /home/freezer \
+    && chown -R freezer: /etc/freezer \
    && chown -R freezer: /etc/freezer /home/freezer \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /freezer \
    && cp -r /freezer/etc/* /etc/freezer
@@ -25,8 +26,7 @@ RUN ln -s freezer-base-source/* freezer \
 COPY freezer_sudoers /etc/sudoers.d/kolla_freezer_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla freezer \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_freezer_sudoers \
    && touch /usr/local/bin/kolla_freezer_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_freezer_extend_start
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='glance') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set glance_base_packages = [
@@ -32,19 +34,17 @@ MAINTAINER {{ maintainer }}
 ADD glance-base-archive /glance-base-source
 RUN ln -s glance-base-source/* glance \
    && useradd --user-group glance \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /glance[cinder] \
-    && mkdir -p /etc/glance /var/lib/glance /home/glance \
+    && mkdir -p /etc/glance \
    && cp -r /glance/etc/* /etc/glance/ \
-    && chown -R glance: /etc/glance /var/lib/glance /home/glance
+    && chown -R glance: /etc/glance
 {% endif %}
 COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla glance \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
    && touch /usr/local/bin/kolla_glance_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
--- a/docker/gnocchi/gnocchi-base/Dockerfile.j2
+++ b/docker/gnocchi/gnocchi-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='gnocchi') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -61,9 +63,8 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD gnocchi-base-archive /gnocchi-base-source
 RUN ln -s gnocchi-base-source/* gnocchi \
    && useradd --user-group gnocchi \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph] \
-    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi /home/gnocchi \
+    && mkdir -p /etc/gnocchi /var/log/kolla/gnocchi \
    && chown -R gnocchi: /etc/gnocchi /var/log/kolla/gnocchi
 {% endif %}
@@ -71,8 +72,7 @@ RUN ln -s gnocchi-base-source/* gnocchi \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers
-RUN usermod -a -G kolla gnocchi \
+RUN mkdir -p /var/lib/gnocchi \
    && mkdir -p /var/lib/gnocchi \
    && chown -R gnocchi: /var/lib/gnocchi \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \
--- a/docker/grafana/Dockerfile.j2
+++ b/docker/grafana/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='grafana', homedir='/usr/share/grafana') }}
 {% set grafana_packages = ['grafana'] %}
 {{ macros.install_packages(grafana_packages | customizable("packages")) }}
@@ -16,8 +18,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN grafana-cli plugins install sileht-gnocchi-datasource \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_grafana_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla grafana
 {% block grafana_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/haproxy/Dockerfile.j2
+++ b/docker/haproxy/Dockerfile.j2
@@ -5,14 +5,19 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='haproxy') }}
 {% if base_distro in ['ubuntu', 'debian'] %}
 {{ macros.debian_haproxy_existing_user_fix() }}
 {% endif %}
 {% set haproxy_packages = [
    'haproxy',
    'socat'
 ] %}
 {{ macros.install_packages(haproxy_packages | customizable("packages")) }}
-RUN usermod -a -G kolla haproxy \
+RUN mkdir -p /var/lib/kolla/haproxy \
    && mkdir -p /var/lib/kolla/haproxy \
    && chown -R haproxy: /var/lib /run
 COPY ensure_latest_config.sh /usr/local/bin/kolla_ensure_haproxy_latest_config
--- a/docker/heat/heat-base/Dockerfile.j2
+++ b/docker/heat/heat-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='heat') }}
 {% if install_type == 'binary' %}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,18 +20,16 @@ MAINTAINER {{ maintainer }}
 ADD heat-base-archive /heat-base-source
 RUN ln -s heat-base-source/* heat \
    && useradd --user-group heat \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /heat \
-    && mkdir -p /etc/heat /home/heat \
+    && mkdir -p /etc/heat \
    && cp -r /heat/etc/heat/* /etc/heat/ \
-    && chown -R heat: /etc/heat /home/heat
+    && chown -R heat: /etc/heat
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla heat \
+RUN touch /usr/local/bin/kolla_heat_extend_start \
    && touch /usr/local/bin/kolla_heat_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start
 {% block heat_base_footer %}{% endblock %}
--- a/docker/heka/Dockerfile.j2
+++ b/docker/heka/Dockerfile.j2
@@ -5,12 +5,13 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='heka', homedir='/var/cache/hekad') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set heka_packages = [
        'https://github.com/mozilla-services/heka/releases/download/v0.10.0/heka-0_10_0-linux-amd64.rpm'
    ] %}
-RUN useradd --user-group heka \
+RUN mkdir /etc/heka
    && mkdir /etc/heka
 {% elif base_distro in ['ubuntu', 'debian'] %}
    {% set heka_packages = [
@@ -27,8 +28,7 @@ COPY plugins/encoders /usr/share/heka/lua_encoders/
 COPY heka_sudoers /etc/sudoers.d/kolla_heka_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla heka \
+RUN chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
    && chmod 440 /etc/sudoers.d/kolla_heka_sudoers \
    && chmod 755 /usr/local/bin/kolla_extend_start \
    && chown -R heka: /usr/share/heka /etc/heka
--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='horizon') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -24,8 +26,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(horizon_packages | customizable("packages")) }}
 {% block horizon_redhat_binary_setup %}
-RUN useradd --user-group horizon \
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
    && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
    && ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
    && ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
    && chown -R horizon: /etc/openstack-dashboard /usr/share/openstack-dashboard \
@@ -108,8 +109,7 @@ ADD horizon-archive /horizon-source
 ADD plugins-archive /
 RUN ln -s horizon-source/* horizon \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /horizon \
-    && useradd --user-group horizon \
+    && mkdir -p /etc/openstack-dashboard \
    && mkdir -p /etc/openstack-dashboard /home/horizon \
    && ln -s /etc/openstack-dashboard/local_settings /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/local/local_settings.py \
    && cp -r /horizon/openstack_dashboard/conf/* /etc/openstack-dashboard/ \
    && cp /horizon/openstack_dashboard/local/local_settings.py.example /etc/openstack-dashboard/local_settings \
@@ -119,7 +119,7 @@ RUN ln -s horizon-source/* horizon \
       fi \
    && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/horizon && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
    && (cd /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard && /var/lib/kolla/venv/bin/python /var/lib/kolla/venv/bin/manage.py compilemessages) \
-    && chown -R horizon: /etc/openstack-dashboard /home/horizon /var/lib/kolla/venv/lib/python2.7/site-packages/static
+    && chown -R horizon: /etc/openstack-dashboard /var/lib/kolla/venv/lib/python2.7/site-packages/static
 {% endif %}
--- a/docker/influxdb/Dockerfile.j2
+++ b/docker/influxdb/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='influxdb') }}
 {% set influxdb_packages = ['influxdb'] %}
 {{ macros.install_packages(influxdb_packages | customizable("packages")) }}
@@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_influxdb_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla influxdb
 {% block influxdb_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/ironic/ironic-base/Dockerfile.j2
+++ b/docker/ironic/ironic-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='ironic') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set ironic_base_packages = ['openstack-ironic-common'] %}
@@ -18,11 +20,10 @@ MAINTAINER {{ maintainer }}
 ADD ironic-base-archive /ironic-base-source
 RUN ln -s ironic-base-source/* ironic \
    && useradd --user-group --create-home --home-dir /var/lib/ironic ironic \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /ironic \
-    && mkdir -p /etc/ironic /var/lib/ironic \
+    && mkdir -p /etc/ironic \
    && cp -r /ironic/etc/ironic/* /etc/ironic/ \
-    && chown -R ironic: /etc/ironic /var/lib/ironic \
+    && chown -R ironic: /etc/ironic \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf
 ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers
@@ -35,7 +36,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_ironic_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start \
    && usermod -a -G kolla ironic \
    && chown -R ironic: /etc/ironic
 {% block ironic_base_footer %}{% endblock %}
--- a/docker/kafka/Dockerfile.j2
+++ b/docker/kafka/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='kafka', homedir='/kafka') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -26,9 +28,7 @@ RUN curl -o kafka.tgz http://apache.osuosl.org/kafka/0.10.1.0/kafka_2.11-0.10.1.
 {% endblock %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd --user-group --home-dir /kafka kafka \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start \
    && usermod -a -G kolla kafka \
    && chown -R kafka: /kafka
 {% block kafka_footer %}{% endblock %}
--- a/docker/karbor/karbor-base/Dockerfile.j2
+++ b/docker/karbor/karbor-base/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block karbor_base_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='karbor') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD karbor-base-archive /karbor-base-source
 RUN ln -s karbor-base-source/* karbor \
    && useradd --user-group --create-home --home-dir /var/lib/karbor karbor \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /karbor \
    && mkdir -p /etc/karbor \
    && cp -r /karbor/etc/* /etc/karbor/ \
@@ -22,8 +25,7 @@ RUN ln -s karbor-base-source/* karbor \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla karbor \
+RUN touch /usr/local/bin/kolla_karbor_extend_start \
    && touch /usr/local/bin/kolla_karbor_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_karbor_extend_start
 {% block karbor_base_footer %}{% endblock %}
--- a/docker/keystone/keystone-base/Dockerfile.j2
+++ b/docker/keystone/keystone-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='keystone') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set keystone_base_packages = [
@@ -61,7 +63,6 @@ RUN echo > /etc/apache2/ports.conf
 {% block keystone_source_install %}
 ADD keystone-base-archive /keystone-base-source
 RUN ln -s keystone-base-source/* keystone \
    && useradd --user-group --create-home --home-dir /var/lib/keystone keystone \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
    && mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 \
    && cp -r /keystone/etc/* /etc/keystone/ \
@@ -72,8 +73,7 @@ RUN ln -s keystone-base-source/* keystone \
 {% endif %}
-RUN usermod -a -G kolla keystone \
+RUN chown -R keystone: /var/www/cgi-bin/keystone \
    && chown -R keystone: /var/www/cgi-bin/keystone \
    && chmod 755 /var/www/cgi-bin/keystone/*
 {% block keystone_base_footer %}{% endblock %}
--- a/docker/kibana/Dockerfile.j2
+++ b/docker/kibana/Dockerfile.j2
@@ -5,10 +5,10 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='kibana') }}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN useradd -r -m --user-group kibana \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla kibana \
    && chmod 755 /usr/local/bin/kolla_extend_start
 {% set kibana_packages = ['kibana'] %}
 {{ macros.install_packages(kibana_packages | customizable("packages")) }}
--- a/docker/kolla-toolbox/Dockerfile.j2
+++ b/docker/kolla-toolbox/Dockerfile.j2
@@ -7,6 +7,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='ansible') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set kolla_toolbox_packages = [
        'crudini',
@@ -62,13 +64,12 @@ RUN pip --no-cache-dir install \
    pyudev \
    shade==1.5.0
-RUN useradd -m --user-group ansible --groups kolla \
+RUN mkdir -p /etc/ansible /usr/share/ansible \
    && mkdir -p /etc/ansible /usr/share/ansible \
    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts \
    && sed -i 's|  "identity_api_version": "2.0",|  "identity_api_version": "3",|' {{ os_client_config }}
 COPY find_disks.py kolla_keystone_service.py kolla_keystone_user.py kolla_sanity.py /usr/share/ansible/
-COPY ansible.cfg /home/ansible/.ansible.cfg
+COPY ansible.cfg /var/lib/ansible/.ansible.cfg
 COPY ansible_sudoers /etc/sudoers.d/kolla_ansible_sudoers
 RUN chmod 440 /etc/sudoers.d/kolla_ansible_sudoers
--- a/docker/macros.j2
+++ b/docker/macros.j2
@@ -17,3 +17,39 @@
 {% macro install_pip(packages) %}
 RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt {% for package in packages %}{{ package }} {% endfor %}
 {% endmacro %}
 {% macro configure_user(name, groups=None, shell=None, homedir=None) %}
 {% set user=users[name] %}
 {%- if not homedir %}
 {% set homedir='/var/lib/' + name %}
 {%- endif %}
 RUN usermod --append --home {{ homedir }} --groups kolla {{ name }} \
    {%- if groups %}
    && usermod --append --groups {{ groups }} {{ name }} \
    {%- endif %}
    {%- if shell %}
    && chsh --shell {{ shell }} {{ name }} \
    {%- endif %}
    && mkdir -p {{ homedir }} \
    && chown -R {{ user.uid }}:{{ user.gid }} {{ homedir }}
 {% endmacro %}
 {% macro ubuntu_trove_bug_1651852() %}
 {# NOTE(SamYaple): The postinst script breaks because it calls getenv instead of getent #}
 {# TODO(SamYaple): Remove once issue is fixed -- https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/1651852 #}
 RUN apt-get -y install --no-install-recommends trove-common \
    || sed -i 's/getenv/getent/g' /var/lib/dpkg/info/trove-common.postinst \
    && apt-get -y install -f \
    && apt-get clean
 {% endmacro %}
 {% macro debian_haproxy_existing_user_fix() %}
 {# NOTE(SamYaple): The postinst script breaks if the user 'haproxy' already exists #}
 RUN apt-get -y install --no-install-recommends haproxy \
    || sed -i '/^adduser/,+1 d' /var/lib/dpkg/info/haproxy.postinst \
    && apt-get -y install -f \
    && apt-get clean
 {% endmacro %}
--- a/docker/magnum/magnum-base/Dockerfile.j2
+++ b/docker/magnum/magnum-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='magnum') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux'] %}
       {% set magnum_base_packages = ['openstack-magnum-common'] %}
@@ -17,16 +19,14 @@ MAINTAINER {{ maintainer }}
 ADD magnum-base-archive /magnum-base-source
 RUN ln -s magnum-base-source/* magnum \
    && useradd --user-group magnum \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
-    && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
+    && mkdir -p /etc/magnum \
    && cp -r /magnum/etc/magnum/* /etc/magnum \
-    && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
+    && chown -R magnum: /etc/magnum
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla magnum \
+RUN touch /usr/local/bin/kolla_magnum_extend_start \
    && touch /usr/local/bin/kolla_magnum_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_magnum_extend_start
--- a/docker/manila/manila-base/Dockerfile.j2
+++ b/docker/manila/manila-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='manila') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -39,11 +41,10 @@ MAINTAINER {{ maintainer }}
 ADD manila-base-archive /manila-base-source
 RUN ln -s manila-base-source/* manila \
    && useradd --user-group manila \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /manila \
-    && mkdir -p /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && mkdir -p /etc/manila /var/cache/manila \
    && cp -r /manila/etc/manila/* /etc/manila/ \
-    && chown -R manila: /etc/manila /var/lib/manila /var/cache/manila /home/manila \
+    && chown -R manila: /etc/manila /var/cache/manila \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/manila/rootwrap.conf
 COPY manila_sudoers /etc/sudoers.d/kolla_manila_sudoers
@@ -57,6 +58,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_manila_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_manila_extend_start
 RUN usermod -a -G kolla manila
 {% block manila_base_footer %}{% endblock %}
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='mysql') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set mariadb_packages = [
        'MariaDB-Galera-server',
@@ -35,7 +37,6 @@ RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_security_reset \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_mariadb_sudoers \
    && usermod -a -G kolla mysql \
    && rm -rf /var/lib/mysql/*
 {% block mariadb_footer %}{% endblock %}
--- a/docker/memcached/Dockerfile.j2
+++ b/docker/memcached/Dockerfile.j2
@@ -5,24 +5,13 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{{ macros.configure_user(name='memcached', homedir='/run/memcache') }}
-{% set user = 'memcached' %}
+{% set memcached_packages = ['memcached'] %}
-    {% set memcached_packages = ['memcached']  %}
+{{ macros.install_packages(memcached_packages | customizable("packages")) }}
 {{ macros.install_packages(memcached_packages | customizable("packages")) }} \
    && usermod -a -G kolla {{ user }}
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set user = 'memcache' %}
    {% set memcached_packages = ['memcached'] %}
 {{ macros.install_packages(memcached_packages | customizable("packages")) }} \
    && usermod -a -G kolla {{ user }}
 {% endif %}
 {% block memcached_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}
-USER {{ user }}
+USER memcached
--- a/docker/mistral/mistral-base/Dockerfile.j2
+++ b/docker/mistral/mistral-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='mistral') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,16 +20,14 @@ MAINTAINER {{ maintainer }}
 ADD mistral-base-archive /mistral-base-source
 RUN ln -s mistral-base-source/* mistral \
    && useradd --user-group mistral \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install /mistral \
-    && mkdir -p /etc/mistral /home/mistral \
+    && mkdir -p /etc/mistral \
    && cp -r /mistral/etc/* /etc/mistral/ \
-    && chown -R mistral: /etc/mistral /home/mistral
+    && chown -R mistral: /etc/mistral
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla mistral \
+RUN touch /usr/local/bin/kolla_mistral_extend_start \
    && touch /usr/local/bin/kolla_mistral_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_mistral_extend_start
--- a/docker/monasca/monasca-base/Dockerfile.j2
+++ b/docker/monasca/monasca-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='monasca') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,17 +14,14 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% elif install_type == 'source' %}
-RUN useradd --user-group --create-home --home-dir /var/lib/monasca monasca \
+RUN mkdir -p /etc/monasca \
-    && chmod 755 /var/lib/monasca \
+    && chown -R monasca: /etc/monasca
    && mkdir -p /etc/monasca /var/lib/monasca \
    && chown -R monasca: /etc/monasca /var/lib/monasca
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_monasca_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_monasca_extend_start
    && usermod -a -G kolla monasca
 {% block monasca_base_footer %}{% endblock %}
--- a/docker/mongodb/Dockerfile.j2
+++ b/docker/mongodb/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='mongodb') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set mongodb_packages = [
            'mongodb',
@@ -18,14 +20,10 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(mongodb_packages | customizable("packages")) }}
 RUN mkdir -p /var/lib/mongodb /home/mongodb \
    && chown -R mongodb: /var/lib/mongodb /home/mongodb
 COPY mongodb_sudoers /etc/sudoers.d/kolla_mongodb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla mongodb \
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_mongodb_sudoers
--- a/docker/murano/murano-base/Dockerfile.j2
+++ b/docker/murano/murano-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='murano') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -19,11 +21,10 @@ MAINTAINER {{ maintainer }}
 ADD murano-base-archive /murano-base-source
 RUN ln -s murano-base-source/* murano \
    && useradd --user-group murano \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /murano \
-    && mkdir -p /etc/murano /home/murano \
+    && mkdir -p /etc/murano \
    && cp -r /murano/etc/murano/* /etc/murano/ \
-    && chown -R murano: /etc/murano /home/murano \
+    && chown -R murano: /etc/murano \
    && cd murano/meta/io.murano \
    && zip -r /io.murano.zip *
@@ -31,8 +32,7 @@ RUN ln -s murano-base-source/* murano \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla murano \
+RUN touch /usr/local/bin/kolla_murano_extend_start \
    && touch /usr/local/bin/kolla_murano_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_murano_extend_start
 {% block murano_base_footer %}{% endblock %}
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -5,6 +5,12 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='neutron') }}
 {% if base_distro in ['ubuntu', 'debian'] %}
 {{ macros.debian_haproxy_existing_user_fix() }}
 {% endif %}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -77,14 +83,13 @@ RUN mkdir -p /usr/share/neutron \
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
 RUN ln -s neutron-base-source/* neutron \
    && useradd --user-group neutron \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /neutron \
-    && mkdir -p /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && mkdir -p /etc/neutron /usr/share/neutron \
    && cp -r /neutron/etc/* /etc/neutron/ \
    && cp -r /neutron/etc/neutron/* /etc/neutron/ \
    && cp /neutron/etc/api-paste.ini /usr/share/neutron \
    && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
-    && chown -R neutron: /etc/neutron /usr/share/neutron /var/lib/neutron /home/neutron \
+    && chown -R neutron: /etc/neutron /usr/share/neutron \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
    && if [ "$(ls /plugins)" ]; then \
        pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /plugins/*; \
@@ -95,8 +100,7 @@ RUN ln -s neutron-base-source/* neutron \
 COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla neutron \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_neutron_sudoers \
    && touch /usr/local/bin/kolla_neutron_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_neutron_extend_start
--- a/docker/neutron/neutron-metadata-agent/Dockerfile.j2
+++ b/docker/neutron/neutron-metadata-agent/Dockerfile.j2
@@ -21,8 +21,7 @@ COPY neutron_sudoers /etc/sudoers.d/kolla_neutron_metadata_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_neutron_extend_start
 RUN chmod 755 /usr/local/bin/kolla_neutron_extend_start \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers \
+    && chmod 440 /etc/sudoers.d/kolla_neutron_metadata_sudoers
    && usermod -a -G kolla neutron
 {% block neutron_metadata_agent_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/nova/nova-base/Dockerfile.j2
+++ b/docker/nova/nova-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='nova', groups='qemu') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -56,12 +58,10 @@ MAINTAINER {{ maintainer }}
 ADD nova-base-archive /nova-base-source
 RUN ln -s nova-base-source/* nova \
    && useradd --user-group --create-home --home-dir /var/lib/nova nova \
    && chmod 755 /var/lib/nova \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /nova \
-    && mkdir -p /etc/nova /var/lib/nova \
+    && mkdir -p /etc/nova/ \
    && cp -r /nova/etc/nova/* /etc/nova/ \
-    && chown -R nova: /etc/nova /var/lib/nova \
+    && chown -R nova: /etc/nova/ \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf
 COPY nova_sudoers /etc/sudoers.d/kolla_nova_sudoers
@@ -75,6 +75,4 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_nova_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_nova_extend_start
 RUN usermod -a -G kolla nova
 {% block nova_base_footer %}{% endblock %}
--- a/docker/nova/nova-libvirt/Dockerfile.j2
+++ b/docker/nova/nova-libvirt/Dockerfile.j2
@@ -1,10 +1,12 @@
-FROM {{ namespace }}/{{ image_prefix }}nova-base:{{ tag }}
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
 MAINTAINER {{ maintainer }}
 {% block nova_libvirt_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='nova', groups='qemu') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set nova_libvirt_packages = [
@@ -30,8 +32,6 @@ MAINTAINER {{ maintainer }}
        'xen-utils-4.6'
    ] %}
    {% set libvirt_group = 'libvirtd' %}
 {% elif base_distro == 'debian' %}
    {% set nova_libvirt_packages = [
@@ -46,22 +46,13 @@ MAINTAINER {{ maintainer }}
        'usermode'
    ] %}
    {% set libvirt_group = 'libvirt' %}
 {% endif %}
 {{ macros.install_packages(nova_libvirt_packages | customizable("packages")) }}
-{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
+{% if base_distro in ['ubuntu', 'debian'] %}
-RUN usermod -a -G qemu nova
+RUN rm -f /etc/libvirt/qemu/networks/default.xml /etc/libvirt/qemu/networks/autostart/default.xml
 {% elif base_distro in ['ubuntu', 'debian'] %}
 RUN mkdir -p /etc/ceph \
    && rm -f /etc/libvirt/qemu/networks/default.xml \
        /etc/libvirt/qemu/networks/autostart/default.xml \
    && usermod -a -G {{ libvirt_group }} nova
 {% endif %}
--- a/docker/nova/nova-libvirt/extend_start.sh
+++ b/docker/nova/nova-libvirt/extend_start.sh
@@ -5,7 +5,7 @@
 # Do not remove unless CentOS has been validated
 if [[ -c /dev/kvm ]]; then
    chmod 660 /dev/kvm
-    chown root:kvm /dev/kvm
+    chown root:qemu /dev/kvm
 fi
 # Mount xenfs for libxl to work
--- a/docker/octavia/octavia-base/Dockerfile.j2
+++ b/docker/octavia/octavia-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='octavia') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set octavia_base_packages = [
@@ -20,18 +22,15 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% elif install_type == 'source' %}
 ADD octavia-base-archive /octavia-base-source
 RUN ln -s /octavia-base-source/* octavia \
    && useradd --user-group --create-home --home-dir /var/lib/octavia octavia \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /octavia \
    && mkdir -p /etc/octavia \
    && cp -r /octavia/etc/* /etc/octavia/ \
    && chown -R octavia: /etc/octavia
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_octavia_extend_start \
-    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start
    && usermod -a -G kolla octavia
 {% block octavia_base_footer %}{% endblock %}
--- a/docker/panko/panko-base/Dockerfile.j2
+++ b/docker/panko/panko-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='panko') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -49,20 +51,16 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 ADD panko-base-archive /panko-base-source
 RUN ln -s panko-base-source/* panko \
    && useradd --user-group panko \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /panko \
-    && mkdir -p /etc/panko /home/panko  \
+    && mkdir -p /etc/panko \
    && cp -r /panko/etc/panko/* /etc/panko/ \
-    && chown -R panko: /etc/panko /home/panko
+    && chown -R panko: /etc/panko
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla panko \
+RUN touch /usr/local/bin/kolla_panko_extend_start \
    && mkdir -p /var/lib/panko \
    && chown -R panko: /var/lib/panko \
    && touch /usr/local/bin/kolla_panko_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_panko_extend_start
 {% block panko_base_footer %}{% endblock %}
--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='rabbitmq') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set rabbitmq_packages = [
        'hostname',
@@ -54,8 +56,7 @@ COPY rabbitmq_sudoers /etc/sudoers.d/kolla_rabbitmq_sudoers
 COPY rabbitmq_get_gospel_node.py /usr/local/bin/rabbitmq_get_gospel_node
 RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/rabbitmq_get_gospel_node \
    && chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers \
+    && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers
    && usermod -a -G kolla rabbitmq
 {% block rabbitmq_footer %}{% endblock %}
 {{ include_footer }}
--- a/docker/rally/Dockerfile.j2
+++ b/docker/rally/Dockerfile.j2
@@ -5,12 +5,12 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='rally') }}
 {% if install_type == 'binary' %}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set rally_packages = ['openstack-rally'] %}
 RUN useradd --user-group rally
 {% elif base_distro in ['ubuntu'] %}
    {% set rally_packages = ['rally'] %}
 {% endif %}
@@ -19,18 +19,15 @@ RUN useradd --user-group rally
 ADD rally-archive /rally-source
 RUN ln -s rally-source/* rally \
    && useradd --user-group rally \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /rally \
-    && mkdir -p /etc/rally /var/log/rally /home/rally \
+    && mkdir -p /etc/rally /var/log/rally \
-    && chown -R rally: /etc/rally /var/log/rally /home/rally
+    && chown -R rally: /etc/rally /var/log/rally
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 RUN usermod -a -G kolla rally
 {% block rally_footer %}{% endblock %}
 {% block footer %}{% endblock %}
 {{ include_footer }}
--- a/docker/sahara/sahara-base/Dockerfile.j2
+++ b/docker/sahara/sahara-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='sahara') }}
 {% if install_type == 'binary' %}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -18,22 +20,18 @@ MAINTAINER {{ maintainer }}
 ADD sahara-base-archive /sahara-base-source
 RUN ln -s sahara-base-source/* sahara \
    && useradd --user-group sahara \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /sahara \
-    && mkdir -p /etc/sahara /home/sahara \
+    && mkdir -p /etc/sahara \
    && cp -r /sahara/etc/sahara/* /etc/sahara/ \
-    && chown -R sahara: /etc/sahara /home/sahara \
+    && chown -R sahara: /etc/sahara \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf
 {% endif %}
 RUN usermod -a -G kolla sahara
 COPY sahara_sudoers /etc/sudoers.d/kolla_sahara_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla sahara \
+RUN chmod 750 /etc/sudoers.d \
    && chmod 750 /etc/sudoers.d \
    && chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \
    && touch /usr/local/bin/kolla_sahara_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_sahara_extend_start
--- a/docker/searchlight/searchlight-base/Dockerfile.j2
+++ b/docker/searchlight/searchlight-base/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block searchlight_base_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='searchlight') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD searchlight-base-archive /searchlight-base-source
 RUN ln -s searchlight-base-source/* searchlight \
    && useradd --user-group searchlight \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /searchlight \
    && mkdir -p /etc/searchlight \
    && cp -r /searchlight/etc/* /etc/searchlight \
@@ -22,8 +25,7 @@ RUN ln -s searchlight-base-source/* searchlight \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla searchlight \
+RUN touch /usr/local/bin/kolla_searchlight_extend_start \
    && touch /usr/local/bin/kolla_searchlight_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_searchlight_extend_start
 {% block searchlight_base_footer %}{% endblock %}
--- a/docker/senlin/senlin-base/Dockerfile.j2
+++ b/docker/senlin/senlin-base/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block senlin_base_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='senlin') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD senlin-base-archive /senlin-base-source
 RUN ln -s senlin-base-source/* senlin \
    && useradd --user-group senlin \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /senlin \
    && mkdir -p /etc/senlin \
    && cp -r /senlin/etc/senlin/* /etc/senlin \
@@ -22,8 +25,7 @@ RUN ln -s senlin-base-source/* senlin \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla senlin \
+RUN touch /usr/local/bin/kolla_senlin_extend_start \
    && touch /usr/local/bin/kolla_senlin_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_senlin_extend_start
 {% block senlin_base_footer %}{% endblock %}
--- a/docker/solum/solum-base/Dockerfile.j2
+++ b/docker/solum/solum-base/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block solum_base_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='solum') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,18 +16,16 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD solum-base-archive /solum-base-source
 RUN ln -s solum-base-source/* solum \
    && useradd --user-group solum \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /solum \
-    && mkdir -p /etc/solum /home/solum \
+    && mkdir -p /etc/solum \
    && cp -r /solum/etc/solum/* /etc/solum/ \
-    && chown -R solum: /etc/solum /home/solum
+    && chown -R solum: /etc/solum
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla solum \
+RUN touch /usr/local/bin/kolla_solum_extend_start \
    && touch /usr/local/bin/kolla_solum_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_solum_extend_start
 {% block solum_base_footer %}{% endblock %}
--- a/docker/swift/swift-base/Dockerfile.j2
+++ b/docker/swift/swift-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='swift') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set swift_base_packages = [
@@ -30,11 +32,10 @@ MAINTAINER {{ maintainer }}
 ADD swift-base-archive /swift-base-source
 RUN ln -s swift-base-source/* swift \
    && useradd --user-group swift \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /swift \
-    && mkdir -p /etc/swift /var/cache/swift /var/log/swift /home/swift \
+    && mkdir -p /etc/swift /var/cache/swift /var/log/swift \
    && cp -r /swift/etc/* /etc/swift/ \
-    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift /home/swift
+    && chown -R swift: /etc/swift /var/cache/swift /var/log/swift
 {% endif %}
 COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
@@ -50,6 +51,4 @@ RUN chmod 750 /etc/sudoers.d \
 COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
 RUN mkdir -p /opt/swift
 RUN usermod -a -G kolla swift
 {% block swift_base_footer %}{% endblock %}
--- a/docker/tacker/Dockerfile.j2
+++ b/docker/tacker/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block tacker_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='tacker') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -12,7 +16,6 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 ADD tacker-archive /tacker-source
 RUN ln -s tacker-source/* tacker \
    && useradd --user-group --create-home --home-dir /var/lib/tacker tacker \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /tacker \
    && mkdir -p /etc/tacker \
    && cp -r /tacker/etc/tacker/* /etc/tacker \
@@ -22,8 +25,7 @@ RUN ln -s tacker-source/* tacker \
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla tacker \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && chmod 755 /usr/local/bin/kolla_extend_start
 {% block tacker_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/telegraf/Dockerfile.j2
+++ b/docker/telegraf/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='telegraf', homedir='/etc/telegraf') }}
 {% set telegraf_packages = ['telegraf'] %}
 {{ macros.install_packages(telegraf_packages | customizable("packages")) }}
@@ -13,8 +15,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_telegraf_sudoers \
-    && chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla telegraf
 {% block telegraf_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/trove/trove-base/Dockerfile.j2
+++ b/docker/trove/trove-base/Dockerfile.j2
@@ -5,12 +5,15 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='trove') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set trove_base_packages = ['openstack-trove-common'] %}
    {% elif base_distro in ['ubuntu'] %}
-        {% set trove_base_packages = ['trove-common'] %}
+        {{ macros.ubuntu_trove_bug_1651852() }}
        {% set trove_base_packages = [] %}
    {% endif %}
 {{ macros.install_packages(trove_base_packages | customizable("packages")) }}
@@ -19,18 +22,16 @@ MAINTAINER {{ maintainer }}
 ADD trove-base-archive /trove-base-source
 RUN ln -s trove-base-source/* trove \
    && useradd --user-group trove \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /trove \
-    && mkdir -p /etc/trove /var/log/trove /home/trove \
+    && mkdir -p /etc/trove /var/log/trove \
    && cp -r /trove/etc/trove/* /etc/trove/ \
-    && chown -R trove: /etc/trove /var/log/trove /home/trove
+    && chown -R trove: /etc/trove /var/log/trove
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla trove \
+RUN touch /usr/local/bin/kolla_trove_extend_start \
    && touch /usr/local/bin/kolla_trove_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start
 {% block trove_base_footer %}{% endblock %}
--- a/docker/vmtp/Dockerfile.j2
+++ b/docker/vmtp/Dockerfile.j2
@@ -3,6 +3,10 @@ MAINTAINER {{ maintainer }}
 {% block vmtp_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='vmtp') }}
 {% if install_type == 'binary' %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -10,15 +14,13 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% elif install_type == 'source' %}
-RUN pip install vmtp \
+RUN pip install vmtp
    && useradd --user-group vmtp
 {% endif %}
 COPY vmtp_sudoers /etc/sudoers.d/kolla_vmtp_sudoers
 RUN chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers \
+    && chmod 440 /etc/sudoers.d/kolla_vmtp_sudoers
    && usermod -a -G kolla vmtp
 {% block vmtp_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/watcher/watcher-base/Dockerfile.j2
+++ b/docker/watcher/watcher-base/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='watcher') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set watcher_base_packages = ['openstack-watcher-common'] %}
@@ -17,20 +19,16 @@ MAINTAINER {{ maintainer }}
 ADD watcher-base-archive /watcher-base-source
 RUN ln -s watcher-base-source/* watcher \
    && useradd --user-group watcher \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /watcher \
-    && mkdir -p /etc/watcher /home/watcher \
+    && mkdir -p /etc/watcher \
    && cp -r /watcher/etc/watcher/* /etc/watcher/ \
-    && chown -R watcher: /etc/watcher /home/watcher
+    && chown -R watcher: /etc/watcher
 {% endif %}
 RUN usermod -a -G kolla watcher
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN usermod -a -G kolla watcher \
+RUN touch /usr/local/bin/kolla_watcher_extend_start \
    && touch /usr/local/bin/kolla_watcher_extend_start \
    && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_watcher_extend_start
 {% block watcher_base_footer %}{% endblock %}
--- a/docker/zaqar/Dockerfile.j2
+++ b/docker/zaqar/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='zaqar') }}
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
@@ -20,7 +22,6 @@ MAINTAINER {{ maintainer }}
 {% elif install_type == 'source' %}
 ADD zaqar-archive /zaqar-source
 RUN ln -s zaqar-source/* zaqar \
    && useradd --user-group --create-home --home-dir /var/lib/zaqar zaqar \
    && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt pymongo /zaqar \
    && mkdir -p /etc/zaqar \
    && cp -r /zaqar/etc/* /etc/zaqar/ \
@@ -30,8 +31,7 @@ RUN ln -s zaqar-source/* zaqar \
 {% endif %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla zaqar
 {% block zaqar_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/zookeeper/Dockerfile.j2
+++ b/docker/zookeeper/Dockerfile.j2
@@ -5,6 +5,8 @@ MAINTAINER {{ maintainer }}
 {% import "macros.j2" as macros with context %}
 {{ macros.configure_user(name='zookeeper') }}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
    {% set zookeeper_packages = [
        'zookeeper',
@@ -18,8 +20,7 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(zookeeper_packages | customizable("packages")) }}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
+RUN chmod 755 /usr/local/bin/kolla_extend_start
    && usermod -a -G kolla zookeeper
 {% block zookeeper_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@@ -500,6 +500,240 @@ SOURCES = {
 }
 # NOTE(SamYaple): Only increment the UID. Never reuse old or removed UIDs.
 #     Starting point 42400+ was choosen arbitrarily to ensure no conflicts
 USERS = {
    'kolla-user': {
        'uid': 42400,
        'gid': 42400,
    },
    'ansible-user': {
        'uid': 42401,
        'gid': 42401,
    },
    'aodh-user': {
        'uid': 42402,
        'gid': 42402,
    },
    'barbican-user': {
        'uid': 42403,
        'gid': 42403,
    },
    'bifrost-user': {
        'uid': 42404,
        'gid': 42404,
    },
    'ceilometer-user': {
        'uid': 42405,
        'gid': 42405,
    },
    'chrony-user': {
        'uid': 42406,
        'gid': 42406,
    },
    'cinder-user': {
        'uid': 42407,
        'gid': 42407,
    },
    'cloudkitty-user': {
        'uid': 42408,
        'gid': 42408,
    },
    'collectd-user': {
        'uid': 42409,
        'gid': 42409,
    },
    'congress-user': {
        'uid': 42410,
        'gid': 42410,
    },
    'designate-user': {
        'uid': 42411,
        'gid': 42411,
    },
    'elasticsearch-user': {
        'uid': 42412,
        'gid': 42412,
    },
    'etcd-user': {
        'uid': 42413,
        'gid': 42413,
    },
    'freezer-user': {
        'uid': 42414,
        'gid': 42414,
    },
    'glance-user': {
        'uid': 42415,
        'gid': 42415,
    },
    'gnocchi-user': {
        'uid': 42416,
        'gid': 42416,
    },
    'grafana-user': {
        'uid': 42417,
        'gid': 42417,
    },
    'heat-user': {
        'uid': 42418,
        'gid': 42418,
    },
    'heka-user': {
        'uid': 42419,
        'gid': 42419,
    },
    'horizon-user': {
        'uid': 42420,
        'gid': 42420,
    },
    'influxdb-user': {
        'uid': 42421,
        'gid': 42421,
    },
    'ironic-user': {
        'uid': 42422,
        'gid': 42422,
    },
    'kafka-user': {
        'uid': 42423,
        'gid': 42423,
    },
    'keystone-user': {
        'uid': 42425,
        'gid': 42425,
    },
    'kibana-user': {
        'uid': 42426,
        'gid': 42426,
    },
    'qemu-user': {
        'uid': 42427,
        'gid': 42427,
    },
    'magnum-user': {
        'uid': 42428,
        'gid': 42428,
    },
    'manila-user': {
        'uid': 42429,
        'gid': 42429,
    },
    'mistral-user': {
        'uid': 42430,
        'gid': 42430,
    },
    'monasca-user': {
        'uid': 42431,
        'gid': 42431,
    },
    'mongodb-user': {
        'uid': 42432,
        'gid': 65534,
    },
    'murano-user': {
        'uid': 42433,
        'gid': 42433,
    },
    'mysql-user': {
        'uid': 42434,
        'gid': 42434,
    },
    'neutron-user': {
        'uid': 42435,
        'gid': 42435,
    },
    'nova-user': {
        'uid': 42436,
        'gid': 42436,
    },
    'octavia-user': {
        'uid': 42437,
        'gid': 42437,
    },
    'panko-user': {
        'uid': 42438,
        'gid': 42438,
    },
    'rabbitmq-user': {
        'uid': 42439,
        'gid': 42439,
    },
    'rally-user': {
        'uid': 42440,
        'gid': 42440,
    },
    'sahara-user': {
        'uid': 42441,
        'gid': 42441,
    },
    'searchlight-user': {
        'uid': 42442,
        'gid': 42442,
    },
    'senlin-user': {
        'uid': 42443,
        'gid': 42443,
    },
    'solum-user': {
        'uid': 42444,
        'gid': 42444,
    },
    'swift-user': {
        'uid': 42445,
        'gid': 42445,
    },
    'tacker-user': {
        'uid': 42446,
        'gid': 42446,
    },
    'td-agent-user': {
        'uid': 42447,
        'gid': 42447,
    },
    'telegraf-user': {
        'uid': 42448,
        'gid': 42448,
    },
    'trove-user': {
        'uid': 42449,
        'gid': 42449,
    },
    'vmtp-user': {
        'uid': 42450,
        'gid': 42450,
    },
    'watcher-user': {
        'uid': 42451,
        'gid': 42451,
    },
    'zaqar-user': {
        'uid': 42452,
        'gid': 42452,
    },
    'zookeeper-user': {
        'uid': 42453,
        'gid': 42453,
    },
    'haproxy-user': {
        'uid': 42454,
        'gid': 42454,
    },
    'ceph-user': {
        'uid': 64045,
        'gid': 64045,
    },
    'memcached-user': {
        'uid': 42457,
        'gid': 42457,
    },
    'karbor-user': {
        'uid': 42458,
        'gid': 42458,
    },
 }
 def get_source_opts(type_=None, location=None, reference=None):
    return [cfg.StrOpt('type', choices=['local', 'git', 'url'],
                       default=type_,
@@ -511,6 +745,20 @@ def get_source_opts(type_=None, location=None, reference=None):
                             'or branch name'))]
 def get_user_opts(uid, gid):
    return [
        cfg.StrOpt('uid', default=uid, help='The user id'),
        cfg.StrOpt('gid', default=gid, help='The group id'),
    ]
 def gen_all_user_opts():
    for name, params in USERS.items():
        uid = params['uid']
        gid = params['gid']
        yield name, get_user_opts(uid, gid)
 def gen_all_source_opts():
    for name, params in SOURCES.items():
        type_ = params['type']
@@ -524,6 +772,7 @@ def list_opts():
                            (None, _BASE_OPTS),
                            ('profiles', _PROFILE_OPTS)],
                           gen_all_source_opts(),
                           gen_all_user_opts(),
                           )
@@ -534,6 +783,8 @@ def parse(conf, args, usage=None, prog=None,
    conf.register_opts(_PROFILE_OPTS, group='profiles')
    for name, opts in gen_all_source_opts():
        conf.register_opts(opts, name)
    for name, opts in gen_all_user_opts():
        conf.register_opts(opts, name)
    conf(args=args,
         project='kolla',
--- a/kolla/image/build.py
+++ b/kolla/image/build.py
@@ -631,6 +631,20 @@ class KollaWorker(object):
            'debian_package_install': jinja_methods.debian_package_install,
        }
    def get_users(self):
        all_sections = (set(six.iterkeys(self.conf._groups)) |
                        set(self.conf.list_all_sections()))
        ret = dict()
        for section in all_sections:
            match = re.search('^.*-user$', section)
            if match:
                user = self.conf[match.group(0)]
                ret[match.group(0)[:-5]] = {
                    'uid': user.uid,
                    'gid': user.gid,
                }
        return ret
    def create_dockerfiles(self):
        kolla_version = version.version_info.cached_version_string()
        supported_distro_release = common_config.DISTRO_RELEASE.get(
@@ -650,6 +664,7 @@ class KollaWorker(object):
                      'maintainer': self.maintainer,
                      'kolla_version': kolla_version,
                      'image_name': image_name,
                      'users': self.get_users(),
                      'rpm_setup': self.rpm_setup}
            env = jinja2.Environment(  # nosec: not used to render HTML
                loader=jinja2.FileSystemLoader(self.working_dir))
--- a/releasenotes/notes/static-uid-gid-b90800f2947e656d.yaml
+++ b/releasenotes/notes/static-uid-gid-b90800f2947e656d.yaml
@@ -0,0 +1,10 @@
 ---
 features:
  - Static uid and gid are now set in container images.
    This ensures the numbers do not change and mess up
    upgrades from one image to another. These values are
    customizable in the kolla-build.conf if someone
    should wish to change the default values. By default,
    the uid and gid are set to 42400+, with the exception
    of Ceph, which is set to the static 64045 which
    matches the static uid that the package already uses.