Backport "docker group is no longer used"

Restrict docker api access to only the root user. This is so that someone
with access to the docker api cannot access arbitrary files on the host and
modify the host networking and kill/inspect host processes.

Change-Id: I9b5cb3cf3e0470ce58f72bd9952b6b3856ebf94d
heat-coe-templates: I0eee1222e06d6c34761feb24b517972892dc8bbc

magnum/templates/heat-kubernetes/fragments/add-to-docker-group.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-# Under atomic, we need to make sure the 'dockerroot' group exists in
-# /etc/group (because /lib/group cannot be modified by usermod).
-echo "making 'dockerroot' group editable"
-if ! grep -q dockerroot /etc/group; then
-	grep dockerroot /lib/group >> /etc/group
-fi
-
-# make 'minion' user a member of the dockerroot group
-# (so you can run docker commands as the 'minion' user)
-echo "adding 'minion' user to 'dockerroot' group"
-usermod -G dockerroot minion
-

magnum/templates/heat-kubernetes/kubeminion.yaml

@@ -93,12 +93,6 @@ resources:
             $KUBE_MASTER_IP: {get_param: kube_master_ip}
             $DOCKER_VOLUME: {get_resource: docker_volume}
 
-  add_to_docker_group:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/add-to-docker-group.sh}
-
   configure_docker_storage:
     type: OS::Heat::SoftwareConfig
     properties:
@@ -167,7 +161,6 @@ resources:
         - config: {get_resource: write_heat_params}
         - config: {get_resource: kube_user}
         - config: {get_resource: kube_examples}
-        - config: {get_resource: add_to_docker_group}
         - config: {get_resource: configure_docker_storage}
         - config: {get_resource: kube_register}
         - config: {get_resource: configure_kubernetes_minion}