From 0feb83850634ff1abc13f6598ec04042c8a762c3 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Fri, 24 Jun 2016 11:53:50 +1000
Subject: [PATCH] Don't use devuser for zuul-worker

The devuser element is designed to add a single development user and manage their keys. Any local use of devuser by a developer thus silently conflicts with zuul-worker.

Additionally, this is currently tacitly taking the public-key from ~/.ssh/id_rsa.pub -- i.e. the public key of the currently building user. Mixing permissions from the builder into the final-image makes sense for a development-user case, but not for deploying worker accounts.

This simply creates the worker account by hand, which is easy enough. To maintain the status-quo we still source ~/.ssh/id_rsa.pub by default, but provide a documented flag to override this.

Change-Id: Ic9c9e415c158ad1f057b8d2aa2776dbe2bbd1e47
---
 nodepool/elements/zuul-worker/README.rst | 17 +++++++++++
 nodepool/elements/zuul-worker/element-deps | 1 -
 .../zuul-worker/environment.d/05-zuul.bash | 16 ----------
 .../zuul-worker/extra-data.d/60-zuul-user | 16 ++++++++++
 .../zuul-worker/install.d/60-zuul-worker | 29 +++++++++++++++++++
 5 files changed, 62 insertions(+), 17 deletions(-)
 create mode 100644 nodepool/elements/zuul-worker/README.rst
 delete mode 100644 nodepool/elements/zuul-worker/environment.d/05-zuul.bash
 create mode 100755 nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
 create mode 100755 nodepool/elements/zuul-worker/install.d/60-zuul-worker
diff --git a/nodepool/elements/zuul-worker/README.rst b/nodepool/elements/zuul-worker/README.rst
new file mode 100644
index 0000000000..86a174f826
--- /dev/null
+++ b/nodepool/elements/zuul-worker/README.rst
@@ -0,0 +1,17 @@
+zuul-worker
+===========
+
+Setup a node to be a zuul worker
+
+User Creation
+=============
+
+This element bakes in a ``zuul`` user on the host for the zuul-worker
+process to log in with.
+
+By default login permissions (``authorized_keys``) will be populated
+for the ``zuul`` user from ``~/.ssh/id_rsa.pub`` -- i.e. the public
+key of the currently building user. Specify an alternative filename
+in ``ZUUL_USER_SSH_PUBLIC_KEY`` to override this.
+
+The ``zuul`` user is provided with passwordless ``sudo`` access.
diff --git a/nodepool/elements/zuul-worker/element-deps b/nodepool/elements/zuul-worker/element-deps
index da49a759f0..7076aba945 100644
--- a/nodepool/elements/zuul-worker/element-deps
+++ b/nodepool/elements/zuul-worker/element-deps
@@ -1,2 +1 @@
-devuser
 package-installs
diff --git a/nodepool/elements/zuul-worker/environment.d/05-zuul.bash b/nodepool/elements/zuul-worker/environment.d/05-zuul.bash
deleted file mode 100644
index 93f4c63e34..0000000000
--- a/nodepool/elements/zuul-worker/environment.d/05-zuul.bash
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-export DIB_DEV_USER_PWDLESS_SUDO=true
-export DIB_DEV_USER_USERNAME=zuul
diff --git a/nodepool/elements/zuul-worker/extra-data.d/60-zuul-user b/nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
new file mode 100755
index 0000000000..1795ed846d
--- /dev/null
+++ b/nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+ZUUL_USER_SSH_PUBLIC_KEY=${ZUUL_USER_SSH_PUBLIC_KEY:-$HOME/.ssh/id_rsa.pub}
+
+if [ ! -f $ZUUL_USER_SSH_PUBLIC_KEY ]; then
+ die "Can not find public key for zuul user!"
+fi
+
+# save the public key inside the chroot
+cat $ZUUL_USER_SSH_PUBLIC_KEY >> $TMP_HOOKS_PATH/zuul-user-ssh-public-key
diff --git a/nodepool/elements/zuul-worker/install.d/60-zuul-worker b/nodepool/elements/zuul-worker/install.d/60-zuul-worker
new file mode 100755
index 0000000000..ef10d06810
--- /dev/null
+++ b/nodepool/elements/zuul-worker/install.d/60-zuul-worker
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+useradd -m zuul
+
+cat > /etc/sudoers.d/zuul << EOF
+zuul ALL=(ALL) NOPASSWD:ALL
+EOF
+
+chmod 0440 /etc/sudoers.d/zuul
+visudo -c || die "Error setting zuul sudo!"
+
+# this was copied from outside the chroot by extras.d
+_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
+if [ ! -f $_pub_key ]; then
+ die "Can not find Zuul public key!"
+fi
+
+mkdir /home/zuul/.ssh
+chmod 700 /home/zuul/.ssh
+cp $_pub_key /home/zuul/.ssh/authorized_keys
+
+# cleanup everything to the right owner
+chown -R zuul:zuul /home/zuul
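Review bot: In 60-zuul-user the key path is used unquoted in both the `-f` test and the final `cat`, so a `ZUUL_USER_SSH_PUBLIC_KEY` or `TMP_HOOKS_PATH` containing whitespace breaks the hook under `set -eu`; quote them as `if [ ! -f "$ZUUL_USER_SSH_PUBLIC_KEY" ]; then` and `cat "$ZUUL_USER_SSH_PUBLIC_KEY" >> "$TMP_HOOKS_PATH/zuul-user-ssh-public-key"`. Nothing verifies the file is a public key, so pointing the new override at the builder's private key by mistake would copy that private key into the image's authorized_keys; a cheap guard before the copy is `if grep -q 'PRIVATE KEY' "$ZUUL_USER_SSH_PUBLIC_KEY"; then die "ZUUL_USER_SSH_PUBLIC_KEY must be a public key"; fi`. The `>>` append also lets a leftover file accumulate keys across runs where `>` matches the single-key intent, though whether `TMP_HOOKS_PATH` is fresh per build is not visible here. `die` is not defined in either new script; presumably the dib hook environment provides it.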
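Review bot: In 60-zuul-worker, `cp $_pub_key /home/zuul/.ssh/authorized_keys` creates authorized_keys with the source file's mode bits (a public key is usually 0644) while the `chmod 700` on the line above only covers the directory; `install -m 0600 -- "$_pub_key" /home/zuul/.ssh/authorized_keys` pins the mode and quotes the path in one step. The comment `# this was copied from outside the chroot by extras.d` names a phase that does not exist; it should read `extra-data.d`, which is where 60-zuul-user lives. `visudo -c` validates the entire sudoers configuration, so an unrelated pre-existing error would also abort this hook; `visudo -c -f /etc/sudoers.d/zuul` checks only the file just written.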