Don't use devuser for zuul-worker

The devuser element is designed to add a single development user and
manage their keys.  Any local use of devuser by a developer thus
silently conflicts with zuul-worker.

Additionally, this is currently tacitly taking the public-key from
~/.ssh/id_rsa.pub -- i.e. the public key of the currently building
user.  Mixing permissions from the builder into the final-image makes
sense for a development-user case, but not for deploying worker
accounts.

This simply creates the worker account by hand, which is easy enough.
To maintain the status-quo we still source ~/.ssh/id_rsa.pub by
default, but provide a documented flag to override this.

Change-Id: Ic9c9e415c158ad1f057b8d2aa2776dbe2bbd1e47
This commit is contained in:
Ian Wienand 2016-06-24 11:53:50 +10:00
parent fec0be43e1
commit 0feb838506
5 changed files with 62 additions and 17 deletions

View File

@ -0,0 +1,17 @@
zuul-worker
===========
Setup a node to be a zuul worker
User Creation
=============
This element bakes in a ``zuul`` user on the host for the zuul-worker
process to log in with.
By default login permissions (``authorized_keys``) will be populated
for the ``zuul`` user from ``~/.ssh/id_rsa.pub`` -- i.e. the public
key of the currently building user. Specify an alternative filename
in ``ZUUL_USER_SSH_PUBLIC_KEY`` to override this.
The ``zuul`` user is provided with passwordless ``sudo`` access.

View File

@ -1,2 +1 @@
devuser
package-installs package-installs

View File

@ -1,16 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
export DIB_DEV_USER_PWDLESS_SUDO=true
export DIB_DEV_USER_USERNAME=zuul

View File

@ -0,0 +1,16 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
ZUUL_USER_SSH_PUBLIC_KEY=${ZUUL_USER_SSH_PUBLIC_KEY:-$HOME/.ssh/id_rsa.pub}
if [ ! -f $ZUUL_USER_SSH_PUBLIC_KEY ]; then
die "Can not find public key for zuul user!"
fi
# save the public key inside the chroot
cat $ZUUL_USER_SSH_PUBLIC_KEY >> $TMP_HOOKS_PATH/zuul-user-ssh-public-key

View File

@ -0,0 +1,29 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
useradd -m zuul
cat > /etc/sudoers.d/zuul << EOF
zuul ALL=(ALL) NOPASSWD:ALL
EOF
chmod 0440 /etc/sudoers.d/zuul
visudo -c || die "Error setting zuul sudo!"
# this was copied from outside the chroot by extras.d
_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
if [ ! -f $_pub_key ]; then
die "Can not find Zuul public key!"
fi
mkdir /home/zuul/.ssh
chmod 700 /home/zuul/.ssh
cp $_pub_key /home/zuul/.ssh/authorized_keys
# cleanup everything to the right owner
chown -R zuul:zuul /home/zuul