Merge "Don't use devuser for zuul-worker"
This commit is contained in:
commit
6c3417c2ad
17
nodepool/elements/zuul-worker/README.rst
Normal file
17
nodepool/elements/zuul-worker/README.rst
Normal file
@ -0,0 +1,17 @@
|
||||
zuul-worker
|
||||
===========
|
||||
|
||||
Setup a node to be a zuul worker
|
||||
|
||||
User Creation
|
||||
=============
|
||||
|
||||
This element bakes in a ``zuul`` user on the host for the zuul-worker
|
||||
process to log in with.
|
||||
|
||||
By default login permissions (``authorized_keys``) will be populated
|
||||
for the ``zuul`` user from ``~/.ssh/id_rsa.pub`` -- i.e. the public
|
||||
key of the currently building user. Specify an alternative filename
|
||||
in ``ZUUL_USER_SSH_PUBLIC_KEY`` to override this.
|
||||
|
||||
The ``zuul`` user is provided with passwordless ``sudo`` access.
|
@ -1,2 +1 @@
|
||||
devuser
|
||||
package-installs
|
||||
|
@ -1,16 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
export DIB_DEV_USER_PWDLESS_SUDO=true
|
||||
export DIB_DEV_USER_USERNAME=zuul
|
16
nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
Executable file
16
nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
Executable file
@ -0,0 +1,16 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
||||
set -x
|
||||
fi
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
ZUUL_USER_SSH_PUBLIC_KEY=${ZUUL_USER_SSH_PUBLIC_KEY:-$HOME/.ssh/id_rsa.pub}
|
||||
|
||||
if [ ! -f $ZUUL_USER_SSH_PUBLIC_KEY ]; then
|
||||
die "Can not find public key for zuul user!"
|
||||
fi
|
||||
|
||||
# save the public key inside the chroot
|
||||
cat $ZUUL_USER_SSH_PUBLIC_KEY >> $TMP_HOOKS_PATH/zuul-user-ssh-public-key
|
29
nodepool/elements/zuul-worker/install.d/60-zuul-worker
Executable file
29
nodepool/elements/zuul-worker/install.d/60-zuul-worker
Executable file
@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
|
||||
set -x
|
||||
fi
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
useradd -m zuul
|
||||
|
||||
cat > /etc/sudoers.d/zuul << EOF
|
||||
zuul ALL=(ALL) NOPASSWD:ALL
|
||||
EOF
|
||||
|
||||
chmod 0440 /etc/sudoers.d/zuul
|
||||
visudo -c || die "Error setting zuul sudo!"
|
||||
|
||||
# this was copied from outside the chroot by extras.d
|
||||
_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
|
||||
if [ ! -f $_pub_key ]; then
|
||||
die "Can not find Zuul public key!"
|
||||
fi
|
||||
|
||||
mkdir /home/zuul/.ssh
|
||||
chmod 700 /home/zuul/.ssh
|
||||
cp $_pub_key /home/zuul/.ssh/authorized_keys
|
||||
|
||||
# cleanup everything to the right owner
|
||||
chown -R zuul:zuul /home/zuul
|
Loading…
Reference in New Issue
Block a user