From 5397e9eb4fcf2c95f50049995d433bca3ea3dcf9 Mon Sep 17 00:00:00 2001 
From: Emilien Macchi Date: Mon, 10 Aug 2020 14:12:53 -0400 Subject: [PATCH] (backward compatibility) create kolla UIDs/GIDs for TCIB When upgrading container images from Kolla-based to TCIB-based, the config files can't be read if we don't apply the new chown values unless we re-use the same UIDs/GIDs as we had with Kolla; which is what we'll do for now until we figure out an easy way to update config permissions during the upgrade/update stage. This introduces a new script, that will be injected in the base layer: uid_gid_manage.sh Usage: ./uid_gid_manage.sh qemu nova It'll first create the qemu user/group, then nova user/group. The format aims to be simple: It's also removing instances of usermod which aren't needed anymore; since we create the user / groups only in the images where they are needed; which wasn't the case for Kolla where all users/groups were created in the base image. Note: we create the user/group before installing packaging so if packaging creates directories and sets permissions, it'll be with the right UID/GID (unless packaging overrides UID/GID but rarely do it). 
Related-Bug: #1890798 Change-Id: If3fa2ff34af42a7438c6dbf81dbcb0bddd63afa6 (cherry picked from commit fb0ec2ffd0a99d441c361bb83472e48ead18d013)
---
container-images/kolla/base/uid_gid_manage.sh | 124 ++++++++++++++++++ container-images/tcib/base/base.yaml | 4 +- .../tcib/base/collectd/collectd.yaml | 4 +- container-images/tcib/base/etcd/etcd.yaml | 1 + .../tcib/base/mariadb/mariadb.yaml | 2 +- .../tcib/base/memcached/memcached.yaml | 3 +- .../tcib/base/os/aodh-base/aodh-base.yaml | 2 +- .../base/os/barbican-base/barbican-base.yaml | 2 +- .../os/ceilometer-base/ceilometer-base.yaml | 2 +- .../tcib/base/os/cinder-base/cinder-base.yaml | 2 +- .../os/designate-base/designate-base.yaml | 2 +- .../tcib/base/os/glance-api/glance-api.yaml | 2 +- .../base/os/gnocchi-base/gnocchi-base.yaml | 2 +- .../tcib/base/os/heat-base/heat-base.yaml | 2 +- .../tcib/base/os/ironic-base/ironic-base.yaml | 2 +- .../ironic-inspector/ironic-inspector.yaml | 2 +- .../tcib/base/os/keystone/keystone.yaml | 2 +- .../tcib/base/os/manila-base/manila-base.yaml | 2 +- .../base/os/mistral-base/mistral-base.yaml | 2 +- .../base/os/neutron-base/neutron-base.yaml | 2 +- .../tcib/base/os/nova-base/nova-base.yaml | 2 +- .../nova-compute-ironic.yaml | 2 + .../nova-base/nova-compute/nova-compute.yaml | 2 + .../base/os/novajoin-base/novajoin-base.yaml | 2 +- .../base/os/octavia-base/octavia-base.yaml | 2 +- .../tcib/base/os/swift-base/swift-base.yaml | 2 +- .../tcib/base/os/tempest/tempest.yaml | 3 +- .../tcib/base/qdrouterd/qdrouterd.yaml | 2 +- .../tcib/base/rabbitmq/rabbitmq.yaml | 2 +- container-images/tcib/base/redis/redis.yaml | 2 +- 30 files changed, 158 insertions(+), 29 deletions(-) create mode 100755 container-images/kolla/base/uid_gid_manage.sh
diff --git a/container-images/kolla/base/uid_gid_manage.sh b/container-images/kolla/base/uid_gid_manage.sh
new file mode 100755
index 000000000..7e44afdd6
--- /dev/null
+++ b/container-images/kolla/base/uid_gid_manage.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script maintains compatibility when upgrading kolla images to the
+# TCIB images. To allow containers reading configuration files, we need to
+# maintain the same UIDs/GIDs for now until we update file permissions during
+# update/upgrade tasks.
+#
+# Usage:
+# ./uid_gid_manage.sh qemu nova
+#
+# Note: order of args is maintained during the creation.
+#
+
+set -o errexit
+set -o xtrace
+
+[ -z $1 ] && echo "Argument missing: name of user to create" && exit 1
+_USERS_TO_CREATE=$@
+
+declare -A _SUPPORTED_USERS
+# This comes from kolla/common/config.py.
+# Format:
+# Note: if homedir isn't specified, extra groups aren't supported
+_SUPPORTED_USERS['aodh']='aodh 42402 42402 /var/lib/aodh kolla'
+_SUPPORTED_USERS['barbican']='barbican 42403 42403 /var/lib/barbican kolla,nfast'
+_SUPPORTED_USERS['ceilometer']='ceilometer 42405 42405 /var/lib/ceilometer kolla'
+_SUPPORTED_USERS['cinder']='cinder 42407 42407 /var/lib/cinder kolla'
+_SUPPORTED_USERS['collectd']='collectd 42409 42409 /var/lib/collectd kolla'
+_SUPPORTED_USERS['designate']='designate 42411 42411 /var/lib/designate kolla'
+_SUPPORTED_USERS['etcd']='etcd 42413 42413 /var/lib/etcd kolla'
+_SUPPORTED_USERS['glance']='glance 42415 42415 /var/lib/glance kolla'
+_SUPPORTED_USERS['gnocchi']='gnocchi 42416 42416 /var/lib/gnocchi kolla'
+_SUPPORTED_USERS['haproxy']='haproxy 42454 42454 /var/lib/haproxy kolla'
+_SUPPORTED_USERS['heat']='heat 42418 42418 /var/lib/heat kolla'
+_SUPPORTED_USERS['horizon']='horizon 42420 42420 /var/lib/horizon kolla'
+_SUPPORTED_USERS['hugetlbfs']='hugetlbfs 42477 42477'
+_SUPPORTED_USERS['ironic']='ironic 42422 42422 /var/lib/ironic kolla'
+_SUPPORTED_USERS['ironic-inspector']='ironic-inspector 42461 42461 /var/lib/ironic-inspector kolla'
+_SUPPORTED_USERS['keystone']='keystone 42425 42425 /var/lib/keystone kolla'
+_SUPPORTED_USERS['kolla']='kolla 42400 42400'
+_SUPPORTED_USERS['libvirt']='libvirt 42473 42473'
+_SUPPORTED_USERS['manila']='manila 42429 42429 /var/lib/manila kolla'
+_SUPPORTED_USERS['memcached']='memcached 42457 42457 /run/memcache kolla'
+_SUPPORTED_USERS['mistral']='mistral 42430 42430 /var/lib/mistral kolla'
+_SUPPORTED_USERS['mysql']='mysql 42434 42434 /var/lib/mysql kolla'
+_SUPPORTED_USERS['neutron']='neutron 42435 42435 /var/lib/neutron kolla'
+_SUPPORTED_USERS['nfast']='nfast 42481 42481'
+_SUPPORTED_USERS['nova']='nova 42436 42436 /var/lib/nova qemu,libvirt,kolla'
+_SUPPORTED_USERS['novajoin']='novajoin 42470 42470 /var/lib/novajoin kolla'
+_SUPPORTED_USERS['octavia']='octavia 42437 42437 /var/lib/octavia kolla'
+_SUPPORTED_USERS['openvswitch']='openvswitch 42476 42476'
+_SUPPORTED_USERS['placement']='placement 42482 42482 /var/lib/placement kolla'
+_SUPPORTED_USERS['qdrouterd']='qdrouterd 42465 42465 /var/lib/qdrouterd kolla'
+_SUPPORTED_USERS['qemu']='qemu 42427 42427'
+_SUPPORTED_USERS['rabbitmq']='rabbitmq 42439 42439 /var/lib/rabbitmq kolla'
+_SUPPORTED_USERS['redis']='redis 42460 42460 /run/redis kolla'
+_SUPPORTED_USERS['swift']='swift 42445 42445 /var/lib/swift kolla'
+_SUPPORTED_USERS['tempest']='tempest 42480 42480 /var/lib/tempest kolla'
+_SUPPORTED_USERS['zaqar']='zaqar 42452 42452 /var/lib/zaqar kolla'
+
+for _USER_TO_CREATE in $_USERS_TO_CREATE; do
+ # Initialize computed args
+ _EXTRA_GROUPS_ARG=
+ _EXTRA_PERMS=
+ _HOME_ARGS=
+
+ _NAME=$(echo ${_SUPPORTED_USERS[$_USER_TO_CREATE]} | awk '{ print $1 }')
+ _UID=$(echo ${_SUPPORTED_USERS[$_USER_TO_CREATE]} | awk '{ print $2 }')
+ _GID=$(echo ${_SUPPORTED_USERS[$_USER_TO_CREATE]} | awk '{ print $3 }')
+ _HOME_DIR=$(echo ${_SUPPORTED_USERS[$_USER_TO_CREATE]} | awk '{ print $4 }')
+ _EXTRA_GROUPS=$(echo ${_SUPPORTED_USERS[$_USER_TO_CREATE]} | awk '{ print $5 }')
+
+ # User was not found, we fail
+ if [[ "$_NAME" != "$_USER_TO_CREATE" ]]; then
+ echo "User ${_USER_TO_CREATE} was not found in the supported list"
+ exit 1
+ fi
+
+ if [[ ! -z $_EXTRA_GROUPS ]]; then
+ _EXTRA_GROUPS_ARG="--groups $_EXTRA_GROUPS"
+ fi
+
+ # Some users don't need a home directory
+ if [[ -z $_HOME_DIR ]]; then
+ _HOME_ARGS="-M"
+ else
+ _HOME_ARGS="-m --home $_HOME_DIR"
+ fi
+
+ if id -g $_NAME 2>/dev/null; then
+ _GROUPADD_CMD="groupmod --gid $_GID $_NAME"
+ else
+ _GROUPADD_CMD="groupadd --gid $_GID $_NAME"
+ fi
+
+ if id $_NAME 2>/dev/null; then
+ # -M argument doesn't exist with usermod
+ if [[ -z $_HOME_DIR ]]; then
+ _HOME_ARGS=
+ # usermod doesn't guaranty the home directory permissions (best effort)
+ else
+ _EXTRA_PERMS="&& mkdir -p $_HOME_DIR && chown -R $_UID:$_GID $_HOME_DIR"
+ fi
+ # --append only exists with usermod
+ [ ! -z $_EXTRA_GROUPS_ARG ] && _EXTRA_GROUPS_ARG="--append $_EXTRA_GROUPS_ARG"
+ _USERADD_CMD="usermod ${_HOME_ARGS} --gid $_GID --uid $_UID ${_EXTRA_GROUPS_ARG} $_NAME ${_EXTRA_PERMS}"
+ else
+ _USERADD_CMD="useradd -l ${_HOME_ARGS} --shell /usr/sbin/nologin --uid $_UID --gid $_GID ${_EXTRA_GROUPS_ARG} $_NAME"
+ fi
+ eval $_GROUPADD_CMD
+ eval $_USERADD_CMD
+done
diff --git a/container-images/tcib/base/base.yaml b/container-images/tcib/base/base.yaml index a7fc74e2f..e69bd6193 100644 --- a/container-images/tcib/base/base.yaml +++ b/container-images/tcib/base/base.yaml @@ -12,7 +12,9 @@ tcib_actions: crudini --set /etc/dnf/dnf.conf main plugins 1 && crudini --set /etc/dnf/dnf.conf main skip_missing_names_on_install False && crudini --set /etc/dnf/dnf.conf main tsflags nodocs -- run: groupadd --force --gid 42400 kolla && useradd -l -M --shell /usr/sbin/nologin --uid 42400 --gid 42400 kolla +- copy: /usr/share/tripleo-common/container-images/kolla/base/uid_gid_manage.sh /usr/local/bin/uid_gid_manage +- run: chmod 755 /usr/local/bin/uid_gid_manage +- run: bash /usr/local/bin/uid_gid_manage kolla hugetlbfs libvirt qemu - run: touch /usr/local/bin/kolla_extend_start && chmod 755 /usr/local/bin/kolla_extend_start - copy: /usr/share/tripleo-common/container-images/kolla/base/set_configs.py /usr/local/bin/kolla_set_configs - run: chmod 755 /usr/local/bin/kolla_set_configs diff --git a/container-images/tcib/base/collectd/collectd.yaml b/container-images/tcib/base/collectd/collectd.yaml index 5479a93ec..ae17be6aa 100644 --- a/container-images/tcib/base/collectd/collectd.yaml +++ b/container-images/tcib/base/collectd/collectd.yaml @@ -1,4 +1,5 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage collectd - run: >- if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}
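Review bot: In uid_gid_manage.sh the test `[ ! -z $_EXTRA_GROUPS_ARG ]` is unquoted, so once the variable holds `--groups kolla` it expands to several words, `[` fails with a syntax error, and as far as I can tell `--append` is never added. `usermod --groups` then replaces the account's supplementary groups instead of extending them, which is the path the nova-compute and nova-compute-ironic hunks take after the package has already adjusted the nova user. The two `eval` calls also re-parse strings assembled from these variables, which is safe only because the name is checked against `_SUPPORTED_USERS` first. Building the arguments as arrays and running groupadd/groupmod/useradd/usermod directly removes both problems; the unquoted `$1` and `$@` at the top of the script deserve the same quoting.

```shell
# … unchanged: argument check, _SUPPORTED_USERS table, field parsing, supported-user check …
    _GROUP_ARGS=()
    if [[ -n "$_EXTRA_GROUPS" ]]; then
        _GROUP_ARGS=(--groups "$_EXTRA_GROUPS")
    fi

    # Some users don't need a home directory
    if [[ -z "$_HOME_DIR" ]]; then
        _HOME_ARGS=(-M)
    else
        _HOME_ARGS=(-m --home "$_HOME_DIR")
    fi

    if id -g "$_NAME" 2>/dev/null; then
        groupmod --gid "$_GID" "$_NAME"
    else
        groupadd --gid "$_GID" "$_NAME"
    fi

    if id "$_NAME" 2>/dev/null; then
        # -M argument doesn't exist with usermod
        if [[ -z "$_HOME_DIR" ]]; then
            _HOME_ARGS=()
        fi
        # --append only exists with usermod
        if (( ${#_GROUP_ARGS[@]} )); then
            _GROUP_ARGS=(--append "${_GROUP_ARGS[@]}")
        fi
        usermod "${_HOME_ARGS[@]}" --gid "$_GID" --uid "$_UID" "${_GROUP_ARGS[@]}" "$_NAME"
        # usermod doesn't guarantee the home directory permissions (best effort)
        if [[ -n "$_HOME_DIR" ]]; then
            mkdir -p "$_HOME_DIR"
            chown -R "$_UID:$_GID" "$_HOME_DIR"
        fi
    else
        useradd -l "${_HOME_ARGS[@]}" --shell /usr/sbin/nologin --uid "$_UID" --gid "$_GID" "${_GROUP_ARGS[@]}" "$_NAME"
    fi
done
```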
@@ -6,8 +7,7 @@ tcib_actions: - run: if [ "{{ tcib_distro }}" == "rhel" ]; then dnf -y install {{ tcib_packages['rhel'] | join(' ') }}; fi - run: if [ "$(uname -m)" == "x86_64" ]; then dnf -y install {{ tcib_packages['x86_64'] | join(' ') }}; fi - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: mkdir -p /var/lib/collectd && useradd -d /var/lib/collectd -l -M --shell /usr/sbin/nologin collectd && chown collectd:collectd /var/lib/collectd -- run: chown -R collectd /var/lib/collectd && chown -R collectd /etc/collectd* && chown -R collectd /var/run/ +- run: chown -R collectd:collectd /etc/collectd* /var/run/ - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/collectd /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: common: diff --git a/container-images/tcib/base/etcd/etcd.yaml b/container-images/tcib/base/etcd/etcd.yaml index fac2e4bd9..dc323f000 100644 --- a/container-images/tcib/base/etcd/etcd.yaml +++ b/container-images/tcib/base/etcd/etcd.yaml @@ -1,4 +1,5 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/etcd /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: diff --git a/container-images/tcib/base/mariadb/mariadb.yaml b/container-images/tcib/base/mariadb/mariadb.yaml index 4db555944..d4c05f252 100644 --- a/container-images/tcib/base/mariadb/mariadb.yaml +++ b/container-images/tcib/base/mariadb/mariadb.yaml 
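Review bot: The new `chown -R collectd:collectd /etc/collectd* /var/run/` action in collectd.yaml hands everything under /var/run/ to the collectd user and group, not only collectd's own runtime files. The removed line already chowned /var/run/ to the user; the new one extends that to the group as well. If only collectd's own directories have to be writable, the chown should be limited to those paths; otherwise a YAML comment above the action should say why the whole directory is given to the service account.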
@@ -1,10 +1,10 @@ tcib_actions: - run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset' +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf - copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start - run: chmod 755 /usr/local/bin/kolla_extend_start -- run: usermod -a -G kolla {{ tcib_user }} - copy: /usr/share/tripleo-common/container-images/kolla/mariadb/security_reset.expect /usr/local/bin/kolla_security_reset - run: chmod 755 /usr/local/bin/kolla_security_reset - run: rm -rf /var/lib/mysql/* /etc/my.cnf.d/mariadb-server.cnf /etc/my.cnf.d/auth_gssapi.cnf diff --git a/container-images/tcib/base/memcached/memcached.yaml b/container-images/tcib/base/memcached/memcached.yaml index 779297155..1099041ad 100644 --- a/container-images/tcib/base/memcached/memcached.yaml +++ b/container-images/tcib/base/memcached/memcached.yaml @@ -1,7 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf install -y {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla {{ tcib_user }} -- run: mkdir -p /run/memcache && chown -R memcached:memcached /run/memcache - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/memcached /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: common: diff --git a/container-images/tcib/base/os/aodh-base/aodh-base.yaml b/container-images/tcib/base/os/aodh-base/aodh-base.yaml index f0aace632..3d8263344 100644 --- a/container-images/tcib/base/os/aodh-base/aodh-base.yaml 
+++ b/container-images/tcib/base/os/aodh-base/aodh-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage aodh - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla aodh tcib_packages: common: - openstack-aodh-common diff --git a/container-images/tcib/base/os/barbican-base/barbican-base.yaml b/container-images/tcib/base/os/barbican-base/barbican-base.yaml index c56a9ce3f..a4f5aef73 100644 --- a/container-images/tcib/base/os/barbican-base/barbican-base.yaml +++ b/container-images/tcib/base/os/barbican-base/barbican-base.yaml @@ -1,7 +1,7 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage nfast barbican - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf - run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers' -- run: usermod -a -G kolla barbican tcib_packages: common: - openstack-barbican-common diff --git a/container-images/tcib/base/os/ceilometer-base/ceilometer-base.yaml b/container-images/tcib/base/os/ceilometer-base/ceilometer-base.yaml index ce6819b3a..d5e6f093f 100644 --- a/container-images/tcib/base/os/ceilometer-base/ceilometer-base.yaml +++ b/container-images/tcib/base/os/ceilometer-base/ceilometer-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage ceilometer - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla ceilometer tcib_packages: common: - openstack-ceilometer-common diff --git a/container-images/tcib/base/os/cinder-base/cinder-base.yaml b/container-images/tcib/base/os/cinder-base/cinder-base.yaml index d5115b1ff..a174065f4 100644 --- a/container-images/tcib/base/os/cinder-base/cinder-base.yaml 
+++ b/container-images/tcib/base/os/cinder-base/cinder-base.yaml @@ -1,7 +1,7 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage cinder - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla cinder tcib_packages: common: - ceph-common diff --git a/container-images/tcib/base/os/designate-base/designate-base.yaml b/container-images/tcib/base/os/designate-base/designate-base.yaml index 4c63ee3be..9008568b9 100644 --- a/container-images/tcib/base/os/designate-base/designate-base.yaml +++ b/container-images/tcib/base/os/designate-base/designate-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage designate - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla designate tcib_packages: common: - openstack-designate-common diff --git a/container-images/tcib/base/os/glance-api/glance-api.yaml b/container-images/tcib/base/os/glance-api/glance-api.yaml index 3f3315a66..2566c4013 100644 --- a/container-images/tcib/base/os/glance-api/glance-api.yaml +++ b/container-images/tcib/base/os/glance-api/glance-api.yaml 
@@ -1,7 +1,7 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla {{ tcib_user }} - copy: /usr/share/tripleo-common/container-images/kolla/glance-api/extend_start.sh /usr/local/bin/kolla_extend_start - run: chmod 755 /usr/local/bin/kolla_extend_start - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/glance-api /openstack/healthcheck && chmod a+rx /openstack/healthcheck diff --git a/container-images/tcib/base/os/gnocchi-base/gnocchi-base.yaml b/container-images/tcib/base/os/gnocchi-base/gnocchi-base.yaml index 43271799e..7626a2cf8 100644 --- a/container-images/tcib/base/os/gnocchi-base/gnocchi-base.yaml +++ b/container-images/tcib/base/os/gnocchi-base/gnocchi-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage gnocchi - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla gnocchi tcib_packages: common: - gnocchi-common diff --git a/container-images/tcib/base/os/heat-base/heat-base.yaml b/container-images/tcib/base/os/heat-base/heat-base.yaml index 7302c0969..e3599e80f 100644 --- a/container-images/tcib/base/os/heat-base/heat-base.yaml +++ b/container-images/tcib/base/os/heat-base/heat-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage heat - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla heat - run: sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf tcib_packages: common: 
diff --git a/container-images/tcib/base/os/ironic-base/ironic-base.yaml b/container-images/tcib/base/os/ironic-base/ironic-base.yaml index 62241451a..3fde28c6a 100644 --- a/container-images/tcib/base/os/ironic-base/ironic-base.yaml +++ b/container-images/tcib/base/os/ironic-base/ironic-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage ironic - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla ironic tcib_packages: common: - openstack-ironic-common diff --git a/container-images/tcib/base/os/ironic-base/ironic-inspector/ironic-inspector.yaml b/container-images/tcib/base/os/ironic-base/ironic-inspector/ironic-inspector.yaml index a24b52ee8..6425f1298 100644 --- a/container-images/tcib/base/os/ironic-base/ironic-inspector/ironic-inspector.yaml +++ b/container-images/tcib/base/os/ironic-base/ironic-inspector/ironic-inspector.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla {{ tcib_user }} - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-inspector /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: common: diff --git a/container-images/tcib/base/os/keystone/keystone.yaml b/container-images/tcib/base/os/keystone/keystone.yaml index e43b2ad9e..b4ffc6420 100644 --- a/container-images/tcib/base/os/keystone/keystone.yaml +++ b/container-images/tcib/base/os/keystone/keystone.yaml 
@@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage keystone - run: dnf module -y enable mod_auth_openidc && dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla keystone - run: mkdir -p /var/www/cgi-bin/keystone && chown -R keystone /var/www/cgi-bin/keystone - copy: /usr/share/tripleo-common/container-images/kolla/keystone/extend_start.sh /usr/local/bin/kolla_extend_start - run: chmod 755 /usr/local/bin/kolla_extend_start diff --git a/container-images/tcib/base/os/manila-base/manila-base.yaml b/container-images/tcib/base/os/manila-base/manila-base.yaml index c7d16e1ce..8f69e14a9 100644 --- a/container-images/tcib/base/os/manila-base/manila-base.yaml +++ b/container-images/tcib/base/os/manila-base/manila-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage manila - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla manila tcib_packages: common: - openstack-manila diff --git a/container-images/tcib/base/os/mistral-base/mistral-base.yaml b/container-images/tcib/base/os/mistral-base/mistral-base.yaml index aa45d858e..58e2c4deb 100644 --- a/container-images/tcib/base/os/mistral-base/mistral-base.yaml +++ b/container-images/tcib/base/os/mistral-base/mistral-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage mistral - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla mistral tcib_packages: common: - openstack-mistral-common diff --git a/container-images/tcib/base/os/neutron-base/neutron-base.yaml b/container-images/tcib/base/os/neutron-base/neutron-base.yaml index 09c69bd40..08bdab101 100644 --- a/container-images/tcib/base/os/neutron-base/neutron-base.yaml +++ b/container-images/tcib/base/os/neutron-base/neutron-base.yaml 
@@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage neutron - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla neutron - copy: /usr/share/tripleo-common/container-images/kolla/neutron-base/neutron_sudoers /etc/sudoers.d/neutron_sudoers - run: chmod 440 /etc/sudoers.d/neutron_sudoers # TODO(emilien) add support for tripleo-common being installed from source diff --git a/container-images/tcib/base/os/nova-base/nova-base.yaml b/container-images/tcib/base/os/nova-base/nova-base.yaml index a9281cb77..1e4971b77 100644 --- a/container-images/tcib/base/os/nova-base/nova-base.yaml +++ b/container-images/tcib/base/os/nova-base/nova-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage nova - run: mkdir -p /etc/ssh && touch /etc/ssh/ssh_known_host - run: dnf install -y {{ tcib_packages | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla nova tcib_packages: - openstack-nova-common diff --git a/container-images/tcib/base/os/nova-base/nova-compute-ironic/nova-compute-ironic.yaml b/container-images/tcib/base/os/nova-base/nova-compute-ironic/nova-compute-ironic.yaml index 30fd474bd..b1c10868d 100644 --- a/container-images/tcib/base/os/nova-base/nova-compute-ironic/nova-compute-ironic.yaml +++ b/container-images/tcib/base/os/nova-base/nova-compute-ironic/nova-compute-ironic.yaml 
@@ -1,6 +1,8 @@ tcib_actions: - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf +# this need to happen after installing nova-compute because the distgit does usermod to add libvirt/qemu groups +- run: bash /usr/local/bin/uid_gid_manage nova - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/nova-ironic /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: common: diff --git a/container-images/tcib/base/os/nova-base/nova-compute/nova-compute.yaml b/container-images/tcib/base/os/nova-base/nova-compute/nova-compute.yaml index 3101b421e..7734b5362 100644 --- a/container-images/tcib/base/os/nova-base/nova-compute/nova-compute.yaml +++ b/container-images/tcib/base/os/nova-base/nova-compute/nova-compute.yaml @@ -1,6 +1,8 @@ tcib_actions: - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf +# this need to happen after installing nova-compute because the distgit does usermod to add libvirt/qemu groups +- run: bash /usr/local/bin/uid_gid_manage nova - run: rm -f /etc/machine-id - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/nova-compute /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: diff --git a/container-images/tcib/base/os/novajoin-base/novajoin-base.yaml b/container-images/tcib/base/os/novajoin-base/novajoin-base.yaml index 691853e69..1f2679a73 100644 --- a/container-images/tcib/base/os/novajoin-base/novajoin-base.yaml +++ b/container-images/tcib/base/os/novajoin-base/novajoin-base.yaml 
@@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage novajoin - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla novajoin tcib_packages: common: - python3-novajoin diff --git a/container-images/tcib/base/os/octavia-base/octavia-base.yaml b/container-images/tcib/base/os/octavia-base/octavia-base.yaml index d717b2750..4dcbbb01e 100644 --- a/container-images/tcib/base/os/octavia-base/octavia-base.yaml +++ b/container-images/tcib/base/os/octavia-base/octavia-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage octavia - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla octavia tcib_packages: common: - openstack-octavia-common diff --git a/container-images/tcib/base/os/swift-base/swift-base.yaml b/container-images/tcib/base/os/swift-base/swift-base.yaml index b1eee28c2..a1038e13f 100644 --- a/container-images/tcib/base/os/swift-base/swift-base.yaml +++ b/container-images/tcib/base/os/swift-base/swift-base.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage swift - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla swift - copy: /usr/share/tripleo-common/container-images/kolla/swift-base/swift-rootwrap /usr/bin/swift-rootwrap - copy: /usr/share/tripleo-common/container-images/kolla/swift-base/swift-sudoers /etc/sudoers.d/swift-sudoers - run: chmod 755 /usr/bin/swift-rootwrap && chmod 440 /etc/sudoers.d/swift-sudoers diff --git a/container-images/tcib/base/os/tempest/tempest.yaml b/container-images/tcib/base/os/tempest/tempest.yaml index 3ff8dc570..15d21ddbd 100644 --- a/container-images/tcib/base/os/tempest/tempest.yaml +++ b/container-images/tcib/base/os/tempest/tempest.yaml 
@@ -1,7 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: groupadd --force --gid 42480 tempest && useradd -l -M --shell /usr/sbin/nologin --uid 42480 --gid 42480 tempest -- run: usermod -a -G kolla tempest tcib_packages: common: - iputils diff --git a/container-images/tcib/base/qdrouterd/qdrouterd.yaml b/container-images/tcib/base/qdrouterd/qdrouterd.yaml index d4ceda058..b355308f0 100644 --- a/container-images/tcib/base/qdrouterd/qdrouterd.yaml +++ b/container-images/tcib/base/qdrouterd/qdrouterd.yaml @@ -1,6 +1,6 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod -a -G kolla qdrouterd && mkdir -p /var/lib/qdrouterd && chown -R qdrouterd /var/lib/qdrouterd - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/qdrouterd /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: common: diff --git a/container-images/tcib/base/rabbitmq/rabbitmq.yaml b/container-images/tcib/base/rabbitmq/rabbitmq.yaml index 9996d8736..11df8121a 100644 --- a/container-images/tcib/base/rabbitmq/rabbitmq.yaml +++ b/container-images/tcib/base/rabbitmq/rabbitmq.yaml 
@@ -1,8 +1,8 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf - copy: /usr/share/tripleo-common/container-images/kolla/rabbitmq/extend_start.sh /usr/local/bin/kolla_extend_start - run: chmod 755 /usr/local/bin/kolla_extend_start -- run: usermod -a -G kolla {{ tcib_user }} - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/rabbitmq /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/rabbitmq/*'', wantlist=True) }}' tcib_packages: diff --git a/container-images/tcib/base/redis/redis.yaml b/container-images/tcib/base/redis/redis.yaml index f03d8fb00..0bdc640f7 100644 --- a/container-images/tcib/base/redis/redis.yaml +++ b/container-images/tcib/base/redis/redis.yaml @@ -1,7 +1,7 @@ tcib_actions: +- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }} - run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi - run: dnf -y install {{ tcib_packages.common | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf -- run: usermod --append --home /run/redis --groups kolla redis && mkdir -p /run/redis && chown -R redis /run/redis - run: mkdir /etc/libqb - run: ln -s /usr/share/openstack-tripleo-common/healthcheck/redis /openstack/healthcheck && chmod a+rx /openstack/healthcheck tcib_packages: