Add zuul-worker element for nodepool

This adds a DIB element to allow nodepool-builder and zuul-executor to properly SSH into a VM launched by nodepool-launcher. Change-Id: I5c21f6d5a9e5e0ca963aa78c8dcab14ce55365a8 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-04-08 21:17:36 -04:00 · 2018-04-08 21:17:36 -04:00 · 0c6650d157
parent 0dc4c4ac6f
commit 0c6650d157
9 changed files with 146 additions and 59 deletions
--- a/config/nodepool/elements/zuul-worker/README.rst
+++ b/config/nodepool/elements/zuul-worker/README.rst
@ -0,0 +1,17 @@
+zuul-worker
+===========
+
+Setup a node to be a zuul worker
+
+User Creation
+=============
+
+This element bakes in a ``zuul`` user on the host for the zuul-worker
+process to log in with.
+
+By default login permissions (``authorized_keys``) will be populated
+for the ``zuul`` user from ``~/.ssh/id_rsa.pub`` -- i.e. the public
+key of the currently building user.  Specify an alternative filename
+in ``ZUUL_USER_SSH_PUBLIC_KEY`` to override this.
+
+The ``zuul`` user is provided with passwordless ``sudo`` access.
--- a/config/nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
+++ b/config/nodepool/elements/zuul-worker/extra-data.d/60-zuul-user
@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+ZUUL_USER_SSH_PUBLIC_KEY=${ZUUL_USER_SSH_PUBLIC_KEY:-$HOME/.ssh/id_rsa.pub}
+
+if [ ! -f $ZUUL_USER_SSH_PUBLIC_KEY ]; then
+    die "Can not find public key for zuul user!"
+fi
+
+# save the public key inside the chroot
+cat $ZUUL_USER_SSH_PUBLIC_KEY >> $TMP_HOOKS_PATH/zuul-user-ssh-public-key
--- a/config/nodepool/elements/zuul-worker/install.d/60-zuul-worker
+++ b/config/nodepool/elements/zuul-worker/install.d/60-zuul-worker
@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# Add zuul user and group.  Note we don't want to rely on
+# "useradd"'s group adding behaviour, because it might differ across
+# distros.
+groupadd zuul
+useradd -m zuul -g zuul -s /bin/bash
+
+cat > /etc/sudoers.d/zuul << EOF
+zuul ALL=(ALL) NOPASSWD:ALL
+EOF
+chmod 0440 /etc/sudoers.d/zuul
+
+visudo -c || die "Error setting zuul sudo!"
+
+# this was copied from outside the chroot by extras.d
+_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
+if [ ! -f $_pub_key ]; then
+    die "Can not find Zuul public key!"
+fi
+
+mkdir -p /home/zuul/.ssh
+chmod 700 /home/zuul/.ssh
+cp $_pub_key /home/zuul/.ssh/authorized_keys
+
+# cleanup everything to the right owner
+chown -R zuul:zuul /home/zuul
--- a/config/nodepool/nodepool.yaml.j2
+++ b/config/nodepool/nodepool.yaml.j2
@ -39,6 +39,7 @@ diskimages:
      - openssh-server
      - simple-init
      - vm
+      - zuul-worker
    release: xenial
    env-vars:
      TMPDIR: /opt/nodepool/tmp
--- a/playbooks/group_vars/nodepool-builder.yaml
+++ b/playbooks/group_vars/nodepool-builder.yaml
@ -46,3 +46,10 @@ sudoers_task_manager:
  - config
 sudoers_file_includes_dest: /etc/sudoers.d/nodepool
 sudoers_file_includes_src: nodepool-builder/etc/sudoers.d/nodepool.j2
+
+# windmill.ssh
+ssh_user_name: "{{ nodepool_user_name|default('nodepool') }}"
+ssh_user_home: "{{ nodepool_user_home|default('/var/lib/nodepool') }}"
+
+ssh_key_public_content: |
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPFYsTS2aTFpgJHACEZjtkr4kt7rf9fHjavl5OhCq7rwAzfiQfq25YSaCZRRPywjUg6stm5JmBCLvQAa1LuhpsrUTE61TvGBIxeRwE6B0OecPW8SoXNbhgvfdrgVb4OIvH51tndPmXYPMpVN03iWyoSfN58YE77Z0VipDuG++dAjSJg+bmBlmmVE3L1419E2Jm56OnRDADWEDlvYciEIXaFWN9pIYXTL+Q1QdYKkWGPfuvMu6k5xSgQtNeXO4IWLSKyqkqj/PRQeY7XVBNstRhGzy+10fV0J4LrYcTAs/80rI2qgvrRoiDuXuhPMXyyD0OxoVrlIO4/f7BD2xk1lbq6JrUQthsNeLn9O5KVX9H7zhnFM1EUSRZz+knasDRfv8jrfrhUtM1QpF/3LITKftrjbr9whpOrxGSKSRRtnYlS5OrY1o9qqEfYPbelQdnz4oa+aTl0R7ApLfRpg64tbF1uNyVXwJvm7EYY2Ju1t0dY6vxFWlC8lLujE4Zq/VWajf5FhzsIh6SD0NVdz8UK1W/sZYKczejo0UHgQujfuJeJ3wRWAB/idzP2B69/uFJn7gp6199637j3v/3l38xRPi/kbh8zK0LjwvR8PKOlTx8pMJzNFaLzRqOTVJzhl4YmlYXtiNpxf/7/dPRUu8kJlb+yvVPo811v537EnmtsXin9w== zuul@example.org
--- a/playbooks/group_vars/zuul-executor.yaml
+++ b/playbooks/group_vars/zuul-executor.yaml
@ -56,3 +56,62 @@ logrotate_configs:
      - rotate 7
      - daily
      - notifempty
+
+# windmill.ssh
+ssh_user_name: "{{ zuul_user_name|default('zuul') }}"
+ssh_user_home: "{{ zuul_user_home|default('/var/lib/zuul') }}"
+
+ssh_key_private_content: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIJKgIBAAKCAgEAzxWLE0tmkxaYCRwAhGY7ZK+JLe63/Xx42r5eToQqu68AM34k
+  H6tuWEmgmUUT8sI1IOrLZuSZgQi70AGtS7oabK1ExOtU7xgSMXkcBOgdDnnD1vEq
+  FzW4YL33a4FW+DiLx+dbZ3T5l2DzKVTdN4lsqEnzefGBO+2dFYqQ7hvvnQI0iYPm
+  5gZZplRNy9eNfRNiZuejp0QwA1hA5b2HIhCF2hVjfaSGF0y/kNUHWCpFhj37rzLu
+  pOcUoELTXlzuCFi0isqpKo/z0UHmO11QTbLUYRs8vtdH1dCeC62HEwLP/NKyNqoL
+  60aIg7l7oTzF8sg9DsaFa5SDuP3+wQ9sZNZW6uia1ELYbDXi5/TuSlV/R+84ZxTN
+  RFEkWc/pJ2rA0X7/I6364VLTNUKRf9yyEyn7a426/cIaTq8RkikkUbZ2JUuTq2Na
+  PaqhH2D23pUHZ8+KGvmk5dEewKS30aYOuLWxdbjclV8Cb5uxGGNibtbdHWOr8RVp
+  QvJS7oxOGav1Vmo3+RYc7CIekg9DVXc/FCtVv7GWCnM3o6NFB4ELo37iXid8EVgA
+  f4ncz9gevf7hSZ+4Ketffet+497/95d/MUT4v5G4fMytC48L0fDyjpU8fKTCczRW
+  i80ajk1Sc4ZeGJpWF7YjacX/+/3T0VLvJCZW/sr1T6PNdb+d+xJ5rbF4p/cCAwEA
+  AQKCAgBLeAJzSatcN4O47ieSGN/UVdSclL8g9lflADPGUYxxUdm06men0wYnzs1k
+  jjQy6GwMTwVJvk3jJJetuq65Rl2S9aJ2UX1mlVMsDIMVlrHgMKgakVFRnBZRy2l8
+  GGrlk1X9yGcbURoU/RQhH/hu4Ppkam79JfJ/MJ1q2FDxNeUhR0h2RUfE1NOfNmIT
+  w76gsovODOUrdEI7NdKQ5310AKmHTPwxMeBcZW/7DGfczasAvV4X/2vRVRXDQhdd
+  8GgfSpShcDIufL/Spz2MrPkzF9UmfpKoyjQ3zAuNHfR4DTJXZUHlghtN5yqhNtvD
+  ay6IyEjYNakyB7HpnUdWfJR4O1T5J23Kqjea9Bg+mKw5YWOVqWUDcoEFZwyfJttM
+  jpKkUm9Lb211J9wTZhhryZxMbK0j2ciMdVu4ppv8tbktWj5tcY7F+rcmhNudHfeb
+  q3oe4raCc9PvQRjubMRMSWZLQY30WF4eJTuAMReMX6QtGkSH6QywOUIBEs4MsgVl
+  /b5SgAq2+B64BlMNCHnAWkPiDCK80Qv6G/NcoGw/F7+rYqTEyYuYfh+frmCNBECW
+  yR9vZY6IzQZg9+vYf7sxTfoy0aeIqutAb5MIQBNGKY1eVH5Ytlygd4mNyZvCFlyU
+  pKk4xrMHOrpgQ4Op/3ysF/59TRg0O/HKdrfSsunLJplBktH6YQKCAQEA6VApZ7eY
+  nu0OkPEMAy1jw2FxI9I7YliHIN2HFjXnn2QWqU/opbSCz7PKtv2F3DNxzMYrYOJY
+  RNZIfWqt22sKMnmhUbFBy7V5NWknHvkq321EJwbGe+eq1O3fLkNadmaJ5s+/UQfW
+  RIEEzXE2eilfJUhf1KQSmSTE33bpqqH1aUvvJLg3Tq003MHjSRjjh9Uv4MmSoKVn
+  DwWv6KZMkrdJVcFdh6LeQckYgAIn5F/H2MrhcVx/AWRonymY1fnh+90GKdLhlMAo
+  TaRoFsUWURJOUkLwVhVCh/Jgqt2LwbmLPxIvsf7ROZU/Cy3aRL2DzXCMy3jVuDy3
+  cMN4ydKNSyealQKCAQEA4zh3aD6necWWU3Pafm1BSGhsPE4VJq6aLnu0df4roWZW
+  u23/m5JACbLFSfnFgEUTcl09EosH1vPz8pNSGfEVsjO5ywjhKQbPWuDq1XlE0Vts
+  K5koqxbvVel9tEMFq+EWinebqtY6Bot3ymn86adqPJ/rkUN4aSOJEZ1Zuw1SA+kB
+  YXKYj5VXlfxxPKNV5Vkbiz+t4yXNaM6L0NTHLzitrshxbT10iuo4g711oTEc4lhx
+  TBpBQjNYAvWzKX7IyrDbjM/rRs7rthGkR8+puQggS37Lfqre0sC6ERXoT+uJMtZX
+  xQPv0cmlCIc6nhgESm9/t07KLLWOj1+cN+KBSzmhWwKCAQEApUNo8NS1wO0+AiEc
+  VyvRnNXq5GrIMbNvlDIWu/7W4Kpu+uNlcerZNfKuxsvyA7ZVB63fkDMEP05h7qSg
+  HepGQNazFECw0HDtOI4RbfklCzpEqjg8ZAwHj+gmzIhdDb04NUw2wlkAx2l0U2m8
+  IvAnOyt25hKKMfw/j+KVRY6PXVSyQppSYuKBrVWRf3enw9GYpmth93Tx+UwX/H2/
+  g7VctufPLoKJWKPvPM1KIJRP5RpgcoIIXJ4ZFZTLc9Ya4uL+uKVtsIYkhkrMiER2
+  uFp1LAPKZc+NXuqq2p0vn7ukDLr/Gd/bqCQ1kd+a2lI7iEwPDxm6mVQ4xCFR7/O6
+  rd+RuQKCAQEAqZvExjO+n8813yVju2uih4IrCPjgIPfEb1433rvTpa7WnyIE4wPQ
+  eWzQh9/B5XWqhnvC0sylFXcUacY+Ss8C+vpRfZUrPYyvy46IvMDA9eXgYMr66Hs+
+  PEsGYkCFQz/Jq6KMuIEg3zHMQXPMLj2ht49IMC7E+vZjoppqGI5g4jpTpYH9D3DS
+  6Ep/3FuwCnrxbIgkLKJTKiDDjSbHaCBOxWEqCfkNvYQIm44Y+DHI9cw/Biey/s+E
+  qvDsw9S33VUXDY1GepyKpmWU02XXsx61vKTxEaRKn9btDUPlHYMb7q7A5XeC1H5I
+  io0m3EvhKA8CrrpJgAYmXC9qVOzmxlhGcQKCAQEA5aq8q7pJNO45l9lyZbdShDvo
+  HT5RqmSajpCVed4RKR0eE/lCOiwExN9wJLJBls89TWcuVojHxOMq+Fx9KG1sYJSV
+  b980ejbSX0G4FeTmYacgn8DW+MwEVtA3tMEsFnTXirWrAV25dZ/nrKMDsT7VuoKP
+  hIZhDP6ArEjB4OFwKPNeoKA81R82Ubg58jFP7QRFUZHmfP7UGkaztRd7cLLcAah7
+  xD/bPqLKBBxJiFV7AjLXVkyNhFvtjB1fdqfAmlyBGFwrOGufKuBjS710ocS6bi9m
+  kqNxJjwpr7RIhj0f/zerJ4VS3ZeT2XeXBOTJ8jx4IkKWywgVa4nPVrSS8A706g==
+  -----END RSA PRIVATE KEY-----
+
+ssh_key_private_dest: "{{ ssh_user_home }}/.ssh/nodepool_id_rsa"
--- a/playbooks/nodepool-builder.yaml
+++ b/playbooks/nodepool-builder.yaml
@ -79,6 +79,10 @@
        owner: nodepool
        src: "{{ windmill_config_git_dest }}/nodepool/elements"

+    - name: Setup openstack.ssh role
+      include_role:
+        name: openstack.ssh
+
    - name: Setup openstack.logrotate role
      include_role:
        name: openstack.logrotate
--- a/playbooks/vars/nodepool.yaml
+++ b/playbooks/vars/nodepool.yaml
@ -19,57 +19,3 @@
 # NOTE(pabelanger): Because we are installing nodepool and nodepool-builder on a
 # shared host, we need to make sure both tasks use the same configuration.
 nodepool_file_nodepool_yaml_src: "{{ windmill_config_git_dest }}/nodepool/nodepool.yaml.j2"
-
-# windmill.ssh
-ssh_key_private_content: |
-  -----BEGIN RSA PRIVATE KEY-----
-  MIIJKgIBAAKCAgEAzxWLE0tmkxaYCRwAhGY7ZK+JLe63/Xx42r5eToQqu68AM34k
-  H6tuWEmgmUUT8sI1IOrLZuSZgQi70AGtS7oabK1ExOtU7xgSMXkcBOgdDnnD1vEq
-  FzW4YL33a4FW+DiLx+dbZ3T5l2DzKVTdN4lsqEnzefGBO+2dFYqQ7hvvnQI0iYPm
-  5gZZplRNy9eNfRNiZuejp0QwA1hA5b2HIhCF2hVjfaSGF0y/kNUHWCpFhj37rzLu
-  pOcUoELTXlzuCFi0isqpKo/z0UHmO11QTbLUYRs8vtdH1dCeC62HEwLP/NKyNqoL
-  60aIg7l7oTzF8sg9DsaFa5SDuP3+wQ9sZNZW6uia1ELYbDXi5/TuSlV/R+84ZxTN
-  RFEkWc/pJ2rA0X7/I6364VLTNUKRf9yyEyn7a426/cIaTq8RkikkUbZ2JUuTq2Na
-  PaqhH2D23pUHZ8+KGvmk5dEewKS30aYOuLWxdbjclV8Cb5uxGGNibtbdHWOr8RVp
-  QvJS7oxOGav1Vmo3+RYc7CIekg9DVXc/FCtVv7GWCnM3o6NFB4ELo37iXid8EVgA
-  f4ncz9gevf7hSZ+4Ketffet+497/95d/MUT4v5G4fMytC48L0fDyjpU8fKTCczRW
-  i80ajk1Sc4ZeGJpWF7YjacX/+/3T0VLvJCZW/sr1T6PNdb+d+xJ5rbF4p/cCAwEA
-  AQKCAgBLeAJzSatcN4O47ieSGN/UVdSclL8g9lflADPGUYxxUdm06men0wYnzs1k
-  jjQy6GwMTwVJvk3jJJetuq65Rl2S9aJ2UX1mlVMsDIMVlrHgMKgakVFRnBZRy2l8
-  GGrlk1X9yGcbURoU/RQhH/hu4Ppkam79JfJ/MJ1q2FDxNeUhR0h2RUfE1NOfNmIT
-  w76gsovODOUrdEI7NdKQ5310AKmHTPwxMeBcZW/7DGfczasAvV4X/2vRVRXDQhdd
-  8GgfSpShcDIufL/Spz2MrPkzF9UmfpKoyjQ3zAuNHfR4DTJXZUHlghtN5yqhNtvD
-  ay6IyEjYNakyB7HpnUdWfJR4O1T5J23Kqjea9Bg+mKw5YWOVqWUDcoEFZwyfJttM
-  jpKkUm9Lb211J9wTZhhryZxMbK0j2ciMdVu4ppv8tbktWj5tcY7F+rcmhNudHfeb
-  q3oe4raCc9PvQRjubMRMSWZLQY30WF4eJTuAMReMX6QtGkSH6QywOUIBEs4MsgVl
-  /b5SgAq2+B64BlMNCHnAWkPiDCK80Qv6G/NcoGw/F7+rYqTEyYuYfh+frmCNBECW
-  yR9vZY6IzQZg9+vYf7sxTfoy0aeIqutAb5MIQBNGKY1eVH5Ytlygd4mNyZvCFlyU
-  pKk4xrMHOrpgQ4Op/3ysF/59TRg0O/HKdrfSsunLJplBktH6YQKCAQEA6VApZ7eY
-  nu0OkPEMAy1jw2FxI9I7YliHIN2HFjXnn2QWqU/opbSCz7PKtv2F3DNxzMYrYOJY
-  RNZIfWqt22sKMnmhUbFBy7V5NWknHvkq321EJwbGe+eq1O3fLkNadmaJ5s+/UQfW
-  RIEEzXE2eilfJUhf1KQSmSTE33bpqqH1aUvvJLg3Tq003MHjSRjjh9Uv4MmSoKVn
-  DwWv6KZMkrdJVcFdh6LeQckYgAIn5F/H2MrhcVx/AWRonymY1fnh+90GKdLhlMAo
-  TaRoFsUWURJOUkLwVhVCh/Jgqt2LwbmLPxIvsf7ROZU/Cy3aRL2DzXCMy3jVuDy3
-  cMN4ydKNSyealQKCAQEA4zh3aD6necWWU3Pafm1BSGhsPE4VJq6aLnu0df4roWZW
-  u23/m5JACbLFSfnFgEUTcl09EosH1vPz8pNSGfEVsjO5ywjhKQbPWuDq1XlE0Vts
-  K5koqxbvVel9tEMFq+EWinebqtY6Bot3ymn86adqPJ/rkUN4aSOJEZ1Zuw1SA+kB
-  YXKYj5VXlfxxPKNV5Vkbiz+t4yXNaM6L0NTHLzitrshxbT10iuo4g711oTEc4lhx
-  TBpBQjNYAvWzKX7IyrDbjM/rRs7rthGkR8+puQggS37Lfqre0sC6ERXoT+uJMtZX
-  xQPv0cmlCIc6nhgESm9/t07KLLWOj1+cN+KBSzmhWwKCAQEApUNo8NS1wO0+AiEc
-  VyvRnNXq5GrIMbNvlDIWu/7W4Kpu+uNlcerZNfKuxsvyA7ZVB63fkDMEP05h7qSg
-  HepGQNazFECw0HDtOI4RbfklCzpEqjg8ZAwHj+gmzIhdDb04NUw2wlkAx2l0U2m8
-  IvAnOyt25hKKMfw/j+KVRY6PXVSyQppSYuKBrVWRf3enw9GYpmth93Tx+UwX/H2/
-  g7VctufPLoKJWKPvPM1KIJRP5RpgcoIIXJ4ZFZTLc9Ya4uL+uKVtsIYkhkrMiER2
-  uFp1LAPKZc+NXuqq2p0vn7ukDLr/Gd/bqCQ1kd+a2lI7iEwPDxm6mVQ4xCFR7/O6
-  rd+RuQKCAQEAqZvExjO+n8813yVju2uih4IrCPjgIPfEb1433rvTpa7WnyIE4wPQ
-  eWzQh9/B5XWqhnvC0sylFXcUacY+Ss8C+vpRfZUrPYyvy46IvMDA9eXgYMr66Hs+
-  PEsGYkCFQz/Jq6KMuIEg3zHMQXPMLj2ht49IMC7E+vZjoppqGI5g4jpTpYH9D3DS
-  6Ep/3FuwCnrxbIgkLKJTKiDDjSbHaCBOxWEqCfkNvYQIm44Y+DHI9cw/Biey/s+E
-  qvDsw9S33VUXDY1GepyKpmWU02XXsx61vKTxEaRKn9btDUPlHYMb7q7A5XeC1H5I
-  io0m3EvhKA8CrrpJgAYmXC9qVOzmxlhGcQKCAQEA5aq8q7pJNO45l9lyZbdShDvo
-  HT5RqmSajpCVed4RKR0eE/lCOiwExN9wJLJBls89TWcuVojHxOMq+Fx9KG1sYJSV
-  b980ejbSX0G4FeTmYacgn8DW+MwEVtA3tMEsFnTXirWrAV25dZ/nrKMDsT7VuoKP
-  hIZhDP6ArEjB4OFwKPNeoKA81R82Ubg58jFP7QRFUZHmfP7UGkaztRd7cLLcAah7
-  xD/bPqLKBBxJiFV7AjLXVkyNhFvtjB1fdqfAmlyBGFwrOGufKuBjS710ocS6bi9m
-  kqNxJjwpr7RIhj0f/zerJ4VS3ZeT2XeXBOTJ8jx4IkKWywgVa4nPVrSS8A706g==
-  -----END RSA PRIVATE KEY-----
--- a/playbooks/zuul-executor.yaml
+++ b/playbooks/zuul-executor.yaml
@ -12,11 +12,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 ---
- name: Install zuul-executor.
+- name: Install zuul-executor
  hosts: zuul-executor

  tasks:
-    - name: Setup openstack.zuul role.
+    - name: Setup openstack.zuul role
      include_role:
        name: openstack.zuul

@ -31,18 +31,22 @@

    # TODO(pabelanger): I'm thinking we should likely create
    # ansible-role-bubblewrap to allow user to better manage this dependency.
-    - name: Ensure bubblewrap is installed.
+    - name: Ensure bubblewrap is installed
      become: yes
      package:
        name: bubblewrap
        state: installed

-    - name: Setup openstack.logrotate role.
+    - name: Setup openstack.ssh role
+      include_role:
+        name: openstack.ssh
+
+    - name: Setup openstack.logrotate role
      include_role:
        name: openstack.logrotate

  post_tasks:
-    - name: Run zuul-executor validation.
+    - name: Run zuul-executor validation
      include_role:
        name: test.zuul-executor