Create Azimuth user outside of image build #251
base: main
Changes from 16 commits
0884213
fac8855
626a97d
53ae3cd
d5890ab
34f4603
497223c
4ebe7c0
bad74cc
b008c92
0f006d2
c23862b
164974a
dddd4f9
2229122
af81584
3972586
c553f33
19669ff
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
--- | ||
|
||
- hosts: localhost | ||
gather_facts: true | ||
vars: | ||
openstack_metadata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/meta_data.json') | from_json).get('meta', {}) }}" | ||
openstack_userdata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/user_data', split_lines=false) | from_yaml) }}" | ||
vars_files: | ||
- /etc/ansible-init/vars/user.yml | ||
tasks: | ||
- name: Get Azimuth user metadata | ||
ansible.builtin.set_fact: | ||
azimuth_username: "azimuth" | ||
The workstation playbook is setting a metadata item for this that I think we should respect?

I think so, I changed it because of #251 (comment)

I think we either respect the metadata item here or we don't pretend to support it in the workstation patch. I don't really mind which.
||
azimuth_uid: "{{ openstack_metadata['azimuth_workstation_uid'] | default('1006') }}" | ||
azimuth_gid: "{{ openstack_metadata['azimuth_workstation_gid'] | default('1006') }}" | ||
Comment on lines +14 to +15

These defaults are different to the workstation playbook - is that on purpose?

Not really, I think we're only setting defaults here anyway to get this to work without the metadata.

If the idea is to allow this to continue to work without the playbook patch, then the defaults should match the user in the Packer file that is being removed, i.e.
||
azimuth_is_sudo: "{{ openstack_metadata['azimuth_workstation_is_sudo'] | default(true) }}" | ||
azimuth_ssh_keys: "{{ openstack_userdata.azimuth_users[0].ssh_authorized_keys | default([]) }}" | ||
|
||
- name: Setup Azimuth home directory | ||
ansible.builtin.file: | ||
path: "{{ user_mountpoint }}/{{ azimuth_username }}-home" | ||
state: directory | ||
become: true | ||
|
||
- name: Setup bind mount for Azimuth home directory | ||
ansible.posix.mount: | ||
src: "{{ user_mountpoint }}/{{ azimuth_username }}-home" | ||
path: "/home/{{ azimuth_username }}" | ||
opts: bind | ||
fstype: none | ||
state: mounted | ||
become: true | ||
|
||
- name: Ensure the Azimuth user is created | ||
ansible.builtin.user: | ||
name: "{{ azimuth_username }}" | ||
uid: "{{ azimuth_uid }}" | ||
shell: "/bin/bash" | ||
become: true | ||
|
||
- name: Ensure the Azimuth group has the correct GID | ||
ansible.builtin.group: | ||
name: "{{ azimuth_username }}" | ||
gid: "{{ azimuth_gid }}" | ||
become: true | ||
|
||
- name: Ensure Azimuth home directory has the correct permissions | ||
ansible.builtin.file: | ||
path: "{{ user_mountpoint }}" | ||
state: directory | ||
owner: "{{ azimuth_username }}" | ||
group: "{{ azimuth_username }}" | ||
mode: '750' | ||
recurse: true | ||
become: true | ||
|
||
- name: Setup public keys for the Azimuth user | ||
ansible.posix.authorized_key: | ||
user: "{{ azimuth_username }}" | ||
state: present | ||
key: "{{ item }}" | ||
with_items: "{{ azimuth_ssh_keys }}" | ||
|
||
- name: Add the Azimuth user to sudoers | ||
ansible.builtin.user: | ||
name: "{{ azimuth_username }}" | ||
groups: sudo | ||
when: azimuth_is_sudo | bool | ||
|
||
- name: Make sudo without password for users | ||
ansible.builtin.copy: | ||
dest: /etc/sudoers.d/80-ansible-sudo-user | ||
content: "{{ azimuth_username }} ALL=(ALL) NOPASSWD:ALL" | ||
mode: 0440 | ||
when: azimuth_is_sudo | bool | ||
|
||
- name: Setup MOTD for user | ||
ansible.builtin.blockinfile: | ||
path: /etc/motd | ||
create: true | ||
block: | | ||
This Azimuth user is mounted at {{ user_mountpoint }}/{{ azimuth_username }}-home | ||
|
||
Note that this user storage is EPHEMERAL and is removed on platform deletion, use | ||
/platform for persistent storage between workstations. | ||
|
||
More information is available in the Azimuth user documentation: | ||
https://azimuth-cloud.github.io/azimuth-user-docs/platforms/linux-workstation/ | ||
become: true |
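Review bot: the task "Ensure Azimuth home directory has the correct permissions" recurses over `{{ user_mountpoint }}` itself rather than `{{ user_mountpoint }}/{{ azimuth_username }}-home`, so everything already under the mountpoint is chowned to the azimuth user and, because a numeric `mode: '750'` is combined with `recurse: true`, every regular file is also marked executable; restrict `path` to the `-home` subdirectory and use a symbolic mode such as `u=rwX,g=rX,o=` so directories and files are treated separately. In the same hunk, "Add the Azimuth user to sudoers", "Make sudo without password for users" and "Setup public keys for the Azimuth user" are the only tasks without `become: true`, and `groups: sudo` without `append: true` replaces the user's supplementary groups; add `become: true` for consistency, `append: true` on the group change, and `validate: /usr/sbin/visudo -cf %s` on the sudoers `copy` so a bad render cannot leave sudo unusable. `mode: 0440` is an unquoted octal literal, write it as `mode: '0440'` like the `'750'` above. Finally, the group task runs after the user task, so `useradd` first creates the primary group with a GID of its own and it is only changed afterwards; creating the group with `gid` first and passing `group: "{{ azimuth_username }}"` to the user task avoids that intermediate state.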
@@ -0,0 +1,21 @@ | ||
--- | ||
|
||
- name: Ensure ansible-init directories exist | ||
file: | ||
path: "/etc/ansible-init/{{ item }}" | ||
state: directory | ||
loop: | ||
- includes | ||
- playbooks | ||
- vars | ||
|
||
- name: Install ansible-init vars for users | ||
copy: | ||
content: "{{ { 'user_mountpoint': user_mountpoint } | to_nice_yaml }}" | ||
Stylistic choice, but I like having this as a nicely formatted variable under
||
dest: /etc/ansible-init/vars/user.yml | ||
|
||
- name: Install ansible-init playbook | ||
copy: | ||
src: user-create-playbook.yml | ||
# Leave some numbers for playbooks to execute before | ||
dest: /etc/ansible-init/playbooks/15-user-create.yml |
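Review bot: neither `copy` task nor the `file` task sets `owner`, `group` or `mode`, so the permissions of `/etc/ansible-init/playbooks/15-user-create.yml`, `/etc/ansible-init/vars/user.yml` and the `/etc/ansible-init/*` directories depend on the build user's umask; since the installed playbook is run at boot by ansible-init and carries `become: true` tasks, set `owner: root`, `group: root` and `mode: '0644'` (`'0755'` for the directories) explicitly so nothing writable by an unprivileged account sits in that execution path. Style: this file uses bare `file`/`copy` while the playbook it installs uses `ansible.builtin.*` FQCNs; pick one convention. The vars file currently carries only `user_mountpoint`; writing it as a proper YAML variable instead of `{ 'user_mountpoint': user_mountpoint } | to_nice_yaml`, as the comment above suggests, would also make it straightforward to add the username there later.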
@@ -48,17 +48,26 @@ | |
# generating ]]>, which will still break XML. Therefore remove ">" from special | ||
# characters. | ||
special_chars: '!"#$%&()*+,-./:;<=?@[\]^_`{|}~' | ||
|
||
- block: | ||
- name: Get Guacamole user info | ||
getent: | ||
database: passwd | ||
key: "{{ guacamole_user }}" | ||
|
||
- name: Get Guacamole user info | ||
getent: | ||
database: passwd | ||
key: "{{ guacamole_user }}" | ||
Do we need the The way this is currently set up, it will use the username baked into the vars file at build time.

Yes, although I'm not sure if we're going to be using this outside of the case where the user is 'azimuth'. I suppose we should decide on whether to set the user in metadata or assume the user is always azimuth.

Same as above, I don't care which we do but we need to be consistent between the image and the playbook. Probably using a fixed
||
|
||
- name: Set Guacamole user home directory | ||
set_fact: | ||
guacamole_user_home: "{{ ansible_facts.getent_passwd[guacamole_user][4] }}" | ||
|
||
- name: Set Guacamole user home directory | ||
set_fact: | ||
guacamole_user_home: "{{ ansible_facts.getent_passwd[guacamole_user][4] }}" | ||
- name: Configure user for systemd unit | ||
copy: | ||
dest: /etc/systemd/system/vncserver@:1.service.d/user.conf | ||
content: | | ||
[Service] | ||
Environment=VNCSERVER_PASSWD_FILE={{ guacamole_user_home }}/.vnc/passwd | ||
User={{ guacamole_user }} | ||
become: true | ||
|
||
- block: | ||
- name: Generate VNC password | ||
command: vncpasswd -f | ||
args: | ||
|
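Review bot: "Configure user for systemd unit" writes a drop-in to `/etc/systemd/system/vncserver@:1.service.d/user.conf`, but nothing in this hunk creates that `.service.d` directory or triggers a daemon reload; unless both happen elsewhere in the role, `copy` fails on the missing directory and systemd keeps the previous `User=`/`Environment=` values until the next reload. Add a `file: state: directory` task for the drop-in directory and notify a handler running `ansible.builtin.systemd` with `daemon_reload: true`. Also note that `VNCSERVER_PASSWD_FILE={{ guacamole_user_home }}/.vnc/passwd` now resolves through `getent`, and for the Azimuth user that home is the bind mount onto `{{ user_mountpoint }}` created in the other file, so the VNC password file lives on the storage the MOTD calls ephemeral; that is acceptable only if `vncpasswd -f` below regenerates it on every boot, which deserves a comment here. Lastly, the `getent`/`set_fact` pair is moved out of a `block:`; confirm that no `when` or `become` carried by the removed block is still needed by the now-unblocked tasks.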
RDP gateway doesn't have a /data mount