Create Azimuth user outside of image build (#251)

* Setup Azimuth user creation in linux-data-volumes

* Hardcode Azimuth user

* Disable SSH for now

* Move Guacamole user tasks to ansible-init

* Revert "Disable SSH for now"

This reverts commit 626a97d.

* Parse openstack_userdata correctly

* Fix ssh_key

* Fix SSH keys again

* Setup bind mount

* Create linux-user role

* Remove permissions config from data-volumes role

* Fix repo2docker mountpoint

* Fix user includes

* Fix undefined SSH keys

* Setup MOTD for Azimuth user

* Remove managed text marker

* Change init vars

* Fix Zenith mounts

* Remove azimuth_username variable

* Use UID/GID from appliance

* Update MOTD

* Add Zenith SSH mountpoint to r-studio role

* Update metadata variables

* Update MOTD

* Create the Azimuth user group

ansible/roles/jupyter-repo2docker/files/repo2docker-playbook.yml

@@ -10,6 +10,22 @@
     os_user_metadata: "{{ os_metadata.get('meta', {}) }}"
     os_project_id: "{{ os_metadata.project_id }}"
   tasks:
+    - name: Ensure Zenith SSH mount has the correct permissions
+      file:
+        path: "/etc/zenith/ssh"
+        state: directory
+        owner: "podman"
+        group: "podman"
+        mode: '0755'
+
+    - name: Ensure data mountpoint has the correct permissions
+      file:
+        path: "/data"
+        state: directory
+        owner: "podman"
+        group: "podman"
+        mode: '0755'
+
     - name: Make Jupyter data directory
       # Have to make this here not in the base image
       # because the data volume has to be mounted first

ansible/roles/jupyter-repo2docker/tasks/main.yml

@@ -11,13 +11,9 @@
       - metadata_var: zenith_volume_id
         mountpoint: /etc/zenith/ssh
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
       - metadata_var: data_volume_id
         mountpoint: /data
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
 
 - include_tasks: repo2docker.yml
 

ansible/roles/linux-data-volumes/files/data-volumes-configure-volume.yml

@@ -67,11 +67,3 @@
     state: mounted
     fstype: "{{ data_volume.get('fs_type', 'ext4') }}"
     opts: "{{ data_volume.get('opts', omit) }}"
-
-- name: Ensure mountpoint permissions
-  ansible.builtin.file:
-    state: directory
-    owner: "{{ data_volume.owner }}"
-    group: "{{ data_volume.group }}"
-    path: "{{ data_volume.mountpoint }}"
-    mode: "{{ data_volume.get('mode', '0755') }}"

ansible/roles/linux-data-volumes/tasks/main.yml

@@ -16,7 +16,7 @@
   loop:
     - data-volumes-configure-volume.yml
 
-- name: Install ansible-init vars
+- name: Install ansible-init vars for volumes
   copy:
     content: "{{ { 'data_volumes': data_volumes } | to_nice_yaml }}"
     dest: /etc/ansible-init/vars/data-volumes.yml

ansible/roles/linux-rdp-gateway/files/guacamole-playbook.yml

@@ -6,6 +6,14 @@
   vars:
     openstack_metadata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/meta_data.json') | from_json).get('meta', {}) }}"
   tasks:
+    - name: Ensure Zenith SSH mount has the correct permissions
+      file:
+        path: "/etc/zenith/ssh"
+        state: directory
+        owner: "podman"
+        group: "podman"
+        mode: '0755'
+
     - name: Write Guacamole user mapping file
       copy:
         content: |

ansible/roles/linux-rdp-gateway/tasks/main.yml

@@ -11,8 +11,6 @@
       - metadata_var: zenith_volume_id
         mountpoint: /etc/zenith/ssh
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
 
 - include_role:
     name: linux-guacamole

ansible/roles/linux-rstudio/files/rstudio-server-playbook.yml

@@ -6,6 +6,22 @@
     os_user_metadata: "{{ os_metadata.get('meta', {}) }}"
     os_project_id: "{{ os_metadata.project_id }}"
   tasks:
+  - name: Ensure Zenith SSH mount has the correct permissions
+    file:
+      path: "/etc/zenith/ssh"
+      state: directory
+      owner: "podman"
+      group: "podman"
+      mode: '0755'
+
+  - name: Ensure data mount has the correct permissions
+    file:
+      path: "/data"
+      state: directory
+      owner: "podman"
+      group: "podman"
+      mode: '0755'
+
   - name: Ensure rstudio-server service is enabled and started
     service:
       name: rstudio-server

ansible/roles/linux-rstudio/tasks/main.yml

@@ -11,13 +11,9 @@
       - metadata_var: zenith_volume_id
         mountpoint: /etc/zenith/ssh
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
       - metadata_var: data_volume_id
         mountpoint: /data
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
 
 - include_tasks: rstudio.yml
 

ansible/roles/linux-user/files/user-create-playbook.yml

@@ -0,0 +1,91 @@
+---
+
+- hosts: localhost
+  gather_facts: true
+  vars:
+    openstack_metadata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/meta_data.json') | from_json).get('meta', {}) }}"
+    openstack_userdata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/user_data', split_lines=false) | from_yaml) }}"
+  vars_files:
+    - /etc/ansible-init/vars/user.yml
+  tasks:
+    - name: Get Azimuth user metadata
+      ansible.builtin.set_fact:
+        azimuth_uid: "{{ openstack_metadata['azimuth_uid'] | default('1005') }}"
+        azimuth_gid: "{{ openstack_metadata['azimuth_gid'] | default('1005') }}"
+        azimuth_is_sudo: "{{ openstack_metadata['azimuth_is_sudo'] | default('yes') }}"
+        azimuth_ssh_keys: "{{ openstack_userdata.azimuth_users[0].ssh_authorized_keys | default([]) }}"
+
+    - name: Setup Azimuth home directory
+      ansible.builtin.file:
+        path: "{{ user_mountpoint }}/azimuth-home"
+        state: directory
+      become: true
+
+    - name: Setup bind mount for Azimuth home directory
+      ansible.posix.mount:
+        src: "{{ user_mountpoint }}/azimuth-home"
+        path: "/home/azimuth"
+        opts: bind
+        fstype: none
+        state: mounted
+      become: true
+
+    - name: Ensure the Azimuth group is created
+      ansible.builtin.group:
+        name: "azimuth"
+        gid: "{{ azimuth_gid }}"
+      become: true
+
+    - name: Ensure the Azimuth user is created
+      ansible.builtin.user:
+        name: "azimuth"
+        group: "azimuth"
+        uid: "{{ azimuth_uid }}"
+        shell: "/bin/bash"
+        create_home: false
+      become: true
+
+    - name: Ensure Azimuth home directory has the correct permissions
+      ansible.builtin.file:
+        path: "{{ user_mountpoint }}"
+        state: directory
+        owner: "azimuth"
+        group: "azimuth"
+        mode: '750'
+        recurse: true
+      become: true
+
+    - name: Setup public keys for the Azimuth user
+      ansible.posix.authorized_key:
+        user: "azimuth"
+        state: present
+        key: "{{ item }}"
+      with_items: "{{ azimuth_ssh_keys }}"
+
+    - name: Add the Azimuth user to sudoers
+      ansible.builtin.user:
+        name: "azimuth"
+        groups: sudo
+      when: azimuth_is_sudo == "yes"
+
+    - name: Make sudo without password for users
+      ansible.builtin.copy:
+        dest: /etc/sudoers.d/80-ansible-sudo-user
+        content: "azimuth ALL=(ALL) NOPASSWD:ALL"
+        mode: 0440
+      when: azimuth_is_sudo == "yes"
+
+    - name: Setup MOTD for user
+      ansible.builtin.blockinfile:
+        path: /etc/motd
+        create: true
+        marker: ""
+        block: |
+          Note that this user storage (/home/azimuth) is ephemeral, but is persistent through
+          platform patches. All system level changes outside of the home directory will be lost
+          on a platform patch.
+
+          When configured by the Azimuth operator and supported by the platform, an additional
+          filesystem is mounted at /project. This filesystem persists after the platform is deleted
+          and is shared with other platforms in the tenancy.
+      become: true

ansible/roles/linux-user/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Ensure ansible-init directories exist
+  file:
+    path: "/etc/ansible-init/{{ item }}"
+    state: directory
+  loop:
+    - includes
+    - playbooks
+    - vars
+
+- name: Install ansible-init vars for users
+  copy:
+    content: "{{ user_init_vars | to_nice_yaml }}"
+    dest: /etc/ansible-init/vars/user.yml
+  vars:
+    user_init_vars:
+      user_mountpoint: /data
+
+- name: Install ansible-init playbook
+  copy:
+    src: user-create-playbook.yml
+    # Leave some numbers for playbooks to execute before
+    dest: /etc/ansible-init/playbooks/15-user-create.yml

ansible/roles/linux-webconsole/files/guacamole-playbook.yml

@@ -6,6 +6,14 @@
   vars_files:
     - /etc/ansible-init/vars/guacamole.yml
   tasks:
+    - name: Ensure Zenith SSH mount has the correct permissions
+      file:
+        path: "/etc/zenith/ssh"
+        state: directory
+        owner: "podman"
+        group: "podman"
+        mode: '0755'
+
     - name: Generate SSH keypair for Guacamole
       # Guacamole requires that the key is PEM-formatted
       # See https://issues.apache.org/jira/browse/GUACAMOLE-745
@@ -48,17 +56,26 @@
             # generating ]]>, which will still break XML. Therefore remove ">" from special
             # characters.
             special_chars: '!"#$%&()*+,-./:;<=?@[\]^_`{|}~'
-
-        - block:
-          - name: Get Guacamole user info
-            getent:
-              database: passwd
-              key: "{{ guacamole_user }}"
+
+        - name: Get Guacamole user info
+          getent:
+            database: passwd
+            key: "{{ guacamole_user }}"
 
-          - name: Set Guacamole user home directory
-            set_fact:
-              guacamole_user_home: "{{ ansible_facts.getent_passwd[guacamole_user][4] }}"
+        - name: Set Guacamole user home directory
+          set_fact:
+            guacamole_user_home: "{{ ansible_facts.getent_passwd[guacamole_user][4] }}"
+
+        - name: Configure user for systemd unit
+          copy:
+            dest: /etc/systemd/system/vncserver@:1.service.d/user.conf
+            content: |
+              [Service]
+              Environment=VNCSERVER_PASSWD_FILE={{ guacamole_user_home }}/.vnc/passwd
+              User={{ guacamole_user }}
+          become: true
 
+        - block:
           - name: Generate VNC password
             command: vncpasswd -f
             args:

ansible/roles/linux-webconsole/tasks/main.yml

@@ -27,29 +27,28 @@
     name: apptainer
     state: present
 
-- block:
-    - include_tasks: desktop.yml
-    - include_tasks: vnc_server.yml
-  when: desktop_enabled is defined and desktop_enabled
-
-- include_role: 
-    name: linux-podman
-    tasks_from: install.yml
-
 - include_role:
     name: linux-data-volumes
   vars:
     data_volumes:
       - metadata_var: zenith_volume_id
         mountpoint: /etc/zenith/ssh
         opts: "defaults,nofail"
-        owner: podman
-        group: podman
       - metadata_var: data_volume_id
         mountpoint: /data
         opts: "defaults,nofail"
-        owner: azimuth
-        group: azimuth
+
+- include_role:
+    name: linux-user
+
+- block:
+    - include_tasks: desktop.yml
+    - include_tasks: vnc_server.yml
+  when: desktop_enabled is defined and desktop_enabled
+
+- include_role: 
+    name: linux-podman
+    tasks_from: install.yml
 
 - include_role:
     name: linux-zenith-ssh

ansible/roles/linux-webconsole/tasks/vnc_server.yml

@@ -29,25 +29,7 @@
     - start_order.conf
     - restart.conf
 
-- name: Get guacamole user info
-  user:
-    name: "{{ guacamole_user }}"
-    state: present
-  register: guacamole_user_info
-
-- name: Set VNC server user facts for guacamole user
-  set_fact:
-    guacamole_user_vnc_config_dir: "{{ guacamole_user_info.home }}/.vnc"
-
 - name: Ensure systemd overrides directory exists
   file:
     path: /etc/systemd/system/vncserver@:1.service.d
     state: directory
-
-- name: Configure user for systemd unit
-  copy:
-    dest: /etc/systemd/system/vncserver@:1.service.d/user.conf
-    content: |
-      [Service]
-      Environment=VNCSERVER_PASSWD_FILE={{ guacamole_user_vnc_config_dir }}/passwd
-      User={{ guacamole_user }}

ansible/roles/linux-zenith-client/templates/zenith-playbook.yml

@@ -21,6 +21,14 @@
         "zenith_sshd_port" not in os_user_metadata or
         zenith_registrar_token_metadata_key not in os_user_metadata
 
+    - name: Ensure Zenith SSH mount has the correct permissions
+      file:
+        path: "/etc/zenith/ssh/"
+        state: directory
+        owner: "podman"
+        group: "podman"
+        mode: '0755'
+
     - name: Set Zenith facts
       set_fact:
         zenith_client_registrar_url: "{{ os_user_metadata.zenith_registrar_url }}"

packer/linux-desktop.pkr.hcl

@@ -72,20 +72,6 @@ source "openstack" "linux-desktop" {
   communicator = "ssh"
   ssh_username = var.ssh_username
   ssh_clear_authorized_keys = true
-
-  user_data = <<-EOF
-  #cloud-config
-  users:
-  - default
-  # create a new default-type user matching Slurm platform:
-  - name: azimuth
-    uid: 1005
-    lock_passwd: true
-    gecos: Azimuth User
-    groups: [adm, systemd-journal]
-    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
-    shell: /bin/bash
-  EOF
 }
 
 build {