From 09935ff32823f44682c0350f1d89d6d3358174ad Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Mon, 11 May 2020 14:56:50 -0700
Subject: [PATCH] Run Zuul as the zuuld user

This avoids the conflict with the zuul user (1000) on the test
nodes.  The executor will continue to use the default username
of 'zuul' as the ansible_user in the inventory.

This change also touches the zk and nodepool deployment to use
variables for the usernames and uids to make changes like this
easier.  No changes are intended there.

Change-Id: Ib8cef6b7889b23ddc65a07bcba29c21a36e3dcb5
---
 playbooks/group_vars/nodepool-builder.yaml    |  6 +-
 .../group_vars/nodepool-builder_opendev.yaml  |  2 +-
 playbooks/group_vars/nodepool-launcher.yaml   |  4 +-
 .../group_vars/nodepool-launcher_opendev.yaml |  6 +-
 playbooks/group_vars/nodepool.yaml            | 10 ++-
 playbooks/group_vars/zookeeper.yaml           |  4 ++
 playbooks/group_vars/zuul.yaml                |  2 +
 .../roles/nodepool-base/defaults/main.yaml    |  5 --
 playbooks/roles/nodepool-base/tasks/main.yaml | 21 +++---
 .../roles/nodepool-builder/tasks/main.yaml    |  4 +-
 playbooks/roles/zookeeper/tasks/main.yaml     | 21 +++---
 .../zuul-executor/files/docker-compose.yaml   |  2 +-
 .../zuul-merger/files/docker-compose.yaml     |  2 +-
 .../zuul-scheduler/files/docker-compose.yaml  |  2 +-
 .../roles/zuul-web/files/docker-compose.yaml  |  4 +-
 playbooks/roles/zuul/tasks/main.yaml          | 66 +++++++++----------
 16 files changed, 81 insertions(+), 80 deletions(-)

diff --git a/playbooks/group_vars/nodepool-builder.yaml b/playbooks/group_vars/nodepool-builder.yaml
index 81cac6a1aa..16e82208ba 100644
--- a/playbooks/group_vars/nodepool-builder.yaml
+++ b/playbooks/group_vars/nodepool-builder.yaml
@@ -1,4 +1,4 @@
-openstacksdk_config_dir: /home/nodepool/.config/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
+openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
diff --git a/playbooks/group_vars/nodepool-builder_opendev.yaml b/playbooks/group_vars/nodepool-builder_opendev.yaml
index 11b5eac6ed..6b987b9ae1 100644
--- a/playbooks/group_vars/nodepool-builder_opendev.yaml
+++ b/playbooks/group_vars/nodepool-builder_opendev.yaml
@@ -1,4 +1,4 @@
 openstacksdk_config_dir: /etc/openstack
 openstacksdk_config_owner: root
-openstacksdk_config_group: nodepool
+openstacksdk_config_group: "{{ nodepool_group }}"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
diff --git a/playbooks/group_vars/nodepool-launcher.yaml b/playbooks/group_vars/nodepool-launcher.yaml
index 4174245222..dd46629203 100644
--- a/playbooks/group_vars/nodepool-launcher.yaml
+++ b/playbooks/group_vars/nodepool-launcher.yaml
@@ -1,4 +1,4 @@
 openstacksdk_config_dir: /etc/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
diff --git a/playbooks/group_vars/nodepool-launcher_opendev.yaml b/playbooks/group_vars/nodepool-launcher_opendev.yaml
index 81cac6a1aa..16e82208ba 100644
--- a/playbooks/group_vars/nodepool-launcher_opendev.yaml
+++ b/playbooks/group_vars/nodepool-launcher_opendev.yaml
@@ -1,4 +1,4 @@
-openstacksdk_config_dir: /home/nodepool/.config/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
+openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
diff --git a/playbooks/group_vars/nodepool.yaml b/playbooks/group_vars/nodepool.yaml
index 91e605d531..2c1347a893 100644
--- a/playbooks/group_vars/nodepool.yaml
+++ b/playbooks/group_vars/nodepool.yaml
@@ -1,4 +1,8 @@
-kube_config_dir: ~nodepool/.kube
-kube_config_owner: nodepool
-kube_config_group: nodepool
+nodepool_user: nodepool
+nodepool_group: nodepool
+nodepool_uid: 10001
+nodepool_gid: 10001
+kube_config_dir: ~{{ nodepool_user }}/.kube
+kube_config_owner: "{{ nodepool_user }}"
+kube_config_group: "{{ nodepool_group }}"
 kube_config_template: clouds/nodepool_kube_config.yaml.j2
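Review bot: The comment deleted along with the role defaults ("Keep these in sync with the container uid's so containers can write to local bits and pieces") was the only place explaining why `nodepool_uid`/`nodepool_gid` are 10001, and it is not carried over here; add it above `nodepool_uid: 10001`. `kube_config_dir: ~{{ nodepool_user }}/.kube` is also left unquoted while the equivalent openstacksdk path in this change is quoted — write `kube_config_dir: "~{{ nodepool_user }}/.kube"` so the two agree and the value does not depend on plain-scalar handling of the leading `~` and the braces.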
diff --git a/playbooks/group_vars/zookeeper.yaml b/playbooks/group_vars/zookeeper.yaml
index e03be16ec0..f62df8548a 100644
--- a/playbooks/group_vars/zookeeper.yaml
+++ b/playbooks/group_vars/zookeeper.yaml
@@ -1,3 +1,7 @@
+zookeeper_user: zookeeper
+zookeeper_group: zookeeper
+zookeeper_uid: 10001
+zookeeper_gid: 10001
 iptables_extra_allowed_hosts:
   - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'}
   - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'}
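Review bot: `zookeeper_uid`/`zookeeper_gid` are 10001, the same ids the nodepool group now assigns to `nodepool`, and after this change they live only in group_vars rather than in the zookeeper role. A host that receives both roles (nodepool-base exposes `nodepool_base_install_zookeeper`) would hit a uid/gid collision when the second account is created, and a host running the zookeeper role outside the `zookeeper` group would fail on an undefined `zookeeper_user`; the id overlap predates this change but moving the values is the moment to either pick distinct ids or record the assumption with a comment such as `# Must not collide with nodepool_uid/zuul_user_id on any host that shares roles`. Keeping `zookeeper_user`/`zookeeper_uid` defaults in the role would preserve its standalone use. Whether any host actually combines the roles is not visible here.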
diff --git a/playbooks/group_vars/zuul.yaml b/playbooks/group_vars/zuul.yaml
index e3f2dd3e3a..604fbc21cb 100644
--- a/playbooks/group_vars/zuul.yaml
+++ b/playbooks/group_vars/zuul.yaml
@@ -1,5 +1,7 @@
 zuul_user_id: 10001
 zuul_group_id: 10001
+zuul_user: zuuld
+zuul_group: zuuld
 zuul_known_hosts: |
   [review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }}
   [git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==
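Review bot: `zuul_user: zuuld` names only the host-side account, while the containers still run as the in-image `zuul` user (the zuul-web compose file keeps `user: zuul`) and the bind mounts rely on `zuul_user_id: 10001` matching that image uid; now that the two names differ, nothing in this file records the coupling. Add a comment above the two new lines, e.g. `# Host account only; containers still run as 'zuul' and must use this uid/gid`. The naming is also inconsistent with the nodepool and zookeeper groups introduced in the same change, which use `*_uid`/`*_gid` rather than `zuul_user_id`/`zuul_group_id`.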
diff --git a/playbooks/roles/nodepool-base/defaults/main.yaml b/playbooks/roles/nodepool-base/defaults/main.yaml
index f6c7e9a391..38bb8e9166 100644
--- a/playbooks/roles/nodepool-base/defaults/main.yaml
+++ b/playbooks/roles/nodepool-base/defaults/main.yaml
@@ -1,6 +1 @@
 nodepool_base_install_zookeeper: False
-
-# Keep these in sync with the container uid's so containers can write
-# to local bits and pieces.
-nodepool_base_nodepool_uid: 10001
-nodepool_base_nodepool_gid: 10001
\ No newline at end of file
diff --git a/playbooks/roles/nodepool-base/tasks/main.yaml b/playbooks/roles/nodepool-base/tasks/main.yaml
index 48e0660dbe..956a702ee5 100644
--- a/playbooks/roles/nodepool-base/tasks/main.yaml
+++ b/playbooks/roles/nodepool-base/tasks/main.yaml
@@ -1,17 +1,18 @@
 - name: Add the nodepool group
   group:
-    name: nodepool
+    name: '{{ nodepool_group }}'
     state: present
-    gid: '{{ nodepool_base_nodepool_gid }}'
+    gid: '{{ nodepool_gid }}'
 
 - name: Add the nodepool user
   user:
-    name: nodepool
-    group: nodepool
-    home: /home/nodepool
+    name: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
+    uid: '{{ nodepool_uid }}'
+    home: '/home/{{ nodepool_user }}'
     create_home: yes
     shell: /bin/bash
-    uid: '{{ nodepool_base_nodepool_uid }}'
+    system: yes
 
 - name: Sync project-config
   include_role:
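Review bot: `system: yes` is added to the nodepool user but not to the nodepool group, whereas the zookeeper and zuul roles mark both as system entries; add `system: yes` to the `Add the nodepool group` task for consistency. Also, as far as the user module documents, `system` is only honoured when the account is first created, so already-provisioned hosts keep a regular account and will not converge on this setting — a one-line comment `# system: only applied on first creation` above it would save the next reader a drift investigation.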
@@ -21,16 +22,16 @@
   file:
     name: /etc/nodepool
     state: directory
-    owner: nodepool
-    group: nodepool
+    owner: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
     mode: 0755
 
 - name: Create nodepool log dir
   file:
     name: /var/log/nodepool
     state: directory
-    owner: nodepool
-    group: nodepool
+    owner: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
     mode: 0755
 
 - name: Look for a host specific config file
diff --git a/playbooks/roles/nodepool-builder/tasks/main.yaml b/playbooks/roles/nodepool-builder/tasks/main.yaml
index 7c33fffc86..c4fe1b9adf 100644
--- a/playbooks/roles/nodepool-builder/tasks/main.yaml
+++ b/playbooks/roles/nodepool-builder/tasks/main.yaml
@@ -8,8 +8,8 @@
     state: directory
     path: '{{ item }}'
     mode: 0755
-    owner: nodepool
-    group: nodepool
+    owner: "{{ nodepool_user }}"
+    group: "{{ nodepool_group }}"
   loop:
     - '/opt/dib_tmp'
     - '/opt/dib_cache'
diff --git a/playbooks/roles/zookeeper/tasks/main.yaml b/playbooks/roles/zookeeper/tasks/main.yaml
index 8752ffe66f..10ceaa2dba 100644
--- a/playbooks/roles/zookeeper/tasks/main.yaml
+++ b/playbooks/roles/zookeeper/tasks/main.yaml
@@ -1,17 +1,16 @@
 - name: Create Zookeeper group
   group:
-    name: "zookeeper"
-    gid: 10001
+    name: "{{ zookeeper_group }}"
+    gid: "{{ zookeeper_gid }}"
     system: yes
 - name: Create Zookeeper User
   user:
-    name: "zookeeper"
-    uid: 10001
-    comment: Zookeeper
-    shell: /bin/false
-    group: "zookeeper"
-    home: "/var/zookeeper"
-    create_home: no
+    name: "{{ zookeeper_user }}"
+    group: "{{ zookeeper_group }}"
+    uid: "{{ zookeeper_uid }}"
+    home: "/home/{{ zookeeper_user }}"
+    create_home: yes
+    shell: /bin/bash
     system: yes
 - name: Synchronize compose directory
   synchronize:
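Review bot: The Zookeeper service account silently loses its non-login configuration in this hunk: `shell: /bin/false`, `home: "/var/zookeeper"` and `create_home: no` are replaced by `shell: /bin/bash`, a new `/home/zookeeper` and `create_home: yes`, although the commit message says no change is intended for zk. An account that exists only to own `/var/zookeeper/{conf,data}` should not gain an interactive shell or a home directory; restore the three lines `shell: /bin/false`, `home: "/var/zookeeper"`, `create_home: no` (and the dropped `comment: Zookeeper` if wanted). On hosts that already have the account, the new `home` value would also rewrite the passwd entry without moving anything, so the account record would diverge from the directory layout the rest of the role manages.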
@@ -21,8 +20,8 @@
   file:
     state: directory
     path: "/var/zookeeper/{{ item }}"
-    owner: zookeeper
-    group: zookeeper
+    owner: "{{ zookeeper_user }}"
+    group: "{{ zookeeper_group }}"
   loop:
     - conf
     - data
diff --git a/playbooks/roles/zuul-executor/files/docker-compose.yaml b/playbooks/roles/zuul-executor/files/docker-compose.yaml
index 2bfaff3ad3..15df22da8c 100644
--- a/playbooks/roles/zuul-executor/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-executor/files/docker-compose.yaml
@@ -12,7 +12,7 @@ services:
       - /etc/zuul:/etc/zuul
       - /opt/project-config:/opt/project-config
       - /afs:/afs
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
       - /var/lib/zuul:/var/lib/zuul
       - /var/log/zuul:/var/log/zuul
       - /etc/openafs:/etc/openafs
diff --git a/playbooks/roles/zuul-merger/files/docker-compose.yaml b/playbooks/roles/zuul-merger/files/docker-compose.yaml
index 994593f1ff..db62d16c11 100644
--- a/playbooks/roles/zuul-merger/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-merger/files/docker-compose.yaml
@@ -11,6 +11,6 @@ services:
     volumes:
       - /etc/zuul:/etc/zuul
       - /opt/project-config:/opt/project-config
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
       - /var/lib/zuul:/var/lib/zuul
       - /var/log/zuul:/var/log/zuul
diff --git a/playbooks/roles/zuul-scheduler/files/docker-compose.yaml b/playbooks/roles/zuul-scheduler/files/docker-compose.yaml
index 2d98d627fb..6659d61274 100644
--- a/playbooks/roles/zuul-scheduler/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-scheduler/files/docker-compose.yaml
@@ -11,6 +11,6 @@ services:
     volumes:
       - /etc/zuul:/etc/zuul
       - /opt/project-config:/opt/project-config
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
       - /var/lib/zuul:/var/lib/zuul
       - /var/log/zuul:/var/log/zuul
diff --git a/playbooks/roles/zuul-web/files/docker-compose.yaml b/playbooks/roles/zuul-web/files/docker-compose.yaml
index 7930b35820..d43a40415f 100644
--- a/playbooks/roles/zuul-web/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-web/files/docker-compose.yaml
@@ -10,7 +10,7 @@ services:
     user: zuul
     volumes:
       - /etc/zuul:/etc/zuul
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
       - /var/lib/zuul:/var/lib/zuul
       - /var/log/zuul:/var/log/zuul
   fingergw:
@@ -21,6 +21,6 @@ services:
     # grab the finger port and then drop privs
     volumes:
       - /etc/zuul:/etc/zuul
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
       - /var/lib/zuul:/var/lib/zuul
       - /var/log/zuul:/var/log/zuul
diff --git a/playbooks/roles/zuul/tasks/main.yaml b/playbooks/roles/zuul/tasks/main.yaml
index 7c2894b452..4c1738a18c 100644
--- a/playbooks/roles/zuul/tasks/main.yaml
+++ b/playbooks/roles/zuul/tasks/main.yaml
@@ -1,51 +1,47 @@
 - name: Create Zuul Group
   group:
-    name: zuul
+    name: "{{ zuul_group }}"
     gid: "{{ zuul_group_id }}"
     system: yes
 
 - name: Create Zuul User
   user:
-    name: zuul
+    name: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     uid: "{{ zuul_user_id }}"
-    comment: Zuul User
-    shell: /bin/bash
-    home: /home/zuul
-    group: zuul
+    home: "/home/{{ zuul_user }}"
     create_home: yes
+    shell: /bin/bash
     system: yes
-  # In order to run this in Zuul, we have to ignore errors.
-  # That's because in Zuul, the test nodes have a Zuul user.
-  failed_when: false
 
 - name: Create Zuul Config dir
   file:
     state: directory
     path: /etc/zuul
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
 
 - name: Create Zuul SSL dir
   file:
     state: directory
     path: /etc/zuul/ssl
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
 
 - name: Write Gearman SSL CA
   copy:
     content: "{{ gearman_ssl_ca }}"
     dest: /etc/zuul/ssl/gearman-ca.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0644
 
 - name: Write Gearman Client SSL Cert
   copy:
     content: "{{ gearman_client_ssl_cert }}"
     dest: /etc/zuul/ssl/gearman-client.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0644
 
 - name: Write Gearman Client SSL Key
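Review bot: Hosts already provisioned by this role have a `zuul` account holding uid 10001, so the now-unconditional `Create Zuul User` task (the `failed_when: false` guard is removed) will fail there with a UID-in-use error rather than migrate the account, and nothing in the hunk renames the old user or re-chowns its files. Dropping the guard is right for the test nodes, but the deploy path needs either a documented one-time manual step (`usermod -l zuuld -d /home/zuuld -m zuul`) or a preceding task that detects the legacy account; at minimum put a comment above the task stating the assumption, e.g. `# Assumes no other account owns zuul_user_id; pre-existing 'zuul' accounts must be renamed to zuuld by hand`. I am inferring the state of the live hosts from the old role, so confirm before merging.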
@@ -53,8 +49,8 @@
   copy:
     content: "{{ gearman_client_ssl_key }}"
     dest: /etc/zuul/ssl/gearman-client.key
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0640
 
 - name: Write Gearman Server SSL Cert
@@ -62,8 +58,8 @@
   copy:
     content: "{{ gearman_server_ssl_cert }}"
     dest: /etc/zuul/ssl/gearman-server.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0644
 
 - name: Write Gearman Server SSL Key
@@ -71,24 +67,24 @@
   copy:
     content: "{{ gearman_server_ssl_key }}"
     dest: /etc/zuul/ssl/gearman-server.key
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0640
 
 - name: Write Zuul Conf File
   template:
     src: zuul.conf.j2
     dest: /etc/zuul/zuul.conf
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0600
 
 - name: Create Zuul directories
   file:
     state: directory
     path: '{{ item }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
   loop:
     - /var/log/zuul
     - /var/run/zuul
@@ -99,24 +95,24 @@
   copy:
     dest: /var/lib/zuul/ssh/id_rsa
     content: '{{ zuul_ssh_private_key_contents }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0400
 
 - name: Create Zuul SSH directory
   file:
     state: directory
-    path: /home/zuul/.ssh
-    owner: zuul
-    group: zuul
+    path: "~{{ zuul_user }}/.ssh"
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0700
 
 - name: Write Known Hosts
   copy:
-    dest: /home/zuul/.ssh/known_hosts
+    dest: "~{{ zuul_user }}/.ssh/known_hosts"
     content: '{{ zuul_known_hosts }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
     mode: 0600
 
 - name: Sync project-config