zuul-providers/dib-elements/zuul-worker/install.d/60-zuul-worker

#!/bin/bash

if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail

# Add zuul user and group.  Note we don't want to rely on
# "useradd"'s group adding behaviour, because it might differ across
# distros.
groupadd zuul
useradd -m zuul -g zuul -s /bin/bash

cat > /etc/sudoers.d/zuul << EOF
zuul ALL=(ALL) NOPASSWD:ALL
EOF
chmod 0440 /etc/sudoers.d/zuul

visudo -c || die "Error setting zuul sudo!"

# this was copied from outside the chroot by extras.d
_pub_key=/tmp/in_target.d/zuul-user-ssh-public-key
if [ ! -f $_pub_key ]; then
    die "Can not find Zuul public key!"
fi

mkdir -p /home/zuul/.ssh
chmod 700 /home/zuul/.ssh
cp $_pub_key /home/zuul/.ssh/authorized_keys

# cleanup everything to the right owner
chown -R zuul:zuul /home/zuul

# a lot of caching happens in extra-data.d (for "historical" reasons).
# We've put the cache stuff into /opt/cache/files, but again, for
# "historical" reasons, ensure this is available in /home/zuul
#
# We do this for zuul as relative paths to the current user's homedir
# are used in places like devstack.
#
# Check if the cache exists as we don't have a strict dependency on the
# devstack-cache element. This allows you to build an image without
# incurring the cost of caching all the things.
if [ -d /opt/cache/files ] ; then
    mkdir -p /home/zuul/cache
    chown zuul:zuul /home/zuul/cache
    ln -sf /opt/cache/files /home/zuul/cache/files
    # but make sure the cache is readable by everyone
    chmod -R a+rX /opt/cache/files/*
fi

# New versions of git don't let you clone repos as a different user
# than the user owning the repo by default for security reasons.
# As above we cache git repos during extra-data.d in /opt/git/ and they
# end up owned by root. Chown them to zuul here to avoid permissions
# issues with the most likely user to interact with the git cache( zuul).
if [ -d /opt/git ] ; then
    chown -R zuul:zuul /opt/git
fi