Disable distro cloud image users more forcefully

This updates our user management system to use the userdel --force flag when disabling and removing distro cloud image users like 'ubuntu', 'centos' and 'admin'. The reason for this is when we switch from using the distro user to boot strap launchnode over to root the distro user may still have running processes that prevent userdel from succeeding. This should address that problem and delete the user anyway. The last step in the launch node process is to reboot which should clear out any stale processes. We don't do this for normal users as they aren't removed at node launch time and this may be too forceful for them. It would be better for us to error in that case and clean up any stale processes. Change-Id: I79caf2a996566ecaec4cb4a70941bb3f03a5fb73
2022-10-03 09:21:42 -07:00 · 2022-10-03 09:21:42 -07:00 · 9a9af41e48
commit 9a9af41e48
parent 4170a94be1
4 changed files with 20 additions and 0 deletions
--- a/inventory/base/group_vars/all.yaml
+++ b/inventory/base/group_vars/all.yaml
@ -184,6 +184,8 @@ disabled_users:
  - shrews
  - dmsimard
  - pabelanger
+# Default distro cloud image names to remove
+disabled_distro_cloud_users:
  - ubuntu
  - centos
  - admin
--- a/playbooks/roles/base/users/README.rst
+++ b/playbooks/roles/base/users/README.rst
@ -19,6 +19,12 @@ Configure users on a server.  Users are given sudo access

   Extra users to install on a specific host or group

+.. zuul:rolevar:: disabled_distro_cloud_users
+   :default: []
+
+   Distro cloud image default users to remove from hosts. This removal is
+   slightly more forceful than the removal of normal users.
+
 .. zuul:rolevar:: disabled_users
   :default: []

--- a/playbooks/roles/base/users/defaults/main.yaml
+++ b/playbooks/roles/base/users/defaults/main.yaml
@ -1,3 +1,4 @@
 all_users: {}
+disabled_distro_cloud_users: []
 disabled_users: []
 extra_users: []
--- a/playbooks/roles/base/users/tasks/main.yaml
+++ b/playbooks/roles/base/users/tasks/main.yaml
@ -31,6 +31,17 @@
    group: root
    mode: 0644

+- name: Delete default distro cloud image users
+  # Do this in a separate task so that we can use force: yes which is
+  # probably too destructive for normal users, but should be fine for
+  # these built in cloud image names.
+  loop: "{{ disabled_distro_cloud_users }}"
+  user:
+    name: "{{ item }}"
+    state: absent
+    remove: yes
+    force: yes
+
 - name: Delete old users
  loop: "{{ disabled_users }}"
  user: