Drop root for kolla-ansible

This change ensures commands run in the kolla-ansible container are done
as the 'ansible' user rather than root.

By default Ansible tries to write it's temporary files to $HOME/.ansible
on the target, which in most cases won't exist when run as the new user.
Hence we now supply the kolla-ansible container with an ansible.cfg, to
tweak the remote_dir option to /tmp.

Change-Id: I838a8c8cd0c7dc1aeca4d12e38c346f252170e7c
Partially-Implements: blueprint drop-root

docker/kolla-ansible/Dockerfile.j2

@@ -24,9 +24,13 @@ RUN git clone --depth 1 -b v2.0.0-0.2.alpha2 https://github.com/ansible/ansible.
     && git submodule update --init --recursive \
     && pip --no-cache-dir install .
 
-RUN mkdir -p /etc/ansible /usr/share/ansible \
-    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts
+RUN mkdir -p /etc/ansible /usr/share/ansible /home/ansible \
+    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts \
+    && useradd --user-group ansible --groups kolla
 
 COPY kolla_keystone_service.py kolla_keystone_user.py /usr/share/ansible/
+COPY ansible.cfg /home/ansible/.ansible.cfg
+
+USER ansible
 
 {{ include_footer }}

docker/kolla-ansible/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+remote_tmp = /tmp