bareon/cloud-init-templates/cloud_config_ubuntu.jinja2
Dmitry Nikishov c5b4e5dfca Create non-root user account during image build process
Extended Nailgun data driver to parse new ks_meta keys.

Extended Ubuntu cloud-init config template to create a non-root
account. Root login is being disabled; however, this setting
will only be effective until the osnailyfacter::ssh puppet class
has been evaluated during deployment, as it overrides
sshd_config values. This means that PermitRootLogin should be
managed by the library as well.

Blueprint: fuel-nonroot-openstack-nodes
Depends-On: Ia18305e07d07377886783c3b3e44abe93cef2da5

Conflicts:

	bareon/tests/test_configdrive.py

Change-Id: I69831fe0327ef9ac55bed99301d2c3732b87ed88
2016-06-14 18:18:24 +03:00


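#cloud-config
# Jinja2 template for the Ubuntu cloud-init user-data. Context variables
# used below: user_accounts (list of accounts), common.*, mcollective.*
# and puppet.*. Jinja tags are kept at column 0; the blank lines they
# leave behind are harmless inside block mappings and sequences.
resize_rootfs: false
growpart:
  mode: false
disable_ec2_metadata: true
# NOTE(review): the commit message says root login is being disabled, yet
# disable_root is false here -- confirm this is intended (root login may
# be handled by the sshd_config management mentioned in the commit).
disable_root: false
users:
{% for user in user_accounts %}
  - name: {{ user.name }}
    # Single-quoted, with embedded quotes doubled, so a password that
    # contains YAML specials (": ", " #", a leading "*" or "&", ...) or
    # looks like a number is still read back as the intended string.
    # NOTE(review): plain_text_passwd keeps the password in clear text in
    # the rendered user-data; cloud-init also accepts a pre-hashed value
    # through the "passwd" key if the driver can supply one.
    plain_text_passwd: '{{ user.password|replace("'", "''") }}'
    # Canonical lowercase boolean (was "False", a YAML 1.1 spelling).
    lock_passwd: false
    homedir: {{ user.homedir }}
    shell: {{ user.shell }}
{% if user.ssh_keys|length > 0 %}
    ssh_authorized_keys:
{% for key in user.ssh_keys %}
      - {{ key }}
{% endfor %}
{% endif %}
{% if user.sudo|length > 0 %}
    # Quoted: sudoers entries normally contain ": " which would otherwise
    # be parsed as a nested mapping.
    sudo:
{% for entry in user.sudo %}
      - "{{ entry }}"
{% endfor %}
{% endif %}
{% endfor %}
# Do not force a password change on first login.
chpasswd: { expire: false }
# Password authentication stays disabled in sshd_config; the account
# password above is therefore only usable on the console.
ssh_pwauth: false
# set the locale to a given locale
# default: en_US.UTF-8
locale: en_US.UTF-8
timezone: {{ common.timezone }}
hostname: {{ common.hostname }}
fqdn: {{ common.fqdn }}
# add entries to rsyslog configuration: forward everything to the master
# node using the LogToMaster template (the "\n" is literal text for rsyslog).
rsyslog:
  - filename: 10-log2master.conf
    content: |
      $template LogToMaster, "<%PRI%>1 %$NOW%T%TIMESTAMP:8:$%Z %HOSTNAME% %APP-NAME% %PROCID% %MSGID% -%msg%\n"
      *.* @{{ common.master_ip }};LogToMaster
# that module's missing in 0.6.3, but existent for >= 0.7.3
write_files:
  # nailgun-agent configuration; the block scalar is written verbatim, so
  # the nested "---" and "url:" lines end up in the file as YAML.
  - content: |
      ---
      url: {{ common.master_url }}
    path: /etc/nailgun-agent/config.yaml
  - content: target
    path: /etc/nailgun_systemtype
mcollective:
  conf:
    main_collective: mcollective
    collectives: mcollective
    libdir: /usr/share/mcollective/plugins
    logfile: /var/log/mcollective.log
    loglevel: debug
    daemonize: 0
    direct_addressing: 1
    ttl: 4294957
    securityprovider: psk
    # Secrets are quoted the same way as the account password above so
    # the rendered value cannot be retyped or mis-parsed.
    plugin.psk: '{{ mcollective.pskey|replace("'", "''") }}'
    identity: {{ mcollective.identity }}
{% if mcollective.connector == 'stomp' %}
    # Fixed: this line was "connector = stomp", which is not a key/value
    # pair and made the whole stomp branch unparseable.
    connector: stomp
    plugin.stomp.host: {{ mcollective.host }}
    plugin.stomp.port: {{ mcollective.port|default(61613) }}
    plugin.stomp.user: {{ mcollective.user }}
    plugin.stomp.password: '{{ mcollective.password|replace("'", "''") }}'
{% else %}
    connector: rabbitmq
    plugin.rabbitmq.vhost: {{ mcollective.vhost }}
    plugin.rabbitmq.pool.size: 1
    plugin.rabbitmq.pool.1.host: {{ mcollective.host }}
    plugin.rabbitmq.pool.1.port: {{ mcollective.port|default(61613) }}
    plugin.rabbitmq.pool.1.user: {{ mcollective.user }}
    plugin.rabbitmq.pool.1.password: '{{ mcollective.password|replace("'", "''") }}'
    plugin.rabbitmq.heartbeat_interval: 30
{% endif %}
    factsource: yaml
    plugin.yaml: /etc/mcollective/facts.yaml
puppet:
  conf:
    main:
      logdir: /var/log/puppet
      rundir: /var/run/puppet
      ssldir: $vardir/ssl
      pluginsync: true
      prerun_command: /bin/true
      postrun_command: /bin/true
    agent:
      classfile: $vardir/classes.txt
      localconfig: $vardir/localconfig
      server: {{ puppet.master }}
      report: false
      configtimeout: 600
runcmd:
{% if puppet.enable != 1 %}
  # Puppet agent not enabled for this node: stop it and drop its rc links.
  - /usr/sbin/invoke-rc.d puppet stop
  - /usr/sbin/update-rc.d -f puppet remove
{% endif %}
{% if mcollective.enable != 1 %}
  # Same for mcollective, using an upstart override to keep it from starting.
  - /usr/sbin/invoke-rc.d mcollective stop
  - echo manual > /etc/init/mcollective.override
{% else %}
  - rm -f /etc/init/mcollective.override
{% endif %}
  # Flush any pre-existing INPUT/FORWARD rules; chain policies are left
  # unchanged, so the host relies on later configuration management for
  # its firewall.
  - iptables -t filter -F INPUT
  - iptables -t filter -F FORWARD
final_message: "YAY! The system is finally up, after $UPTIME seconds"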