From ba11376328a56cb3b963c2d438b434637d4c54f4 Mon Sep 17 00:00:00 2001
From: Yolanda Robla <yroblamo@redhat.com>
Date: Fri, 22 Sep 2017 11:13:22 +0200
Subject: [PATCH] Create rescue user on ironic agent

Create a new service that will be launched after the ironic
agent has exited. It will launch a script that takes the
rescue password and creates the rescue user with those
credentials.

Depends-On: I7898ff22800dedba73d7fbfb3801378867abe183
Change-Id: Ic3a241e2789a122d3d966e7e2148306fd0cf6aed
Partial-Bug: 1526449
---
 diskimage_builder/elements/ironic-agent/element-deps |  1 +
 .../ironic-agent/post-install.d/80-ironic-agent      |  1 +
 .../system/ironic-agent-create-rescue-user.path      |  8 ++++++++
 .../system/ironic-agent-create-rescue-user.service   | 10 ++++++++++
 .../bin/ironic-python-agent-create-rescue-user.sh    | 12 ++++++++++++
 5 files changed, 32 insertions(+)
 create mode 100644 diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path
 create mode 100644 diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service
 create mode 100755 diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh

diff --git a/diskimage_builder/elements/ironic-agent/element-deps b/diskimage_builder/elements/ironic-agent/element-deps
index 39d864612..665e0da3e 100644
--- a/diskimage_builder/elements/ironic-agent/element-deps
+++ b/diskimage_builder/elements/ironic-agent/element-deps
@@ -1,4 +1,5 @@
 dhcp-all-interfaces
+install-static
 no-final-image
 package-installs
 pip-and-virtualenv
diff --git a/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent b/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
index 38dae821f..bc3a15fdd 100755
--- a/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
+++ b/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
@@ -24,6 +24,7 @@ case "$DIB_INIT_SYSTEM" in
             systemctl disable iptables.service
         fi
         systemctl enable $(svc-map ironic-python-agent).service
+        systemctl enable ironic-agent-create-rescue-user.path
         ;;
     sysv)
         update-rc.d iptables disable
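Review bot: Only the systemd branch enables the rescue-user trigger; the `sysv)` branch visible just below gets no equivalent, and the new static files are systemd units only. Images built with another init system would therefore appear never to create the rescue user. If that is intended, say so with a comment such as `# rescue user creation is only wired up for systemd`; otherwise the other branches need their own hook. The `case` statement starts and ends outside this hunk, so there may be further branches that are not shown.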
diff --git a/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path
new file mode 100644
index 000000000..9987044e4
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path
@@ -0,0 +1,8 @@
+[Unit]
+Description=Ironic user rescue - notify path existence
+
+[Path]
+PathExists=/etc/ipa-rescue-config/ipa-rescue-password
+
+[Install]
+WantedBy=multi-user.target
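Review bot: `PathExists=` fires as soon as the file name appears, not when its content is complete, so the service may read an empty or partial hash if the writer creates the file and then fills it. The writer lives in the dependent change and is not visible here; if it does not write to a temporary name and rename into place, it should, or this unit could use `PathChanged=` (triggered when a file opened for writing is closed) instead. A comment above `[Path]` would also help, e.g. `# Password hash is presumably written by ironic-python-agent; activates the same-named .service by default`.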
diff --git a/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service
new file mode 100644
index 000000000..befeda666
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Ironic agent rescue user creation
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ironic-python-agent-create-rescue-user.sh
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
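Review bot: The `[Install]` section with `WantedBy=multi-user.target` is misleading, since `80-ironic-agent` enables only the `.path` unit and this service is meant to be started by it. If someone enables the service directly, it will run at boot before the password file exists and fail under the script's `set -eu`. Adding `ConditionPathExists=/etc/ipa-rescue-config/ipa-rescue-password` to `[Unit]`, or dropping `[Install]`, avoids that. The script is also not idempotent: a second start after a partial failure will stop at `useradd` because the user already exists, which deserves a comment in the unit.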
diff --git a/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh b/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh
new file mode 100755
index 000000000..aee408c0a
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+echo "Adding rescue user with root privileges..."
+crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password)
+useradd -m rescue -G wheel -p $crypted_pass
+echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue
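Review bot: The hash read on the `crypted_pass=` line reaches `useradd` unquoted and unvalidated, so an empty file drops the `-p` argument and a value containing whitespace is split into extra arguments. Quoting alone is not enough, because an empty file would then create the account with an empty password field; check first with `[ -n "$crypted_pass" ] || { echo "rescue password file is empty" >&2; exit 1; }` and then call `useradd -m rescue -G wheel -p "$crypted_pass"`. The sudoers drop-in is created with the default umask; `chmod 0440 /etc/sudoers.d/rescue` after writing it gives the conventional mode for that directory. If `DIB_DEBUG_TRACE` is set in the service environment, `set -x` will also write the hash to the service log.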