Create etcd user in cloud-init master.yaml rather than in configure-helper.sh

yaseenhamdulay · yaseenhamdulay · commit 5de3c64ad0e9 · 2020-03-19T11:05:42.000Z
An etcd unix user is currently created in configure-helper.sh if it does not exist
on the master.

cloud-init is the only supported mechanism to add users on COS VMs. If an attempt
is made to add a key using OS Login or the instance metadata mechanism the
google_accounts_daemon will race with useradd and potentially attempt to use
the same UID. This will lock out any attempt to SSH into the VM. We therefore
migrate to using cloud-init to create this user and prevent this issue from occurring.
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
@@ -445,9 +445,6 @@ function mount-master-pd {
   mkdir -p "${mount_point}/srv/sshproxy"
   ln -s -f "${mount_point}/srv/sshproxy" /etc/srv/sshproxy
 
-  if ! id etcd &>/dev/null; then
-    useradd -s /sbin/nologin -d /var/etcd etcd
-  fi
   chown -R etcd "${mount_point}/var/etcd"
   chgrp -R etcd "${mount_point}/var/etcd"
 }
diff --git a/cluster/gce/gci/master.yaml b/cluster/gce/gci/master.yaml
@@ -1,5 +1,10 @@
 #cloud-config
 
+users:
+- name: etcd
+  homedir: /var/etcd
+  lock_passwd: true
+
 write_files:
   - path: /etc/systemd/system/kube-master-installation.service
     permissions: 0644

Original file line number	Diff line number	Diff line change
`@@ -445,9 +445,6 @@ function mount-master-pd {`
`445`	`445`	`mkdir -p "${mount_point}/srv/sshproxy"`
`446`	`446`	`ln -s -f "${mount_point}/srv/sshproxy" /etc/srv/sshproxy`
`447`	`447`
`448`		`- if ! id etcd &>/dev/null; then`
`449`		`- useradd -s /sbin/nologin -d /var/etcd etcd`
`450`		`- fi`
`451`	`448`	`chown -R etcd "${mount_point}/var/etcd"`
`452`	`449`	`chgrp -R etcd "${mount_point}/var/etcd"`
`453`	`450`	`}`