[Merge] lp:~tribaal/livecd-rootfs/add-vagrant-user into lp:livecd-rootfs

Tue Aug 29 14:24:04 UTC 2017

Review: Needs Fixing

Thanks for solving the 'how does this restricted to artful' question over IRC. While testing, I found one file ownership problem, otherwise, this looks good.

Diff comments:

> === modified file 'live-build/ubuntu-cpc/hooks/042-vagrant.binary'
> --- live-build/ubuntu-cpc/hooks/042-vagrant.binary	2017-06-14 16:25:11 +0000
> +++ live-build/ubuntu-cpc/hooks/042-vagrant.binary	2017-08-29 09:13:37 +0000
> @@ -67,6 +67,28 @@
>  # avoid pulling into a cloud image.
>  chroot ${mount_d} apt-get install --no-install-recommends -y virtualbox-guest-utils
>  chroot ${mount_d} apt-get clean
> +
> +# Create and setup users inside the image.
> +# Vagrant users expect a "vagrant" user with a "vagrant" username.
> +# See https://www.vagrantup.com/docs/boxes/base.html
> +# Note: We decided NOT to allow root login with a default password.
> +chroot ${mount_d} useradd -m vagrant -s /bin/bash
> +echo "vagrant:vagrant" | chroot ${mount_d} chpasswd
> +
> +# The vagrant user should have passwordless sudo.
> +cat << EOF > ${mount_d}/etc/sudoers.d/vagrant
> +vagrant ALL=(ALL) NOPASSWD:ALL
> +EOF
> +
> +# Add the insecure vagrant pubkey to the vagrant user, as is expected by the
> +# vagrant ecosystem (https://www.vagrantup.com/docs/boxes/base.html)
> +chroot ${mount_d} chmod 0440 /etc/sudoers.d/vagrant
> +chroot ${mount_d} mkdir -p /home/vagrant/.ssh
> +chroot ${mount_d} chown -R vagrant: /home/vagrant/.ssh

This chown should come after writing out `.ssh/authorized_keys`, otherwise that file will remain as owned by root.

> +cat << EOF > ${mount_d}/home/vagrant/.ssh/authorized_keys
> +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
> +EOF
> +
>  umount_disk_image "$mount_d"
>  rmdir "$mount_d"
>  
> @@ -98,9 +114,6 @@
>  # except via local host.
>  cat > ${seed_d}/user-data <<END
>  #cloud-config
> -password: ${ubuntu_user_pass}
> -chpasswd: { expire: False }
> -ssh_pwauth: True

Other boxes appear to allow password login, but it's not strictly requested in the docs. The closest I could find is 'it is a general convention to set the password for the "vagrant" user to "vagrant". This lets people login as that user manually if they need to'. I suspect we want to keep this, but I don't have a strong opinion either way.

>  manage_etc_hosts: localhost
>  END
>  

-- 
https://code.launchpad.net/~tribaal/livecd-rootfs/add-vagrant-user/+merge/329598
Your team Ubuntu Core Development Team is requested to review the proposed merge of lp:~tribaal/livecd-rootfs/add-vagrant-user into lp:livecd-rootfs.