From 9a9af41e4842105996c4df3d71c8ad87e063ab1f Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Mon, 3 Oct 2022 09:21:42 -0700
Subject: [PATCH] Disable distro cloud image users more forcefully

This updates our user management system to use the userdel --force flag when disabling and removing distro cloud image users like 'ubuntu', 'centos' and 'admin'. The reason for this is when we switch from using the distro user to boot strap launchnode over to root the distro user may still have running processes that prevent userdel from succeeding. This should address that problem and delete the user anyway. The last step in the launch node process is to reboot which should clear out any stale processes. We don't do this for normal users as they aren't removed at node launch time and this may be too forceful for them. It would be better for us to error in that case and clean up any stale processes.

Change-Id: I79caf2a996566ecaec4cb4a70941bb3f03a5fb73
---
 inventory/base/group_vars/all.yaml | 2 ++
 playbooks/roles/base/users/README.rst | 6 ++++++
 playbooks/roles/base/users/defaults/main.yaml | 1 +
 playbooks/roles/base/users/tasks/main.yaml | 11 +++++++++++
 4 files changed, 20 insertions(+)
diff --git a/inventory/base/group_vars/all.yaml b/inventory/base/group_vars/all.yaml
index 9e34a9480c..ff177a5dd7 100644
--- a/inventory/base/group_vars/all.yaml
+++ b/inventory/base/group_vars/all.yaml
@@ -184,6 +184,8 @@ disabled_users:
 - shrews
 - dmsimard
 - pabelanger
+# Default distro cloud image names to remove
+disabled_distro_cloud_users:
 - ubuntu
 - centos
 - admin
diff --git a/playbooks/roles/base/users/README.rst b/playbooks/roles/base/users/README.rst
index 3089a06e09..f08eccd9e9 100644
--- a/playbooks/roles/base/users/README.rst
+++ b/playbooks/roles/base/users/README.rst
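Review bot: The comment added above `disabled_distro_cloud_users:` in inventory/base/group_vars/all.yaml says only that these names are removed, so nothing at this spot tells an editor that entries here are deleted with `force: yes` while entries in `disabled_users` directly above are not. The two lists sit next to each other and look identical, and a real account name added to the wrong one would be removed even while that user is logged in. I would spell that out in the comment, for example `# Distro cloud image default users. Removed with userdel --force by the base users role;` followed by `# never list a real person's account here, use disabled_users instead.` The `disabled_users` list begins above this hunk.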
@@ -19,6 +19,12 @@ Configure users on a server. Users are given sudo access Extra users to install on a specific host or group
+.. zuul:rolevar:: disabled_distro_cloud_users
+ :default: []
+
+ Distro cloud image default users to remove from hosts. This removal is
+ slightly more forceful than the removal of normal users.
+
 .. zuul:rolevar:: disabled_users
 :default: []
diff --git a/playbooks/roles/base/users/defaults/main.yaml b/playbooks/roles/base/users/defaults/main.yaml
index 1256d6b56a..4ea1c0cabd 100644
--- a/playbooks/roles/base/users/defaults/main.yaml
+++ b/playbooks/roles/base/users/defaults/main.yaml
@@ -1,3 +1,4 @@
 all_users: {}
+disabled_distro_cloud_users: []
 disabled_users: []
 extra_users: []
diff --git a/playbooks/roles/base/users/tasks/main.yaml b/playbooks/roles/base/users/tasks/main.yaml
index fa0b11cf02..063f38f218 100644
--- a/playbooks/roles/base/users/tasks/main.yaml
+++ b/playbooks/roles/base/users/tasks/main.yaml
@@ -31,6 +31,17 @@
 group: root
 mode: 0644
+- name: Delete default distro cloud image users
+ # Do this in a separate task so that we can use force: yes which is
+ # probably too destructive for normal users, but should be fine for
+ # these built in cloud image names.
+ loop: "{{ disabled_distro_cloud_users }}"
+ user:
+ name: "{{ item }}"
+ state: absent
+ remove: yes
+ force: yes
+
 - name: Delete old users
 loop: "{{ disabled_users }}"
 user:
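Review bot: In playbooks/roles/base/users/tasks/main.yaml the new `Delete default distro cloud image users` task removes the account but not the processes the commit message says may still be running; with `force: yes` they keep running under a UID that no longer maps to any user until the host reboots. The final reboot covers this at launch time, but this role appears to run on already-deployed hosts too (the list lives in group_vars/all), where no reboot follows; that is worth confirming and stating in the task comment, e.g. `# Processes owned by the user survive the delete; they only go away on reboot.` Because the only thing limiting the forced delete is the content of the variable, I would also put an `assert` ahead of the loop with `that: disabled_distro_cloud_users | intersect(all_users.keys() | list) | length == 0`, so a managed account can never be listed here by mistake. The following `Delete old users` task continues past the end of the hunk.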