From 0f315a0ed0a7b05158f115ea5c77710f0125dd07 Mon Sep 17 00:00:00 2001
From: Paul Bourke <paul.bourke@oracle.com>
Date: Wed, 11 Nov 2015 17:54:00 +0000
Subject: [PATCH] Drop root for kolla-ansible

This change ensures commands run in the kolla-ansible container are done
as the 'ansible' user rather than root.

By default Ansible tries to write its temporary files to $HOME/.ansible
on the target, which in most cases won't exist when run as the new user.
Hence we now supply the kolla-ansible container with an ansible.cfg, to
tweak the remote_dir option to /tmp.

Change-Id: I838a8c8cd0c7dc1aeca4d12e38c346f252170e7c
Partially-Implements: blueprint drop-root
---
 docker/kolla-ansible/Dockerfile.j2 | 8 ++++++--
 docker/kolla-ansible/ansible.cfg   | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 docker/kolla-ansible/ansible.cfg

diff --git a/docker/kolla-ansible/Dockerfile.j2 b/docker/kolla-ansible/Dockerfile.j2
index d4890eed5d..2466234d61 100644
--- a/docker/kolla-ansible/Dockerfile.j2
+++ b/docker/kolla-ansible/Dockerfile.j2
@@ -24,9 +24,13 @@ RUN git clone --depth 1 -b v2.0.0-0.2.alpha2 https://github.com/ansible/ansible.
     && git submodule update --init --recursive \
     && pip --no-cache-dir install .
 
-RUN mkdir -p /etc/ansible /usr/share/ansible \
-    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts
+RUN mkdir -p /etc/ansible /usr/share/ansible /home/ansible \
+    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts \
+    && useradd --user-group ansible --groups kolla
 
 COPY kolla_keystone_service.py kolla_keystone_user.py /usr/share/ansible/
+COPY ansible.cfg /home/ansible/.ansible.cfg
+
+USER ansible
 
 {{ include_footer }}
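Review bot: `/home/ansible` is created by `mkdir -p` as root, and `useradd` is called without `--create-home`, so the home directory appears to stay root-owned and the account selected by `USER ansible` cannot write to it. Ansible on the control side normally keeps working state under `$HOME/.ansible`, so runs as the new user may fail on the first write; adding `&& chown ansible: /home/ansible` after the `useradd` line would fix that. Leaving the copied `.ansible.cfg` root-owned is fine, and arguably preferable, because the unprivileged user then cannot rewrite its own configuration. A fixed `--uid` on `useradd` would also make ownership of bind-mounted files predictable across rebuilds. The contents of `{{ include_footer }}` are not visible here, so it is worth confirming that nothing in it expects to run as root after the `USER` switch.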
diff --git a/docker/kolla-ansible/ansible.cfg b/docker/kolla-ansible/ansible.cfg
new file mode 100644
index 0000000000..c45b65ae1c
--- /dev/null
+++ b/docker/kolla-ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+remote_tmp = /tmp
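Review bot: `remote_tmp = /tmp` places Ansible's per-task working directories directly in the target's world-writable `/tmp`, where module payloads and their arguments (which can include credentials) share a parent directory with every other local account. A per-user path such as `remote_tmp = /tmp/.ansible-${USER}/tmp` would keep the fix for a missing home directory while giving the connecting user a parent directory it owns. `${USER}` should be expanded by the remote shell, but that is worth confirming against the Ansible version pinned in the Dockerfile. The file would also benefit from a one-line comment explaining the override, for example `# remote user may have no home directory, so keep temp files out of $HOME`.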