GoogleCloudPlatform / guest-agent

How to prevent the guest-agent from deleting a user created by Packer?

vitalyk-multinarity opened this issue · comments

Hi,
I'm trying to build an image using Packer. I noticed that guest-agent removed my user:

Mar 6 10:59:20 workstation-test-6-03-2023-3 google_guest_agent[544]: Removing user packer.

How can I prevent that?
According to the README, 'User accounts not managed by Google are not touched by the accounts daemon.' I tried both 'packer' and 'ubuntu' for a Debian image - the same behavior.

TIA,
Vitaly

commented

It seems packer is a Google-managed user in your case. How that happens is a second question, but first, I'd check if this assumption is correct.

Check the content of the /var/lib/google/google_users file. In my case it is

$ cat /var/lib/google/google_users
vorakl

A user gets removed here
https://github.com/GoogleCloudPlatform/guest-agent/blob/main/google_guest_agent/non_windows_accounts.go#L169

The name is taken from the gUsers which, in turn, is taken from a file
https://github.com/GoogleCloudPlatform/guest-agent/blob/main/google_guest_agent/non_windows_accounts.go#L133

The file is defined here
https://github.com/GoogleCloudPlatform/guest-agent/blob/main/google_guest_agent/non_windows_accounts.go#L37

So, if a user exists in that file and doesn't exist in metadata, it will be removed, if...

// removeGoogleUser removes Google managed users. If deprovision_remove is true, the
// user and its home directory are removed. Otherwise, SSH keys and sudoer
// permissions are removed but the user remains on the system. Group membership
// is not changed.

https://github.com/GoogleCloudPlatform/guest-agent/blob/main/google_guest_agent/non_windows_accounts.go#L361

It looks like deprovision_remove is True in your case.
If keeping this user out of the file is not possible, consider setting this config parameter to False.
By the way, my configuration file has it set to False:

$ grep 'deprovision_remove' /etc/default/instance_configs.cfg*
/etc/default/instance_configs.cfg:deprovision_remove = false

What's the value on your system?

P.S.
I've just realized that the log message is a bit misleading. It reports "Removing user" before it actually checks the configuration settings and before it makes a decision about removing a user from the system.
Just check if the user is really removed, for example, id packer. In my case, it is

$ id vorakl
uid=1000(vorakl) gid=1001(vorakl) groups=1001(vorakl),4(adm),39(video),1000(google-sudoers)
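
The checks from the answer above, collected into one script as an added example (not part of the thread or of the guest-agent project). It assumes the account is absent from instance metadata, which the script does not query; the function names and the `USERS_FILE`/`CFG_FILE` overrides are illustrative.

```sh
#!/bin/sh
# Added example: triage for a "Removing user" line from google_guest_agent.
# Default paths are the ones quoted in the thread; override to test on copies.
USERS_FILE=${USERS_FILE:-/var/lib/google/google_users}
CFG_FILE=${CFG_FILE:-/etc/default/instance_configs.cfg}

# True when the account is listed (exact line match) in the agent's user file.
is_google_managed() {
    [ -r "$USERS_FILE" ] && grep -Fxq -- "$1" "$USERS_FILE"
}

# Print the last deprovision_remove value in lowercase, or "unset".
# Commented-out lines are ignored because the key must start the line.
deprovision_remove_value() {
    val=$(sed -n 's/^[[:space:]]*deprovision_remove[[:space:]]*=//p' \
          "$CFG_FILE" 2>/dev/null | tail -n 1 | tr -d '[:space:]' |
          tr '[:upper:]' '[:lower:]')
    echo "${val:-unset}"
}

# Outcome implied by the quoted removeGoogleUser comment for an account that
# is absent from metadata (assumption: metadata is not queried here, and an
# unset or non-"true" value is treated as false).
expected_action() {
    if ! is_google_managed "$1"; then
        echo "untouched"
    elif [ "$(deprovision_remove_value)" = "true" ]; then
        echo "remove-user-and-home"
    else
        echo "strip-ssh-keys-and-sudo"
    fi
}

# One line per account: the prediction next to the real state from id(1).
report() {
    exists=no
    if id "$1" >/dev/null 2>&1; then exists=yes; fi
    printf 'user=%s deprovision_remove=%s expected=%s exists=%s\n' \
        "$1" "$(deprovision_remove_value)" "$(expected_action "$1")" "$exists"
}

# Usage: sh script.sh packer ubuntu
for u in "$@"; do report "$u"; done
```

A mismatch between `expected` and `exists` (or a cleaned `.ssh` directory for an account reported as `untouched`) is the detail worth attaching to a bug report.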

Thank you, I'll review these details.

It seems, 'packer' is a Google managed user in your case.
I tested with 'just-a-test-user' as well - the same behaviour.

@vorakl , thank you again, and sorry for the delay.

  • in /var/lib/google/google_users I see only our team's GCP users, not packer.
  • /etc/default/instance_configs.cfg:deprovision_remove is already False - so I do have this user and its home directory with a few files, just .ssh dir was cleaned

Obviously, it's not a showstopper anymore, as far as I'm aware of this behavior, but it's weird.

regards,
Vitaly