google_guest_agent creates unwanted users in image creation process.

[ek-nag]

Hello,

I am using a modules/packer/custom-image module for creating custom images for my GHPC cluster. During the image creation, google_guest_agent creates a bunch of local users that exist in the project. In the logs, it appears like this:

google_guest_agent[1204]: Creating user user1
google_guest_agent[1204]: Creating user user2
google_guest_agent[1204]: Creating user user3

Since it's the base image and the nodes that use this image will not be using a Google authentication service but the separate LDAP server, I don't need any of the local users to be created. Is it possible to disable this behaviour?

I found out that you can stop this by editing /etc/default/instance_configs.cfg and setting accounts_daemon = false. To my knowledge, the only place where I can change this is in the startup scripts. However, startup scripts are executed after google_guest_agent runs, so it's not an option.

Snippet from the blueprint used to create images:

- group: packer-login
  modules:
  - id: custom-login-image
    source: modules/packer/custom-image
    kind: packer
    settings:
      source_image_project_id: [schedmd-slurm-public]
      source_image_family: schedmd-v5-slurm-22-05-8-rocky-linux-8
      disk_size: 50
      image_family: $(vars.login_image)
      state_timeout: 30m
      zone: $(vars.zone)
      subnetwork_name: $(vars.subnetwork_name)
      image_storage_locations: [$(vars.zone)]

The workaround that I have now is a script that deletes all local users at the end of image build.

Thank you!

[tpdownes]

Thanks for the report. It looks like you are not enabling OS Login on the VM. I am curious if you have either (A) enabled OS Login at the project level through metadata or (B) have project-wide SSH keys.

• https://console.cloud.google.com/compute/metadata?tab=metadata
• https://console.cloud.google.com/compute/metadata?tab=sshkeys

I suspect the answer is (B) and that the corresponding users are being created. If so, one potential solution would be to block project-wide SSH keys. That would look something like:

...
    settings:
      ...
      block-project-ssh-keys: "TRUE"

I advise the quotation marks around TRUE to ensure that it is interpreted as a string literal value.

[tpdownes]

Also see #1393.

[ek-nag]

Hi @tpdownes, that's right, we have several ssh keys in project metadata. Thanks for helping me understand where the users are coming from. After setting block-project-ssh-keys: "TRUE" in the instance metadata, there are no local users being created during the image creation.

...
    metadata:
      ...
      block-project-ssh-keys: "TRUE"

Thanks for your help!

[tpdownes]

Thanks, for the record, #1393 will make this behavior the default in future releases of the Toolkit. It can be overridden by setting block-project-ssh-keys as shown above to any value other than TRUE.

[cboneti]

Hi all,
This was released a while ago, I will now close this issue.
Cheers,

Carlos