fix: builder user remenants should not be present in node images

[sriramandev]

Change description

Currently the builder user is not deleted, just locked, which could pose security risks for qemu, raw, nutanix and maas. So based on the suggestions, cleaning up the user just like in the case of ova.

Related issues

• Fixes Cleanup builder user residue - raw, qemu, nutanix and maas #1837

Additional context

This changeset has been introduced on the basis of the discussions that happened as part of PR.

[k8s-ci-robot]

Hi @sriramandev. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sriramandev]

/assign

[sriramandev]

@AverageMarcus @ffais Based on the discussions in PR creating this PR. Kindly have a look and provide your comments on the same.

[ffais]

@sriramandev I tested your changes on the raw target, the build completed successfully, the user and sudoers files were deleted, but I received this error:

==> qemu: userdel: user builder is currently used by process 774
==> qemu: userdel: builder mail spool (/var/mail/builder) not found

Does the same thing happen to you with OVA?

[sriramandev]

@sriramandev I tested your changes on the raw target, the build completed successfully, the user and sudoers files were deleted, but I received this error:

==> qemu: userdel: user builder is currently used by process 774
==> qemu: userdel: builder mail spool (/var/mail/builder) not found

Does the same thing happen to you with OVA?

Interesting, no, do not see this in OVA.

[ffais]

I ran further tests, and the user is being deleted correctly. At this point, I think it's just a warning we can ignore.

[drew-viles]

Could you test it with pkill -u builder before trying the remove? This may solve the error. I suspect because the pipeline is still technically running and tasks are being executed by the user, this is where it's coming from. I'm slightly reluctant to add it with the error is all because people may wonder where it's coming from.

The pkill, may just kill the pipeline ofc making it a non-viable option. Just a thought. :-)

If you don't have time I can look at it later but I'm slammed atm.

[ffais]

@drew-viles I ran some tests using pkill, but unfortunately the build times out. My suspicion is that pkill terminates the ssh session, preventing the pipeline from completing.

However, I can't figure out why this error doesn't appear on OVA.

[drew-viles]

Thanks for confirming.

If you're sure it's removing the user I'm happy to proceed personally unless anyone else can interject with another idea ofc.

/ok-to-test

[ffais]

Yes, I can confirm that builder user is not present anymore, on all tests with RAW target, despite the warning message.

[drew-viles]

/lgtm

/assign @mboersma

[mboersma]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment