
Commit 9f54fa8

authored
Make gcp-linux example template use a non-root user (coder#2480)
* make gcp-linux example template use a non-root user * don't try to create user account if it already exists * upgrade to debian-10 image since debian-9 is no longer available
1 parent fd4e2cc commit 9f54fa8


1 file changed

+15
-12
lines changed

1 file changed

+15
-12
lines changed

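--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -39,7 +39,7 @@ resource "google_compute_disk" "root" {
 name = "coder-${lower(data.coder_workspace.me.owner)}-${lower(data.coder_workspace.me.name)}-root"
 type = "pd-ssd"
 zone = var.zone
-image = "debian-cloud/debian-9"
+image = "debian-cloud/debian-10"
 lifecycle {
 ignore_changes = [image]
 }
@@ -70,21 +70,24 @@ resource "google_compute_instance" "dev" {
 email = data.google_compute_default_service_account.default.email
 scopes = ["cloud-platform"]
 }
-# The startup script runs as root with no $HOME environment set up, which can break workspace applications, so
-# instead of directly running the agent init script, setup the home directory, write the init script, and then execute
-# it.
+# The startup script runs as root with no $HOME environment set up, so instead of directly
+# running the agent init script, create a user (with a homedir, default shell and sudo
+# permissions) and execute the init script as that user.
 metadata_startup_script = <<EOMETA
 #!/usr/bin/env sh
 set -eux
 
-mkdir /root || true
-cat <<'EOCODER' > /root/coder_agent.sh
-${coder_agent.main.init_script}
-EOCODER
-chmod +x /root/coder_agent.sh
-
-export HOME=/root
-/root/coder_agent.sh
+# If user does not exist, create it and set up passwordless sudo
+if ! id -u "${local.linux_user}" >/dev/null 2>&1; then
+useradd -m -s /bin/bash "${local.linux_user}"
+echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
+fi
 
+exec sudo -u "${local.linux_user}" sh -c '${coder_agent.main.init_script}'
 EOMETA
 }
+
+locals {
+# Ensure Coder username is a valid Linux username
+linux_user = lower(substr(data.coder_workspace.me.owner, 0, 32))
+}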
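Review bot: The added `exec sudo -u "${local.linux_user}" sh -c '${coder_agent.main.init_script}'` line embeds the entire init script in a single-quoted argument, so any single quote inside the script breaks the quoting, and the whole script is readable in the instance's process list for as long as that shell runs (if the init script carries an agent credential, which I cannot tell from the hunk, that exposes it to every local user). The removed lines avoided both problems by writing the script to a file through a quoted heredoc; the same pattern works for the new user by writing the file into its home directory and running it under `sudo -u`, as sketched below. Separately, the `echo … > /etc/sudoers.d/coder-user` line leaves the file at root's default umask and never validates it, so follow it with `chmod 0440 /etc/sudoers.d/coder-user` and `visudo -cf /etc/sudoers.d/coder-user`. Finally, the comment in `locals` says the name is made a valid Linux username, but `lower()` and `substr()` do not remove characters that `useradd` rejects, so either soften the comment or filter the name before using it.
```hcl
# … unchanged: service_account block and comment lines …
metadata_startup_script = <<EOMETA
#!/usr/bin/env sh
set -eux

# If user does not exist, create it and set up passwordless sudo
if ! id -u "${local.linux_user}" >/dev/null 2>&1; then
  useradd -m -s /bin/bash "${local.linux_user}"
  echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
  chmod 0440 /etc/sudoers.d/coder-user
  visudo -cf /etc/sudoers.d/coder-user
fi

# Write the init script to the user's home through a quoted heredoc so its contents are
# neither re-interpreted by this shell nor visible in the process argument list.
home_dir="$(getent passwd "${local.linux_user}" | cut -d: -f6)"
cat <<'EOCODER' > "$home_dir/coder_agent.sh"
${coder_agent.main.init_script}
EOCODER
chown "${local.linux_user}" "$home_dir/coder_agent.sh"
chmod 0700 "$home_dir/coder_agent.sh"

exec sudo -u "${local.linux_user}" -H "$home_dir/coder_agent.sh"
EOMETA
# … unchanged: closing brace and locals block …
```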
