From 5de3c64ad0e9199bb08846a7aa00e8b2499b5083 Mon Sep 17 00:00:00 2001
From: yaseenhamdulay <31653044+yaseenhamdulay@users.noreply.github.com>
Date: Thu, 5 Mar 2020 16:12:47 +0000
Subject: [PATCH 1/2] Create etcd user in cloud-init master.yaml rather than in configure-helper.sh

An etcd unix user is currently created in configure-helper.sh if it does not exist on the master. cloud-init is the only supported mechanism to add users on COS VMs. If an attempt is made to add a key using OS Login or the instance metadata mechanism the google_accounts_daemon will race with useradd and potentially attempt to use the same UID. This will lock out any attempt to SSH into the VM. We therefore migrate to using cloud-init to create this user and prevent this issue from occurring.
---
 cluster/gce/gci/configure-helper.sh | 3 ---
 cluster/gce/gci/master.yaml | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 2ac0d176071..aac725f0ddf 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -445,9 +445,6 @@ function mount-master-pd {
   mkdir -p "${mount_point}/srv/sshproxy"
   ln -s -f "${mount_point}/srv/sshproxy" /etc/srv/sshproxy
 
-  if ! id etcd &>/dev/null; then
-    useradd -s /sbin/nologin -d /var/etcd etcd
-  fi
   chown -R etcd "${mount_point}/var/etcd"
   chgrp -R etcd "${mount_point}/var/etcd"
 }
diff --git a/cluster/gce/gci/master.yaml b/cluster/gce/gci/master.yaml
index fd0a88d081d..70c5ce6716a 100644
--- a/cluster/gce/gci/master.yaml
+++ b/cluster/gce/gci/master.yaml
@@ -1,5 +1,10 @@
 #cloud-config
 
+users:
+- name: etcd
+  homedir: /var/etcd
+  lock_passwd: true
+
 write_files:
 - path: /etc/systemd/system/kube-master-installation.service
   permissions: 0644

From 58f78a53ee1afdc6f656d2517275e52bda34c865 Mon Sep 17 00:00:00 2001
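Review bot: With the useradd removed, the `chown -R etcd` and `chgrp -R etcd` lines that remain in this hunk now depend on cloud-init having created the etcd user before configure-helper.sh runs, and chown fails with an "invalid user" error if it has not (for example when this helper runs on an image that was not booted from master.yaml). If the file's errexit setting (set near the top, outside this hunk) is in effect here, that aborts master setup with a message that does not say why the user is missing. An explicit check makes the new contract visible and fails fast with a clear cause: `id etcd &>/dev/null || { echo "etcd user missing: expected to be created by cloud-init (cluster/gce/gci/master.yaml)" >&2; exit 1; }`. mount-master-pd starts before this hunk.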
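Review bot: The new `users:` entry drops the `/sbin/nologin` shell that the removed `useradd -s /sbin/nologin` set, so the etcd service account is now created with cloud-init's default login shell; `lock_passwd: true` blocks password login, but an interactive shell on a service account is still a hardening regression relative to the old code. Add `shell: /sbin/nologin` to the entry to keep the previous behaviour. Also worth confirming: unless `no_create_home: true` is set, cloud-init creates the `/var/etcd` home directory on the root filesystem at boot, before the master PD is mounted, which may interact with any later symlinking of `/var/etcd` in mount-master-pd; the rest of that function is outside this patch.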
From: Yaseen Hamdulay
Date: Tue, 24 Mar 2020 11:30:48 +0000
Subject: [PATCH 2/2] Add ssh_redirect_user

---
 cluster/gce/gci/master.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cluster/gce/gci/master.yaml b/cluster/gce/gci/master.yaml
index 70c5ce6716a..6fd8f876e19 100644
--- a/cluster/gce/gci/master.yaml
+++ b/cluster/gce/gci/master.yaml
@@ -4,6 +4,7 @@ users:
 - name: etcd
   homedir: /var/etcd
   lock_passwd: true
+  ssh_redirect_user: true
 
 write_files:
 - path: /etc/systemd/system/kube-master-installation.service