Create rescue user on ironic agent

Create a new service, that will be launched after ironic
agent has been exited. This will launch an script that will
take the rescue password, and create the rescue user with
that credentials.

Depends-On: I7898ff22800dedba73d7fbfb3801378867abe183
Change-Id: Ic3a241e2789a122d3d966e7e2148306fd0cf6aed
Partial-Bug: 1526449

diskimage_builder/elements/ironic-agent/element-deps

@@ -1,4 +1,5 @@
 dhcp-all-interfaces
+install-static
 no-final-image
 package-installs
 pip-and-virtualenv

diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent

@@ -24,6 +24,7 @@ case "$DIB_INIT_SYSTEM" in
             systemctl disable iptables.service
         fi
         systemctl enable $(svc-map ironic-python-agent).service
+        systemctl enable ironic-agent-create-rescue-user.path
         ;;
     sysv)
         update-rc.d iptables disable

diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path

@@ -0,0 +1,8 @@
+[Unit]
+Description=Ironic user rescue - notify path existence
+
+[Path]
+PathExists=/etc/ipa-rescue-config/ipa-rescue-password
+
+[Install]
+WantedBy=multi-user.target

diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Ironic agent rescue user creation
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ironic-python-agent-create-rescue-user.sh
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+echo "Adding rescue user with root privileges..."
+crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password)
+useradd -m rescue -G wheel -p $crypted_pass
+echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue