fix(make_chroot): Simplify chroot user creation.

The commands useradd/usermod will silently skip adding users to
secondary groups that are not in /etc/group. The idea being that the
tools should not create groups that conflict with existing LDAP/NIS
groups but why trying to do so isn't a fatal error I don't know.

Overall the code is rather complicated and tries to modify instead of
add when possible to allow running the SDK as the 'core' user. To keep
things simple gut this code, make the 'core' user special, and add
secondary groups via the 'gpasswd' command so that errors are reported
instead of silently ignored.

One functional change: the default groups have changed to kvm and
portage. The old list excluded kvm and included lots of extra cruft.

sdk_lib/make_chroot.sh

@@ -73,8 +73,6 @@ switch_to_strict_mode
 
 . "${SCRIPT_ROOT}"/sdk_lib/make_conf_util.sh
 
-DEFGROUPS="adm,cdrom,floppy,audio,video,portage"
-
 USEPKG=""
 if [[ $FLAGS_usepkg -eq $FLAGS_TRUE ]]; then
   # Use binary packages. Include all build-time dependencies,
@@ -142,49 +140,31 @@ init_users () {
   touch "${FLAGS_chroot}/etc/"{group,gshadow,passwd,shadow}
   chmod 640 "${FLAGS_chroot}/etc/"{gshadow,shadow}
 
-  # update or add developer user and group
+  # do nothing with the CoreOS system user
-  local userent=$(bare_chroot getent passwd "${SUDO_USER}") || true
+  if [[ "${SUDO_USER}" == core ]]; then
-  if [[ "${userent}" =~ ^[^:]*:[^:]*:${SUDO_UID}:${SUDO_GID}: ]]; then
+    return
-    info "Updating ${SUDO_USER} (already exists in chroot)..."
+  fi
-    bare_chroot usermod -a -G "${DEFGROUPS}" \
+
-        -s /bin/bash -m -d "/home/${SUDO_USER}" "${SUDO_USER}"
+  local baselayout="${FLAGS_chroot}/usr/share/baselayout"
-  elif [[ -n "${userent}" ]]; then
+  local full_name=$(getent passwd "${SUDO_USER}" | cut -d: -f5)
-    die "User ${SUDO_USER} exists in chroot with different UID/GID"
+  local group_name=$(getent group "${SUDO_GID}" | cut -d: -f1)
-  else
-    info "Adding user ${SUDO_USER}..."
-    local full_name group_name
-    full_name=$(getent passwd "${SUDO_USER}" | cut -d: -f5)
-    group_name=$(getent group "${SUDO_GID}" | cut -d: -f1)
   [[ -n "${group_name}" ]] || die "Looking up gid $SUDO_GID failed."
 
-    local groupent=$(bare_chroot getent group "${group_name}") || true
+  if ! grep -q "^${group_name}:" "${baselayout}/group"; then
-    if [[ "${groupent}" =~ ^[^:]*:[^:]*:${SUDO_GID}: ]]; then
+    info "Adding group ${group_name}..."
-      true # group/gid exists, don't need to add it
-    elif [[ -n "${groupent}" ]]; then
-      die "Group ${group_name} exists in chroot with different GID"
-    else
     bare_chroot groupadd -o -g "${SUDO_GID}" "${group_name}"
   fi
 
-    bare_chroot useradd -o \
+  info "Adding user ${SUDO_USER}..."
-        -G "${DEFGROUPS}" -g "${SUDO_GID}" -u "${SUDO_UID}" \
+  bare_chroot useradd -o -g "${SUDO_GID}" -u "${SUDO_UID}" \
       -s /bin/bash -m -c "${full_name}" "${SUDO_USER}"
 
-    # TODO(marineam): this can be removed once baselayout 3 is merged
+  # copy and update other system groups the developer should be in
-    # We need the UID to match the host user's. This can conflict with
+  local group
-    # a particular chroot UID. At the same time, the added user has to
+  for group in kvm portage; do
-    # be a primary user for the given UID for sudo to work, which is
+    grep "^${group}:" "${baselayout}/group" >> "${FLAGS_chroot}/etc/group"
-    # determined by the order in /etc/passwd. Let's put ourselves on top
+    bare_chroot gpasswd -a "${SUDO_USER}" "${group}"
-    # of the file.
+  done
-    # Because passwd generally isn't sorted and the entry ended up at the
-    # bottom, it is safe to just take it and move it to top instead.
-    if [[ $(wc -l <"${FLAGS_chroot}/etc/passwd") -gt 1 ]]; then
-      sed -e '1{h;d};$!{H;d};$G' -i "${FLAGS_chroot}/etc/passwd"
-    fi
-    if [[ $(wc -l <"${FLAGS_chroot}/etc/group") -gt 1 ]]; then
-      sed -e '1{h;d};$!{H;d};$G' -i "${FLAGS_chroot}/etc/group"
-    fi
-  fi
 }
 
 init_setup () {