Updated init script to allow metadata override

[liamfallon]

This PR:

• Allows the initialization variables to be overridden on invocation without using the get metadata, for example by using
  cat gce_init.sh | sudo NEPHIO_DEBUG=true NEPHIO_RUN_E2E=false bash
• Creates the docker use before management cluster invocation to allow the kpt fn apply commands in the
  gce_install_sandbox.sh script to run on the nephio user.

[liamfallon]

/assign @johnbelamaric @electrocucaracha @efiacor @henderiw

[electrocucaracha]

Docker is installed by the Ansible playbooks, so technically at this point the docker group shouldn't exist

[liamfallon]

Yes, but if you don't add it before calling the gce_install_sandbox.sh script using the nephio user, you can't add the nephio user to the docker group. In a shell, while you can add a user to a group, you can't execute anything using that new group's rights without spawning a new shell.

I know this is not a perfect way of doing this and we should restructure these scripts afterwards, but it does work and the Docker install works fine even if the docker user already exists.

[electrocucaracha]

My understanding is that line 57 adds $NEPHIO_USER into the docker group, correct me if I'm wrong, but is this not doing the same?

BTW, I was planning to move 56-58 into the gce_install_sandbox.sh script.

[liamfallon]

I just tried this:
sudo usermod -aG docker2 ubuntu
usermod: group 'docker2' does not exist

(used non-existant docker2 group as a test)
The group has to exist before it can be given to a user.

I tried moving lines 56-58 into the gce_install_sandbox.sh script but because of the requirement to restart the shell, docker or kpt fn render commands later in the script would not run as $NEPHIO_USER because a new shell has to be started to pick up the new group privileges

[liamfallon]

We probably should have one phase in the install process to install all the prerequisites (docker kpt kubectl etc etc) and then in another phase install the more nephio-specific stuff we need but I guess that'll be post R1 :-)

[electrocucaracha]

That's done here before executing the bootstrap Ansible role. So my point is that before those instructions has been executed, docker group shouldn't exist

[liamfallon]

Thanks @electrocucaracha I have reverted this.

[electrocucaracha]

Another way to achieve that is using newgrp

Suggested change

	kpt fn render "$localpkg"
	newgrp docker <<EONG
	kpt fn render "$localpkg"
	EONG

[liamfallon]

OK, newgrp spawns a new shell and then the render happens in that shell with the new privileges?

[liamfallon]

But doesn't newgrp have to be run as sudo?

[efiacor]

Hi @electrocucaracha , I am currently working on refactoring the scripts a bit so will take the docker group issue after this change if that's ok.
Plan is to add an intermediary script to setup the platform and isolate and sudo calls.

[liamfallon]

Hi @electrocucaracha I have reverted this and left in the sudo.

[electrocucaracha]

Suggested change

	- default user is "ubuntu" and "ubuntu" has sudo rights
	- default user is "ubuntu" and "ubuntu" needs sudo passwordless permissions

[liamfallon]

Just added the hacks/resolve_secrets.sh script to destroy and re-apply the kpt packages for mgmt and mgmt-cluster, this script works around the issue with secrets not being created by the gce_install_sandbox.sh script.

[radoslawc]

/approve
/lgtm

[nephio-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liamfallon, radoslawc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [radoslawc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment