3

On newly created GCE instances I find a really messy /home/ folder, containing one home directory for every GCP user with sufficient permissions (so far not too insane), but also one for any user who ever succeeded in logging in via gcloud SSH to any GCE instance of the same project (even if that very user never actually tried SSH-ing into that particular instance):

gcloud compute ssh username@gce-instance --project project-name

This last thing seems inexplicable to me, but anyway I decided to remove all of these Linux users on a newly created Ubuntu 18.04 GCE instance, with the deluser --remove-all-files command as shown here:

CURRENT_USER=username
# Iterate over every home directory and delete the matching user,
# except the one we are logged in as.
for USER in $(ls /home)
  do
    # string comparison: -neq is not a valid test operator, != is
    if [ "$CURRENT_USER" != "$USER" ]
      then
        deluser --remove-all-files "$USER"
      fi
  done

All the users but the current one are thus removed, and their home folders no longer appear in ls /home/, but this is only temporary: they all reappear after the next reboot of the instance.

I took a look at journalctl and noticed that this is due to the google-accounts daemon, which recreates all those users at startup. I spotted the code that does this, in /usr/lib/python3/dist-packages/google_compute_engine/accounts/accounts_daemon.py; I even tried to instantiate a google_compute_engine.accounts.accounts_daemon.AccountsDaemon() from a Python CLI and run its HandleAccounts(res) method, and journalctl looked very, very promising:

Feb 27 15:32:57 gce-name google-accounts[1922]: WARNING Exception locking /var/lock/google_accounts.lock. File already locked.
Feb 27 15:33:18 gce-name google-accounts[1935]: WARNING Exception locking /var/lock/google_accounts.lock. File already locked.
Feb 27 15:33:35 gce-name google-accounts[1935]: WARNING Instance attributes were not found.
Feb 27 15:33:35 gce-name google-accounts[1935]: WARNING Project attributes were not found.
Feb 27 15:33:35 gce-name google-accounts[1935]: WARNING Instance attributes were not found.
Feb 27 15:33:35 gce-name google-accounts[1935]: WARNING Project attributes were not found.
Feb 27 15:33:36 gce-name google-accounts[1935]: INFO Removing user username_1.
Feb 27 15:33:36 gce-name google-accounts[1935]: INFO Removing user username_2.
### etc ###
Feb 27 15:33:36 gce-name google-accounts[1935]: INFO Removing user username_last.

Unfortunately, after one last very confident sudo reboot, I found to my horror that every folder was back once again inside /home/.

I ran out of ideas; can anybody help me?

D3r
  • 33
  • 4

1 Answer

4

Go to the GCP console and, in Compute Engine, go to Metadata. You will find all the SSH keys that have been added at project level. Each time a new VM is created, all those users with an SSH key at project level are going to have access to the VM.

For more information refer to this link: https://cloud.google.com/compute/docs/storing-retrieving-metadata

Majico
  • 156
  • 3
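To make the answer concrete, here is an added example script (not code from the question, the answer, or the Google guest environment) that shows where the reappearing home directories come from. The guest accounts daemon reads the project-level `ssh-keys` metadata attribute, whose value is one `username:public-key [comment]` entry per line, and creates a local Linux user for every distinct username it finds. The script parses a constructed copy of that attribute, lists the usernames the daemon would provision, and classifies a constructed list of /home entries into the ones the daemon will recreate after a reboot and the ones that are purely local. Some entries carry a trailing `google-ssh {...}` JSON blob with an expiry; this parser extracts only the username and does not evaluate expiry, which is a simplification. The metadata URL and the `block-project-ssh-keys` instance attribute are real GCE features, but the script only prints those commands rather than running them, so it works offline.

```shell
#!/usr/bin/env bash
# Added example: explain why deluser-ed accounts come back on a GCE instance.
# The accounts daemon re-provisions every username found in project metadata.
set -eu

# Constructed sample of the project-level "ssh-keys" attribute value.
# Format per line: username:key-type base64-key [comment | google-ssh {json}]
SAMPLE_SSH_KEYS='alice:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample1 alice@laptop
bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 bob@desk
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample3 alice@phone
carol:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample4 google-ssh {"userName":"carol@example.com","expireOn":"2018-01-01T00:00:00+0000"}'

# Constructed stand-in for `ls /home` on the instance.
SAMPLE_HOMES='alice
bob
dave
ubuntu'

# ssh_key_users METADATA_TEXT
# Print the distinct usernames (text before the first ':'), sorted, one per line.
# Every one of these gets a Linux account and home directory from the daemon.
ssh_key_users() {
  printf '%s\n' "$1" | awk -F: 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

# classify_homes METADATA_TEXT HOME_LIST
# For each directory name in HOME_LIST print "<name><TAB>metadata" if the
# daemon manages it (deluser is futile: it returns at the next daemon run),
# or "<name><TAB>local" if it exists only on this instance.
classify_homes() {
  users=$(ssh_key_users "$1")
  printf '%s\n' "$2" | while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    if printf '%s\n' "$users" | grep -qx -- "$dir"; then
      printf '%s\tmetadata\n' "$dir"
    else
      printf '%s\tlocal\n' "$dir"
    fi
  done
}

# live_commands
# Print (do not run) the commands you would use on a real instance: fetch the
# live project attribute, and block project-level keys for this instance so the
# daemon stops provisioning project users on it.
live_commands() {
  cat <<'EOF'
# fetch the live project-level ssh-keys attribute from inside the instance
curl -s -H 'Metadata-Flavor: Google' \
  http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys
# stop project-level keys from provisioning users on this one instance
gcloud compute instances add-metadata INSTANCE_NAME --zone ZONE \
  --metadata block-project-ssh-keys=TRUE
EOF
}

echo "users provisioned from project metadata:"
ssh_key_users "$SAMPLE_SSH_KEYS"
echo
echo "classification of /home entries:"
classify_homes "$SAMPLE_SSH_KEYS" "$SAMPLE_HOMES"
echo
live_commands
```

Running it against the constructed data marks alice and bob as metadata-managed (they will be recreated after every reboot no matter how often they are deleted) and dave and ubuntu as local. On a real instance, replace the two SAMPLE_ variables with the output of the curl command and `ls /home`; user names that show up as metadata-managed can only be kept off the instance by removing their key from project metadata or by setting `block-project-ssh-keys=TRUE` on the instance.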