Add property to allow the use of the 'root' user for docker Apps#561

Merged
Gerg merged 1 commit into cloudfoundry:develop from acosta11:feat/add-allow-root-user-config-flag on Aug 20, 2025

Conversation


@acosta11 acosta11 commented Jul 14, 2025

Background

Associated bosh release configuration for cloudfoundry/cloud_controller_ng#4452

  • I have viewed, signed, and submitted the Contributor License Agreement

  • I have made this pull request to the develop branch

  • I have run CF Acceptance Tests on bosh lite

acosta11 force-pushed the feat/add-allow-root-user-config-flag branch from d90b37c to c72957d on August 14, 2025 19:32
acosta11 marked this pull request as ready for review August 14, 2025 20:25

acosta11 commented Aug 14, 2025

See related PR cloudfoundry/cloud_controller_ng#4452 for CATs comment. That testing included this bosh packaging update. Should be ready for review now @Gerg @tcdowney .


Gerg commented Aug 18, 2025

Acceptance

Setup

❯ cf enable-feature-flag diego_docker
Enabling feature flag diego_docker as admin...
OK

Base Case

❯ cf push docker -o cloudfoundry/test-app
...
name:              docker
requested state:   started
routes:            docker.chap.app-runtime-interfaces.ci.cloudfoundry.org
last uploaded:     Thu 14 Aug 13:16:50 PDT 2025
stack:
docker image:      cloudfoundry/test-app:latest

type:            web
sidecars:
instances:       1/1
memory usage:    256M
start command:   /test-app
     state     since                  cpu    memory     disk       logging        cpu entitlement   details
#0   running   2025-08-14T20:17:00Z   0.0%   0B of 0B   0B of 0B   0B/s of 0B/s   0.0%

Set to true

❯ bosh deploy /tmp/chap.yml --no-redact
...
  instance_groups:
  - name: api
    jobs:
    - name: cloud_controller_ng
      properties:
        cc:
+         allow_docker_root_user: true
  - name: cc-worker
    jobs:
    - name: cloud_controller_worker
      properties:
        cc:
+         allow_docker_root_user: true
  - name: scheduler
    jobs:
    - name: cloud_controller_clock
      properties:
        cc:
+         allow_docker_root_user: true
...
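Review bot: the base case above shows the docker image running with the property unset, so the default for cc.allow_docker_root_user is permissive (root allowed); an operator who wants the restriction has to set it explicitly, and on all three jobs as this manifest does (cloud_controller_ng, cloud_controller_worker, cloud_controller_clock), since the Sync section further down shows the clock enforcing the check on its own.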
Task 90 done

Succeeded
❯ cf push docker -o cloudfoundry/test-app
...
name:              docker
requested state:   started
routes:            docker.chap.app-runtime-interfaces.ci.cloudfoundry.org
last uploaded:     Thu 14 Aug 14:19:13 PDT 2025
stack:
docker image:      cloudfoundry/test-app:latest

type:            web
sidecars:
instances:       1/1
memory usage:    256M
start command:   /test-app
     state     since                  cpu    memory          disk          logging              cpu entitlement   details
#0   running   2025-08-14T21:19:21Z   0.5%   15.2M of 256M   22.4M of 1G   33B/s of unlimited   62.2%

Set to false

❯ bosh deploy /tmp/chap.yml --no-redact -n
...
  instance_groups:
  - name: api
    jobs:
    - name: cloud_controller_ng
      properties:
        cc:
-         allow_docker_root_user: true
+         allow_docker_root_user: false
  - name: cc-worker
    jobs:
    - name: cloud_controller_worker
      properties:
        cc:
-         allow_docker_root_user: true
+         allow_docker_root_user: false  - name: scheduler
    jobs:
    - name: cloud_controller_clock
      properties:
        cc:
-         allow_docker_root_user: true
+         allow_docker_root_user: false
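Review bot: flipping this to false affects apps that are already running, not only new pushes: the Sync and Processes sections below show the clock refusing to recreate the desired LRP and `cf restart` failing for a docker app that started fine before the change. Audit the process users of existing docker apps before setting this on a foundation with running docker workloads.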

Sync

❯ bosh ssh diego-api
$ cfdot delete-desired-lrp fba69784-a41a-4e8c-bf10-7f42e172718f-5a583bae-e685-47e9-8f91-7a92d821baa6
❯ bosh ssh scheduler
# tail /var/vcap/sys/log/cloud_controller_clock/cloud_controller_clock.log
...
{"timestamp":"2025-08-18T17:39:28.077426069Z","message":"error-updating-lrp-state","log_level":"error","source":"cc.diego.sync.processes","data":{"error":"UnprocessableEntity","error_message":"Attempting to run process as root user, which is not permitted." ...

Processes

❯ cf restart docker
Restarting app docker in org org / space space as admin...

Stopping app...

Waiting for app to start...

Attempting to run process as root user, which is not permitted.
FAILED
❯ cf push docker -o cloudfoundry/test-app
Pushing app docker to org org / space space as admin...

Staging app and tracing logs...
   Cell 30142ebe-e245-4ecc-a860-864ebd1e0f45 creating container for instance 00b197c5-a68f-4d83-ba95-724ec5915aef
...
   Cell 30142ebe-e245-4ecc-a860-864ebd1e0f45 successfully destroyed container for instance 00b197c5-a68f-4d83-ba95-724ec5915aef

Waiting for app docker to start...

Attempting to run process as root user, which is not permitted.
FAILED
❯ cf curl -X PATCH /v3/processes/fba69784-a41a-4e8c-bf10-7f42e172718f -d '{"user": "vcap"}'
{"guid":"fba69784-a41a-4e8c-bf10-7f42e172718f", "...": "..."}
❯ cf restart docker
Restarting app docker in org org / space space as admin...

Stopping app...

Waiting for app to start...

Instances starting...
...
Instances starting...

All instances crashed
FAILED

Note: this is fine, CAPI tried to run the container, so it got past the check.

❯ cf logs docker --recent
...
   2025-08-18T10:51:43.05-0700 [CELL/0] OUT Cell 30142ebe-e245-4ecc-a860-864ebd1e0f45 creating container for instance 4da3af80-2a3a-443a-76f3-eee0
   2025-08-18T10:51:43.05-0700 [API/0] OUT App instance exited with guid fba69784-a41a-4e8c-bf10-7f42e172718f payload: {"instance"=>"c9802d48-15be-4999-585a-bf4d", "index"=>0, "cell_id"=>"30142ebe-e245-4ecc-a860-864ebd1e0f45", "reason"=>"CRASHED", "exit_description"=>"unable to find user vcap: no matching entries in passwd file", "crash_count"=>2, "crash_timestamp"=>1755539503001112793, "version"=>"a4e5c43c-7ea3-4b23-a45c-8dd176873dfe"}
   2025-08-18T10:51:43.12-0700 [PROXY/0] OUT Exit status 137
   ...

Tasks

❯ cf run-task docker -c "echo"
Creating task for app docker in org org / space space as admin...
Attempting to run task as root user, which is not permitted.
FAILED
❯ cf curl -X POST /v3/apps/fba69784-a41a-4e8c-bf10-7f42e172718f/tasks -d '{"command": "echo", "user": "vcap"}'
{"guid":"a8011fe8-2119-4d45-b5eb-7abe2238f2e9","...":"..."}
❯ cf logs docker --recent
   2025-08-18T10:59:25.37-0700 [CELL/0] OUT Cell 30142ebe-e245-4ecc-a860-864ebd1e0f45 successfully created container for instance a8011fe8-2119-4d45-b5eb-7abe2238f2e9
   2025-08-18T10:59:25.78-0700 [APP/TASK/e3bf3619/0] OUT failed-creating-process: unable to find user vcap: no matching entries in passwd file
   2025-08-18T10:59:26.82-0700 [CELL/0] OUT Cell 30142ebe-e245-4ecc-a860-864ebd1e0f45 stopping instance a8011fe8-2119-4d45-b5eb-7abe2238f2e9

@Gerg Gerg requested review from Gerg, sethboyles and tcdowney August 18, 2025 18:20
@Gerg Gerg merged commit 4887a6d into cloudfoundry:develop Aug 20, 2025
2 checks passed
