Conditionally use 'vcap' as default docker user

acosta11 · acosta11 · commit 2f50f92a9e39 · 2025-07-14T14:55:39.000-07:00
* Now that user may be overridden on processes and tasks, update default
  user based on new flag to allow or deny the use of 'root'.
diff --git a/app/models/runtime/droplet_model.rb b/app/models/runtime/droplet_model.rb
@@ -138,7 +138,7 @@ def docker_user
         end
       end
 
-      container_user.presence || AppModel::DEFAULT_DOCKER_CONTAINER_USER
+      container_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
     def staging?
diff --git a/app/models/runtime/process_model.rb b/app/models/runtime/process_model.rb
@@ -578,7 +578,7 @@ def permitted_users
     def docker_run_action_user
       return AppModel::DEFAULT_CONTAINER_USER unless docker?
 
-      desired_droplet&.docker_user.presence || AppModel::DEFAULT_DOCKER_CONTAINER_USER
+      desired_droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
     def non_unique_process_types
diff --git a/app/models/runtime/task_model.rb b/app/models/runtime/task_model.rb
@@ -66,7 +66,7 @@ def permitted_users
     end
 
     def docker_run_action_user
-      droplet.docker_user.presence || AppModel::DEFAULT_CONTAINER_USER
+      droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
     def running_state?
diff --git a/spec/unit/models/runtime/process_model_spec.rb b/spec/unit/models/runtime/process_model_spec.rb
@@ -687,62 +687,133 @@ def act_as_cf_admin
           process.desired_droplet.reload
         end
 
-        context 'when the process has a user specified' do
+        context 'when root user is allowed' do
           before do
-            process.update(user: 'ContainerUser')
+            TestConfig.override(allow_process_root_user: true)
           end
 
-          it 'returns the user' do
-            expect(process.run_action_user).to eq('ContainerUser')
+          context 'when the process has a user specified' do
+            before do
+              process.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(process.run_action_user).to eq('ContainerUser')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata specifies a user' do
-          it 'returns the specified user' do
-            expect(process.run_action_user).to eq('some-user')
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(process.run_action_user).to eq('some-user')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata DOES NOT specify a user' do
-          let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
 
-          it 'defaults the user to root' do
-            expect(process.run_action_user).to eq('root')
+            it 'returns the default "root" user' do
+              expect(process.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is an empty string' do
-          let(:droplet_execution_metadata) { '' }
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
+
+            it 'returns the default "root" user' do
+              expect(process.run_action_user).to eq('root')
+            end
+          end
 
-          it 'defaults the user to root' do
-            expect(process.run_action_user).to eq('root')
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
+
+            it 'returns the default "root" user' do
+              expect(process.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is nil' do
-          let(:droplet_execution_metadata) { nil }
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
 
-          it 'defaults the user to root' do
-            expect(process.run_action_user).to eq('root')
+            it 'returns the default "root" user' do
+              expect(process.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata has invalid json' do
-          let(:droplet_execution_metadata) { '{' }
+          context 'when the app does not have a droplet assigned' do
+            before do
+              process.app.update(droplet: nil)
+              process.reload
+            end
 
-          it 'defaults the user to root' do
-            expect(process.run_action_user).to eq('root')
+            it 'returns the default "root" user' do
+              expect(process.run_action_user).to eq('root')
+            end
           end
         end
 
-        context 'when the app does not have a droplet assigned' do
+        context 'when root user is not allowed' do
           before do
-            process.app.update(droplet: nil)
-            process.reload
+            TestConfig.override(allow_process_root_user: false)
+          end
+
+          context 'when the process has a user specified' do
+            before do
+              process.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(process.run_action_user).to eq('ContainerUser')
+            end
+          end
+
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(process.run_action_user).to eq('some-user')
+            end
+          end
+
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+
+            it 'returns the default "vcap" user' do
+              expect(process.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
+
+            it 'returns the default "vcap" user' do
+              expect(process.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
+
+            it 'returns the default "vcap" user' do
+              expect(process.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'returns the default "vcap" user' do
+              expect(process.run_action_user).to eq('vcap')
+            end
           end
 
-          it 'defaults the user to root' do
-            expect(process.run_action_user).to eq('root')
+          context 'when the app does not have a droplet assigned' do
+            before do
+              process.app.update(droplet: nil)
+              process.reload
+            end
+
+            it 'returns the default "vcap" user' do
+              expect(process.run_action_user).to eq('vcap')
+            end
           end
         end
       end
diff --git a/spec/unit/models/runtime/task_model_spec.rb b/spec/unit/models/runtime/task_model_spec.rb
@@ -204,51 +204,111 @@ module VCAP::CloudController
           task.droplet.update(execution_metadata: droplet_execution_metadata)
         end
 
-        context 'when the task has a user specified' do
+        context 'when root user is allowed' do
           before do
-            task.update(user: 'ContainerUser')
+            TestConfig.override(allow_process_root_user: true)
           end
 
-          it 'returns the user' do
-            expect(task.run_action_user).to eq('ContainerUser')
+          context 'when the task has a user specified' do
+            before do
+              task.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(task.run_action_user).to eq('ContainerUser')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata specifies a user' do
-          it 'returns the specified user' do
-            expect(task.run_action_user).to eq('cnb')
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(task.run_action_user).to eq('cnb')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata DOES NOT specify a user' do
-          let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is an empty string' do
-          let(:droplet_execution_metadata) { '' }
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
-        end
 
-        context 'when the droplet execution metadata is nil' do
-          let(:droplet_execution_metadata) { nil }
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
+          end
+
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'defaults the user to root' do
+              expect(task.run_action_user).to eq('root')
+            end
           end
         end
 
-        context 'when the droplet execution metadata has invalid json' do
-          let(:droplet_execution_metadata) { '{' }
+        context 'when root user is not allowed' do
+          before do
+            TestConfig.override(allow_process_root_user: false)
+          end
 
-          it 'defaults the user to root' do
-            expect(task.run_action_user).to eq('root')
+          context 'when the task has a user specified' do
+            before do
+              task.update(user: 'ContainerUser')
+            end
+
+            it 'returns the user' do
+              expect(task.run_action_user).to eq('ContainerUser')
+            end
+          end
+
+          context 'when the droplet execution metadata specifies a user' do
+            it 'returns the specified user' do
+              expect(task.run_action_user).to eq('cnb')
+            end
+          end
+
+          context 'when the droplet execution metadata DOES NOT specify a user' do
+            let(:droplet_execution_metadata) { '{"entrypoint":["/image-entrypoint.sh"]}' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is an empty string' do
+            let(:droplet_execution_metadata) { '' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata is nil' do
+            let(:droplet_execution_metadata) { nil }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
+          end
+
+          context 'when the droplet execution metadata has invalid json' do
+            let(:droplet_execution_metadata) { '{' }
+
+            it 'defaults the user to vcap' do
+              expect(task.run_action_user).to eq('vcap')
+            end
           end
         end
       end
