The committers listed above are authorized under a signed CLA.

• ✅ login: acosta11 / name: Andrew Costa (356d7b1, d4ad30a, ff95407)

Oh looks like I had pivotal-cf membership visibility set to private. Is there a way to rerun the CLA check to see if I need any other updates?

Edit: I still had to click sign again. But it seems to be working now.

@acosta11 you will also need to open a PR to add this new property to https://github.com/cloudfoundry/capi-release

@acosta11 you will also need to open a PR to add this new property to https://github.com/cloudfoundry/capi-release

Draft PR: cloudfoundry/capi-release#561

Still need to test this end to end with the bosh release config.

I haven't validated this myself yet, but I don't think this PR covers the case where the root user is coming from the Dockerfile. In that case, the user will be returned from staging as root and stored in the Droplet's docker_exec_metadata.

I haven't validated this myself yet, but I don't think this PR covers the case where the root user is coming from the Dockerfile. In that case, the user will be returned from staging as root and stored in the Droplet's docker_exec_metadata.

Indeed it's not exercised through that complete flow. I can look at adding a test to explicitly configure the user to root in the docker metadata. I think the setup that I copied was only setting image information so would have to update the call to the factory.

Indeed it's not exercised through that complete flow. I can look at adding a test to explicitly configure the user to root in the docker metadata. I think the setup that I copied was only setting image information so would have to update the call to the factory.

There is some complexity there, since the user specified in the Dockerfile -> execution_metadata will be set on the Droplet as a result of staging. I don't think we want to fail the staging because:

1. The app dev could still override what user will be used via the Process/Task APIs
2. The check wouldn't catch older Droplets that were staged with the root user prior to enabling the new check

I think we need to check the user-that-will-be-used when actually starting to run the process/task (but, I'm open to other ideas). I'm fine if you want to break that into a separate PR, to keep things more manageable with this one.

Initial pass on the runtime check for 'root' user leverages the desired_lrp and task_action builder layer to avoid disrupting staging. Talking with Greg, I also considered going into all the relevant action implementations to start the error message a bit earlier in the call chain. That said, the builder level check ended up fairly succinct and easy to test, so I'm slightly favoring this implementation to avoid missing something in the action layer with a larger set of required changes.

Curious if it looks reasonable to y'all.

Wrapped up end to end testing, added some error handling from an issue detected as part of that process, and rebased on latest main with the task handler and ccng config updates. Should be good for review now.

See updated PR description for nsync edge case that I also validated in the e2e env. If anything, taking one last look at our handling of the USER UID:GID directive instead of just USER root. Technically it would be relevant to also prevent the use of user id or group id 0.

Rebased on main and renamed property to allow_docker_root_user instead of allow_process_root_user since this applies to both Processes and Tasks. Bump @Gerg @tcdowney if y'all had any other thoughts.

Rebased on main again and ultimately removed all of the model layer changes in favor of the user allow list. Added more explicit tests at the diego builder layer for the cases where user is '0' or absent in the Dockerfile to round out the ways by which a root user may be specified.

Also added dev note to PR description about potentially unexpected behavior of the Process/Task policy not applying to the users set in Dockerfile specifically. Running CATs on env now to see if anything weird pops up.

CATs appears to be working consistently for the standard app and docker suites. I'm mostly seeing what looks like flakes with logging tests.

$ cat cats-config.json
{
  "api": "<api>",
  "apps_domain": "<apps>",
  "admin_user": "admin",
  "admin_password": "<cred>",
  "skip_ssl_validation": true,
  "use_http": true,
  "include_apps": true,
  "include_capi_experimental":true,
  "include_detect": false,
  "include_security_groups": false,
  "include_services": false,
  "include_v3": true,
  "include_tasks": true,
  "include_backend_compatibility": false,
  "include_capi_no_bridge": false,
  "include_container_networking": false,
  "include_credhub" : false,
  "include_docker": true,
  "include_internet_dependent": false,
  "include_isolation_segments": false,
  "include_persistent_app": false,
  "include_private_docker_registry": false,
  "include_privileged_container_support": false,
  "include_route_services": false,
  "include_routing": false,
  "include_routing_isolation_segments": false,
  "include_service_discovery": false,
  "include_service_instance_sharing": false,
  "include_ssh": false,
  "include_sso": false,
  "include_zipkin": false,
  "java_buildpack_name": "java_buildpack_offline"
}

CONFIG=cats-config.json ./bin/test --procs=4
...
Summarizing 2 Failures:
  [FAIL] [app_syslog_tcp] Syslog Drain over TCP Syslog drains [It] forwards app messages to registered syslog drains via mtls
  /workspace/cf-acceptance-tests/app_syslog_tcp/syslog_drain.go:152
  [FAIL] [app_syslog_tcp] Syslog Drain over TCP Syslog drains [It] forwards app messages to registered syslog drains
  /workspace/cf-acceptance-tests/app_syslog_tcp/syslog_drain.go:113

Ran 80 of 275 Specs in 1513.412 seconds
FAIL! -- 78 Passed | 2 Failed | 2 Pending | 193 Skipped


Ginkgo ran 1 suite in 25m15.173901372s

Seems like I just need what looks like some flakey errors in the remaining mysql unit test here to pass.