Skip to content

Allow developer to specify run action user on Processes #4407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tcdowney merged 1 commit into from
Jun 20, 2025
Merged

Allow developer to specify run action user on Processes #4407

tcdowney merged 1 commit into from
Jun 20, 2025

Conversation

@tcdowney
Copy link
Member

@tcdowney tcdowney commented Jun 13, 2025
edited
Loading

This adds a new field to the Process called user which is used to override the default run action user from vcap to something else. The use case this specifically solves is allowing Windows apps to opt-in to running as the built-in Windows ContainerUser user. It makes configuring user a bit more straightforward for Docker applications as well, but is not useful for the cflinux stacks since those stacks only support the vcap user.

Currently the list of permitted users is controlled by a new capi-release BOSH property called cc.allowed_process_users (see cloudfoundry/capi-release#555), but a possible future enhancement would be to make run_user and build_user first-class properties on Stack resources so that stacks could declare what users they support explicitly.

See #4372 for more details on the use cases this solves.

I plan on submitting follow-up PRs to support this configuration via Manifests and on Tasks.

  • I have reviewed the contributing guide

  • I have viewed, signed, and submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests using bundle exec rake

  • I have run CF Acceptance Tests

@tcdowney tcdowney requested review from Gerg, Samze and sethboyles June 13, 2025 20:56
@tcdowney tcdowney mentioned this pull request Jun 13, 2025
Merged
3 tasks
@sethboyles
Copy link
Member

sethboyles commented Jun 13, 2025

Interestingly I can get dora to work with user root, which is not surprising, but rolling deployments no longer work. The first instance comes up as 'running'. I think there might be some extra checks on whether or not an instance is 'routable' that is preventing it from progressing. I'd have to revisit the DeploymentUpdater code, though.

I think the same thing is happening with docker apps if you set 'root' user. You can do a plain old restart, though.

Do you think user should be tracked on Revisions?

@tcdowney
Copy link
Member Author

tcdowney commented Jun 16, 2025

Interestingly I can get dora to work with user root, which is not surprising, but rolling deployments no longer work. The first instance comes up as 'running'. I think there might be some extra checks on whether or not an instance is 'routable' that is preventing it from progressing. I'd have to revisit the DeploymentUpdater code, though.

I think the same thing is happening with docker apps if you set 'root' user. You can do a plain old restart, though.

Do you think user should be tracked on Revisions?

I will experiment with this, I realized I'm not copying user over when duplicating the process during the deployment. Not sure about tracking it on Revisions. From a purist standpoint it probably should be tracked, but in practice I think you will set this once and rarely (or never) change it for the life of the app. Will play around with this some more, though.

@tcdowney
Copy link
Member Author

tcdowney commented Jun 16, 2025
edited
Loading

I think user is a reserved (?) column on MySQL (only tested with Postgres locally), I'm going to rename the column to action_user (but keep APIs the same).

Edit: I was wrong about this. user is fine as a column name, my idempotency test wasn't correct and was not truly idempotent on MySQL.

@tcdowney
Copy link
Member Author

tcdowney commented Jun 16, 2025

@sethboyles I can't reproduce deployment failures after making this change:

18abaff

Regarding adding user to a Revision. I think if we do that it will function like commands on a Process. Which have their own table called revision_process_commands. I don't think we should have a revision_process_users table in addition -- maybe that table should have all process level revision info? I think maybe that should be separate scope from this story though.

@sethboyles
Copy link
Member

sethboyles commented Jun 16, 2025

I agree. We should probably treat revision_process_commands as revision_processes or something if we have more process details we want to track. But it's not like we track health_check or readiness_health_check on revisions, so we probably don't need to add user just yet.

@tcdowney tcdowney requested a review from sethboyles June 17, 2025 15:32
@tcdowney
Copy link
Member Author

tcdowney commented Jun 17, 2025

Docs tests are failing with a 429. I think Github may be rate limiting access to the OSBAPI spec file for some reason.
It's unrelated to this PR though @sethboyles @Samze

Samze
Samze reviewed Jun 18, 2025
View reviewed changes
Samze
Samze reviewed Jun 18, 2025
View reviewed changes
@tcdowney tcdowney requested a review from Samze June 19, 2025 22:34
Samze
Samze reviewed Jun 20, 2025
View reviewed changes
@tcdowney tcdowney merged commit 384b017 into main Jun 20, 2025
30 of 32 checks passed
@moleske moleske deleted the user-on-process branch June 20, 2025 17:48
ari-wg-gitbot added a commit to cloudfoundry/capi-release that referenced this pull request Jun 20, 2025
@ari-wg-gitbot
Bump cloud_controller_ng
40b2179 
Changes in cloud_controller_ng:

- Support overriding the user on Processes
    PR: cloudfoundry/cloud_controller_ng#4407
    Author: Tim Downey <tcdowney@users.noreply.github.com>
@jochenehret
Copy link
Contributor

jochenehret commented Jun 23, 2025

This change causes the "Docker Application Lifecycle" tests of the CATs suite to fail:
https://concourse.app-runtime-interfaces.ci.cloudfoundry.org/teams/capi-team/pipelines/capi/jobs/gyro-exp-tests/builds/38
https://concourse.app-runtime-interfaces.ci.cloudfoundry.org/teams/capi-team/pipelines/capi/jobs/olaf-mysql-tests/builds/39

  [FAIL] [docker] Docker Application Lifecycle running a docker app without a start command [BeforeEach] handles docker-defined metadata and environment variables correctly
  /tmp/build/1f5f819e/cf-acceptance-tests/docker/docker_lifecycle.go:80
  [FAIL] [docker] Docker Application Lifecycle running a docker app with a start command [BeforeEach] retains its start command through starts and stops
  /tmp/build/1f5f819e/cf-acceptance-tests/docker/docker_lifecycle.go:53
  [FAIL] [docker] Docker Application Lifecycle running a docker app without a start command [BeforeEach] when env vars are set with 'cf set-env' prefers the env vars from cf set-env over those in the Dockerfile
  /tmp/build/1f5f819e/cf-acceptance-tests/docker/docker_lifecycle.go:80
  [FAIL] [docker] Docker App Lifecycle CredHub Integration when CredHub is configured service bindings [JustBeforeEach] in assisted mode the app should see the service creds
  /tmp/build/1f5f819e/cf-acceptance-tests/docker/credhub_enabled.go:105

I found the following stack trace in the cloud controller logs:

{"timestamp":"2025-06-23T11:22:28.000598027Z","message":"Request failed: 500: {\"errors\"=\u003e[{\"title\"=\u003e\"UnknownError\", \"detail\"=\u003e\"An unknown error occurred.\", \"code\"=\u003e10001, \"test_mode_info\"=\u003e{\"detail\"=\u003e\"unexpected character (after ) at line 1, column 1 [parse.c:706] in '\", \"title\"=\u003e\"CF-EncodingError\", \"backtrace\"=\u003e[\"/var/vcap/data/packages/cloud_controller_ng/15dbf508b71c470d5ed4a0e29f62d3d68928ae12/cloud_controller_ng/app/models/runtime/process_model.rb:582:in `load'\", \"/var/vcap/data/packages/cloud_controller_ng/15dbf508b71c470d5ed4a0e29f62d3d68928ae12/cloud_controller_ng/app/models/runtime/process_model.rb:582:in `docker_run_action_user'\", \"/var/vcap/data/packages/cloud_controller_ng/15dbf508b71c470d5ed4a0e29f62d3d68928ae12/cloud_controller_ng/app/models/runtime/process_model.rb:399:in `run_action_user'\", \"/var/vcap/data/packages/cloud_controller_ng/15dbf508b71c470d5ed4a0e29f62d3d68928ae12/cloud_controller_ng/app/presenters/v3/process_presenter.rb:31:in `to_hash'\",

Can you please check and provide a fix?

@tcdowney
Copy link
Member Author

tcdowney commented Jun 23, 2025
edited
Loading

Yes, I'll take a look and fix it. Thanks for letting me know @jochenehret

PR here: #4415

tcdowney added a commit that referenced this pull request Jun 23, 2025
@tcdowney
Fix GET Process endpoint for unstaged docker apps
8d3377a 
- The user field was added in #4407
- This failed for unstaged Docker apps since they do not have
  JSON-parseable execution metadata
- This fix updates the code to treat empty and unparseable execution
  metadata the same as an empty JSON object
@tcdowney tcdowney mentioned this pull request Jun 23, 2025
Merged
5 tasks
tcdowney added a commit that referenced this pull request Jun 23, 2025
@tcdowney
Fix GET Process endpoint for unstaged docker apps (#4415)
903f90d 
- The user field was added in #4407
- This failed for unstaged Docker apps since they do not have
  JSON-parseable execution metadata
- This fix updates the code to treat empty and unparseable execution
  metadata the same as an empty JSON object
@tcdowney tcdowney mentioned this pull request Jun 23, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Samze Samze Samze approved these changes

@Gerg Gerg Awaiting requested review from Gerg

@sethboyles sethboyles Awaiting requested review from sethboyles

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tcdowney @sethboyles @jochenehret @Samze