This repository was archived by the owner on Jun 4, 2024. It is now read-only.

Conversation

tcdowney
Member

@tcdowney tcdowney commented Dec 16, 2020

Please provide the following information:

What is this change about?

Sets the diego-docker-app user to 'nobody' so that the container can be run on Kubernetes clusters that have the MustRunAsNonRoot security policy.

Alternatively we could explicitly make a new user with a static UID and set it to that.

What problem is it trying to solve?

This allows CATS to be run with the same Docker test app in both CF for VMs and CF on Kubernetes contexts.

What is the impact if the change is not made?

We will need to maintain a separate "diego-docker-app" Dockerfile for Kubernetes or change the CATs to use a different app.

Please provide any contextual information.

Slack discussion: https://cloudfoundry.slack.com/archives/CH9LF6V1P/p1602865303312100

Tag your pair, your PM, and/or team!

@jamespollard8 @davewalter

Sets the diego-docker-app user to 'nobody' so that the container can be run
on Kubernetes clusters that have the `MustRunAsNonRoot` security policy
@goonzoid
Contributor

This looks fine to me, though I was wondering if we couldn't just use the vcap user? It doesn't matter much either way, I expect.

Will ask someone else from the team to take a look before merging in case there's something I'm missing.

@tcdowney
Member Author

tcdowney commented Dec 17, 2020

@goonzoid I was wondering about the vcap user. It's created, but not actually used? I asked @cwlbraa, since he worked on that in 2015, but he doesn't remember (not that I'd expect anyone to 😛 ). Our hypothesis is that it was to test a bug fix related to Docker images that already had an existing vcap user and that this broke something. Anyways, my worry was that the image isn't meant to run as vcap for some reason.

My thoughts are that if we use the vcap user we need to specify an explicit uid for it. I haven't tried this out, but based on what I've read, Kubernetes requires that it be a numeric value or you get something like:

Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root
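The check behind that error, modelled in Python as an added example (not code from this repository or from Kubernetes). The decision order is my reading of the kubelet's `verifyRunAsNonRoot` logic and is an assumption; the sample `USER` values are the ones discussed in this thread ('nobody', 'vcap', a static numeric UID).

```python
"""Model of the kubelet's runAsNonRoot admission check.

Constructed for illustration: the decision order mirrors the kubelet's
security-context verification as I understand it (an assumption), and the
error texts are the one quoted in the discussion plus its sibling messages.
"""
from typing import Optional, Tuple


def parse_image_user(user: str) -> Tuple[Optional[int], str]:
    """Split an image config USER value into (numeric uid, username).

    The image config stores exactly what the Dockerfile's USER line said:
    '65534' stays numeric, 'nobody' or 'vcap' stays a name that the kubelet
    cannot resolve without reading the image's /etc/passwd.  An empty USER
    means the image runs as root (uid 0).  A 'uid:gid' form keeps only uid.
    """
    uid_part = user.split(":", 1)[0].strip()
    if not uid_part:
        return 0, ""  # no USER instruction: root by default
    if uid_part.isdigit():
        return int(uid_part), ""
    return None, uid_part


def verify_run_as_non_root(image_user: str,
                           run_as_non_root: bool = True,
                           run_as_user: Optional[int] = None) -> Optional[str]:
    """Return None if the container may start, else a kubelet-style error.

    image_user:      the USER baked into the image ('' means root).
    run_as_non_root: securityContext.runAsNonRoot from the pod/container.
    run_as_user:     securityContext.runAsUser, if the spec sets one.
    """
    if not run_as_non_root:
        return None  # policy not requested, nothing to verify
    if run_as_user is not None:
        # An explicit numeric uid in the pod spec overrides the image user,
        # so a named image user is fine as long as the spec pins a uid.
        if run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, username = parse_image_user(image_user)
    if uid is None:
        # Named user: the kubelet refuses rather than guess the uid.
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    return None
```

Under this model `USER nobody` alone still fails the policy, which is why the thread's alternatives are a static numeric UID in the image or a `runAsUser` set in the pod spec.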

@aminjam aminjam merged commit 2594bef into master Dec 18, 2020
@jrussett jrussett deleted the tcdowney-run-as-non-root branch August 9, 2021 15:57