Adds container.user configuration

[CyrilleH]

Towards #1029, this PR adds the possibility to sets the username or UID which the process in the container should run as.

For security reason, we prefer to start a tomcat container with non-root user. We have a generic base image with this (in our private registry) :

RUN addgroup -S tomcat && adduser -S -G tomcat tomcat && chown -R tomcat:tomcat /usr/local

[coollog]

Thanks for the contribution! We'll take a look at this soon. For the future, we'd recommend commenting on the issue thread with the design/solution you will be implementing before starting work to help save time potentially changing large portions of the implementation.

[CyrilleH]

Ok I understand. It was very easy to implement.
If you want I can close this PR.

[coollog]

We can definitely work with most of this :) It's mostly that we need to decide what we would support for the user configuration. Currently, as proposed in #1029 (comment), we are intending only to support user id and group id and not username, but we might decide to allow username as well. @GoogleContainerTools/java-tools

[chanseokoh]

Yeah, looks like we can work on this. There are a few things to think about though.

And thinking about it for a while, it might be possible to accept any string as the parameter value, not just numbers, if what we end up doing is to just set the value in the container config metadata. In that case, we may always be able to build an image (need to check), which may error at runtime due to non-existing username. However, on the other hand, this may result in a Dockerfile that is not buildable.

[chanseokoh]

However, on the other hand, this may result in a Dockerfile that is not buildable.

Never mind. I think it is always buildable. Now I think there is no problem supporting usernames and it is the user's responsibility to use the base image that has the right user database. Same for usual Docker build.

[CyrilleH]

If we set the wrong username, we have this error at runtime :

docker: Error response from daemon: linux spec user: unable to find user tomcat2: no matching entries in passwd file.
ERRO[0000] error waiting for container: context canceled 

[chanseokoh]

If we set the wrong username, we have this error at runtime

Yeah, it's the same story for Dockerfile, so perhaps we should say it's WAI. The big difference is, however, you can easily do adduser or addgroup with Dockerfile to make it work. But with Jib, it's a bit cumbersome in that you need to prepare a base image with the user or have /etc/passwd and /etc/group under /src/main/jib.

[chanseokoh]

I believe this can be a mix of user and group.

[CyrilleH]

You're right, I changed the javadoc.

[chanseokoh]

ditto

[chanseokoh]

ditto

[chanseokoh]

ditto

[CyrilleH]

Javadoc modified.

[coollog]

Looks great! Just some comment nits.

[coollog]

Wording suggestion: Sets the user and group to run the container as. {@code user} can be a username or UID along with an optional groupname or GID. The following are all valid: {@code user}, {@code uid}, {@code user:group}, {@code uid:gid}, {@code uid:group}, {@code user:gid}.

[CyrilleH]

done

[coollog]

Wording suggestion: Sets the user for the {@code USER} directive.

[CyrilleH]

done

[coollog]

Wording suggestion: Sets the user/group to run the container as.

[CyrilleH]

done

[coollog]

the username/UID and optionally the groupname/GID

[CyrilleH]

done

[coollog]

the username/UID and optionally the groupname/GID

[CyrilleH]

done

[chanseokoh]

Looks good to me. Updating some wordings, and I think we're good to go.

[CyrilleH]

Great. I've rebased on master and fixed wordings.

[coollog]

LGTM. Thanks for your contribution again! I think this just fixes #1029. We should also add CHANGELOG entries for this new feature, but that can be done in a follow-up PR.