path: root/blubber.example.yaml
author: Dan Duvall <dduvall@wikimedia.org> 2018-02-21 16:18:47 -0800
committer: Dan Duvall <dduvall@wikimedia.org> 2018-03-05 13:22:10 -0800
commit: 47526283fea7df1734ef5b9a5da5c810bf76a29a (patch)
tree: 7d6ed2530acdaded093f410939aa9df250130c0a /blubber.example.yaml
parent: f606d212fd94769294b1ebdaa6ec224458281d22 (diff)
download: blubber-47526283fea7df1734ef5b9a5da5c810bf76a29a.tar.gz
Fix application files/runtime permissions scheme
Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections.

In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes.

This effective process/file ownership model is:

PhasePrivileged - "root"
PhasePrivilegedDropped - lives.as
PhasePreInstall - lives.as
PhaseInstall - lives.as
PhasePostInstall - runs.as

Fixes T187372

Test Plan: Run `go test ./...`.

Reviewers: thcipriani, hashar, demon, #release-engineering-team

Reviewed By: thcipriani, #release-engineering-team

Subscribers: mmodell

Tags: #release-engineering-team

Maniphest Tasks: T187372

Differential Revision: https://phabricator.wikimedia.org/D984
Diffstat (limited to 'blubber.example.yaml')
-rw-r--r-- blubber.example.yaml | 4
1 files changed, 0 insertions, 4 deletions
diff --git a/blubber.example.yaml b/blubber.example.yaml
index 894472f..07e1a86 100644
--- a/blubber.example.yaml
+++ b/blubber.example.yaml
@@ -3,10 +3,6 @@ base: debian:jessie
apt:
packages: [libjpeg, libyaml]
runs:
- in: /srv/service
- as: runuser
- uid: 666
- gid: 666
environment:
FOO: bar
BAR: baz
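Review bot: with `in`, `as`, `uid` and `gid` dropped from `runs`, the example file no longer shows the ownership model this change introduces: the commit message says `lives` now owns application files while `runs` owns only the runtime process, yet a reader of `blubber.example.yaml` sees just `runs:` followed by `environment:` and gets no hint of either section or of the new defaults it says both sections have. Consider adding a `lives:` block alongside `runs:`, for example `lives:` / `in: /srv/service` / `as: runuser` with its `uid`/`gid`, or at least a comment stating that both sections fall back to defaults, so the example documents the distinction the rest of the change depends on.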