System users in dockerized setup

We are using the Docker setup of StackStorm, but we're a bit confused by the users used to run different components in StackStorm. We identified 3 users: root, stanley and st2.

A quick scan of the users used by the init scripts gave us this list:

/etc/init/st2actionrunner-worker.conf:setuid root
/etc/init/st2api.conf:setuid st2
/etc/init/st2auth.conf:setuid st2
/etc/init/st2chatops.conf:setuid st2
/etc/init/st2garbagecollector.conf:setuid st2
/etc/init/st2notifier.conf:setuid st2
/etc/init/st2resultstracker.conf:setuid st2
/etc/init/st2rulesengine.conf:setuid st2
/etc/init/st2scheduler.conf:setuid st2
/etc/init/st2sensorcontainer.conf:setuid st2
/etc/init/st2stream.conf:setuid st2
/etc/init/st2timersengine.conf:setuid st2
/etc/init/st2workflowengine.conf:setuid st2

You can clearly see that all services are run by st2, except for st2actionrunner-worker, which is run by root, and nothing is run by stanley. During development of our own packs, we were sometimes confused by this setup. There seems to be some inconsistency between different packs. We observed that most packs are run as root, while checking $(id) with core.echo produces 1000 (aka stanley).

These inconsistencies confuse us and hinder our development.

  • Can someone from the developer team explain the rationale behind these accounts?
  • In which situations can we expect our code to run as either root, stanley or st2?
  • Is it strictly necessary to run all workers as root? Except for local administrative commands, we do not see the need to run packs as root by default.
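
The scan described in the post can be turned into a repeatable audit. The following is an added example, not part of the original post or of StackStorm: it reports the account each Upstart job switches to and lists the jobs that end up as root, counting a job with no setuid stanza as root because Upstart system jobs run as root by default. The function names `audit_upstart_users` and `root_jobs` are hypothetical, and the sample job files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit which account each Upstart job runs as.
# Assumption: job files follow the /etc/init/*.conf layout shown in the post.

# audit_upstart_users [DIR]
# Prints "job<TAB>user<TAB>source" for every job file in DIR.
# source is "setuid" when an uncommented setuid stanza exists, and "default"
# when none does (Upstart system jobs without setuid run as root).
audit_upstart_users() {
    dir="${1:-/etc/init}"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        job="$(basename "$conf" .conf)"
        # Commented-out stanzas ("# setuid st2") never have "setuid" as the
        # first field, so they are skipped. If the stanza is repeated, this
        # script reports the last occurrence.
        user="$(awk '$1 == "setuid" && NF >= 2 { u = $2 } END { print u }' "$conf")"
        if [ -n "$user" ]; then
            printf '%s\t%s\tsetuid\n' "$job" "$user"
        else
            printf '%s\troot\tdefault\n' "$job"
        fi
    done
}

# root_jobs [DIR]
# Names of the jobs that run as root, whether explicitly or by default.
root_jobs() {
    audit_upstart_users "$1" | awk -F'\t' '$2 == "root" || $2 == "0" { print $1 }'
}

# Constructed sample: two stanzas taken from the post plus one job file
# (hypothetical name) whose setuid stanza is commented out.
sample="$(mktemp -d)"
printf 'setuid root\n' > "$sample/st2actionrunner-worker.conf"
printf 'setuid st2\n' > "$sample/st2api.conf"
printf '# setuid st2\nexec /bin/true\n' > "$sample/example-nosetuid.conf"

audit_upstart_users "$sample"
echo "Jobs running as root:"
root_jobs "$sample"
rm -rf "$sample"
```

Calling `root_jobs` with no argument audits /etc/init inside the container.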