
Add vespa user to root group for OpenShift arbitrary UID support#357

Open
snecklifter wants to merge 1 commit intovespa-engine:mainfrom
snecklifter:openshift-arbitrary-uid-support

Conversation

@snecklifter

Summary

Background: OpenShift SCCs and the root group

OpenShift 4.20's default restricted-v2 SCC runs containers with arbitrary UIDs that are always members of GID 0 (root group). As the OpenShift image guidelines state:

"The directories and files that are read from or written to by processes in the image should be owned by the root group and be read/writable by that group [...] because the container user is always a member of the root group, the container user can read and write these files."

Using GID 0 as the group does not grant root privileges — the root group is simply the access mechanism for arbitrary UIDs, while the root user (UID 0) remains prohibited.

Scope

Only the two dev Dockerfiles that create a vespa user are affected:

  • dev/almalinux-8/Dockerfile: useradd now includes -G root
  • dev/almalinux-9/Dockerfile: same

What was NOT changed (and why)

  • build/ Dockerfiles: Don't create a vespa user — purely build environments
  • debug-dev/: Inherits from vespa-dev-almalinux-8, no user creation
  • create-and-start.sh / configure-container.sh scripts: These run on the host via docker exec as root to configure dev containers. They operate outside OpenShift's security model and are not affected by SCC restrictions
  • docker-swarm/: CI infrastructure, not deployed on OpenShift
  • experimental/ and university/: Training/experimental images with fundamentally different security models (sudo access, interactive users)

Test plan

  • Build dev/almalinux-8 and dev/almalinux-9 images
  • Verify id vespa shows root in the groups list
  • Confirm no regression in existing dev container workflows

🤖 Generated with Claude Code

OpenShift's restricted-v2 SCC assigns arbitrary UIDs with GID 0 (root
group). Adding the vespa user to the root group ensures compatibility
if these dev images are used as bases for OpenShift deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
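The two properties this PR relies on can be checked outside a cluster: that the user carries GID 0 as a supplementary group (the test-plan step "id vespa shows root"), and that any path the process must read or write is root-group owned with the group bits set, since an arbitrary UID under restricted-v2 gets no other access. The script below is an added example, not code from the PR or the Vespa project; the sample `id` line, the path names in the demo lines and the function names are constructed for illustration. It assumes GNU coreutils `stat` (as shipped in the AlmaLinux images the PR touches) for the real-path wrapper only; the core checks run on constructed input.

```shell
#!/bin/sh
# Added example, not part of the vespa-engine PR or repository.
# Checks an image built from the modified Dockerfiles against the two
# requirements OpenShift's restricted-v2 SCC imposes on arbitrary UIDs.
# The sample `id` output and path names below are constructed.

# Check 1: does a line of `id <user>` output list gid 0 (root) among the
# groups? Returns 0 if it does. Mirrors the PR's "id vespa shows root".
id_in_root_group() {
    printf '%s\n' "$1" | grep -Eq 'groups=([^ ]*,)?0\(root\)(,| |$)'
}

# Check 2: an arbitrary UID can only rely on group permissions, so a path
# is usable iff its group is 0 and the group bits grant what is needed.
# Arguments: numeric gid, octal mode as `stat -c %a` prints it, and
# "file" or "dir". Returns 0 if a GID-0 process with a random UID can use it.
usable_by_arbitrary_uid() {
    gid=$1; mode=$2; kind=$3
    [ "$gid" = 0 ] || return 1
    # group permission digit is the second-to-last octal digit
    g=${mode%?}; g=${g#"${g%?}"}
    case "$kind" in
        dir)  [ "$g" = 7 ] ;;                  # rwx: list, create, traverse
        file) [ "$g" = 6 ] || [ "$g" = 7 ] ;;  # rw: read and write
        *)    return 2 ;;
    esac
}

# Wrapper for a real path inside a built image (GNU stat assumed).
check_path() {
    p=$1
    if [ -d "$p" ]; then kind=dir; else kind=file; fi
    set -- $(stat -c '%g %a' "$p") || return 1
    usable_by_arbitrary_uid "$1" "$2" "$kind"
}

# Remedy for a path that fails check 2, following the OpenShift image
# guideline: hand it to the root group and copy the owner bits to the group.
# Must run as root at build time, e.g. RUN chgrp -R 0 DIR && chmod -R g=u DIR
make_root_group_usable() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Demo on constructed input; no container or cluster needed.
sample_id='uid=1000(vespa) gid=1000(vespa) groups=1000(vespa),0(root)'
if id_in_root_group "$sample_id"; then
    echo "vespa carries the root group: OK"
fi
usable_by_arbitrary_uid 0 775 dir  && echo "dir owned 0:775 is usable by an arbitrary UID"
usable_by_arbitrary_uid 1000 755 dir || echo "dir owned 1000:755 is NOT usable: run make_root_group_usable"
```

Note that membership alone is not sufficient: a directory such as a log or var path that stays owned by vespa:vespa with mode 755 still rejects writes from an arbitrary UID, which is what the second check and the `chgrp 0`/`chmod g=u` remedy cover. Because an arbitrary UID has no passwd entry, `id` inside a running OpenShift pod will print the numeric UID rather than `vespa`, so run the membership check against the image's own `id vespa` as the test plan describes.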
