envd: bug: bad permission in current working directory

Description

There is a permission issue when the CWD has difference UID, GID with the USER in container.

I used to fix this issue with --user $(id -u):$(id -g) in docker-cli or create and switch to the new user in the Dockerfile

I didn’t find the user configuration in build.envd. It may be a new feature.

Reproduction

(envd) ➜  envd-quick-start whoami
envd
(envd) ➜  envd-quick-start id
uid=1000(envd) gid=1000(envd) groups=1000(envd),27(sudo)
(envd) ➜  envd-quick-start ll
total 28K
-rw-rw-r-- 1 1042 1042  12K Jun 16 02:54 LICENSE
-rw-rw-r-- 1 1042 1042 4.4K Jun 16 02:54 README.md
-rw-rw-r-- 1 1042 1042  250 Jun 16 03:16 build.envd
-rw-rw-r-- 1 1042 1042   54 Jun 16 02:54 demo.py
(envd) ➜  envd-quick-start touch new_file
touch: cannot touch 'new_file': Permission denied

Additional Info

Maybe related to issue #343, see also VS Code devcontainer add non-root user

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 23 (23 by maintainers)

Most upvoted comments

It should be fixed in the new release, please give it another try with

pip install --upgrade --pre envd
+1
gaocegege on Jun 16, 2022

The user firstly downloads the base image and re-builds it with new args e.g., NEW_UID, NEW_GID.

It is interesting. I think the best option is UID remapping but I am not sure if it is possible. Or we should have a similar mechanism with vscode dev container.

+1
gaocegege on Jun 16, 2022

@gaocegege if envd can remapping UID and GID at runtime that will be great. I’m also agree with @Zheaoli that if UID/GID remapping is doable there should be an API or config option allowing user to modify it.

I’ve used VSCode Dev Container with some projects, and I found that they also need to fix this UID/GID issue. https://github.com/microsoft/vscode-dev-containers/blob/main/containers/python-3/.devcontainer/library-scripts/common-debian.sh#L182

As far as I understand it, they fix it in build time but not build from scratch. The base Dockerfile has several build args. The user firstly downloads the base image and re-builds it with new args e.g., NEW_UID, NEW_GID.

Here is the build log I captured from VSCode console:

[11184 ms] Start: Check Docker is running
[11184 ms] Start: Run in Host: docker version --format {{.Server.APIVersion}}
[11405 ms] Server API version: 1.41
[11408 ms] Start: Run in Host: docker volume ls -q
[11581 ms] Start: Run in Host: docker inspect --type container 016e7f0fda022020f0e1403ffb8c970ed625c157df31e85f46c4c69a950561ac
[11649 ms] Start: Run in Host: docker rm -f 016e7f0fda022020f0e1403ffb8c970ed625c157df31e85f46c4c69a950561ac
[12280 ms] Start: Run in Host: docker ps -q -a --filter label=vsch.local.folder=/home/aaron/tmp/devcontainer-test --filter label=vsch.quality=stable
[12346 ms] Start: Run in Host: docker ps -q -a --filter label=devcontainer.local_folder=/home/aaron/tmp/devcontainer-test
[12457 ms] Start: Run in Host: /home/aaron/.vscode-server/bin/30d9c6cd9483b2cc586687151bcbcd635f373630/node /home/aaron/.vscode-remote-containers/dist/dev-containers-cli-0.238.2/dist/spec-node/devContainersSpecCLI.js up --workspace-folder /home/aaron/tmp/devcontainer-test --workspace-mount-consistency cached --id-label devcontainer.local_folder=/home/aaron/tmp/devcontainer-test --log-level debug --log-format json --config /home/aaron/tmp/devcontainer-test/.devcontainer/devcontainer.json --default-user-env-probe loginInteractiveShell --mount type=volume,source=vscode,target=/vscode,external=true --skip-post-create --update-remote-user-uid-default on --mount-workspace-git-root true --terminal-columns 197 --terminal-rows 15
[13910 ms] remote-containers 0.238.2.
[13909 ms] Start: Run: docker buildx version
[14098 ms] Start: Resolving Remote
[14119 ms] Start: Run: git rev-parse --show-cdup
[14127 ms] Start: Run: docker ps -q -a --filter label=devcontainer.local_folder=/home/aaron/tmp/devcontainer-test
[14210 ms] Start: Run: docker buildx build --load --build-arg BUILDKIT_INLINE_CACHE=1 -f /home/aaron/tmp/devcontainer-test/.devcontainer/Dockerfile -t vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944 --build-arg VARIANT=3.10-bullseye --build-arg NODE_VERSION=lts/* /home/aaron/tmp/devcontainer-test
[+] Building 0.5s (7/7) FINISHED                                                                                                                                                                     
 => [internal] load build definition from Dockerfile                                                                                                                                            0.0s
 => => transferring dockerfile: 32B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                               0.1s
 => => transferring context: 2B                                                                                                                                                                 0.1s
 => [internal] load metadata for mcr.microsoft.com/vscode/devcontainers/python:0-3.10-bullseye                                                                                                  0.3s
 => [1/2] FROM mcr.microsoft.com/vscode/devcontainers/python:0-3.10-bullseye@sha256:21a12816fcadaa16dabb4ba0e8c358361d02ea062b1b89db8786eb67173489d0                                            0.0s
 => CACHED [2/2] RUN if [ "lts/*" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install lts/* 2>&1"; fi                                                    0.0s
 => exporting to image                                                                                                                                                                          0.0s
 => => exporting layers                                                                                                                                                                         0.0s
 => => writing image sha256:f5ca2cc4cd9b08f9d763be03a35e06542c6b58d1c8a6a7533fa7562c70a66124                                                                                                    0.0s
 => => naming to docker.io/library/vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944                                                                                                       0.0s
 => exporting cache                                                                                                                                                                             0.0s
 => => preparing build cache for export                                                                                                                                                         0.0s
[15279 ms] Start: Run: docker inspect --type image vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944
[15342 ms] Start: Run: docker build -f /tmp/vsch/updateUID.Dockerfile-0.238.2 -t vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944-uid --build-arg BASE_IMAGE=vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944 --build-arg REMOTE_USER=vscode --build-arg NEW_UID=1042 --build-arg NEW_GID=1042 --build-arg IMAGE_USER=root /tmp/vsch
Sending build context to Docker daemon   5.12kB
Step 1/10 : ARG BASE_IMAGE
Step 2/10 : FROM $BASE_IMAGE
 ---> f5ca2cc4cd9b
Step 3/10 : USER root
 ---> Using cache
 ---> 874aed0bb282
Step 4/10 : ARG REMOTE_USER
 ---> Using cache
 ---> da9f4a3c90b4
Step 5/10 : ARG NEW_UID
 ---> Using cache
 ---> e4cd38d66757
Step 6/10 : ARG NEW_GID
 ---> Using cache
 ---> fbbcd0fcde1f
Step 7/10 : SHELL ["/bin/sh", "-c"]
 ---> Using cache
 ---> 1b67b44ac8b8
Step 8/10 : RUN eval $(sed -n "s/${REMOTE_USER}:[^:]*:\([^:]*\):\([^:]*\):[^:]*:\([^:]*\).*/OLD_UID=\1;OLD_GID=\2;HOME_FOLDER=\3/p" /etc/passwd);       eval $(sed -n "s/\([^:]*\):[^:]*:${NEW_UID}:.*/EXISTING_USER=\1/p" /etc/passwd);     eval $(sed -n "s/\([^:]*\):[^:]*:${NEW_GID}:.*/EXISTING_GROUP=\1/p" /etc/group);        if [ -z "$OLD_UID" ]; then              echo "Remote user not found in /etc/passwd ($REMOTE_USER).";         elif [ "$OLD_UID" = "$NEW_UID" -a "$OLD_GID" = "$NEW_GID" ]; then               echo "UIDs and GIDs are the same ($NEW_UID:$NEW_GID).";         elif [ "$OLD_UID" != "$NEW_UID" -a -n "$EXISTING_USER" ]; then               echo "User with UID exists ($EXISTING_USER=$NEW_UID).";         elif [ "$OLD_GID" != "$NEW_GID" -a -n "$EXISTING_GROUP" ]; then     echo "Group with GID exists ($EXISTING_GROUP=$NEW_GID).";        else            echo "Updating UID:GID from $OLD_UID:$OLD_GID to $NEW_UID:$NEW_GID.";           sed -i -e "s/\(${REMOTE_USER}:[^:]*:\)[^:]*:[^:]*/\1${NEW_UID}:${NEW_GID}/" /etc/passwd;             if [ "$OLD_GID" != "$NEW_GID" ]; then                   sed -i -e "s/\([^:]*:[^:]*:\)${OLD_GID}:/\1${NEW_GID}:/" /etc/group;        fi;              chown -R $NEW_UID:$NEW_GID $HOME_FOLDER;        fi;
 ---> Using cache
 ---> 141aa2bb60aa
Step 9/10 : ARG IMAGE_USER
 ---> Using cache
 ---> d7ed6a1029e5
Step 10/10 : USER $IMAGE_USER
 ---> Using cache
 ---> 7d85ff3a9f1d
Successfully built 7d85ff3a9f1d
Successfully tagged vsc-devcontainer-test-d1cfa43adb1ee586e5b9e4ff93f16944-uid:latest
+1
aaronzs on Jun 16, 2022
Read more comments on GitHub
← envd: bug: arm64 binaries are not available on PyPI
envd: bug: failed to slove LLB when running the envd up for project envd-quick-start →