Implement UpdateRemoteUserID handling #1287

aacebedo · 2024-09-27T18:42:54Z

This PR is a tentative implementation of the UpdateRemoteUserID handling.

The reference implementation uses an additional dockerfile (https://github.com/devcontainers/cli/blob/main/scripts/updateUID.Dockerfile) to create a new image using the container image created previously.

I don't think this approach works well with prebuilding feature of devpod. So I decided to amend the
container after it has been created.

In some case, this modification may make the same uid gid to be used twice for 2 users and 2 groups but in the end it shall not impact the way the container work in the end.

This also solves #1284.

pascalbreuninger · 2024-09-28T13:37:04Z

@aacebedo Thanks for the PR! Let's run the test suite real quick and see if it works out.
We've been working on this a while ago as well, although without using the UpdateRemoteUserID option. See this PR.
At the time we've abandonded it because of potential breaking changes and we'd need to invest more time figuring out the consequences.

As for your PR I think scoping it only to linux, as per the spec, would already limit the potential blast radius. I'll still need to test the change with a number of provider/workspace combinations

aacebedo · 2024-09-29T18:20:37Z

fixed the lint issue
added the detection of windows and if the uids are root

pkg/driver/docker/docker.go

aacebedo · 2024-10-08T06:25:50Z

If everything is OK can we merge?

aacebedo · 2024-10-09T06:10:14Z

rebased on main and test E2E tests. It is now working

pascalbreuninger · 2024-10-10T15:31:22Z

@aacebedo I haven't forgotten this PR, I'm still thinking through it and weigh against other options. Thanks for the work you've put in, bear with me :)

aacebedo · 2024-10-10T16:04:44Z

Thanks!

I have some users who are facing the issue and it is very annoying for them.

Do you have an idea of an ETA? Can I help?

bkneis · 2024-10-17T08:24:01Z

@aacebedo I've tested this locally but did not get the result I thought I would. Using the following devcontainer.json and Dockerfile, I toggled updateRemoteUserUID from true to false. Here are the resulting passwd files

{
  "name": "Basic Python",
  "build": { "dockerfile": "Dockerfile" },
  "remoteUser": "vscode",
  "containerUser": "vscode",
  "updateRemoteUserUID": false,
  "customizations": {
    "vscode": {
      "extensions": ["ms-python.python"]
    }
  }
}

FROM library/python:3.11-bookworm

ARG USER=vscode
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update \
    && apt install -y --no-install-recommends sudo \
    && apt autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && useradd -m -s /usr/bin/bash ${USER} \
    && echo "${USER} ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/${USER} \
    && chmod 0440 /etc/sudoers.d/${USER}

When updateRemoteUserUID is true

root:x:0:
daemon:x:1:
...
vscode:x:1000:

When updateRemoteUserUID is false

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
vscode:x:1000:1000::/home/vscode:/usr/bin/bash

Should the false entry have dropped the extra info? Also what is the current issue you are facing? When I set this to false, I thought I would have permission issues but can still mount my workspace

aacebedo · 2024-10-17T09:14:40Z

@aacebedo I've tested this locally but did not get the result I thought I would. Using the following devcontainer.json and Dockerfile, I toggled updateRemoteUserUID from true to false. Here are the resulting passwd files
{
  "name": "Basic Python",
  "build": { "dockerfile": "Dockerfile" },
  "remoteUser": "vscode",
  "containerUser": "vscode",
  "updateRemoteUserUID": false,
  "customizations": {
    "vscode": {
      "extensions": ["ms-python.python"]
    }
  }
}
FROM library/python:3.11-bookworm

ARG USER=vscode
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update \
    && apt install -y --no-install-recommends sudo \
    && apt autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && useradd -m -s /usr/bin/bash ${USER} \
    && echo "${USER} ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/${USER} \
    && chmod 0440 /etc/sudoers.d/${USER}
When updateRemoteUserUID is true
root:x:0:
daemon:x:1:
...
vscode:x:1000:
When updateRemoteUserUID is false
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
vscode:x:1000:1000::/home/vscode:/usr/bin/bash
Should the false entry have dropped the extra info? Also what is the current issue you are facing? When I set this to false, I thought I would have permission issues but can still mount my workspace

Hi @bkneis

You printed the /etc/passwd of the container right? I'll check

For the issue I am facing, it is described in #1284. Ensure that the UID GID of the user in the container is not the same as the one on your host.

bkneis · 2024-10-18T07:47:37Z

@aacebedo Thanks for clarifying. Yes these two files were from the container. My host user has UID 1000 so I was expecting a different UID when setting to true. I am not using podman, but I don't think this should make a difference for this test? As it should still parse my /etc/passwd and check the UID? Just want to make sure the PR is working as expected before merging

aacebedo force-pushed the aacebedo/implement_updateremoteuseruid branch from 57c95a3 to b07caec Compare September 29, 2024 18:18

aacebedo force-pushed the aacebedo/implement_updateremoteuseruid branch from b07caec to f6f5d0f Compare September 29, 2024 20:50