This repository has been archived by the owner on Nov 30, 2023. It is now read-only.

Add default non-root user to all dev containers #108

Closed
Chuxel opened this issue Jul 29, 2019 · 4 comments
@Chuxel
Member

Chuxel commented Jul 29, 2019

While on Mac and Windows developers can run as root inside the container without trouble, on Linux local bind mounts use the same permissions as the user inside the container. Since the Docker daemon is typically running as root, this means all files that are created or modified are root.

To avoid this problem, you typically create a user with the same UID/GID in the container and pass in `-u user-name-here` to `docker run` or add `user` in docker-compose.yml.

If you are running Linux locally, the default user typically has a UID of 1000, so images like node provide a user in the container with this UID. Unfortunately, this is the exception rather than the rule.

To work around this issue, each dev container Dockerfile should provide a default non-root user with an argument-based UID/GID and add comments into devcontainer.json and/or docker-compose.yml on how to use it.

For example:

```dockerfile
# Or your actual UID, GID on Linux if not the default 1000
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Configure apt and install packages
RUN apt-get update \
    && apt-get -y install --no-install-recommends apt-utils 2>&1 \
    #
    # Verify git, process tools, lsb-release (common in install instructions for CLIs) installed
    && apt-get -y install git procps lsb-release \
    #
    # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user.
    && groupadd --gid $USER_GID $USERNAME \
    && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME \
    # [Optional] Uncomment the next three lines to add sudo support
    # && apt-get install -y sudo \
    # && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
    # && chmod 0440 /etc/sudoers.d/$USERNAME \
    #
    # Clean up
    && apt-get autoremove -y \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*
```

devcontainer.json would then have the following in it:

```json
// Uncomment the next line to use a non-root user. See https://aka.ms/vscode-remote/containers/non-root-user.
// "runArgs": [ "-u", "1000"],
```

However, if your user has a UID other than 1000, you end up needing to update the Dockerfile.

If we supported a "buildArgs" property (microsoft/vscode-remote-release#46), this could be:

```json
// "runArgs": [ "-u", "1000"],
// "buildArgs": [ "--build-arg", "USER_UID=1000", "--build-arg", "USER_GID=1000"],
```

Unfortunately, ${env:UID} does not pick up $UID. If we introduce microsoft/vscode-remote-release#1050 we could then improve this to be completely automatic:

```json
// "runArgs": [ "-u", "$(id -u):$(id -g)"],
// "buildArgs": [ "--build-arg", "USER_UID=$(id -u)", "--build-arg", "USER_GID=$(id -g)"],
```
@Chuxel Chuxel self-assigned this Jul 29, 2019
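
The UID/GID matching described in the issue above can be done from a host-side wrapper until devcontainer.json can pass these values itself. This is an added example, not code from the issue or from the vscode-dev-containers project; the function names, the `up` argument, the `devcontainer-demo` image tag and the `/workspace` mount point are assumptions, and the Dockerfile is expected to declare `USER_UID` and `USER_GID` as shown in the issue.

```shell
#!/bin/sh
# Added example: helper names, the "up" argument, the image tag
# devcontainer-demo and the /workspace mount point are assumptions.

# A usable ID is a non-zero decimal number. 0 is rejected because the point
# is a non-root user, and groupadd --gid 0 fails (the root group exists).
valid_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ne 0 ]
}

# docker build arguments that set the Dockerfile's USER_UID / USER_GID ARGs.
uid_build_args() {
    printf '%s %s %s %s' --build-arg "USER_UID=$1" --build-arg "USER_GID=$2"
}

# docker run argument that starts the container process as UID:GID.
uid_run_args() {
    printf '%s %s' -u "$1:$2"
}

# Number of entries under directory $1 that are not owned by UID $2.
# Anything above 0 after a container run means ownership leaked through
# the bind mount (for example root-owned files in the workspace).
count_foreign_owned() {
    find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Only touch Docker when called as: ./script.sh up
if [ "${1:-}" = "up" ]; then
    uid=$(id -u); gid=$(id -g)
    if ! valid_id "$uid" || ! valid_id "$gid"; then
        echo "refusing to build for UID:GID $uid:$gid" >&2
        exit 1
    fi
    # Word splitting is intended; both values were validated as digits above.
    docker build $(uid_build_args "$uid" "$gid") -t devcontainer-demo . &&
    docker run --rm $(uid_run_args "$uid" "$gid") -v "$PWD:/workspace" \
        devcontainer-demo touch /workspace/.owner-probe
    echo "entries not owned by $uid: $(count_foreign_owned "$PWD" "$uid")"
fi
```

Running the same probe without the `-u` argument on a Linux host shows the problem the issue describes: `.owner-probe` is created as root and the count is no longer 0.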
@Chuxel
Member Author

Chuxel commented Jul 29, 2019

Correction - We will need to support a "buildArg" property to make this work since the USER_UID portion of the above won't work as a docker run argument. Text corrected above.

@Chuxel
Member Author

Chuxel commented Jul 30, 2019

@aeschli @chrmarti I merged in changes to the templates to add a non-root user into all containers along with a comment on it in devcontainer.json.

Can we get an updated release of Remote - Containers with this and the other changes in the repo queued up for release?

Chuxel added a commit that referenced this issue Jul 30, 2019
@Chuxel
Member Author

Chuxel commented Jul 30, 2019

/cc: @brettcannon @testforstephen - I updated the Java and Python dev container definitions to include a non-root user with a UID/GID of 1000 when one was not already in the base image.

@Chuxel
Member Author

Chuxel commented Aug 26, 2019

Closing in favor of microsoft/vscode-remote-release#1155. Dev containers in this repo now all have a default user and sudo installed by default. In addition, all of the vscode-remote-try-* repos are using this non-root user by default.

@Chuxel Chuxel closed this as completed Aug 26, 2019