coder / envbuilder

Build development environments from a Dockerfile on Docker, Kubernetes, and OpenShift. Enable developers to modify their development environment quickly.
Apache License 2.0

usability: fix ownership of Docker volume mounts to /home #229

Closed johnstcn closed 3 months ago

johnstcn commented 3 months ago

When using Docker, a volume is populated with the initial ownership based on the USER directive.

In the case of Envbuilder, this will always be root:root.

The net result of this is that if you create a Docker volume mounted at /home/someuser and run an envbuilder container that builds an image containing someuser, the resulting user's home directory will be owned by root:root.

Example:

$ docker volume create test_coder_home
$ docker run -it --rm -v test_coder_home:/home/coder -e ENVBUILDER_FALLBACK_IMAGE=codercom/enterprise-minimal:ubuntu -e ENVBUILDER_INIT_SCRIPT=/bin/sh ghcr.io/coder/envbuilder-preview:latest
[...]
$ cd
$ ls -l ../
total 4
drwxr-xr-x 2 root root 4096 Jun 10 14:35 coder
$ touch test
touch: cannot touch 'test': Permission denied

In Kubernetes-land, you would generally fix this by specifying fsGroup or adding an init container to fix ownership. This isn't as much of an option here.

johnstcn commented 3 months ago

Interestingly, this does not seem to happen with alpine -- it appears that the adduser command in alpine changes ownership by default.
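
The root-owned home directory reported in this issue can be detected, and repaired with the narrowest possible change, by a check run at container start. This is an added example, not envbuilder's code or the fix that closed the issue; the function names are hypothetical, and it assumes a POSIX shell and that the target user's numeric uid and gid are known.

```sh
#!/bin/sh
# Added example (hypothetical helper names, not part of envbuilder).

# Print "uid:gid" of a path as numeric ids.
owner_of() {
    ls -ldn -- "$1" | awk '{ print $3 ":" $4 }'
}

# Exit status: 0 = owner differs from uid $2 / gid $3 (needs fixing),
#              1 = ownership already matches,
#              2 = path is missing or is a symlink, so it must not be touched.
home_needs_fix() {
    dir=$1 want="$2:$3"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 2
    [ "$(owner_of "$dir")" != "$want" ]
}

# Repair only the mount point itself: no recursion, no mode change,
# and only when the caller is root.
fix_home() {
    dir=$1 uid=$2 gid=$3 state=0
    home_needs_fix "$dir" "$uid" "$gid" || state=$?
    case $state in
        1) return 0 ;;   # already owned by the target user
        2) echo "refusing: $dir is not a plain directory" >&2
           return 2 ;;
    esac
    if [ "$(id -u)" -ne 0 ]; then
        echo "cannot chown $dir: not running as root" >&2
        return 1
    fi
    # -h: never dereference a symlink swapped in after the check above.
    chown -h -- "$uid:$gid" "$dir"
}
```

Changing only the top-level directory leaves files already in a reused volume untouched, which avoids a recursive chown following attacker-controlled paths inside the volume.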