devcontainers / ci

A GitHub Action and Azure DevOps Task designed to simplify using Dev Containers (https://containers.dev) in CI/CD systems.
MIT License

Docker user inconsistent when using GitHub Action #176

Closed perezd closed 1 year ago

perezd commented 1 year ago

I have a simple Golang-based docker container, nothing special, looks like this:

ARG VARIANT="1.19-bullseye"
FROM mcr.microsoft.com/vscode/devcontainers/go:0-${VARIANT}

ARG NODE_VERSION="none"
RUN if [ "${NODE_VERSION}" != "none" ]; \
    then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi

RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
    && apt-get -y install --no-install-recommends openjdk-11-jdk wget bat

RUN wget https://www.antlr.org/download/antlr-4.11.1-complete.jar -O /usr/local/lib/antlr.jar
RUN echo "#!/bin/sh" > /usr/local/bin/antlr && \
    echo "java -Xmx500M -cp /usr/local/lib/antlr.jar org.antlr.v4.Tool \$@" >> /usr/local/bin/antlr && \
    chmod +x /usr/local/bin/antlr

USER vscode
RUN go install github.com/josharian/impl@latest && \
    go install github.com/cweill/gotests/gotests@latest && \
    go install github.com/fatih/gomodifytags@latest && \
    go install github.com/haya14busa/goplay/cmd/goplay@latest && \
    go install github.com/go-delve/delve/cmd/dlv@latest && \
    go install honnef.co/go/tools/cmd/staticcheck@latest && \
    go install golang.org/x/tools/gopls@latest

My devcontainer.json looks like this:

{
    "name": "MyProject",
    "build": {
        "dockerfile": "Dockerfile",
        "args": {
            "VARIANT": "1.19-bullseye",
            "NODE_VERSION": "18"
        }
    },
    "runArgs": [
        "--cap-add=SYS_PTRACE",
        "--security-opt",
        "seccomp=unconfined"
    ],
    "customizations": {
        "vscode": {
            "settings": {
                "go.toolsManagement.checkForUpdates": "local",
                "go.useLanguageServer": true,
                "go.installDependenciesWhenBuilding": true,
                "go.gopath": "/go"
            },
            "extensions": [
                "mike-lischke.vscode-antlr4",
                "golang.Go"
            ]
        }
    },
    "remoteUser": "vscode",
    "features": {}
}

Notice that the user is vscode. Locally, if I build this container and run ls -l /go/pkg/mod, I see something like this:

drwxr-sr-x 3 vscode golang 4096 Oct 25 03:21 cache
drwxr-sr-x 8 vscode golang 4096 Oct 25 03:21 github.com
drwxr-sr-x 3 vscode golang 4096 Oct 25 03:21 golang.org

Notice the vscode user is properly named as the owner. Everything is working as expected. Now, if I do the very same thing w/ the GitHub Action, I see this:

drwxr-sr-x  3 1000 golang 4096 Oct 25 03:44 cache
drwxr-sr-x 22 1000 golang 4096 Oct 25 03:44 github.com
drwxr-sr-x  3 1000 golang 4096 Oct 25 03:44 golang.org

Here the username is 1000, and my runCmd to go test -v ./... results in a bunch of permission denied errors.

  go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/fatih/color/@v/v1.13.0.mod298498081.tmp: permission denied
  go: writing go.mod cache: mkdir /go/pkg/mod/cache/download/github.com/iancoleman: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/inconshreveable/mousetrap/@v/v1.0.1.mod427131847.tmp: permission denied
  go: writing go.mod cache: mkdir /go/pkg/mod/cache/download/github.com/antlr: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/mattn/go-colorable/@v/v0.1.13.mod939984059.tmp: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/mattn/go-isatty/@v/v0.0.16.mod911902081.tmp: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/spf13/cobra/@v/v1.5.0.mod474941318.tmp: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/golang.org/x/exp/@v/v0.0.0-20221006183845-316c7553db56.mod140954425.tmp: permission denied
  go: writing go.mod cache: open /go/pkg/mod/cache/download/golang.org/x/sys/@v/v0.0.0-20221006211917-84dc82d7e875.mod336122540.tmp: permission denied
  go: writing go.mod cache: mkdir /go/pkg/mod/cache/download/github.com/ivanpirog: permission denied

I verified that the container built by this github action believes it is correctly logged in as the vscode user, but this file system seems to not be consistent with what I am producing locally when VSCode builds this container.

Am I doing something wrong? This feels like a bug, it should be otherwise fully reproducible.

perezd commented 1 year ago

Also, in the container locally vscode user is user 1000 (according to id vscode):

uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),999(golang),998(nvm)

The built container w/ this github action responds with this:

uid=1001(vscode) gid=121(vscode) groups=121(vscode),999(golang),998(nvm)

Not sure why it's different.

perezd commented 1 year ago

OK, the problem was fixed by setting skipContainerUserIdUpdate to true. That was just a very unclear option at first.
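
An added example, not part of the original thread or the devcontainers/ci project: a small shell check that detects the ownership drift shown above, where the vscode account runs as uid 1001 in CI while the files under /go/pkg/mod are still owned by uid 1000. The function names are hypothetical; the directory to check is passed as an argument.

```shell
#!/bin/sh
# Added example: detect files whose numeric owner differs from the user
# that will run the build. Function names are hypothetical.

# Print the distinct numeric owner UIDs found under a directory.
owner_uids() {
    # ls -n prints numeric uid/gid, so a missing passwd entry cannot hide drift
    find "$1" -exec ls -dn {} + 2>/dev/null | awk '{print $3}' | sort -un
}

# Count entries under a directory that are not owned by the given UID.
foreign_count() {
    find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when every entry is owned by the UID (default: current user),
# 1 when other owners are found, 2 when the directory does not exist.
check_cache_owner() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    n=$(foreign_count "$dir" "$uid")
    if [ "$n" -eq 0 ]; then
        echo "ok: everything under $dir is owned by uid $uid"
        return 0
    fi
    owners=$(owner_uids "$dir" | tr '\n' ' ')
    echo "drift: $n entries under $dir not owned by uid $uid (owner uids: $owners)"
    return 1
}

# Usage inside the container, before running the tests:
#   check_cache_owner /go/pkg/mod || id
```

Run as the first step of the container command, it reports the mismatch before go test fails with permission denied errors.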