microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

Podman Usage Improvements #6759

Open nlvw opened 2 years ago

nlvw commented 2 years ago

Improve default handling of both user Home directories and the use of Podman.

This post is mostly to document Podman specific configuration for devcontainer.json to get it working in a friendly fashion. The feature request part is more of a plea to improve the default support so a lot of this custom config is unnecessary.

  1. Add built-in support for mounting the user's home directory.
     1.1. Mounting the user's home directory is important as it solves the git + ssh issue: your keys and git config will be available inside the container (not everyone uses an ssh agent). It also exposes other user configs such as git configuration, bash configuration, and other tooling. The end result is a better default environment to work out of.
  2. Podman should be run unprivileged and as the current user by default.
  3. When using Podman, SELinux needs to be detected and handled without needing specific flags in devcontainer.json.
     3.1. 'Z'/'z' should be avoided in bind/volume mounts as it changes the SELinux context on files permanently, which can break regular access to those files. For instance, if you were to mount $HOME/.ssh you would break key-based ssh authentication for that user until the context is manually reset.

settings.json

{
  "terminal.integrated.defaultProfile.linux": "bash",
  "remote.containers.dockerPath": "podman",
  "remote.containers.dockerComposePath": "podman-compose"
}

devcontainer.json (podman specific settings)

{
  "workspaceMount": "",
  "workspaceFolder": "${localWorkspaceFolder}",
  "runArgs": [
    // run container as current user
    "--userns=keep-id",
    // disable selinux isolation that breaks bind mounts
    "--security-opt=label=disable",
    // mount user home directory for things like git, ssh, and other configs
    "--volume=${env:HOME}:${env:HOME}",
    // ensure the project directory is mounted in case it exists outside the home directory
    "--volume=${localWorkspaceFolder}:${localWorkspaceFolder}",
    // isolate the .vscode-server folder so you don't overwrite settings from remote ssh vscode
    "--volume=${localWorkspaceFolder}/.cache/vscode-server:${env:HOME}/.vscode-server"
  ],
  "containerEnv": {
    // ensure the user's home directory is the same inside the container as it is outside
    "HOME": "${env:HOME}"
  }
}

Relates to: Remote - Containers

rhatdan commented 2 years ago

Any movement on this issue?

fulldecent commented 2 years ago

Please do not default to mounting home directory in the container. And please caveat every time when talking about this technique.

SSH keys on the host should stay secure. And a primary use case of containers is doing insecure things with isolation.
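The Podman devcontainer.json posted above and fulldecent's caveat about exposing host SSH keys, as an added audit script (not code from the issue, the extension, or Podman): it parses a devcontainer.json in the same JSONC shape, then flags a whole-home bind mount, any mount of a .ssh directory, the ':Z'/':z' relabel flags, and label=disable, so a team can catch those settings before they become a shared default. The sample file is constructed; the only assumption is that the `${localEnv:HOME}` spelling is treated the same as the page's `${env:HOME}`.

```python
import json
import re

# Constructed sample in the same JSONC shape as the devcontainer.json posted in the issue,
# plus one extra ~/.ssh mount with the ':Z' relabel flag so that check is exercised too.
SAMPLE_DEVCONTAINER = r'''{
  "runArgs": [
    // run container as current user
    "--userns=keep-id",
    "--security-opt=label=disable",
    "--volume=${env:HOME}:${env:HOME}",
    "--volume=${localWorkspaceFolder}:${localWorkspaceFolder}",
    "--volume=${env:HOME}/.ssh:/root/.ssh:Z"
  ]
}'''

# Sources meaning "the whole host home directory" (treating ${localEnv:HOME} like ${env:HOME} is an assumption).
HOME_SOURCES = {"${env:HOME}", "${localEnv:HOME}", "$HOME", "~"}

def load_jsonc(text):
    """devcontainer.json allows // comments that json.loads rejects; strip whole-line ones only,
    so a '//' inside a string value (e.g. a URL) is left alone."""
    return json.loads(re.sub(r"(?m)^\s*//.*$", "", text))

def audit_run_args(run_args):
    """Return (arg, reason) pairs for the runArgs patterns the thread warns about."""
    findings = []
    for arg in run_args:
        if arg == "--security-opt=label=disable":
            findings.append((arg, "SELinux confinement disabled for the whole container"))
        if not arg.startswith(("--volume=", "-v=")):
            continue
        # split 'src:dst[:opts]' on ':' without splitting the ':' inside ${env:HOME}-style variables
        parts = re.split(r":(?![^{]*\})", arg.split("=", 1)[1])
        src = parts[0].rstrip("/")
        opts = parts[2].split(",") if len(parts) > 2 else []
        if src in HOME_SOURCES:
            findings.append((arg, "entire host home directory exposed to the container"))
        if src.endswith("/.ssh"):
            findings.append((arg, "host SSH private keys exposed to the container"))
        if "Z" in opts or "z" in opts:
            findings.append((arg, "':Z'/':z' permanently relabels the host files (breaks ssh on ~/.ssh)"))
    return findings

def audit_devcontainer(text):
    return audit_run_args(load_jsonc(text).get("runArgs", []))
```

A clean file such as `["--userns=keep-id", "--volume=/src/project:/src/project:ro"]` yields no findings; the sample above yields four.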

nlvw commented 1 year ago

Even if it isn't the default behavior there's no need to "caveat" the usage. These are development environments and different levels of isolation are understandable.

bam80 commented 10 months ago

Progress?