microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote

permissions on volume mounts not set to remoteUser #9931

Open stewartadam opened 5 months ago

stewartadam commented 5 months ago

When a remoteUser is specified, I don't believe there is presently a way to use volume mounts that mount outside /home/vscode due to the ensuing permission issues.

This is frustrating because for Python packaging, for example, it's important the container have its own volume for .venv instead of re-using the host's .venv, which might contain binary extensions compiled for a different OS.

Information

Steps to Reproduce

  1. Setup a basic rootless devcontainer.json (in this case remoteUser is vscode):

    ```
    {
      "name": "My Devcontainer",
      "image": "mcr.microsoft.com/devcontainers/base:bookworm",
      // Rename the mount to /workspace
      "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
      "workspaceFolder": "/workspace",
      "containerEnv": {
        "PDM_PYTHON": "/workspace/.venv/bin/python"
      },
      "mounts": [
        // Put Python VENV data in a volume so it doesn't conflict with local setup
        {
          "type": "volume",
          "source": "${devcontainerId}-venv",
          "target": "/workspace/.venv"
        }
      ],
      // Features to add to the dev container. More info: https://containers.dev/features.
      "features": {
        "ghcr.io/devcontainers/features/python:1": {
          "version": "3.11"
        },
        "ghcr.io/devcontainers-contrib/features/pdm:2": {},
      }
    }
    ```
  2. Try to mount a volume and use it

Expected results

Volume permissions are automatically adjusted to match the configured remoteUser, or a root-user entrypoint is available so that the permissions can be adjusted.

Actual results

Volume is mounted using the parent folder permissions (in this case, root:root). All lifecycle script hooks (e.g. postCreateCommand) are run under remoteUser and therefore the volume mount cannot be used and its permissions cannot be changed without removing rootless.

Does this issue occur when you try this locally?: N/A

Does this issue occur when you try this locally and all extensions are disabled?: Yes

chrmarti commented 5 months ago

Could you try with "containerUser": "vscode"?

stewartadam commented 5 months ago

remoteUser defaults to containerUser, would you also like me to set "remoteUser": "root" in conjunction with container user?

I'm happy to but then it's no longer rootless.

chrmarti commented 5 months ago

Only use "containerUser": "vscode". I'm suggesting that because Docker mounts volumes using the container's user.

With "rootless" are you referring to Docker's rootless mode? That shouldn't be affected by the choice of users inside the container, these should all be mapped to unprivileged users outside the container if I understand correctly.

stewartadam commented 5 months ago

I just tried with "containerUser": "vscode" and unfortunately the same issue. The volumes get mounted owned by root.

```
[6305 ms] Start: Starting container
[6306 ms] Start: Run: docker run --sig-proxy=false -a STDOUT -a STDERR --mount source=/Users/stewartadam/redacted,target=/workspace,type=bind --mount type=volume,src=0rsrv5j7ppticj9tcnk16p3nh9f0565um7elg38mari18hn4332a-azclidata,dst=/home/vscode/.azure --mount type=volume,src=0rsrv5j7ppticj9tcnk16p3nh9f0565um7elg38mari18hn4332a-pfdata,dst=/home/vscode/.promptflow --mount type=volume,src=vscode,dst=/vscode -l devcontainer.local_folder=/Users/stewartadam/redacted -l devcontainer.config_file=/Users/stewartadam/redacted/.devcontainer/devcontainer.json -e PDM_PYTHON=/workspace/.venv/bin/python -u vscode --entrypoint /bin/sh vsc-wellington-40fc677e53982b90ade450f8bd172cce797d1f0699436c03f035d421f77ef623-features -c echo Container started
Container started
```

stewartadam commented 4 months ago

@chrmarti is there any more info I can help provide? You can find a repro here: https://github.com/stewartadam/devcontainer-repro

```
workspace-3.11vscode ➜ /workspace (main) $ ls -ld ~/.promptflow
drwxr-xr-x 2 root root 4096 Jun 24 23:14 /home/vscode/.promptflow
workspace-3.11vscode ➜ /workspace (main) $
```

chrmarti commented 4 months ago

Make sure the volume does not exist yet, I think it applies the ownership only when it first creates the volume.

Someone found a way to do it without changing containerUser: https://github.com/microsoft/vscode-remote-release/issues/7690#issuecomment-2159043850

stewartadam commented 4 months ago

I've tried with fresh volumes, the ownership is still incorrect.

The trick in that comment does work but then requires you set up a custom Dockerfile for the devcontainer. It doesn't work out of the box with a base image and requires the Dockerfile be modified for each mount.

stewartadam commented 4 months ago

This issue also appears to break being able to set up a volume for VSCode Extensions by mounting /home/vscode/.vscode-server as a volume as noted here, because mkdir ~/.vscode-server/bin is run before any of the command hooks that can be used to fix the permissions.

JaneSmith commented 1 month ago

Did you ever find a solution to this? I have the same problem. I'm on Linux using the VS Code Flatpak and Podman, and if I set a volume mount it gets owned by root. The user in the container is "node", so I can't do anything with the mounted files. The only solution I've found so far is to set remoteUser to root, which then allows me to access the mounted directory, but it seems very hacky...

Edit: Yeah, this doesn't seem like a great solution... Now all the files created by VS Code are inaccessible on the host, as they're owned by a different user/group (100000). I have to manually chown them back. Very annoying.

stewartadam commented 1 month ago

On my Debian base image passwordless sudo appears to work, so my workaround was adding a sudo chown $USER:$USER command to a postCreateCommand script and hard-coding each of the volume paths I set up in devcontainer.json.

Not pretty but it works.

reynoldsbd commented 2 weeks ago

Same issue here, using VS Code on Windows + WSL2. Seems like devcontainer tooling totally skips UID/GID remapping for volumes.

The workaround worked for me, although oddly the $USER env var doesn't appear to be set. Perhaps a quirk of the base image I'm using. Here is what I ended up with:

```
// .devcontainer/devcontainer.json
{
  // ...
  "postCreateCommand": {
    "fixVolumePerms": "sudo chown -R $(whoami): /path/to/volume"
  }
}
```

icariantk commented 2 weeks ago

> Same issue here, using VS Code on Windows + WSL2. Seems like devcontainer tooling totally skips UID/GID remapping for volumes.
>
> The workaround worked for me, although oddly the $USER env var doesn't appear to be set. Perhaps a quirk of the base image I'm using. Here is what I ended up with:
>
> ```
> // .devcontainer/devcontainer.json
> {
>   // ...
>   "postCreateCommand": {
>     "fixVolumePerms": "sudo chown -R $(whoami): /path/to/volume"
>   }
> }
> ```

You just saved me a lot of time. Right to the point, thanks.

reynoldsbd commented 2 weeks ago

@chrmarti the following docs from the VS Code website are technically impacted by this issue:

https://code.visualstudio.com/remote/advancedcontainers/persist-bash-history

If a user's UID on the host is anything but 1000, then the "persist bash history" docs would be broken, because there would be a mismatch between the initial UID applied to the volume mount (1000) and the remapped UID applied by devcontainer tooling.

Should we update the docs to mention this issue and/or include the workaround? Or would it make sense to go deeper and try to fix the root issue?

chrmarti commented 2 weeks ago

@reynoldsbd I will add the workaround to the documentation. Thanks!

The root issue seems to be that Dev Containers often use a non-root user while the container user is root and Docker makes the container user the owner of new volumes. We have considered changing the container user to be the non-root user in the base images we provide, but that would potentially cause issues with scripts (e.g., daemons) that are run as part of the entrypoint. (E.g., container features can add to the entrypoint.)

The solutions I can think of essentially boil down to the solution you suggest above (https://github.com/microsoft/vscode-remote-release/issues/9931#issuecomment-2450277846). There is also the option of creating the mount folder with the correct owner in the Dockerfile and Docker will then use that for the new volume, but your suggestion is easier to apply by the user and doing this automatically might not always be expected.

vs-code-engineering[bot] commented 1 week ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

stewartadam commented 1 week ago

?

chrmarti commented 1 week ago

Another idea is that a feature's entrypoint runs as part of the container's entrypoint and can be used to adjust permissions after the container started.

E.g., adding a local feature to the devcontainer.json:

```
"features": {
    "./local-features/chown": {}
},
```

.devcontainer/local-features/chown/devcontainer-feature.json:

```
{
    "id": "chown",
    "version": "1.0.0",
    "entrypoint": "chown -R node:node /path/to/mountpoint"
}
```

.devcontainer/local-features/chown/install.sh is required, but can be empty:

```
#!/bin/sh
```

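
Added example (not part of the thread and not code from the Dev Containers project): a Python helper that reads a devcontainer.json, finds every `type=volume` mount in either syntax shown on this page, and builds the `chown` commands used by the two workarounds above. The function names, the `/home/<user>` home directory and the sample config are assumptions; `~/.vscode-server` targets are routed to the feature entrypoint because, per the thread, that directory is written before any lifecycle hook runs.

```python
import json
import shlex

# Constructed sample: the issue's config plus one string-form volume mount.
SAMPLE = r'''
{
  "image": "mcr.microsoft.com/devcontainers/base:bookworm",
  // Rename the mount to /workspace
  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
  "workspaceFolder": "/workspace",
  "mounts": [
    { "type": "volume", "source": "${devcontainerId}-venv", "target": "/workspace/.venv" },
    "type=volume,src=${devcontainerId}-vscode,dst=/home/vscode/.vscode-server",
  ],
}
'''

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; string contents are untouched."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # keep the escaped character
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):           # line comment: skip to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        elif text.startswith("/*", i):           # block comment
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 2
            continue
        else:
            if c in "}]":                        # remove a trailing comma before } or ]
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            out.append(c)
        i += 1
    return "".join(out)

_ALIASES = {"src": "source", "dst": "target", "destination": "target"}

def parse_mount(mount):
    """Normalise a mount given as a Docker --mount string or as an object."""
    if isinstance(mount, str):
        mount = dict(f.split("=", 1) for f in mount.split(",") if "=" in f)
    return {_ALIASES.get(k, k): v for k, v in mount.items()}

def plan_volume_fixes(config_text, remote_user, home=None):
    """Return the chown commands needed for volume mounts under a non-root user."""
    plan = {"postCreateCommand": None, "entrypoint": None}
    if remote_user == "root":
        return plan                              # root can already write to the volumes
    cfg = json.loads(strip_jsonc(config_text))
    home = home or "/home/" + remote_user        # assumption: conventional home path
    early_root = home + "/.vscode-server"
    late, early = [], []
    for m in map(parse_mount, cfg.get("mounts", [])):
        if m.get("type") != "volume" or "target" not in m:
            continue                             # bind mounts keep host ownership
        target = m["target"].rstrip("/")
        is_early = target == early_root or target.startswith(early_root + "/")
        (early if is_early else late).append(shlex.quote(target))
    if late:    # runs as remoteUser, so it needs passwordless sudo in the image
        plan["postCreateCommand"] = "sudo chown -R $(whoami): " + " ".join(late)
    if early:   # runs as root from a local feature's entrypoint at container start
        plan["entrypoint"] = "chown -R %s: %s" % (remote_user, " ".join(early))
    return plan

if __name__ == "__main__":
    print(json.dumps(plan_volume_fixes(SAMPLE, "vscode"), indent=2))
```
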
vs-code-engineering[bot] commented 1 week ago

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 10 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!