theia-ide / theia-apps

Theia applications examples - docker images, desktop apps, packagings
Apache License 2.0

Docker user mode: File permissions on existing project folders #452

Closed jcalfee closed 3 years ago

jcalfee commented 3 years ago

The theia user in the container is UID 1001 (probably related https://github.com/theia-ide/theia-apps/issues/34). So the IDE (as the theia user) can't write to the project folder when mapped to an existing folder on the host system. The development files in the existing project folder are my host's main UID 1000.

Any suggestions on how to fix this without changing file permissions on the host's mounted folder?

host$ docker run -d --rm --name theia --init -p 3000:3000 -v "$HOME/dev:/home/project:cached" theiaide/theia:latest
# Terminal in http://localhost:3000
bash-5.0$ cd /home/project
bash-5.0$ >test
bash: test: Permission denied

bash-5.0$ whoami
theia
bash-5.0$ egrep theia /etc/passwd
theia:x:1001:1001:Linux User,,,:/home/theia:/bin/sh

bash-5.0$ ls -ld /home/project
drwxr-xr-x   94 node     node          4096 Dec 27 09:49 /home/project
bash-5.0$ egrep node /etc/passwd
node:x:1000:1000:Linux User,,,:/home/node:/bin/sh

This is the same issue users are likely to encounter if they follow Theia Docker launcher in the README then try to use Theia for existing projects. Perhaps a good solution could be found and then noted in the README.

kawakami-o3 commented 3 years ago

How about the option,

-u `id -u`:`id -g`

The whole run command is, for example,

docker run --rm -it --init -p 3000:3000 -v "$(pwd):/home/project" -u `id -u`:`id -g` theiaide/theia:latest

In this case, UID 1000 on the host becomes the node user in the container. Although the UID is not theia, the user can write files in /home/project.
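The permission check behind the transcript and the `-u` suggestion above, as an added example that is not part of the original thread or the Theia project. The function names `can_write`, `mount_owner` and `theia_run_cmd` are hypothetical, and taking the `-u` value from the mounted folder's owner instead of the caller's `id` generalizes the suggestion slightly.

```shell
#!/bin/sh
# Added example (not from the thread): why UID 1001 cannot write to a folder
# owned by 1000 with mode drwxr-xr-x, and how to derive a matching -u value.

# can_write PROC_UID PROC_GID OWNER_UID OWNER_GID MODE   (MODE octal, e.g. 755)
# POSIX selects exactly one class (owner, else group, else other) and tests
# only that class's write bit. Supplementary groups and UID 0 (which bypasses
# these bits) are not modelled here.
can_write() {
    m=${5#"${5%???}"}                          # keep the last three octal digits
    if   [ "$1" -eq "$3" ]; then digit=${m%??}                 # owner class
    elif [ "$2" -eq "$4" ]; then rest=${m#?}; digit=${rest%?}  # group class
    else digit=${m#??}                                         # other class
    fi
    [ $(( digit & 2 )) -ne 0 ]                 # write bit of the chosen class
}

# mount_owner DIR -> "uid:gid" that owns DIR (GNU/busybox stat, then BSD stat).
mount_owner() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# theia_run_cmd DIR -> prints (does not execute) the run command from the
# thread, with -u set to the owner of the folder being mounted.
theia_run_cmd() {
    printf 'docker run --rm -it --init -p 3000:3000 -v "%s:/home/project" -u %s theiaide/theia:latest\n' \
        "$1" "$(mount_owner "$1")"
}

# The thread's values: /home/project is owned by 1000:1000 with mode 755.
# First as the image's theia user (1001:1001), then as 1000:1000 via -u.
for id in 1001:1001 1000:1000; do
    if can_write "${id%:*}" "${id#*:}" 1000 1000 755; then r=allowed; else r=denied; fi
    echo "uid:gid $id on /home/project -> write $r"
done
```

Running as the folder's owner only fixes writes to /home/project; paths inside the image such as /home/theia stay owned by theia, which is what the later comments in this thread run into.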

jcalfee commented 3 years ago

Works. I'll run with it and be watchful for any side-effects. Thank you!

jcalfee commented 3 years ago

There is this:

┌─────────────────────────────────────────────────────────┐
│                 npm update check failed                 │
│           Try running with sudo or get access           │
│          to the local update config store via           │
│ sudo chown -R $USER:$(id -gn $USER) /home/theia/.config │
└─────────────────────────────────────────────────────────┘

/home/theia is in the union file system too. No sudo in the container.

jcalfee commented 3 years ago

As a workaround, downloaded the Dockerfile in theia-docker and changed it to work under the node user instead of the theia user. The node user has the same user and group ID as the typical user's system group ID (that is my case).

commented

#RUN addgroup theia && \
#    adduser -G theia -s /bin/sh -D theia;

In:

RUN chmod g+rw /home && \
    mkdir -p /home/project && \

added

    mkdir -p /home/theia && \

changed from theia to node (User 1000 in FROM node:${NODE_VERSION}-alpine)

    chown -R node:node /home/theia && \
    chown -R node:node /home/project;

changed chown to node:node

COPY --from=0 --chown=node:node /home/theia /home/theia

changed from theia to node

USER node

marcdumais-work commented 3 years ago

Thanks @kawakami-o3, @jcalfee for trying things and sharing work-arounds.

There are many ways to go about fixing permissions, but none so far is generic enough to satisfy all.

One option is to not change the container's user permissions at all. By that I mean that you can mount a folder on your host's file system that's chmod'ed to the UID used in the container. Then the Theia user will be able to write to that folder while changing nothing else. Then you could set up e.g. your GH ssh key and push your work.

This is similar to what's happening in a proper workspace server product (e.g. Gitpod) - the Unix user in the container is immaterial, if the files are never to be accessed directly, other than through the Theia app.