adds a non-root user for use in the devcontainer (#2956)

* adds a non-root user for use in the devcontainer

* remove un-needed files

* .cabal folder permissions for volume mapping

nix/devcontainer/devcontainer.nix

@@ -2,6 +2,8 @@
 , tag ? null
 , extraContents ? [ ]
 , extraCommands ? ""
+, nonRootUser ? "plutus"
+, nonRootUserId ? "1000"
 , dockerTools
 , bashInteractive
 , cacert
@@ -24,7 +26,9 @@
 , nix
 , openssh
 , procps
+, runtimeShell
 , shadow
+, stdenv
 , xz
 , which
 }:
@@ -35,7 +39,12 @@ let
     inherit name tag;
 
     contents = [
-      ./root
+      # See: https://github.com/NixOS/nixpkgs/issues/118722
+      (stdenv.mkDerivation {
+        name = "wrapped";
+        src = ./root;
+        installPhase = "ln -s $src $out";
+      })
       coreutils
       procps
       gnugrep
@@ -74,27 +83,38 @@ let
       # make sure /tmp exists
       mkdir -m 1777 tmp
 
-      # need a HOME
-      mkdir -vp root
-
       # allow ubuntu ELF binaries to run. VSCode copies it's own.
       chmod +w lib64
       ln -s ${glibc}/lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2
       ln -s ${gcc-unwrapped.lib}/lib64/libstdc++.so.6 lib64/libstdc++.so.6
       chmod -w lib64
-
     '' + extraCommands;
 
+    runAsRoot = ''
+      ${dockerTools.shadowSetup}
+      groupadd --gid ${nonRootUserId} ${nonRootUser}
+      useradd --uid ${nonRootUserId} --gid ${nonRootUserId} -m ${nonRootUser}
+
+      # Because we map in the `./.cabal` folder from the users home directory,
+      # (see: https://github.com/input-output-hk/plutus-starter/blob/main/.devcontainer/devcontainer.json)
+      # and because docker won't let us map a volume not as root
+      # (see: https://github.com/moby/moby/issues/2259 link), we have to make the
+      # folder first and chown it ...
+      mkdir /home/${nonRootUser}/.cabal
+      chown ${nonRootUser}:${nonRootUser} /home/${nonRootUser}/.cabal
+    '';
+
     config = {
       Cmd = [ "/bin/bash" ];
+      User = nonRootUser;
       Env = [
         "BASH_ENV=/etc/profile.d/env.sh"
         "GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
         "LD_LIBRARY_PATH=${gcc-unwrapped.lib}/lib64"
         "PAGER=less"
         "PATH=/usr/bin:/bin"
         "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
-        "USER=root"
+        "USER=${nonRootUser}"
       ];
     };
   };

nix/devcontainer/plutus-devcontainer.nix

@@ -16,6 +16,7 @@ in
 pkgs.callPackage (import ./devcontainer.nix) {
   name = "plutus-devcontainer";
   tag = "latest";
+  nonRootUser = "plutus";
   extraContents = [
     shell.ghc
     plutus.haskell-language-server
@@ -33,9 +34,5 @@ pkgs.callPackage (import ./devcontainer.nix) {
     # We just clobbered this, put it back
     echo 'export PATH=$PATH:/usr/bin:/bin' >> etc/profile.d/env.sh
     echo 'export NIX_BUILD_TOP=$(mktemp -d)' >> etc/profile.d/env.sh
-
-    # Load all the stuff in an interactive session too
-    chmod +w root
-    echo 'source /etc/profile.d/env.sh' >> root/.bashrc
   '';
 }

nix/devcontainer/root/etc/skel/.bashrc

@@ -0,0 +1,6 @@
+# interactive session
+if [[ $- == *i* ]]; then
+  PS1='\[\033[0;32;40m\][devcontainer]$\[\033[0m\] '
+fi
+
+source /etc/profile.d/env.sh