Remote - Containers: Permission Denied in files created inside container. #5432

Closed
fenilli opened this issue Aug 9, 2021 · 11 comments
@fenilli

fenilli commented Aug 9, 2021

After creating a file or folder inside the container, it will give permission denied inside the WSL distro, because the user is different.

  • VSCode Version: 1.58.2
  • Local OS Version: Windows_NT x64 10.0.19042
  • Remote OS Kernel: 5.4.72-microsoft-standard-WSL2
  • Remote OS Version: Alpine Linux 3.13.5
  • Remote Extension/Connection Type: Docker

Steps to Reproduce:

  1. Install WSL2 and install Debian distro
  2. Create folder inside host with .devcontainer
  3. Start Container
  4. While inside the container's bash, create a file/folder.
  5. Close VScode and Stop container
  6. Open host folder in WSL2
  7. Try to change file/folder and save it. ( It will give permission denied )

Does this issue occur when you try this locally?: No
Does this issue occur when you try this locally and all extensions are disabled?: No

@github-actions github-actions bot added the containers Issue in vscode-remote containers label Aug 9, 2021
@chrmarti
Contributor

Make sure the user inside the container is a regular user (not root). We then update that user's UID and GID to the ones your WSL user has before we start the container. That should result in files/folders owned by the WSL user.

If that doesn't work, check that UID and GID of the WSL user are not in use by some other account inside the container.

@chrmarti chrmarti self-assigned this Aug 12, 2021
@chrmarti chrmarti added the info-needed Issue requires more information from poster label Aug 12, 2021
@fenilli
Author

fenilli commented Aug 13, 2021

If I try to specify the UID in the docker-compose file, it fails when running the .devcontainer "postCreateCommand", because the user is 'node' and not root nor mine.

Also tried to add the "Change the UID/GID of an existing container user", it fails because there isn't a group with the username I tried to add.

@PavelSosin-320

PavelSosin-320 commented Aug 15, 2021 via email

@fenilli
Author

fenilli commented Aug 15, 2021

This behavior is described in the Docker documentation like any OCI runtime documentation: when the container mounts bind volume it adjusts the access rights of the mounted folder to the container's user rights. If container runs as root user it affects the access to the files on the host. It can be solved via uid/gid mapping on the host Gist - user mapping https://gist.github.com/renzok/29c9e5744f1dffa392cf. Is it simple? - No, sorry!

I will try to use this Gist to solve the problem. It seems the documentation for devcontainer is lacking in this kind of information, because it seems rather simple in the documentation, as in just add the user and commands and it should work, without the need for entrypoint files.

@chrmarti
Contributor

> If I try to specify the UID in the docker-compose file, it fails when running the .devcontainer "postCreateCommand", because the user is 'node' and not root nor mine.
>
> Also tried to add the "Change the UID/GID of an existing container user", it fails because there isn't a group with the username I tried to add.

@GustavoFenilli The UID/GID update should be automatic. Is your host machine missing a group name or is that inside the container? What's the error message?

@fenilli
Author

fenilli commented Aug 28, 2021

WSL Debian machine
whoami: fenilli
groups: fenilli adm cdrom sudo dip plugdev docker

Dockerfile.dev

FROM node:alpine
RUN npm install pm2 -g
WORKDIR /app
RUN apk update && apk add curl && apk add openssh && apk add git
ADD . ./
EXPOSE 8080

docker-compose.yml

version: "3.8"

services:
  app:
    container_name: stepfy-app
    build:
      context: ./
      dockerfile: Dockerfile.dev
    tty: true
    environment:
      - CHOKIDAR_USEPOLLING=true
    volumes:
      - .:/app
    networks:
      - internal

  webserver:
    container_name: stepfy-webserver
    image: nginx:alpine
    tty: true
    ports:
      - "80:80"
    volumes:
      - .:/var/www
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - app
    networks:
      - internal

networks:
  internal:
    driver: bridge

devcontainer.json

{
    "name": "Stepfy Frontend",
    "dockerComposeFile": [
        "../docker-compose.yml",
    ],
    "service": "app",
    "workspaceFolder": "/app",
    "extensions": [
        "vivaxy.vscode-conventional-commits",
        "editorconfig.editorconfig",
        "dbaeumer.vscode-eslint",
        "octref.vetur",
        "formulahendry.auto-close-tag",
        "formulahendry.auto-rename-tag",
        "vincaslt.highlight-matching-tag",
    ],
    "postCreateCommand": "npm i --silent",
    "postStartCommand": "pm2 --name StepfyFrontend start npm -- run 'serve'"
}

Container
whoami: root
groups: root bin daemon sys adm disk wheel floppy dialout tape video

@fenilli
Author

fenilli commented Aug 28, 2021

By adding to devcontainer.json the "remoteUser": "fenilli" it gives the following error: unable to find user fenilli: no matching entries in passwd file.

By also adding to the Dockerfile.dev as specified by the docs Change the UID/GID of an existing container user

Dockerfile.dev

FROM node:alpine

RUN apk add --no-cache shadow

ARG USERNAME=fenilli
ARG USER_UID=1000
ARG USER_GID=$USER_UID

RUN groupmod --gid $USER_GID $USERNAME \
    && usermod --uid $USER_UID --gid $USER_GID $USERNAME \
    && chown -R $USER_UID:$USER_GID /home/$USERNAME
    
WORKDIR /app
    
RUN npm install pm2 -g

RUN apk update && apk add curl && apk add openssh && apk add git
ADD . ./
EXPOSE 8080

It fails with the error: > [3/7] RUN groupmod --gid 1000 fenilli && usermod --uid 1000 --gid 1000 fenilli && chown -R 1000:1000 /home/fenilli: #5 0.230 groupmod: group 'fenilli' does not exist

@chrmarti
Contributor

You first need to add the group (addgroup) and user (adduser). You can then try running without groupmod and usermod because the extension should update UID and GID automatically and will also update the home folder's UID and GID.

@fenilli
Author

fenilli commented Aug 30, 2021

> You first need to add the group (addgroup) and user (adduser). You can then try running without groupmod and usermod because the extension should update UID and GID automatically and will also update the home folder's UID and GID.

So the UID and GID do not need to match the host's UID and GID?

@chrmarti
Contributor

No, the extension will try to update UID and GID of the container user (if not root and the target UID and GID are not used by another user/group). It will also update UID and GID of the files in the container user's home folder.
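
The conditions listed in the comment above (container user is not root, target UID and GID not held by another user or group) can be checked from a shell inside the container before relying on the automatic update. This is an added example, not part of the thread and not the extension's own code; the function name `check_remap` and the passwd/group sample data are constructed for illustration.

```shell
#!/bin/sh
# check_remap USER HOST_UID HOST_GID [PASSWD_FILE] [GROUP_FILE]
# Prints one verdict line; returns 0 only when nothing blocks the UID/GID update.
check_remap() {
    user=$1; host_uid=$2; host_gid=$3
    passwd=${4:-/etc/passwd}; group=${5:-/etc/group}

    # passwd format: name:x:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "missing: no passwd entry for '$user'"; return 1
    fi
    cur_uid=${entry%%:*}; cur_gid=${entry##*:}

    if [ "$cur_uid" = "0" ]; then
        echo "root: '$user' is UID 0, files on the bind mount will be root-owned"; return 1
    fi
    if [ "$cur_uid" = "$host_uid" ] && [ "$cur_gid" = "$host_gid" ]; then
        echo "ok: '$user' already matches $host_uid:$host_gid"; return 0
    fi

    # Another account already holding the target UID blocks the update.
    uid_owner=$(awk -F: -v id="$host_uid" -v u="$user" \
        '$3 == id && $1 != u { print $1; exit }' "$passwd")
    if [ -n "$uid_owner" ]; then
        echo "uid-taken: UID $host_uid belongs to '$uid_owner'"; return 1
    fi

    # group format: name:x:gid:members
    cur_group=$(awk -F: -v id="$cur_gid" '$3 == id { print $1; exit }' "$group")
    gid_owner=$(awk -F: -v id="$host_gid" -v g="$cur_group" \
        '$3 == id && $1 != g { print $1; exit }' "$group")
    if [ -n "$gid_owner" ]; then
        echo "gid-taken: GID $host_gid belongs to group '$gid_owner'"; return 1
    fi
    echo "ok: '$user' ($cur_uid:$cur_gid) can be updated to $host_uid:$host_gid"
}

# Demo on constructed passwd/group data (not copied from a real image).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'node:x:1000:1000::/home/node:/bin/sh' \
    'dev:x:1001:1001::/home/dev:/bin/sh' > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' 'node:x:1000:' 'dev:x:1001:' > "$demo_dir/group"
check_remap root 1000 1000 "$demo_dir/passwd" "$demo_dir/group" || true
check_remap dev  1000 1000 "$demo_dir/passwd" "$demo_dir/group" || true
```

Inside a running container, call it with the WSL user's `id -u` and `id -g` values and no file arguments so it reads `/etc/passwd` and `/etc/group`.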

@github-actions

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

@github-actions github-actions bot locked and limited conversation to collaborators Dec 3, 2021